Questions tagged [pkcs11]

42 questions
12
votes
2 answers

TPM 2.0 PKCS#11 on Windows and Linux

The new Skylake processors have integrated TPM 2.0 inside. Is there any way to use the TPM 2.0 as a PKCS#11 token on Windows and Linux for symmetric and asymmetric keys? TPM 1.2 has PKCS#11 libraries and I am looking for something similar for…
user1563721
6
votes
1 answer

uploading pkcs12 to yubikey piv slot

I have an id_rsa (private key which is used by me for authentication and encryption together with cert on yubikey piv smartcard provider on slot 9a). Now I wish to use this key to create a pkcs12 keystore (private key + self signed cert) to sign jar…
ceph3us
5
votes
1 answer

Key derivation inside secure container of HSM

I have to implement custom key derivation function which basically works as follows: I have encryption key K in secure container of HSM. K can't be exported and the only way how to use it is through HSM command or PKCS#11 function. The derived key…
user1563721
5
votes
2 answers

Key based encryption for files with the key stored on a USB drive?

We're a small startup running a server inside the client's premises and certain files need to be kept encrypted on that server. We want the decryption to be only possible when we plug in a particular USB drive (with the private key inside it). Are…
Grim Reaper
4
votes
1 answer

Create certificate without private key or using USB eToken

Considering this thread: "Create certificate without private key with OpenSSL", I have a very similar situation. I have a USB eToken 5110 JC (Aladdin) which has an inaccessible private key, since it's the main objective. I can use pkcs11-tool --module…
4
votes
1 answer

What is the state of smart card/computer interoperability

Smart cards are the only really secure device that can be used for, among other things, electronic identification. However, there are usability concerns stemming from the lack of standardization. Usually, in order to use a smartcard, the user has…
Bozho
4
votes
1 answer

How can I use my HSM to turn a CSR into a certificate?

I create a CSR using OpenSSL, so I have public and private keys. Now I want to sign this CSR and convert it into an X.509 certificate. The only problem is, my signer is a custom HSM. I can send bytes and it signs them for me using SHA1. (The full…
John McKean
3
votes
1 answer

Extract the content of PKCS7 file in Java

I have a PKCS#7 signature that has the content-type signed data and it embeds an XML document, and I have to extract the XML document from this PKCS7 file. Does anyone know how to do that in Java?
Hakim
3
votes
1 answer

OBKG on smartcard with PKCS#11

I have a new smart card with an on board PKCS#11 module and operate in a Win 8 environment. Like many cards, it can generate its own key pairs for enhanced security (only the public key can leave the card). The keys generated are not OTP keys,…
TrustNoOne
3
votes
3 answers

Is it possible to wrap and export RSA private key in FIPS 140-2 Level 3 compliant hardware?

I would like to do the following on FIPS 140-3 Level 3 certified cryptographic token using PKCS#11: generate RSA key pair on token; import AES key from multiple components; wrap and export RSA private key with AES key (PKCS#8) into file. I am trying…
user1563721
3
votes
1 answer

Smartcard - main differences between .NET and Java smartcard?

My question focuses on the differences regarding PKCS11 implementation between a .NET and a Java smartcard. More generally, do smartcards use a specific "OS" (or firmware) and only differ in the middleware / application layer? Is it easy to format…
crypto-learner
3
votes
1 answer

Why does it take so much time to create a secret key on a HSM?

I was testing key generation on a Hardware Security Module and I noticed that it takes so much time to generate an AES 256 secret key on the HSM. I've used pkcs11-tool to generate the key and it took about 5 sec to complete the task: $ pkcs11-tool…
No name
3
votes
0 answers

Is it possible to use Bouncy Castle crypto library with PKCS#11 HSMs?

Is it possible to use Bouncy Castle crypto library with PKCS #11 HSMs?
westbeam87
3
votes
1 answer

PKCS#11 session object security

The CKA_TOKEN attribute identifies whether the object is a token object or a session object. We can believe that when the PKCS#11 object has CKA_TOKEN attribute set to true, then it is securely stored inside memory of PKCS#11 enabled device. For…
user1563721
2
votes
2 answers

PKCS#1-1.5 encoding - is there a reason to use 00 in block type?

For encryption block looking like this: EB = 00 || BT || PS || 00 || Data where BT - block type and PS - padding string, I've read that we use three types of BT - 00, 01, 02. Now, since 00 and 01 are for private key operations (where 01 is…
James Pond