Brian Hawkins wrote:
> I'm creating shared keys using an anonymous Diffie-Hellman key exchange. The shared secret will be used to create key block material similar to how TLS does it. So what I need is a method to create a cipher, provide a key and encrypt/decrypt some data. All the methods in NSS look like they use public/private keys to decrypt/encrypt stuff.

Ah, then life is good. What you need to do is have the token generate the DH key for you. BTW, you are using public and private keys, they just happen to be DH, not RSA.
Get your DH keys with PK11_GenerateKeyPair. PK11_GenerateKeyPair takes a mechanism specific parameter. For DH that parameter contains the prime and the base for your key exchange. The output of PK11_GenerateKeyPair is a public key and a private key. You will need to extract the public key to send to your remote user. You probably only need the 'VALUE' of the public key, but, depending on the protocol, the key may be DER wrapped with the base and prime. Unlike private keys, SECKEYPublicKey objects are publicly readable.
From your other user you will get a public DH key value. You construct a DH public key and import it into the token. You then use PK11_PubDerive to get a symmetric key from your private DH key and the opposite's public DH key. That symmetric key can be used in PK11_CreateContext to create a symmetric key context and off you go.
This is mostly a sketch, but poking around the header files should get you what you want.
yes, PK11_PubDerive (potentially followed by PK11_Derive if you need to mangle the bits) would be your way in in this case.

> Based on what you have said it looks like I need to create a PK11SymKey and use it right?
bob
> Thanks
> Brian
>
> On 6/3/07, Robert Relyea <[EMAIL PROTECTED]> wrote:
> > Brian Hawkins wrote:
> > > I would like to use a block cipher to encrypt some data using a shared
> > > secret. It doesn't appear that nss provides access to the low level
> > > cipher suite, is that true? I cannot use public/private keys for my
> > > encryption because of a design issue. Is there any way to sign and
> > > encrypt data using a shared key?
> >
> > The PK11_ functions handle the basic crypto functionality. When dealing with raw shared keys, there's often the issue that applications try to manipulate these keys directly. This can be made to work in NSS, but your application will fail if you try to operate in FIPS mode. The big question, then, is how are you distributing the keys? If you are typing hex strings or copying files of raw keys around, then things are a bit problematic. If the shared key is generated with a pbe, things are better, and can usually be accommodated in FIPS mode. So the short answer is yes, you can do what you are asking, but if you need to use a raw key interface, then you need to ask yourself if you have a more fundamental design issue.
> >
> > Hope that helps,
> > bob
> > > Thanks
> > > _______________________________________________
> > > dev-tech-crypto mailing list
> > > [email protected]
> > > https://lists.mozilla.org/listinfo/dev-tech-crypto
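Added example, not part of the thread and not NSS code: a pure-Python model of the flow sketched in the reply above (generate a DH pair from prime and base, swap public values, derive a shared secret, then expand it into TLS-style key block material). All function names, the label, and the parameters P and G are assumptions made up for illustration; P is a constructed demo prime, not a vetted DH group.

```python
import hashlib
import hmac
import secrets

P = 2**521 - 1   # constructed demo prime (a Mersenne prime), not a vetted DH group
G = 3            # constructed demo base

def generate_keypair(p=P, g=G):
    # Plays the role of PK11_GenerateKeyPair: prime and base in, key pair out.
    x = secrets.randbelow(p - 3) + 2          # private exponent in [2, p-2]
    return x, pow(g, x, p)                    # second item is the public VALUE to send

def pub_derive(priv, peer_value, p=P):
    # Plays the role of PK11_PubDerive: own private key + peer public value.
    # The range check rejects 0, 1 and p-1, which would force a known secret.
    # It does not authenticate the peer; anonymous DH never does.
    if not isinstance(peer_value, int) or not 2 <= peer_value <= p - 2:
        raise ValueError("peer DH public value out of range")
    z = pow(peer_value, priv, p)
    return z.to_bytes((p.bit_length() + 7) // 8, "big")

def key_block(secret, label, seed, length):
    # TLS 1.2 style P_SHA256 expansion (RFC 5246, section 5). This is the
    # "mangle the bits" step that follows the raw derive.
    out, a = b"", label + seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + label + seed, hashlib.sha256).digest()
    return out[:length]

def session_keys(priv, peer_value, nonce_a, nonce_b):
    # Split 64 bytes of key block into an encryption key and a MAC key.
    secret = pub_derive(priv, peer_value)
    block = key_block(secret, b"demo key expansion", nonce_a + nonce_b, 64)
    return block[:32], block[32:]

def demo():
    # Both ends of the exchange in one process, with constructed nonces.
    a_priv, a_pub = generate_keypair()
    b_priv, b_pub = generate_keypair()
    na, nb = secrets.token_bytes(16), secrets.token_bytes(16)
    return (session_keys(a_priv, b_pub, na, nb),
            session_keys(b_priv, a_pub, na, nb))

if __name__ == "__main__":
    side_a, side_b = demo()
    print("both sides hold the same keys:", side_a == side_b)
```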

