Hello, How should or could the encrypted key blob format look like?
At the moment the header is starting with one byte declaring the key encoding, only unencrypted, plain, is supported right now, then the key type and the key size. After this header the key data starts. A simple approach would be to set the byte declaring the key blob encoding to encrypted and encrypt the key data. But with this approach the used key and algorithm must be saved somewhere else, so that it is possible to decrypt it. To eliminate this two bytes specifying the algorithm and key could be introduced which are saved prefixing the key data. Any suggestions? Also interesting would be the usefulness of this feature. What can be done with it? Keys could be exported with a key which was generated on card and never leaves the card. So it would be possible to swap out keys in a secure way and import them later again. One problem is migration. I might be nice to migrate all keys to another token, but this can produce security risks, e.g. a card generated key should always stay there and never leave the card, the migration would allow this. Also all key flags, cipher policies and so on are lost, if a key is exported and later imported, e.g. an exported key can never again has the flag "generated on card", because this is not sure. Karsten _______________________________________________ Muscle mailing list [email protected] http://lists.drizzle.com/mailman/listinfo/muscle
