On 1/1/2012 4:03 PM, Jean-Michel Pouré - GOOZE wrote:
> Dear all,
>
> Is there a way to store a 3DES key on smartcard, so it cannot be
> extracted but still be usable by OpenSSL?
>
> We wrote this;
> http://www.gooze.eu/howto/smartcard-quickstarter-guide/scenario-5-importing-3des-key
>
> pkcs11-tool -v --module /usr/lib/opensc-pkcs11.so --slot 1 --label
> "3deskey" --write-object 3des.key --type data --private --login --pin
> 0000
>
> But this is not really a suitable solution to store a 3DES key securely.
> Is there a best solution?
>
> Can 3DES keys be generated on card? (I guess NO)?

It would depend on the card.

Currently OpenSC does not have any secret key object support.

But the ECDH git branch introduces some routines. Just enough to support the
creation of the secret_key object (without any key) to be used to return
the secret key generated by a C_DeriveKey. Only PKCS#11 "Session Object"
support was added.
(The PIV card with ECDH can return such a key. I don't have any other card
to use to test anything else.)

> Can 3DES keys be imported as unextractible keys (like RSA private keys)?

PKCS#11 does define CKA_EXTRACTABLE, CKA_ALWAYS_SENSITIVE and
CKA_NEVER_EXTRACTABLE attributes for secret key objects.

If it is generated on the card, you will need to extract it at least
once, to give to the other party, or generate it external to the card
and load it on the card. If generated on the card, you could be able
to extract it as a wrapped key, and insert it on some other card,
so only the two cards know the key. And if the card supported it,
you could derive the same key on two cards using DH or ECDH for example.

(The PIV returns the ECDH derived key, it does not store it on the card
so it is not usable on the card, it just returns it and it is not wrapped.)

>
> Kind regards,
>

-- 

  Douglas E. Engert  <deeng...@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
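As an added example (not code from the thread, from OpenSC or from GOOZE), the checks a defender would run before importing 3DES key material as a PKCS#11 secret key object: validating the raw key bytes, and auditing the attribute template for the CKA_EXTRACTABLE / CKA_SENSITIVE / CKA_TOKEN settings discussed above versus the `--type data` object the quoted pkcs11-tool command creates. The numeric constants are the standard PKCS#11 v2.x values; the dict-as-template form is a simplification of the CK_ATTRIBUTE array a real C_CreateObject call takes.

```python
# Standard PKCS#11 attribute, object-class and key-type constants.
CKA_CLASS, CKA_TOKEN, CKA_PRIVATE = 0x000, 0x001, 0x002
CKA_VALUE, CKA_KEY_TYPE = 0x011, 0x100
CKA_SENSITIVE, CKA_EXTRACTABLE = 0x103, 0x162
CKO_DATA, CKO_SECRET_KEY, CKK_DES3 = 0x0, 0x4, 0x15


def des_parity_ok(key: bytes) -> bool:
    """Every DES key byte carries odd parity (low bit is the parity bit)."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def check_des3_key(key: bytes) -> list:
    """Return problems found in raw 3-key 3DES material (empty list = OK)."""
    if len(key) != 24:
        return [f"expected 24-byte 3-key 3DES material, got {len(key)} bytes"]
    problems = []
    if not des_parity_ok(key):
        problems.append("parity bits wrong: file is corrupted or is not DES key material")
    k1, k2, k3 = key[:8], key[8:16], key[16:]
    if k1 == k2 == k3:
        problems.append("K1 == K2 == K3: degenerates to single DES")
    elif k1 == k2 or k2 == k3:
        # K1 == K3 is legitimate two-key 3DES, so it is not flagged here.
        problems.append("adjacent sub-keys equal: degenerates to single DES")
    return problems


def audit_template(template: dict) -> list:
    """Flag template settings that leave the key readable off the card.

    `template` maps CKA_* attribute numbers to values (constructed
    simplification of a CK_ATTRIBUTE array)."""
    findings = []
    cls = template.get(CKA_CLASS)
    if cls == CKO_DATA:
        # The quoted pkcs11-tool command stores the key this way: a logged-in
        # user can simply read the object's CKA_VALUE back out.
        findings.append("CKO_DATA object: key bytes can be read back after login")
    elif cls == CKO_SECRET_KEY:
        if template.get(CKA_EXTRACTABLE, True):
            findings.append("CKA_EXTRACTABLE not set to FALSE")
        if not template.get(CKA_SENSITIVE, False):
            findings.append("CKA_SENSITIVE not set to TRUE")
        if not template.get(CKA_TOKEN, False):
            findings.append("session object only: key is lost when the session closes")
    return findings
```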
