On 12/13/2011 7:32 AM, Umaxik wrote:
Many thanks, Douglas! You helped me to sort this problem out after I had spent a week or so.
Good to hear.
Some words to finish this topic: My goal was to encrypt/decrypt some data with the PIV card (i.e., only the card keeper may use the data). It can be done in the easier way: 1. PIV cards can have their Key Management Key destined to provide key establishment during transactions. 2. If this KMK uses ECDH, I can emulate C(1;1) scheme (NIST SP800-73-3,part2). That is: 2.1. I create and store in code my own EC public key (openssl affords to create EC private keys and certificates with public keys included). 2.2. The card is authorized. 2.3. I call its 'General authentication' operation with KMK and this public key.
Are you using any of the OpenSC code to talk to the card, or are you using some other code to send the 'General authentication' command to the card? If anyone is interested: https://github.com/dengert/OpenSC under the ECDH branch has the code that can be applied to OpenSC-0.12.2 to support PKCS#11 C_DeriveKey for the PIV card. There is also a pkcs11-tool
2.4. As a result, I have the secret code. This code is suitable for AES encryption. Therefore, I use openssl in order to create this public key and to operate with AES encryption.
And you should only need to save the (ephemeral) public key, and destroy the private key, and the AES key.
Best regards, Max Ushakov
-- Douglas E. Engert <deeng...@anl.gov> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
