Re: Importing a symmetric key into NSS database

Robert Relyea wrote:
> On 07/30/2013 06:37 PM, John wrote:
>>> At this point I usually ask, what is it you are trying to do? Usually when I see someone trying to import or export keyblobs, they are coding at the wrong level and we should be pushing more of whatever protocol you are running into NSS.
>>
>> I'm developing a One Time Password software token and want to store the shared secret in the NSS database. At this point I'm inclined to think importing the shared secret using PK11_CreateGenericObject() is probably more appropriate, i.e. if I can get it to work. Can you recommend a better approach?
>
> I would recommend against that. Let me get straight exactly what you are trying to do. You are taking a key in the clear (which you got from somewhere) and importing it into softoken. Then you are running a derive function on the key to generate the output you would give to the user (again in the clear)? This resulting key isn't also the key you are going to use to seed the next 'generate key', is it? Presumably you would also run a derive function on the original key to 'increment' it, or are you passing in some salt as part of the original derive?
>
> You can see why I'm a little reluctant to endorse your course of action here. What would be best is if you had a means of distributing your key that didn't involve sending it in the clear (like wrapping it with a PBE at least). Also, I can see where an OTP needs to get the data to give to the user (by its nature it gets sent over clear channels). So extracting that key may make sense, or it may make sense to use the internal key to do a cryptographic operation on plaintext to hand derive the output bits of the OTP. In any case, if you need to extract the OTP key, PK11_CreateGenericObject() isn't going to help you, since the key you want to extract is the user OTP data, which would be the result of some derive operation.
>
> bob

You're right - the OTP data is intrinsically an HMAC digest, which can be generated using NSS functions, so there's no need to export the key.

On a related topic, to support event-based OTP we would need to keep track of a counter and increment it each time a code is generated. We could store this counter in a separate sqlite database, but it would be cleaner, from an application perspective, if we could store it in the NSS database as well. We'd need to be able to extract the counter, increment it and then store it back in the NSS database. Is this possible?

Regards,
John

View this message in context: http://mozilla.6506.n7.nabble.com/Importing-a-symmetic-key-into-NSS-database-tp286642p286974.html
Sent from the Mozilla - Cryptography mailing list archive at Nabble.com.
dev-tech-crypto mailing list, dev-tech-crypto@lists.mozilla.org, https://lists.mozilla.org/listinfo/dev-tech-crypto
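John's conclusion in the message above (the OTP value is an HMAC over the event counter, and the counter is the only state that changes between codes) can be seen end to end in the following added example, which is not part of this thread and not NSS code. It is a stand-alone C implementation of RFC 4226 HOTP with its own SHA-1 and HMAC so that it runs without NSS; in a real token the HMAC step is exactly what the persistent NSS key would compute, and the secret would not sit in a plain buffer. The `hotp_token` struct, `token_next_code()` and `demo_counter_advances()` are names chosen here; the 20-byte test secret is the one published in RFC 4226 Appendix D, not a value from this thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* --- Minimal SHA-1 (RFC 3174) over a single in-memory message --- */
static uint32_t rol32(uint32_t x, int n) { return (x << n) | (x >> (32 - n)); }

static void sha1(const uint8_t *msg, size_t len, uint8_t out[20]) {
    uint32_t h[5] = {0x67452301u, 0xEFCDAB89u, 0x98BADCFEu, 0x10325476u, 0xC3D2E1F0u};
    size_t padded = ((len + 8) / 64 + 1) * 64;   /* room for the 0x80 byte and 64-bit length */
    uint8_t *buf = calloc(padded, 1);
    memcpy(buf, msg, len);
    buf[len] = 0x80;
    uint64_t bits = (uint64_t)len * 8;
    for (int i = 0; i < 8; i++) buf[padded - 1 - i] = (uint8_t)(bits >> (8 * i));
    for (size_t off = 0; off < padded; off += 64) {
        uint32_t w[80];
        for (int i = 0; i < 16; i++)
            w[i] = ((uint32_t)buf[off + 4*i] << 24) | ((uint32_t)buf[off + 4*i + 1] << 16) |
                   ((uint32_t)buf[off + 4*i + 2] << 8) | buf[off + 4*i + 3];
        for (int i = 16; i < 80; i++) w[i] = rol32(w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16], 1);
        uint32_t a = h[0], b = h[1], c = h[2], d = h[3], e = h[4];
        for (int i = 0; i < 80; i++) {
            uint32_t f, k;
            if (i < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999u; }
            else if (i < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1u; }
            else if (i < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDCu; }
            else             { f = b ^ c ^ d;                   k = 0xCA62C1D6u; }
            uint32_t t = rol32(a, 5) + f + e + k + w[i];
            e = d; d = c; c = rol32(b, 30); b = a; a = t;
        }
        h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
    }
    free(buf);
    for (int i = 0; i < 5; i++) {
        out[4*i] = h[i] >> 24; out[4*i+1] = h[i] >> 16;
        out[4*i+2] = h[i] >> 8; out[4*i+3] = h[i];
    }
}

/* --- HMAC-SHA1 (RFC 2104), block size 64; messages here are the 8-byte counter --- */
static void hmac_sha1(const uint8_t *key, size_t klen,
                      const uint8_t *msg, size_t mlen, uint8_t out[20]) {
    uint8_t k[64] = {0}, inner[64 + 64], outer[64 + 20];
    if (mlen > 64) { memset(out, 0, 20); return; }   /* fixed buffers: HOTP input is 8 bytes */
    if (klen > 64) sha1(key, klen, k); else memcpy(k, key, klen);
    for (int i = 0; i < 64; i++) { inner[i] = k[i] ^ 0x36; outer[i] = k[i] ^ 0x5c; }
    memcpy(inner + 64, msg, mlen);
    sha1(inner, 64 + mlen, outer + 64);       /* H(K ^ ipad || msg) */
    sha1(outer, 84, out);                      /* H(K ^ opad || inner hash) */
}

/* --- RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, decimal digits --- */
uint32_t hotp(const uint8_t *secret, size_t slen, uint64_t counter, int digits) {
    uint8_t c[8], mac[20];
    for (int i = 7; i >= 0; i--) { c[i] = (uint8_t)(counter & 0xff); counter >>= 8; }
    hmac_sha1(secret, slen, c, 8, mac);
    int off = mac[19] & 0x0f;                  /* low nibble of last byte selects 4 bytes */
    uint32_t bin = ((uint32_t)(mac[off] & 0x7f) << 24) | ((uint32_t)mac[off+1] << 16) |
                   ((uint32_t)mac[off+2] << 8) | mac[off+3];
    uint32_t mod = 1;
    for (int i = 0; i < digits; i++) mod *= 10;
    return bin % mod;
}

/* Event-based token state: the secret plus the moving-factor counter John asks about.
 * Only the counter changes; the secret is read, never rewritten or exported. */
typedef struct { uint8_t secret[64]; size_t secret_len; uint64_t counter; } hotp_token;

uint32_t token_next_code(hotp_token *t) {
    uint32_t code = hotp(t->secret, t->secret_len, t->counter, 6);
    t->counter++;   /* advance (and persist) the counter so the same code is never issued twice */
    return code;
}

/* Constructed check against RFC 4226 Appendix D: counters 0 and 1 must give 755224 and 287082. */
int demo_counter_advances(void) {
    hotp_token t = { .secret_len = 20, .counter = 0 };
    memcpy(t.secret, "12345678901234567890", 20);
    uint32_t first = token_next_code(&t), second = token_next_code(&t);
    return first == 755224 && second == 287082 && t.counter == 2;
}

int main(void) {
    hotp_token t = { .secret_len = 20, .counter = 0 };
    memcpy(t.secret, "12345678901234567890", 20);
    for (int i = 0; i < 3; i++) printf("counter %d -> %06u\n", i, token_next_code(&t));
    return demo_counter_advances() ? 0 : 1;
}
```

The point relative to the thread: `hotp()` needs the MAC output, not the key bytes, so with NSS the `hmac_sha1()` call is replaced by a PK11 digest context over the token key and nothing about the key ever has to be extracted; the counter is ordinary application state that must be written back before the code is shown.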
Re: Importing a symmetric key into NSS database

Hi,

I need some help in setting up the NSS cryptographic module for doing encryption and decryption. Could anyone help me in doing that?

Thank you,
Raj

On Tue, Jul 30, 2013 at 9:37 PM, John <jbu...@yahoo.com> wrote:
>> At this point I usually ask, what is it you are trying to do? Usually when I see someone trying to import or export keyblobs, they are coding at the wrong level and we should be pushing more of whatever protocol you are running into NSS.
>
> I'm developing a One Time Password software token and want to store the shared secret in the NSS database. At this point I'm inclined to think importing the shared secret using PK11_CreateGenericObject() is probably more appropriate, i.e. if I can get it to work. Can you recommend a better approach?

-- 
Thanks & Regards,
Rajesh Kareti
571-512-0105
Re: Importing a symmetric key into NSS database

On 07/31/2013 09:47 AM, Rajesh Kareti wrote:
> Hi,
>
> I need some help in setting up the NSS cryptographic module for doing encryption and decryption. Could anyone help me in doing that?
>
> Thank you,
> Raj

Raj, please do not hijack threads; your question has nothing to do with importing a symmetric key.

Using NSS to perform miscellaneous cryptographic operations:
https://developer.mozilla.org/en-US/docs/NSS/NSS_Tech_Notes/nss_tech_note5
and NSS Sample Code:
https://developer.mozilla.org/en-US/docs/NSS/NSS_Sample_Code

Were you unable to find these?

> On Tue, Jul 30, 2013 at 9:37 PM, John <jbu...@yahoo.com> wrote:
>>> At this point I usually ask, what is it you are trying to do? Usually when I see someone trying to import or export keyblobs, they are coding at the wrong level and we should be pushing more of whatever protocol you are running into NSS.
>>
>> I'm developing a One Time Password software token and want to store the shared secret in the NSS database. At this point I'm inclined to think importing the shared secret using PK11_CreateGenericObject() is probably more appropriate, i.e. if I can get it to work. Can you recommend a better approach?

-- 
John
Re: Importing a symmetric key into NSS database

On 07/30/2013 06:37 PM, John wrote:
>> At this point I usually ask, what is it you are trying to do? Usually when I see someone trying to import or export keyblobs, they are coding at the wrong level and we should be pushing more of whatever protocol you are running into NSS.
>
> I'm developing a One Time Password software token and want to store the shared secret in the NSS database. At this point I'm inclined to think importing the shared secret using PK11_CreateGenericObject() is probably more appropriate, i.e. if I can get it to work. Can you recommend a better approach?

I would recommend against that. Let me get straight exactly what you are trying to do. You are taking a key in the clear (which you got from somewhere) and importing it into softoken. Then you are running a derive function on the key to generate the output you would give to the user (again in the clear)? This resulting key isn't also the key you are going to use to seed the next 'generate key', is it? Presumably you would also run a derive function on the original key to 'increment' it, or are you passing in some salt as part of the original derive?

You can see why I'm a little reluctant to endorse your course of action here. What would be best is if you had a means of distributing your key that didn't involve sending it in the clear (like wrapping it with a PBE at least). Also, I can see where an OTP needs to get the data to give to the user (by its nature it gets sent over clear channels). So extracting that key may make sense, or it may make sense to use the internal key to do a cryptographic operation on plaintext to hand derive the output bits of the OTP. In any case, if you need to extract the OTP key, PK11_CreateGenericObject() isn't going to help you, since the key you want to extract is the user OTP data, which would be the result of some derive operation.

bob
Re: Importing a symmetric key into NSS database

On 07/29/2013 06:00 PM, John wrote:
> Hi,
>
> Is it possible to import a symmetric key such that it is persisted in the database?

Short answer: use PK11_ImportSymKeyWithFlags(). Set flags=0, and isPerm to PR_TRUE.

Longer answer:

NOTE: neither PK11_ImportSymKey() nor PK11_ImportSymKeyWithFlags() work in FIPS mode. You'll need to unwrap the key with some private or symmetric key. If you use a symmetric key to unwrap, you can use PK11_UnwrapSymKeyWithFlagsPerm(); if you use a private key, you can use PK11_PubUnwrapSymKeyWithFlagsPerm().

NOTE2: the 'Perm' only means you can specify isPerm or not, so you can use these functions as replacements for PK11_UnwrapSymKey() and PK11_PubUnwrapSymKey() respectively.

bob

> I have tried the following.
>
>     unsigned char secret[] = {0xe8, 0xa7, 0x7c, 0xe2, 0x05, 0x63, 0x6a, 0x31};
>     SECItem key;
>     key.type = siBuffer;
>     key.data = secret;
>     key.len = sizeof(secret);
>     SECStatus rv;   // declared up front so the gotos below do not jump over an initialization
>
>     PK11SlotInfo *slot = PK11_GetInternalKeySlot();
>
>     // Import key (session key only: PK11_ImportSymKey has no isPerm argument).
>     PK11SymKey *symKey = PK11_ImportSymKey(slot, CKM_DES_CBC, PK11_OriginUnwrap,
>                                            CKA_ENCRYPT, &key, NULL);
>     if (!symKey) {
>         cout << "Failed to import key" << endl;
>         goto shutdown;
>     }
>
>     // Assign nickname to key.
>     rv = PK11_SetSymKeyNickname(symKey, "MySymKey");
>     if (rv != SECSuccess) {
>         cout << "Couldn't set name on key" << endl;
>         PK11_DeleteTokenSymKey(symKey);
>         PK11_FreeSymKey(symKey);
>         goto shutdown;
>     }
>
>     // Check if key was imported: only token (persistent) keys are listed here.
>     if (PK11_ListFixedKeysInSlot(slot, (char *)"MySymKey", NULL) == NULL) {
>         cout << "Failed to find key" << endl;
>         goto shutdown;
>     }
>
> PK11_ListFixedKeysInSlot returns NULL and the timestamp on key4.db remains unchanged, indicating the key was not imported into the database.
>
> Thanks,
> John
Re: Importing a symmetric key into NSS database

Thank you. FIPS is not enabled, so PK11_ImportSymKeyWithFlags() works for me.

However, I'm unable to export the imported key using PK11_ExtractKeyValue() and PK11_GetKeyData(). I suspect this is by design - keys are protected from being exported?

As a workaround, I have tried importing the key using PK11_CreateGenericObject() instead, as shown below. However, PK11_CreateGenericObject() failed to create the object, and PORT_GetError() returned -8018 (SEC_ERROR_UNKNOWN_PKCS11_ERROR). Am I missing something?
Re: Importing a symmetric key into NSS database

On 07/30/2013 05:34 PM, John wrote:
> Thank you. FIPS is not enabled, so PK11_ImportSymKeyWithFlags() works for me.
>
> However, I'm unable to export the imported key using PK11_ExtractKeyValue() and PK11_GetKeyData(). I suspect this is by design - keys are protected from being exported?

Keys that are marked CKA_EXTRACTABLE = PR_FALSE aren't exportable. I suspect that symkeys are marked that way by default. It's a really bad idea to use raw keys (both import and export), so we don't make it easy. Your best bet is to at least wrap the keys you are trying to export out using PK11_WrapSymKey(). Then use the corresponding Unwrap to take the keys back out.

At this point I usually ask, what is it you are trying to do? Usually when I see someone trying to import or export keyblobs, they are coding at the wrong level and we should be pushing more of whatever protocol you are running into NSS.

> As a workaround, I have tried importing the key using PK11_CreateGenericObject() instead, as shown below. However, PK11_CreateGenericObject() failed to create the object, and PORT_GetError() returned -8018 (SEC_ERROR_UNKNOWN_PKCS11_ERROR). Am I missing something?

It depends on the template. When you call PK11_CreateGenericObject, you are responsible for your own template. NSS doesn't map all the PKCS #11 errors (particularly template errors, since normally only NSS creates templates).
Re: Importing a symmetric key into NSS database

> At this point I usually ask, what is it you are trying to do? Usually when I see someone trying to import or export keyblobs, they are coding at the wrong level and we should be pushing more of whatever protocol you are running into NSS.

I'm developing a One Time Password software token and want to store the shared secret in the NSS database. At this point I'm inclined to think importing the shared secret using PK11_CreateGenericObject() is probably more appropriate, i.e. if I can get it to work. Can you recommend a better approach?