[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [pkcs11] Key Import proposal update
Hi Doron - Thanks! We'll review in our call today and see if we are ready to initiate a ballot accepting the proposal. Please upload the docs into the ''documents" folder in the PCKS 11 TC doc repository. Regards, Bob -----Original Message----- From: pkcs11@lists.oasis-open.org [mailto:pkcs11@lists.oasis-open.org] On Behalf Of Cohen, Doron Sent: Tuesday, May 28, 2013 11:38 AM To: pkcs11@lists.oasis-open.org Subject: [pkcs11] Key Import proposal update I am attaching two documents with the new mechanisms proposal for the secure key import . The first is an updated description for key import using an RSA key . This copy only includes minor and typo fixes - it updates the unwrapping description to indicate the use of CKM_AES_KEY_WRAP_PAD (rather than CKM_AES_KEY_WRAP) . The second is a first cut of the ECC variant . Doron -----Original Message----- From: Cohen, Doron Sent: Monday, May 20, 2013 3:46 PM To: 'pkcs11@lists.oasis-open.org' Subject: RE: [pkcs11] RSA Key Import proposal Here is an update to the proposal taking into account additional input from Mike . Doron -----Original Message----- From: Cohen, Doron Sent: Thursday, May 09, 2013 11:28 AM To: pkcs11@lists.oasis-open.org Subject: RE: [pkcs11] RSA Key Import proposal On 4/2/2013 7:12 PM, StJohns, Michael wrote: > >If you're worried about misuse of the AES key, then instead, how about defining a mechanism - CKM_RSA_AES_KEYWRAP? This defines a mechanism >which first unwraps the AES key using RSA, and then uses the AES key >wrap mechanism to unwrap the actual data? The AES key gets implicit >attributes (and actually never gets a public handle) when unwrapped, and goes away once the other key is unwrapped. The template on the original RSA private key applies to the finally unwrapped new RSA private key. > >On the wrapping side, the AES key is generated internally, wraps the data, is encrypted under the RSA public key, and then zeroized. > >For an elliptic curve equivalent you probably need something like CKM_ECIES_AES_KEYWRAP. Attached is the first draft of the proposed mechanism for secure key import using an RSA key. Assuming this is acceptable, I will provide the elliptic curve equivalent so both merged with the 2.4 new mechanisms document . Doron The information contained in this electronic mail transmission may be privileged and confidential, and therefore, protected from disclosure. If you have received this communication in error, please notify us immediately by replying to this message and deleting it from your computer without copying or disclosing it.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]