Subject: [pkcs11] RSA Key Import proposal


Hi All, 

As per the action item from the previous meetings, below is the RSA private key import proposal I would like to address in the spec moving forward:


The Problem:

The CKA_UNWRAP_TEMPLATE attribute can be used to set the policy of a wrapped key. For example, this means that if an RSA private-key is wrapped with an AES key, then the CKA_UNWRAP_TEMPLATE attribute associated with the AES key can ensure that the RSA private-key will be sensitive, unwrappable or whatever desired. However, if one wishes to unwrap an RSA private-key PrivK_new using an RSA private-key PrivK already on the token, then a problem arises since PrivK_new cannot be wrapped by PrivK directly due to its size being too great. Thus, one must wrap a symmetric key K using PrivK and then wrap the RSA private key PrivK_new using the symmetric key K.
It is possible to set the policy of K using the CKA_UNWRAP_TEMPLATE attribute of PrivK. However, it is not clear in the PKCS#11 specification that it is also possible to set the policy of PrivK_new by having the CKA_UNWRAP_TEMPLATE of K include a template for PrivK_new (i.e., for any key wrapped with K itself). If such a nesting of templates is not allowed, then there is no way to securely unwrap an RSA private key with another RSA private key.
In addition, in order to prevent oracle padding attacks when unwrapping a key using a symmetric key (either directly or as in the above case), an authenticated-encryption mechanism like CCM and/or GCM must support wrap and unwrap.

Proposal:

We propose that the PKCS#11 specification explicitly state that a CKA_UNWRAP_TEMPLATE attribute can contain a CKA_UNWRAP_TEMPLATE to be applied to whatever key is unwrapped by the key in question. Currently this is ambiguous. In addition, we recommend that CCM and GCM be enabled for wrap and unwrap. This is crucial for preventing oracle padding attacks.

Example of Usage

We show how to define a nested template so that an RSA private key (the target private key) can be securely imported using another RSA private key (called the base private key), via an intermediate AES key. 

Attribute template for the target RSA key:

  /* Values referenced by the three templates below (all pkcs11.h types).
     aesLen = 32 (AES-256) is an illustrative choice, not fixed by the proposal. */
  CK_BBOOL          ckTrue = CK_TRUE, ckFalse = CK_FALSE;
  CK_OBJECT_CLASS   ckoPrivateKey = CKO_PRIVATE_KEY, ckoSecretKey = CKO_SECRET_KEY;
  CK_KEY_TYPE       ckkRsa = CKK_RSA, ckkAes = CKK_AES;
  CK_MECHANISM_TYPE ckmRsaPkcs = CKM_RSA_PKCS, ckmAesCcm = CKM_AES_CCM;
  CK_ULONG          aesLen = 32;

  CK_ATTRIBUTE tPrvKey[] = {
    {CKA_TOKEN, &ckTrue, sizeof(CK_BBOOL)},
    {CKA_PRIVATE, &ckTrue, sizeof(CK_BBOOL)},
    {CKA_CLASS, &ckoPrivateKey, sizeof(CK_ULONG)},
    {CKA_KEY_TYPE, &ckkRsa, sizeof(CK_ULONG)},
    {CKA_UNWRAP, &ckTrue, sizeof(CK_BBOOL)},
    {CKA_DECRYPT, &ckTrue, sizeof(CK_BBOOL)},
    {CKA_SIGN, &ckTrue, sizeof(CK_BBOOL)},
    {CKA_SIGN_RECOVER, &ckTrue, sizeof(CK_BBOOL)},
    {CKA_ALLOWED_MECHANISMS, &ckmRsaPkcs, sizeof(CK_ULONG)},  /* one-element mechanism list */
  };

Attribute template for the intermediate AES key (only uses CCM to prevent oracle-padding attack on target RSA key, and doesn't allow decrypt):
  CK_ATTRIBUTE tAesKey[] = {
    {CKA_TOKEN, &ckTrue, sizeof(CK_BBOOL)},
    {CKA_PRIVATE, &ckTrue, sizeof(CK_BBOOL)},
    {CKA_CLASS, &ckoSecretKey, sizeof(CK_ULONG)},
    {CKA_KEY_TYPE, &ckkAes, sizeof(CK_ULONG)},
    {CKA_SENSITIVE, &ckTrue, sizeof(CK_BBOOL)},
    {CKA_EXTRACTABLE, &ckFalse, sizeof(CK_BBOOL)},
    {CKA_ALLOWED_MECHANISMS, &ckmAesCcm, sizeof(CK_ULONG)},
    {CKA_VALUE_LEN, &aesLen, sizeof(CK_ULONG)},
    {CKA_UNWRAP, &ckTrue, sizeof(CK_BBOOL)},
    {CKA_DECRYPT, &ckFalse, sizeof(CK_BBOOL)},
    {CKA_SIGN, &ckFalse, sizeof(CK_BBOOL)},
    {CKA_VERIFY, &ckFalse, sizeof(CK_BBOOL)},
    {CKA_UNWRAP_TEMPLATE, tPrvKey, sizeof(tPrvKey)},
  }; 

Note that the CKA_UNWRAP_TEMPLATE attribute of the AES key contains the template of the target RSA private key.

Attribute template for the base RSA key:
  CK_ATTRIBUTE tPrvKeyBase[] = {
    {CKA_TOKEN, &ckTrue, sizeof(CK_BBOOL)},
    {CKA_PRIVATE, &ckTrue, sizeof(CK_BBOOL)},
    {CKA_UNWRAP, &ckTrue, sizeof(CK_BBOOL)},
    {CKA_DECRYPT, &ckFalse, sizeof(CK_BBOOL)},
    {CKA_SIGN, &ckFalse, sizeof(CK_BBOOL)},
    {CKA_SIGN_RECOVER, &ckFalse, sizeof(CK_BBOOL)},
    {CKA_ALLOWED_MECHANISMS, &ckmRsaPkcs, sizeof(CK_ULONG)},
    {CKA_UNWRAP_TEMPLATE, tAesKey, sizeof(tAesKey)},
  }; 
Note that the CKA_UNWRAP_TEMPLATE attribute of the RSA base key contains the template of the intermediate AES key.

Generate key pair command (generating the base key PrivK; tPubKeyBase is the public-key template, not shown here, and rsaGenMech is the CKM_RSA_PKCS_KEY_PAIR_GEN mechanism):
  C_GenerateKeyPair(hSession, &rsaGenMech,
                    tPubKeyBase, sizeof(tPubKeyBase)/sizeof(CK_ATTRIBUTE),
                    tPrvKeyBase, sizeof(tPrvKeyBase)/sizeof(CK_ATTRIBUTE),
                    &hPubKeyBase, &hPrvKeyBase);

Thanks
Doron
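The following is an added example and is not part of the message above or of any PKCS#11 implementation. It models, in plain C with no token, the checks a token would have to perform for the two-stage import the proposal describes: stage 1 unwraps the intermediate AES key K under the base key PrivK and applies PrivK's CKA_UNWRAP_TEMPLATE; stage 2 unwraps PrivK_new under K and applies the CKA_UNWRAP_TEMPLATE that was nested inside that first template. The typedefs and constant values are stand-ins copied from the shape of pkcs11.h. The merge rule (policy attributes win; a caller attribute that disagrees fails with CKR_TEMPLATE_INCONSISTENT) and the use of CKR_MECHANISM_INVALID for a mechanism outside CKA_ALLOWED_MECHANISMS are this example's assumptions about conforming behaviour, not text quoted from the spec. The templates are a trimmed variant of the message's, with CKA_SENSITIVE and CKA_EXTRACTABLE pinned on the target key so a downgrade attempt can be shown being refused.

```c
/* Added example: token-side model of nested CKA_UNWRAP_TEMPLATE enforcement.
 * Stand-in types/constants mirror pkcs11.h; behaviour is this example's reading. */
#include <stddef.h>
#include <string.h>

typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef CK_ULONG      CK_RV;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;

#define CKA_CLASS                 0x000UL
#define CKA_SENSITIVE             0x103UL
#define CKA_VALUE_LEN             0x161UL
#define CKA_EXTRACTABLE           0x162UL
#define CKA_UNWRAP_TEMPLATE       0x40000212UL   /* CKF_ARRAY_ATTRIBUTE | 0x212 */
#define CKA_ALLOWED_MECHANISMS    0x40000600UL   /* CKF_ARRAY_ATTRIBUTE | 0x600 */
#define CKO_PRIVATE_KEY           3UL
#define CKO_SECRET_KEY            4UL
#define CKM_RSA_PKCS              0x0001UL
#define CKM_AES_CBC_PAD           0x1085UL
#define CKM_AES_CCM               0x1088UL
#define CKR_OK                    0x00UL
#define CKR_MECHANISM_INVALID     0x70UL
#define CKR_TEMPLATE_INCONSISTENT 0xD1UL
#define EFF_CAP 16   /* size of an effective-template buffer (model only) */
#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

static const CK_ATTRIBUTE *find_attr(const CK_ATTRIBUTE *t, CK_ULONG n, CK_ULONG type) {
    for (CK_ULONG i = 0; i < n; i++) if (t[i].type == type) return &t[i];
    return NULL;
}

/* Merge the wrapping key's CKA_UNWRAP_TEMPLATE (policy) with the caller's
 * C_UnwrapKey template. Policy attributes are copied first; a caller attribute
 * that disagrees is a conflict and the unwrap is refused (assumed rule). */
CK_RV apply_unwrap_template(const CK_ATTRIBUTE *policy, CK_ULONG nPolicy,
                            const CK_ATTRIBUTE *caller, CK_ULONG nCaller,
                            CK_ATTRIBUTE *out, CK_ULONG *nOut) {
    CK_ULONG n = 0;
    for (CK_ULONG i = 0; i < nPolicy; i++) {
        const CK_ATTRIBUTE *c = find_attr(caller, nCaller, policy[i].type);
        if (c && (c->ulValueLen != policy[i].ulValueLen ||
                  memcmp(c->pValue, policy[i].pValue, c->ulValueLen) != 0))
            return CKR_TEMPLATE_INCONSISTENT;
        if (n == EFF_CAP) return CKR_TEMPLATE_INCONSISTENT;
        out[n++] = policy[i];            /* nested CKA_UNWRAP_TEMPLATE travels along */
    }
    for (CK_ULONG i = 0; i < nCaller; i++) {
        if (find_attr(policy, nPolicy, caller[i].type)) continue;  /* policy supplied it */
        if (n == EFF_CAP) return CKR_TEMPLATE_INCONSISTENT;
        out[n++] = caller[i];
    }
    *nOut = n;
    return CKR_OK;
}

/* Refuse a mechanism not listed in CKA_ALLOWED_MECHANISMS (absent = unrestricted). */
CK_RV check_mechanism(const CK_ATTRIBUTE *key, CK_ULONG nKey, CK_ULONG mech) {
    const CK_ATTRIBUTE *a = find_attr(key, nKey, CKA_ALLOWED_MECHANISMS);
    if (!a) return CKR_OK;
    const CK_ULONG *m = a->pValue;
    for (CK_ULONG i = 0; i < a->ulValueLen / sizeof(CK_ULONG); i++)
        if (m[i] == mech) return CKR_OK;
    return CKR_MECHANISM_INVALID;
}

/* Policy chain: PrivK -> (template for K) -> (template for PrivK_new). */
static CK_BBOOL bTrue = 1, bFalse = 0;
static CK_ULONG clsPriv = CKO_PRIVATE_KEY, clsSecret = CKO_SECRET_KEY, aesLen = 32;
static CK_ULONG mRsaPkcs = CKM_RSA_PKCS, mAesCcm = CKM_AES_CCM;
static CK_ATTRIBUTE tPrvKey[] = {      /* policy for PrivK_new (target) */
    {CKA_CLASS, &clsPriv, sizeof clsPriv}, {CKA_SENSITIVE, &bTrue, sizeof bTrue},
    {CKA_EXTRACTABLE, &bFalse, sizeof bFalse}, {CKA_ALLOWED_MECHANISMS, &mRsaPkcs, sizeof mRsaPkcs},
};
static CK_ATTRIBUTE tAesKey[] = {      /* policy for K (intermediate AES key) */
    {CKA_CLASS, &clsSecret, sizeof clsSecret}, {CKA_VALUE_LEN, &aesLen, sizeof aesLen},
    {CKA_EXTRACTABLE, &bFalse, sizeof bFalse},
    {CKA_ALLOWED_MECHANISMS, &mAesCcm, sizeof mAesCcm},  /* CCM only: no padding oracle */
    {CKA_UNWRAP_TEMPLATE, tPrvKey, sizeof tPrvKey},     /* nested policy for stage 2 */
};
static CK_ATTRIBUTE tPrvKeyBase[] = {  /* PrivK, the base key already on the token */
    {CKA_ALLOWED_MECHANISMS, &mRsaPkcs, sizeof mRsaPkcs},
    {CKA_UNWRAP_TEMPLATE, tAesKey, sizeof tAesKey},
};

/* Stage 1: C_UnwrapKey(K) under PrivK; stage 2: C_UnwrapKey(PrivK_new) under K.
 * Each stage checks the mechanism, then merges caller template with policy. */
CK_RV two_stage_import(const CK_ATTRIBUTE *callerK, CK_ULONG nK, CK_ULONG mechK,
                       const CK_ATTRIBUTE *callerP, CK_ULONG nP, CK_ULONG mechP,
                       CK_ATTRIBUTE effK[EFF_CAP], CK_ULONG *nEffK,
                       CK_ATTRIBUTE effP[EFF_CAP], CK_ULONG *nEffP) {
    CK_RV rv = check_mechanism(tPrvKeyBase, NELEM(tPrvKeyBase), mechK);
    if (rv != CKR_OK) return rv;
    const CK_ATTRIBUTE *pol = find_attr(tPrvKeyBase, NELEM(tPrvKeyBase), CKA_UNWRAP_TEMPLATE);
    rv = apply_unwrap_template(pol->pValue, pol->ulValueLen / sizeof(CK_ATTRIBUTE),
                               callerK, nK, effK, nEffK);
    if (rv != CKR_OK) return rv;
    /* effK now carries tPrvKey: the nesting the proposal wants made explicit.
     * A token that dropped it would run stage 2 with no policy at all. */
    rv = check_mechanism(effK, *nEffK, mechP);
    if (rv != CKR_OK) return rv;
    pol = find_attr(effK, *nEffK, CKA_UNWRAP_TEMPLATE);      /* NULL: no nested policy */
    return apply_unwrap_template(pol ? pol->pValue : NULL,
                                 pol ? pol->ulValueLen / sizeof(CK_ATTRIBUTE) : 0,
                                 callerP, nP, effP, nEffP);
}
```

An honest import (CKM_RSA_PKCS at stage 1, CKM_AES_CCM at stage 2, caller templates that agree with the policies) succeeds and the effective PrivK_new template ends up sensitive and non-extractable. Asking for an extractable K, asking for a non-sensitive PrivK_new, or unwrapping at stage 2 with CKM_AES_CBC_PAD are each refused, which is exactly what the nested template plus the CCM-only mechanism list are meant to guarantee.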




