

Subject: RE: [pkcs11] RSA Key Import proposal


On 4/2/2013 7:12 PM, StJohns, Michael wrote:
>
> If you're worried about misuse of the AES key, then instead, how about defining a mechanism - CKM_RSA_AES_KEYWRAP? This defines a mechanism which first unwraps the AES key using RSA, and then uses the AES key wrap mechanism to unwrap the actual data? The AES key gets implicit attributes (and actually never gets a public handle) when unwrapped, and goes away once the other key is unwrapped. The template on the original RSA private key applies to the finally unwrapped new RSA private key.
>
> On the wrapping side, the AES key is generated internally, wraps the data, is encrypted under the RSA public key, and then zeroized.
>
> For an elliptic curve equivalent you probably need something like CKM_ECIES_AES_KEYWRAP.

Attached is the first draft of the proposed mechanism for secure key import using an RSA key.
Assuming this is acceptable, I will provide the elliptic curve equivalent so both can be merged with the 2.4 new mechanisms document.


Doron







Attachment: pkcs11-ckm-rsa-aes-key-wrap-r1.doc
Description: pkcs11-ckm-rsa-aes-key-wrap-r1.doc
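
The two-stage wrap discussed in this thread, sketched in software outside any PKCS#11 token. This is an added example, not taken from the attached draft or written by either poster. The function names, the use of RSA-OAEP with SHA-256, a 256-bit AES key, AES key wrap with padding (RFC 5649), and the "RSA block followed by AES-wrapped key" layout are all assumptions of the example; it uses the Python `cryptography` package.

```python
# Added illustration; not from the attached draft. Requires the "cryptography" package.
import os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.keywrap import (
    InvalidUnwrap, aes_key_wrap_with_padding, aes_key_unwrap_with_padding)

# Assumption: OAEP/SHA-256 for the RSA step; the e-mail does not name a padding.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)

def wrap_private_key(wrapping_pub, target_priv):
    """Wrapping side: an ephemeral AES key wraps the target, RSA wraps the AES key."""
    aes_key = os.urandom(32)  # generated internally, never returned to the caller
    der = target_priv.private_bytes(
        serialization.Encoding.DER, serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption())
    wrapped_target = aes_key_wrap_with_padding(aes_key, der)
    wrapped_aes = wrapping_pub.encrypt(aes_key, OAEP)
    # Assumed layout: RSA block (modulus length) followed by the AES-wrapped key.
    return wrapped_aes + wrapped_target

def unwrap_private_key(wrapping_priv, blob):
    """Unwrapping side: only the final key is returned; the AES key stays local."""
    n = wrapping_priv.key_size // 8
    if len(blob) <= n:
        raise ValueError("blob too short to hold both wrapped parts")
    aes_key = wrapping_priv.decrypt(blob[:n], OAEP)       # ValueError on failure
    der = aes_key_unwrap_with_padding(aes_key, blob[n:])  # InvalidUnwrap if altered
    return serialization.load_der_private_key(der, password=None)

def demo():
    """Round-trip a freshly generated key and check that tampering is rejected."""
    wrapping = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    target = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    blob = wrap_private_key(wrapping.public_key(), target)
    recovered = unwrap_private_key(wrapping, blob)
    same = recovered.private_numbers() == target.private_numbers()
    tampered = blob[:-1] + bytes([blob[-1] ^ 1])  # flip one bit of the AES-wrapped part
    try:
        unwrap_private_key(wrapping, tampered)
        rejected = False
    except InvalidUnwrap:
        rejected = True
    return same, rejected, len(blob)
```

In a token the intermediate AES key would never leave the device or receive a handle; here it is only a local variable, and Python gives no guarantee that its memory is zeroized.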


