pkcs11 message



Subject: Re: [pkcs11] CKM_SEAL_KEY


On 7/3/2013 3:07 AM, Oscar K So Jr. wrote:
> Thanks Michael.
>
> Q#3 (continue # from previous emails):
> I tried to dig through the old emails, but I could not find the "Use Case" example for CKM_SEAL_KEY.

AFAIK that's usually not included with a mechanism description.  But there is a code example.

> But, here is one example that I can think of (if I understand this correctly):
> Backing up a wrapped RSA private key, a password on a USB stick for temporary use, and sealing it with this CKM_SEAL_KEY mechanism.
> This wrapped RSA private key is by no means to be exported anywhere outside of the token.

I'm not actually sure what the question is.  If you're saying this is one example of a use case, I'm not sure what the password comment is about.

How about:  Token has space for 50 keys.  Application needs to use 1000 keys.  It's willing to manage the loading and unloading as necessary.  Application generates the keys on the token (or derives them using something like ECDH), seals them (exporting the encrypted blob), and then deletes the generated key.  Later, when it needs the key, it unseals it from the encrypted blob, creating a new key on the token.

Mike

> Best,
> Oscar
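As an added illustration of the 50-slot/1000-key scenario Mike describes (this is not code from the thread nor from any PKCS#11 implementation): a constructed Python stand-in for a token with a fixed number of key slots, whose seal() exports a key only as a blob encrypted and authenticated under a token-internal secret, so the blob can be unsealed only by the token that produced it. The HMAC-based stream cipher, the class and method names, and the RuntimeError/ValueError signalling are assumptions of this model, not the CKM_SEAL_KEY API.

```python
import os, hmac, hashlib

class TokenSim:
    # Constructed stand-in for a PKCS#11 token with a fixed number of key slots.
    # Key bytes live only in _slots; seal() exports them encrypted and MACed under
    # a token-internal secret, so a blob is only usable on the token that made it.
    def __init__(self, capacity):
        self.capacity, self._slots, self._next = capacity, {}, 1
        self._seal_secret = os.urandom(32)           # never leaves the token
    def _alloc(self, key):
        if len(self._slots) >= self.capacity:
            raise RuntimeError("token full")         # cf. CKR_DEVICE_MEMORY
        h, self._next = self._next, self._next + 1
        self._slots[h] = key
        return h
    def generate_key(self):
        return self._alloc(os.urandom(32))
    def destroy(self, handle):
        del self._slots[handle]
    def fingerprint(self, handle):                   # an on-token "use" of the key
        return hashlib.sha256(self._slots[handle]).hexdigest()
    def _keystream(self, nonce, n):
        # Stand-in stream cipher: HMAC in counter mode (illustration, not AES).
        blocks = [hmac.new(self._seal_secret, nonce + i.to_bytes(4, "big"),
                           hashlib.sha256).digest() for i in range(n // 32 + 1)]
        return b"".join(blocks)[:n]
    def seal(self, handle):
        key, nonce = self._slots[handle], os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(key, self._keystream(nonce, len(key))))
        tag = hmac.new(self._seal_secret, b"tag" + nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag                      # the exported blob
    def unseal(self, blob):
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        want = hmac.new(self._seal_secret, b"tag" + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, want):       # other token, or tampered blob
            raise ValueError("blob was not sealed by this token")
        key = bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))
        return self._alloc(key)                      # a new key object on the token

def seal_and_evict_all(token, n_keys):
    # Application side: generate n_keys on a smaller token and keep only the
    # sealed blobs off-token; each slot is freed right after its key is sealed.
    blobs = []
    for _ in range(n_keys):
        h = token.generate_key()
        blobs.append(token.seal(h))
        token.destroy(h)
    return blobs
```

Unsealing a blob on a different TokenSim instance fails the tag check, which is the property that makes the blob safe to store off-token.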