Discuss this help topic in SecureBlackbox Forum

Use hardware cryptographic keys for signing and encryption

Using asymmetric keys stored on hardware devices (smart cards, USB tokens, HSMs) is no harder than using keys loaded from files. The only difference is how the key material object is prepared: the private key never leaves the device, and the crypto object hands the private-key operation over to it through the PKCS#11 driver.

If you access the hardware cryptographic key via PKCS#11:

  1. Use the TElPKCS11CertStorage component to access the token. Load the driver (the vendor's PKCS#11 module), then open a session on the slot that holds the token, then log in if the operation requires it. Private-key operations (signing, decryption) normally require a user login; listing public keys usually does not.
  2. The cryptographic keys in the storage are accessed via the Keys[] property (the get_Keys() method in C#) of TElPKCS11CertStorage. If the device holds several keys, iterate over Keys[] together with KeyIDs[] to find the right one. Depending on the type of the object returned by Keys[], the corresponding key material class has to be used, e.g., TElRSAKeyMaterial for an RSA key. If you plan to use the key for an operation involving the private key (signing, decryption), check its IsSecret property first: a public-only entry will only work for encryption and signature verification.
  3. When the desired key is found, assign it to the crypto object's KeyMaterial property. Cast the object explicitly to the appropriate type if needed: crypto.KeyMaterial = (TElRSAKeyMaterial)(storage.get_Keys(idx));
  4. Perform the operation as normal (consult the following articles for signing, encryption, decryption, or signature verification).
  5. Don't forget to dispose of the crypto object first, since its key material refers to the open session, and only then log out, close the PKCS#11 session and close the storage.
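The whole procedure above in one piece, as an added example rather than code from the SecureBlackbox documentation: it opens a PKCS#11 module, logs in, picks the first RSA key whose private half is on the token, signs a constructed message with it, and tears everything down in the order step 5 requires. The module path, slot index and PIN source are assumptions for your device; the names TSBPKCS11UserType.utUser, KeyCount, TElPKCS11SessionInfo.Close() and the two-stream SignDetached overload are written from memory of the .NET edition and are marked as assumptions in the comments, so check them against your version's reference.

```csharp
using System;
using System.IO;
using System.Text;
using SBConstants;
using SBPKCS11Base;
using SBPKCS11CertStorage;
using SBPublicKeyCrypto;
using SBRSA;

// Added example (not from the SecureBlackbox docs): detached RSA signature with a key on a PKCS#11 token.
class Pkcs11SignExample
{
    // Assumption: path of the vendor's PKCS#11 module (a .so on Linux, a .dll on Windows).
    const string ModulePath = @"C:\Windows\System32\eTPKCS11.dll";

    static void Main()
    {
        // Never hard-code the PIN; here it is taken from the environment (assumed variable name).
        string pin = Environment.GetEnvironmentVariable("TOKEN_PIN");
        if (string.IsNullOrEmpty(pin))
            throw new InvalidOperationException("set TOKEN_PIN");

        byte[] message = Encoding.ASCII.GetBytes("constructed sample input"); // constructed input
        byte[] signature = SignWithToken(message, slotIndex: 0, pin: pin);    // slot 0 is an assumption
        Console.WriteLine("signature bytes: " + signature.Length);
    }

    static byte[] SignWithToken(byte[] data, int slotIndex, string pin)
    {
        // Step 1: load the driver, open a read-only session, log in as the user.
        TElPKCS11CertStorage storage = new TElPKCS11CertStorage();
        storage.DLLName = ModulePath;
        storage.Open();
        TElPKCS11SessionInfo session = storage.OpenSession(slotIndex, true);
        TElRSAPublicKeyCrypto crypto = null;
        try
        {
            session.Login(TSBPKCS11UserType.utUser, pin); // enum member name is an assumption

            // Step 2: walk Keys[] and keep the first RSA key whose private half is on the token.
            TElRSAKeyMaterial key = null;
            for (int i = 0; i < storage.KeyCount; i++) // KeyCount is an assumed property name
            {
                TElRSAKeyMaterial candidate = storage.get_Keys(i) as TElRSAKeyMaterial;
                if (candidate != null && candidate.IsSecret)
                {
                    key = candidate;
                    break;
                }
            }
            if (key == null)
                throw new InvalidOperationException("no RSA private key found on the token");

            // Step 3: hand the key material to the crypto object. The private key stays on the
            // device; the token performs the RSA operation when SignDetached is called.
            crypto = new TElRSAPublicKeyCrypto();
            crypto.KeyMaterial = key;
            crypto.HashAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA256;
            crypto.InputIsHash = false; // pass raw data; the component hashes it before signing

            // Step 4: produce a detached signature over the data.
            using (MemoryStream input = new MemoryStream(data))
            using (MemoryStream output = new MemoryStream())
            {
                crypto.SignDetached(input, output); // two-stream overload is an assumption
                return output.ToArray();
            }
        }
        finally
        {
            // Step 5: the key material references the session, so release the crypto object
            // before logging out and closing the session, then close the storage.
            if (crypto != null)
                crypto.Dispose();
            session.Logout();
            session.Close();   // assumed; some versions expose storage.CloseSession(session) instead
            storage.Close();
        }
    }
}
```

If the token reports a login failure, stop rather than retrying in a loop: most tokens lock after a small number of wrong PINs. A public-only key (IsSecret false) is skipped above on purpose; assigning it and calling SignDetached would fail at the operation, not at the assignment.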

How To articles related to low-level cryptography
