EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Encrypting data with certificate

Also by EldoS: CallbackDisk
Create virtual disks backed by memory or custom location, expose disk images as disks and more.
#13503
Posted: 05/29/2010 02:03:58
by Tomislav Jakopović (Basic support level)
Joined: 05/22/2010
Posts: 38

HI,
I have a certificate stored in PKCS#11 token and a set of private/public rsa/1024 keys. Is it possible to encrypt message using public key and decrypt using private key with RSA keys?

I ask this becouse its a know fact that if a data is bigger than the RSA key from the certificate, Encryption cannot be made.

I have tried decrypting with certificates using .NET XML signing functions and I get an exception that data to encrypt is bigger than the key.

Does PKIBlackBox support exchange of data bigger than the keys from certificates? and if yes,how?
#13504
Posted: 05/29/2010 02:32:51
by Eugene Mayevski (EldoS Corp.)

Direct signing or encryption of data using RSA is meaningless: RSA is way too slow for such operation. Of course you can create a function which will split the input stream to 112 byte chunks (max. size for 128-bit RSA) and encrypt them one by one. However, such format won't be handled by any other software and as you will find out soon, will take too long for practical implementation.

So the correct approach is not to reinvent the wheel and use industry-standard formats such as PKCS#7.


Sincerely yours
Eugene Mayevski
#13505
Posted: 05/29/2010 03:03:32
by Tomislav Jakopović (Basic support level)
Joined: 05/22/2010
Posts: 38

Quote
Eugene Mayevski wrote:
Direct signing or encryption of data using RSA is meaningless: RSA is way too slow for such operation. Of course you can create a function which will split the input stream to 112 byte chunks (max. size for 128-bit RSA) and encrypt them one by one. However, such format won't be handled by any other software and as you will find out soon, will take too long for practical implementation.

So the correct approach is not to reinvent the wheel and use industry-standard formats such as PKCS#7.


I see.Basically, i have to write a java card applet for storing the privatekey and that can encrpt data that I send from the host computer. By no means I can let this private key be stored on the host computer.Is there a way of doing this usi PKIBlackBox?
#13506
Posted: 05/29/2010 03:30:04
by Eugene Mayevski (EldoS Corp.)

I am not sure that I understood your question. What particular operations you want to perform with PKIBlackbox? If you are asking about encryption of data using the key stored on the card, then the answer is yes, if the device supports PKCS#11 interface. There exist other interfaces such as PC-SC or PKCS#15, but we don't support them for various reasons.


Sincerely yours
Eugene Mayevski
#13507
Posted: 05/29/2010 03:40:22
by Tomislav Jakopović (Basic support level)
Joined: 05/22/2010
Posts: 38

Quote
Eugene Mayevski wrote:
I am not sure that I understood your question. What particular operations you want to perform with PKIBlackbox? If you are asking about encryption of data using the key stored on the card, then the answer is yes, if the device supports PKCS#11 interface. There exist other interfaces such as PC-SC or PKCS#15, but we don't support them for various reasons.
Quote
Eugene Mayevski wrote:
I am not sure that I understood your question. What particular operations you want to perform with PKIBlackbox? If you are asking about encryption of data using the key stored on the card, then the answer is yes, if the device supports PKCS#11 interface. There exist other interfaces such as PC-SC or PKCS#15, but we don't support them for various reasons.


OK, so I if I have a key on the card that supports PKCS#11 interface,can I encrypt arbitrary array of data?Becouser the keys on my card are RSA keys. Basically I need to secure my channel with key stored on the card and remote server
#13508
Posted: 05/29/2010 03:48:40
by Tomislav Jakopović (Basic support level)
Joined: 05/22/2010
Posts: 38

Quote
Tomislav Jakopović wrote:
Quote
Eugene Mayevski wrote:
I am not sure that I understood your question. What particular operations you want to perform with PKIBlackbox? If you are asking about encryption of data using the key stored on the card, then the answer is yes, if the device supports PKCS#11 interface. There exist other interfaces such as PC-SC or PKCS#15, but we don't support them for various reasons.
Quote
Eugene Mayevski wrote:
I am not sure that I understood your question. What particular operations you want to perform with PKIBlackbox? If you are asking about encryption of data using the key stored on the card, then the answer is yes, if the device supports PKCS#11 interface. There exist other interfaces such as PC-SC or PKCS#15, but we don't support them for various reasons.


OK, so I if I have a key on the card that supports PKCS#11 interface,can I encrypt arbitrary array of data?Becouser the keys on my card are RSA keys. Basically I need to secure my channel with key stored on the card and remote server


To be exact,I have to send a message to the webserver,that is encryped with a key on the card. The server would decrypt the message, done some logic,encrypted the response, and send back the response.
#13509
Posted: 05/29/2010 03:50:23
by Eugene Mayevski (EldoS Corp.)

See my message above about encryption with RSA keys.


Sincerely yours
Eugene Mayevski
#13510
Posted: 05/29/2010 03:59:52
by Tomislav Jakopović (Basic support level)
Joined: 05/22/2010
Posts: 38

Quote
Eugene Mayevski wrote:
See my message above about encryption with RSA keys.


Hi,
Yes I understand that,but unfortunately,I still dont know how can I establish secure channel from my host application and remote server using certificate from the smartcard. I tried using it manually with SOAP extensions,signing the request with the certificate from the smart card and then encrypting the whole message with server's certificate public key, and the server woudl do the opposite.
But now,as you said RSA encryption is meaningless, and Im back to square one to begin with. Any help,guideline with using your components,would be highly appreciated. As you can see,Im having troubles in architectural design of the whole system becouse If I get an idea, I dont know it its implementable
#13512
Posted: 05/29/2010 05:39:07
by Eugene Mayevski (EldoS Corp.)

You are mixing "certificate" and "RSA key". Certificate is more high-level entity, than a key, so is certificate-based encryption comparing to RSA encryption. Low-level RSA encryption is meaningless (except short blocks such as session keys for symmetric encryption), but you've been offered to use certificate-based encryption and signing using TElMessageSigner / TElMessageEncryptor / TElMessageVerifier / TElMessageDecryptor. They can be used with certificate and private key residing on PKCS#11-compliant smartcard, and you can accomplish your task trivially by just using those classes.


Sincerely yours
Eugene Mayevski
#13514
Posted: 05/29/2010 07:25:38
by Tomislav Jakopović (Basic support level)
Joined: 05/22/2010
Posts: 38

Quote
Eugene Mayevski wrote:
You are mixing "certificate" and "RSA key". Certificate is more high-level entity, than a key, so is certificate-based encryption comparing to RSA encryption. Low-level RSA encryption is meaningless (except short blocks such as session keys for symmetric encryption), but you've been offered to use certificate-based encryption and signing using TElMessageSigner / TElMessageEncryptor / TElMessageVerifier / TElMessageDecryptor. They can be used with certificate and private key residing on PKCS#11-compliant smartcard, and you can accomplish your task trivially by just using those classes.
Quote
Eugene Mayevski wrote:
You are mixing "certificate" and "RSA key". Certificate is more high-level entity, than a key, so is certificate-based encryption comparing to RSA encryption. Low-level RSA encryption is meaningless (except short blocks such as session keys for symmetric encryption), but you've been offered to use certificate-based encryption and signing using TElMessageSigner / TElMessageEncryptor / TElMessageVerifier / TElMessageDecryptor. They can be used with certificate and private key residing on PKCS#11-compliant smartcard, and you can accomplish your task trivially by just using those classes.


Hi

but when I stored the certificate on the card, I associated it with rsa private/public keypair. Would this mean that I cant encrypt messages becouse the certificate is using the rsa keys(1024 bits). I initialized these certificates using OpenSC
Also by EldoS: CallbackProcess
A component to control process creation and termination in Windows and .NET applications.

Reply

Statistics

Topic viewed 3082 times

Number of guests: 1, registered members: 0, in total hidden: 0




|

Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!