XML Encryption

#1449
Posted: 10/13/2006 17:47:27
by Haris Zujo (Standard support level)
Joined: 05/12/2006
Posts: 33

Hi

I have a problem and I am wondering if you can help me with an example.

I need to encrypt an XML document using "Key wrap" for the KEK type. In the Simple Encryptor example you load a key from a file
Quote
F := TFileStream.Create(frmEnc.KeyFile, fmOpenRead or fmShareDenyWrite);
SymKEKData.Key.Load(F);

but I need to use a public RSA key loaded from an X509 certificate.

regards Haris
#1450
Posted: 10/13/2006 18:12:13
by Dmytro Bogatskyy (EldoS Corp.)

Quote
Haris Zujo wrote:
I have a problem and I am wondering if you can help me with an example.

I need to encrypt an XML document using "Key wrap" for the KEK type. In the Simple Encryptor example you load a key from a file

but I need to use a public RSA key loaded from an X509 certificate.

The "key wrap" algorithms are symmetric-only algorithms (Triple-DES key wrap and AES key wrap).
For an RSA key you should use the "key transport" algorithms.
#1453
Posted: 10/16/2006 07:56:06
by Haris Zujo (Standard support level)
Joined: 05/12/2006
Posts: 33

Can you tell me the correct way to decode an XML document encoded to an X509 certificate on the crypto card?

Usually I can't decrypt this document because the private key can't be exported and the crypto card does not have enough memory to decrypt the entire document. The second thing is that some crypto cards don't support "key transport" encoded documents at all.

Have you any suggestions?

Regards Haris
#1454
Posted: 10/16/2006 11:55:50
by Dmytro Bogatskyy (EldoS Corp.)

Quote
Can you tell me the correct way to decode an XML document encoded to an X509 certificate on the crypto card?

You should load the certificate using PKCS11 (see TElPKCS11CertStorage and Samples\PKI\PKCS11), and then pass it to X509KeyData.

Quote
Usually I can't decrypt this document because the private key can't be exported and the crypto card does not have enough memory to decrypt the entire document. The second thing is that some crypto cards don't support "key transport" encoded documents at all.

"Key transport" algorithms are public key encryption algorithms specified for encrypting and decrypting keys. Those keys are then used for encrypting and decrypting the XML document with the specified symmetric algorithm.
The crypto card simply needs to support the encrypt/decrypt operation. With a non-exportable certificate it will decrypt a small piece of data (the session key).
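Posts #1450 and #1454 together describe the two ways XML Encryption can protect the content-encryption key (CEK): key wrap, which needs a symmetric KEK that both sides already share, and key transport, where the CEK is encrypted to the recipient's RSA public key and the card only ever decrypts that short blob. The Go program below is an added illustration written for this page; it is not EldoS/SecureBlackbox code and not the Delphi sample discussed in the thread. It implements RFC 3394 AES key wrap (the algorithm behind the xmlenc kw-aes128/192/256 identifiers) and RSA-OAEP key transport (xmlenc rsa-oaep-mgf1p, which is OAEP with SHA-1 and MGF1) using only the standard library. The function names are my own, the certificate passed to TransportKey is assumed to come from x509.ParseCertificate, and no xenc:EncryptedKey XML element is built here, only its CipherValue bytes.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

const kwIV uint64 = 0xA6A6A6A6A6A6A6A6 // RFC 3394 integrity check value

// AESKeyWrap is RFC 3394 key wrap (xmlenc kw-aes128/192/256): it needs a symmetric KEK both sides already share.
func AESKeyWrap(kek, key []byte) ([]byte, error) {
	if len(key)%8 != 0 || len(key) < 16 {
		return nil, errors.New("key data must be a multiple of 64 bits, at least 128 bits")
	}
	c, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	r := make([]uint64, len(key)/8) // R[1..n] as 64-bit words
	for i := range r {
		r[i] = binary.BigEndian.Uint64(key[8*i:])
	}
	a, b := kwIV, make([]byte, 16)
	for j := 0; j < 6; j++ {
		for i := range r {
			binary.BigEndian.PutUint64(b[:8], a)
			binary.BigEndian.PutUint64(b[8:], r[i])
			c.Encrypt(b, b)
			a = binary.BigEndian.Uint64(b[:8]) ^ uint64(len(r)*j+i+1) // t = n*j + i with i 1-based
			r[i] = binary.BigEndian.Uint64(b[8:])
		}
	}
	out := make([]byte, 8*(len(r)+1))
	binary.BigEndian.PutUint64(out, a)
	for i := range r {
		binary.BigEndian.PutUint64(out[8*(i+1):], r[i])
	}
	return out, nil
}

// AESKeyUnwrap reverses AESKeyWrap; a wrong KEK or a tampered blob fails the check value.
func AESKeyUnwrap(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped)%8 != 0 || len(wrapped) < 24 {
		return nil, errors.New("wrapped key must be a multiple of 64 bits, at least 192 bits")
	}
	c, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	r := make([]uint64, len(wrapped)/8-1)
	for i := range r {
		r[i] = binary.BigEndian.Uint64(wrapped[8*(i+1):])
	}
	a, b := binary.BigEndian.Uint64(wrapped), make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := len(r) - 1; i >= 0; i-- {
			binary.BigEndian.PutUint64(b[:8], a^uint64(len(r)*j+i+1))
			binary.BigEndian.PutUint64(b[8:], r[i])
			c.Decrypt(b, b)
			a = binary.BigEndian.Uint64(b[:8])
			r[i] = binary.BigEndian.Uint64(b[8:])
		}
	}
	if a != kwIV {
		return nil, errors.New("key unwrap failed: wrong KEK or corrupted data")
	}
	out := make([]byte, 8*len(r))
	for i := range r {
		binary.BigEndian.PutUint64(out[8*i:], r[i])
	}
	return out, nil
}

// TransportKey is key transport (xmlenc rsa-oaep-mgf1p): the CEK is encrypted to the RSA public key in the recipient's certificate.
func TransportKey(cert *x509.Certificate, cek []byte) ([]byte, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate does not carry an RSA public key")
	}
	return rsa.EncryptOAEP(sha1.New(), rand.Reader, pub, cek, nil)
}

// RecoverTransportedKey is the only private-key operation the card performs: one RSA decryption of the short CEK blob.
func RecoverTransportedKey(priv *rsa.PrivateKey, ek []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha1.New(), rand.Reader, priv, ek, nil)
}

func main() { // stand-alone run against the RFC 3394 section 4.1 test vector
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	w, err := AESKeyWrap(kek, []byte("\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\xcc\xdd\xee\xff"))
	fmt.Printf("%X %v\n", w, err) // 1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5 <nil>
}
```

AESKeyWrap takes nothing a certificate can supply, which is why the X.509 setup in this thread has to go through TransportKey. What the card decrypts in RecoverTransportedKey is a single modulus-sized ciphertext (256 bytes for a 2048-bit key) containing a 16- or 32-byte CEK, so the size of the XML document never matters to the card; the body is decrypted in software with the recovered CEK. OAEP with SHA-1 is used here only because that is what rsa-oaep-mgf1p specifies; if a peer insists on rsa-1_5 (PKCS#1 v1.5 padding), be aware that it is vulnerable to padding-oracle attacks and is the weaker choice.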
#1455
Posted: 10/17/2006 03:00:51
by Haris Zujo (Standard support level)
Joined: 05/12/2006
Posts: 33

Quote
You should load the certificate using PKCS11 (see TElPKCS11CertStorage and Samples\PKI\PKCS11), and then pass it to X509KeyData.


Tell me if there is any difference if I load the certificate from the Windows cert store or from PKCSCertStore directly, because the SmartTrust software automatically transfers certs from the card to the Windows cert storage?
#1456
Posted: 10/17/2006 06:42:12
by Eugene Mayevski (EldoS Corp.)

There's no difference, unless your smartcard drivers do something special that prevents some function from working correctly.


Sincerely yours
Eugene Mayevski
#1457
Posted: 10/17/2006 07:55:18
by Haris Zujo (Standard support level)
Joined: 05/12/2006
Posts: 33

Here is my problem. I can't decrypt a document encrypted for a certificate on the crypto card. I have tested with cards with the following software: SmartTrust, iD2 and ActiveCard Gold-2.3.1. When I try to decrypt the document I get the following error message:

---------------------------
Project1
---------------------------
Decryption failed. Error code: 0x8550.
---------------------------
OK
---------------------------
Do you have any idea what this code means?
#1458
Posted: 10/17/2006 08:21:04
by Eugene Mayevski (EldoS Corp.)

Invalid KEK. Probably you passed the wrong certificate, or the certificate's key was not accessible for use for some reason.


Sincerely yours
Eugene Mayevski
#1461
Posted: 10/17/2006 11:56:47
by Haris Zujo (Standard support level)
Joined: 05/12/2006
Posts: 33

Ok. Can you try it yourself?
For that purpose I've prepared a slightly modified version of “Simple Encryptor” that uses certificates from the Windows cert store.

1. Encrypt an XML document (be sure to select a certificate from the crypto card).
2. Decrypt that document using the same certificate that you used for encryption.

I’m pretty sure that you will get the error that I mentioned earlier in the post.

If you use an ordinary certificate, the sample code will work without any problems!


#1462
Posted: 10/18/2006 01:04:24
by Eugene Mayevski (EldoS Corp.)

The issue is indeed present. We are working on it now.


Sincerely yours
Eugene Mayevski