EldoS | Feel safer!

Software components for data protection, secure storage and transfer

HSM Decryption

Also by EldoS: CallbackDisk
Create virtual disks backed by memory or custom location, expose disk images as disks and more.
Posted: 05/23/2012 03:23:02
by Martin Frommeyer (Basic support level)
Joined: 05/23/2012
Posts: 5

I want to decrypt data using 3DES with a key from a HSM. I have a TElPKCS11CertStorage object with a open session and I found the correct TElPKCS11SecretKeyObject in it, but I cant find fitting TElKeyMaterial via the get_Keys() function. I think I will need the TElKeyMaterial (or TElSymmetricKeyMaterial) for decryption using the TEl3DESSymmetricCrypto.

How can I solve this problem?
Posted: 05/23/2012 03:51:22
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

Could you please clarify if TElPKCS11CertStorage.KeyCount is 0 or not. How do you find corresponding TElKeyMaterial? You can post your code here, so we'll be able to find the problem faster.

Also, if you have a license, please assign the license ticket to your user account before we continue. The ticket itself and the procedure of it's use are specified in the registration e-mail that was sent to you upon license purchase.
Posted: 05/23/2012 04:02:52
by Martin Frommeyer (Basic support level)
Joined: 05/23/2012
Posts: 5

Key Count is 4. Object count is 35.
In the section which cycles throug the objects I get the fitting key, but I get no result via get_Keys (which is a TElSymmetricKeyMaterial).
So this code fails, because the "keyMaterial" remains null.

        public byte[] Decrypt(byte[] encryptedData, string keyName, int mechanism, byte[] iv)
            if (_currentSession == null)
                throw new HsmCommunicationException("No session opened. Decryption not possible.");
            byte[] retVal=new byte[encryptedData.Length];
            #region Get Key

            TElPKCS11SecretKeyObject key = null;
            TElSymmetricKeyMaterial keyMaterial = null;
            for (int i = 0; i < _storage.ObjectCount; i++)
                TElPKCS11Object obj=_storage.get_Objects(i);
                if (obj.ObjectLabel==keyName && obj.ObjectType==TSBPKCS11ObjectType.otSecretKey)
                    key = (TElPKCS11SecretKeyObject) obj;

            for (int i = 0; i < _storage.KeyCount; i++)
                TElKeyMaterial tempKeyMaterial = _storage.get_Keys(i);
                if (tempKeyMaterial is TElSymmetricKeyMaterial)
                    keyMaterial = (TElSymmetricKeyMaterial) tempKeyMaterial;


            //if (iv!=null) key.KeyMaterial.Key.IV = iv;
            #region Decrypt

            TEl3DESSymmetricCrypto crypto = new TEl3DESSymmetricCrypto(TSBSymmetricCryptoMode.cmCBC, key.CryptoProvider);
            crypto.KeyMaterial = keyMaterial;
            int outSize = encryptedData.Length;
            crypto.Decrypt(encryptedData, 0, encryptedData.Length, ref retVal, 0, ref outSize);
            return retVal;
Posted: 05/23/2012 04:15:10
by Vsevolod Ievgiienko (EldoS Corp.)

You should better use key ID to find it. First you should record it using TElPKCS11SecretKeyObject.ID property. Then you can find a needed key index by comparing recorded ID to each of TElPKCS11CertStorage.KeyIDs.
Posted: 05/23/2012 04:28:42
by Martin Frommeyer (Basic support level)
Joined: 05/23/2012
Posts: 5

The TElPKCS11SecretKeyObject has no ID Property, only a KeyID property, which is 0 byte long in my case, so it wont be usefull for comparing. But still I have the problem, that I only recive TElPKCS11PublicKeyObject elements from the "get_Keys" function, but there should be a TElPKCS11SecretKeyObject in it.
Posted: 05/23/2012 04:58:55
by Ken Ivanov (EldoS Corp.)


Your understanding of the components' work is correct, and your code should work as you expect it to - i.e. the relevant TElSymmetricKeyMaterial object should be available via the get_Keys() property. I guess there is some problem with the key itself that results in TElPKCS11CertStorage failing to load it into the TElSymmetricKeyMaterial instance.

Let's try to import the key manually:

TElPKCS11SecretKeyObject obj = <the secret key object you've found by enumerating objects>
TElPKCS11SessionInfo sessInfo = <opened session object>

SBCryptoProv.TElCustomCryptoKey ck = sessInfo.CryptoProvider.CreateKey(SBConstants.Unit.SB_ALGORITHM_CNT_SYMMETRIC, 0, null);
ck.SetKeyProp(SBCryptoProv.Unit.SB_KEYPROP_PKCS11_SESSION_HANDLE, SBCryptoProvUtils.Unit.GetBufferFromInteger((int)sessInfo.Handle));
ck.SetKeyProp(SBCryptoProv.Unit.SB_KEYPROP_PKCS11_KEY_HANDLE, SBCryptoProvUtils.Unit.GetBufferFromInteger((int)obj.Handle));
TElSymmetricKeyMaterial km = new TElSymmetricKeyMaterial(ck, sessInfo.CryptoProvider);

If my guess is correct, the above code should throw an exception on some stage.
Posted: 05/23/2012 05:14:00
by Martin Frommeyer (Basic support level)
Joined: 05/23/2012
Posts: 5

Your guess is correct ;-)
The line "... ck = sessInfo. ..." throws: "Unsupported algorithm (28706)".
I remember I had a exception like this, when I tried to manualy create the KeyMaterial from my found key and the coresponding crypto provider.

What does it mean?
The key itself works, I allready tried it successfull on an other implementation.
Posted: 05/23/2012 09:23:15
by Ken Ivanov (EldoS Corp.)

Thank you for checking. Could you please try to replace the SBConstants.Unit.SB_ALGORITHM_CNT_SYMMETRIC entry with SBConstants.Unit.SB_ALGORITHM_CNT_3DES and check if it changes anything?
Posted: 05/23/2012 09:31:17
by Martin Frommeyer (Basic support level)
Joined: 05/23/2012
Posts: 5

Thanks for the answer. I just checked it, now the error message is "Unsupported algorithm (28675)".
Posted: 05/23/2012 09:53:45
by Ken Ivanov (EldoS Corp.)

Thank you. As a part of further investigation, we would ask you to run a small investigation tool in your environment and send us the results. As the forum doesn't support big attachments, I've created a ticket in the Helpdesk for you, and uploaded the tool together with further instructions there.
Also by EldoS: MsgConnect
Cross-platform protocol-independent communication framework for building peer-to-peer and client-server applications and middleware components.



Topic viewed 1661 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!