EldoS | Feel safer!

Software components for data protection, secure storage and transfer

HSM Decryption

Also by EldoS: MsgConnect
Cross-platform protocol-independent communication framework for building peer-to-peer and client-server applications and middleware components.
Posted: 05/23/2012 03:23:02
by Martin Frommeyer (Basic support level)
Joined: 05/23/2012
Posts: 5

I want to decrypt data using 3DES with a key from a HSM. I have a TElPKCS11CertStorage object with a open session and I found the correct TElPKCS11SecretKeyObject in it, but I cant find fitting TElKeyMaterial via the get_Keys() function. I think I will need the TElKeyMaterial (or TElSymmetricKeyMaterial) for decryption using the TEl3DESSymmetricCrypto.

How can I solve this problem?
Posted: 05/23/2012 03:51:22
by Vsevolod Ievgiienko (Team)

Thank you for contacting us.

Could you please clarify if TElPKCS11CertStorage.KeyCount is 0 or not. How do you find corresponding TElKeyMaterial? You can post your code here, so we'll be able to find the problem faster.

Also, if you have a license, please assign the license ticket to your user account before we continue. The ticket itself and the procedure of it's use are specified in the registration e-mail that was sent to you upon license purchase.
Posted: 05/23/2012 04:02:52
by Martin Frommeyer (Basic support level)
Joined: 05/23/2012
Posts: 5

Key Count is 4. Object count is 35.
In the section which cycles throug the objects I get the fitting key, but I get no result via get_Keys (which is a TElSymmetricKeyMaterial).
So this code fails, because the "keyMaterial" remains null.

        public byte[] Decrypt(byte[] encryptedData, string keyName, int mechanism, byte[] iv)
            if (_currentSession == null)
                throw new HsmCommunicationException("No session opened. Decryption not possible.");
            byte[] retVal=new byte[encryptedData.Length];
            #region Get Key

            TElPKCS11SecretKeyObject key = null;
            TElSymmetricKeyMaterial keyMaterial = null;
            for (int i = 0; i < _storage.ObjectCount; i++)
                TElPKCS11Object obj=_storage.get_Objects(i);
                if (obj.ObjectLabel==keyName && obj.ObjectType==TSBPKCS11ObjectType.otSecretKey)
                    key = (TElPKCS11SecretKeyObject) obj;

            for (int i = 0; i < _storage.KeyCount; i++)
                TElKeyMaterial tempKeyMaterial = _storage.get_Keys(i);
                if (tempKeyMaterial is TElSymmetricKeyMaterial)
                    keyMaterial = (TElSymmetricKeyMaterial) tempKeyMaterial;


            //if (iv!=null) key.KeyMaterial.Key.IV = iv;
            #region Decrypt

            TEl3DESSymmetricCrypto crypto = new TEl3DESSymmetricCrypto(TSBSymmetricCryptoMode.cmCBC, key.CryptoProvider);
            crypto.KeyMaterial = keyMaterial;
            int outSize = encryptedData.Length;
            crypto.Decrypt(encryptedData, 0, encryptedData.Length, ref retVal, 0, ref outSize);
            return retVal;
Posted: 05/23/2012 04:15:10
by Vsevolod Ievgiienko (Team)

You should better use key ID to find it. First you should record it using TElPKCS11SecretKeyObject.ID property. Then you can find a needed key index by comparing recorded ID to each of TElPKCS11CertStorage.KeyIDs.
Posted: 05/23/2012 04:28:42
by Martin Frommeyer (Basic support level)
Joined: 05/23/2012
Posts: 5

The TElPKCS11SecretKeyObject has no ID Property, only a KeyID property, which is 0 byte long in my case, so it wont be usefull for comparing. But still I have the problem, that I only recive TElPKCS11PublicKeyObject elements from the "get_Keys" function, but there should be a TElPKCS11SecretKeyObject in it.
Posted: 05/23/2012 04:58:55
by Ken Ivanov (Team)


Your understanding of the components' work is correct, and your code should work as you expect it to - i.e. the relevant TElSymmetricKeyMaterial object should be available via the get_Keys() property. I guess there is some problem with the key itself that results in TElPKCS11CertStorage failing to load it into the TElSymmetricKeyMaterial instance.

Let's try to import the key manually:

TElPKCS11SecretKeyObject obj = <the secret key object you've found by enumerating objects>
TElPKCS11SessionInfo sessInfo = <opened session object>

SBCryptoProv.TElCustomCryptoKey ck = sessInfo.CryptoProvider.CreateKey(SBConstants.Unit.SB_ALGORITHM_CNT_SYMMETRIC, 0, null);
ck.SetKeyProp(SBCryptoProv.Unit.SB_KEYPROP_PKCS11_SESSION_HANDLE, SBCryptoProvUtils.Unit.GetBufferFromInteger((int)sessInfo.Handle));
ck.SetKeyProp(SBCryptoProv.Unit.SB_KEYPROP_PKCS11_KEY_HANDLE, SBCryptoProvUtils.Unit.GetBufferFromInteger((int)obj.Handle));
TElSymmetricKeyMaterial km = new TElSymmetricKeyMaterial(ck, sessInfo.CryptoProvider);

If my guess is correct, the above code should throw an exception on some stage.
Posted: 05/23/2012 05:14:00
by Martin Frommeyer (Basic support level)
Joined: 05/23/2012
Posts: 5

Your guess is correct ;-)
The line "... ck = sessInfo. ..." throws: "Unsupported algorithm (28706)".
I remember I had a exception like this, when I tried to manualy create the KeyMaterial from my found key and the coresponding crypto provider.

What does it mean?
The key itself works, I allready tried it successfull on an other implementation.
Posted: 05/23/2012 09:23:15
by Ken Ivanov (Team)

Thank you for checking. Could you please try to replace the SBConstants.Unit.SB_ALGORITHM_CNT_SYMMETRIC entry with SBConstants.Unit.SB_ALGORITHM_CNT_3DES and check if it changes anything?
Posted: 05/23/2012 09:31:17
by Martin Frommeyer (Basic support level)
Joined: 05/23/2012
Posts: 5

Thanks for the answer. I just checked it, now the error message is "Unsupported algorithm (28675)".
Posted: 05/23/2012 09:53:45
by Ken Ivanov (Team)

Thank you. As a part of further investigation, we would ask you to run a small investigation tool in your environment and send us the results. As the forum doesn't support big attachments, I've created a ticket in the Helpdesk for you, and uploaded the tool together with further instructions there.
Also by EldoS: CallbackFilter
A component to monitor and control disk activity, track file and directory operations (create, read, write, rename etc.), alter file data, encrypt files, create virtual files.



Topic viewed 1815 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!