Cryptographic card

#245
Posted: 05/17/2006 10:34:58
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155

Hi!,

One of the beta testers of my program has a cryptographic card (with a reader from http://www.c3po.es/kit_ltc32.html).

Everything goes OK for him (I was frightened that the application would collapse), except that all the operations that require the private key (signing, decrypting) end up with error 2002. So it seems that my program cannot access his private key.

I'm gonna buy a card reader and upgrade my certificate to test it, but I wanted to ask you before I manage to get it, because I suppose you may have had this problem in the past?

In other things, I'm pleased to see the proximity of SecureBlackbox 5, and I've got a very good suggestion: "allow a file to be signed, encrypted, verified, decrypted (message operations) to be fed incrementally, so we don't have to have 8Gb of RAM ;). Also, this can let us know the progress of that operation (and a procedure for aborting the process safely would be great too). I know that these operations may not be designed for large files, but I know that many people will use them on those, and they'll get a very beautiful "Out of memory" error ;)".

Thanks
#246
Posted: 05/17/2006 11:44:45
by Eugene Mayevski (EldoS Corp.)

Quote
Santiago Castaño wrote:
Everything goes OK for him (I was frightened that the application would collapse), except that all the operations that require the private key (signing, decrypting) end up with error 2002. So it seems that my program cannot access his private key.


This means that the presence of the private key is not even detected. The problem can be device-specific, i.e. if the device doesn't export private keys AND doesn't report the presence of the certificate correctly, you will get exactly what you get.

Quote
Santiago Castaño wrote:
allow a file to be signed, encrypted, verified, decrypted (message operations) to be fed incrementally


It's been in the ToDo for over a year already... Will be done in SBB 5.


Sincerely yours
Eugene Mayevski
#248
Posted: 05/17/2006 12:22:46
by Eugene Mayevski (EldoS Corp.)

From their site:

Quote

Electronic signature development with cryptographic card
These kits are not appropriate for development within electronic signature smart card environments. While not a proper development kit, the Cryptokit, used alongside Microsoft's SDKs (Software Development Kits) and RSA, is the best tool for this sort of development.

The use of cryptographic-card-supported electronic signature is based on two standard software components, CSP and PKCS#11, which are included in the Cryptokit.


If I understand right, the device is not mapped into CryptoAPI (unless you have Cryptokit installed). Maybe I am mistaken, though. I can't check because they don't sell the device outside of Spain.


Sincerely yours
Eugene Mayevski
#258
Posted: 05/17/2006 14:16:32
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155

Well, I don't understand either whether it's running via CryptoAPI or not. The product I was looking at buying was exactly that "Cryptokit", because it contains a card made especially for the certificates we're working with (FNMT).

But as I understand it, if my customer is able to see his certificate in my application, I suppose that Windows can see it and operate with it. I told him to test with Outlook, signing or encrypting mail messages.

Another thing I don't understand is this text from the site of the card reader:

Quote

The card has the capability to:

Generate and store several key pairs, making the extraction of private keys impossible (STRONG SECURITY)
Store several certificates in a single card (FNMT-RCM, Verisign, Entrust, etc.)


What do they mean by "extraction of private keys impossible"? Well, we don't need to extract it, but through CryptoAPI I think that Windows should be able to communicate with that private key and operate with it.

Conclusion: I'll get that device (it's the one that FNMT recommends), see what's happening and relay that information to you. Do you know any GOOD device that doesn't give problems? (Maybe we can test it also.)

Thanks anyway for your time
#260
Posted: 05/17/2006 14:35:57
by Eugene Mayevski (EldoS Corp.)

It is possible that the certificates are reported, but cryptographic operations can't be performed.

Quote
Santiago Castaño wrote:
What do they mean by "extraction of private keys impossible"? Well, we don't need to extract it, but through CryptoAPI I think that Windows should be able to communicate with that private key and operate with it.


Hardware certificate containers never let the private key out. Instead they perform the cryptographic operations that involve those keys internally.

Quote
Santiago Castaño wrote:
Conclusion: I'll get that device (it's the one that FNMT recommends), see what's happening and relay that information to you. Do you know any GOOD device that doesn't give problems? (Maybe we can test it also.)


So far we only use USB tokens: eToken, Eutron and Rainbow. eToken is probably the most "mature" one.


Sincerely yours
Eugene Mayevski
#265
Posted: 05/17/2006 15:29:49
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155

Is it possible that an application that uses CAPICOM gets access to the private key and CryptoFiles/my application does not? As far as I understood, CAPICOM is only an interface from ActiveX to CryptoAPI.

The thing is that FNMT (the organization that makes the certificates) uses ONLY CAPICOM in their application (and I think that they don't have any problems).

Anyway, my bosses have taken it as a very good idea to test the eToken smartcard and eToken USB, and if they don't give any trouble, we'll recommend them to our customers (but anyway we'll also test what's happening with those C3PO devices).
#266
Posted: 05/17/2006 15:38:22
by Eugene Mayevski (EldoS Corp.)

If you get the device, we will work with you on finding the reason for the strange behaviour and fixing it.


Sincerely yours
Eugene Mayevski
#277
Posted: 05/21/2006 15:40:46
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155

Hi!,

I've just received my card reader, changed the PIN and imported my certificate into it. And my application is able to see it.

But when I try to sign or decrypt a file it gives me error 2002 (verifying or encrypting works OK).

I started your cryptotoken application, and it just works wonderfully (sign, verify, encrypt/decrypt).

Why doesn't CryptoAPI work just as cryptotoken does?

Also, more information... my application says (just a warning message) that the certificate has a private key that is not exportable.

I'm here for all your questions, and let's see if we can make it run just as well as cryptotoken.

One more thing... I just realised that I can mix the cryptotoken application with my application (I'll make a new button to select those certificates). But how can I know where the DLL is that I've got to use programmatically? And of course, it'll be confusing, because the application can SEE the certificate but not do anything with the private key.

Thanks
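As an added diagnostic (not part of this thread and not EldoS or SecureBlackbox code), the following Windows PowerShell script reproduces on any Windows machine the situation described above: it lists the certificates in the user's personal store, reports whether Windows sees a private key at all, which provider holds it and whether it is marked exportable, and then performs a sign-and-verify round trip so that a certificate that is "visible but unusable" through CryptoAPI/CNG shows up as HasPrivateKey = True with SignVerifyOK = False and the provider's error text. The function name and the test message are the script's own; it relies only on the .NET Framework 4.6+ RSA and X509 APIs that Windows PowerShell 5.1 exposes, and a smart-card key will prompt for its PIN when signing.

```powershell
# Added diagnostic: does Windows expose a usable private key for each personal certificate?
# Not EldoS code. Uses .NET Framework 4.6+ APIs available in Windows PowerShell 5.1.
# A smart-card key normally prompts for its PIN when SignData is called.

function Test-PrivateKeyUsable {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )
    # Constructed message; any bytes will do for a sign/verify round trip.
    $data    = [System.Text.Encoding]::UTF8.GetBytes('constructed test message')
    $padding = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
    $ext     = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $result = [ordered]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey   # what a plain "certificate is visible" check reports
            Provider      = $null
            Hardware      = $null                 # only reported by legacy CSPs
            Exportable    = $null
            SignVerifyOK  = $false
            Error         = $null
        }

        if ($cert.HasPrivateKey) {
            try {
                $rsa = $ext::GetRSAPrivateKey($cert)
                if ($null -eq $rsa) { throw 'private key is not RSA or could not be opened' }

                # Legacy CryptoAPI CSP and CNG key storage provider expose different metadata.
                if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $info = $rsa.CspKeyContainerInfo
                    $result.Provider   = $info.ProviderName
                    $result.Hardware   = $info.HardwareDevice
                    $result.Exportable = $info.Exportable
                }
                elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $result.Provider   = $rsa.Key.Provider.Provider
                    $result.Exportable = ($rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
                }

                # Try SHA-256 first; older smart-card CSPs only implement SHA-1.
                foreach ($hashName in 'SHA256', 'SHA1') {
                    try {
                        $hash = [System.Security.Cryptography.HashAlgorithmName]::new($hashName)
                        $sig  = $rsa.SignData($data, $hash, $padding)          # the operation that fails in the thread
                        $pub  = $ext::GetRSAPublicKey($cert)
                        $result.SignVerifyOK = $pub.VerifyData($data, $sig, $hash, $padding)
                        $result.Error = $null
                        break
                    }
                    catch {
                        $result.Error = "$($hashName): $($_.Exception.Message)"
                    }
                }
            }
            catch {
                $result.Error = $_.Exception.Message
            }
        }

        [pscustomobject]$result
    }
}

Test-PrivateKeyUsable |
    Format-Table Subject, HasPrivateKey, Provider, Hardware, Exportable, SignVerifyOK, Error -AutoSize
```

Read the output column by column: HasPrivateKey = True with a non-empty Provider means Windows has a CSP or KSP registered for the key; Exportable = False is the expected and desirable state for a card-resident key, since, as Eugene notes above, the container is meant to perform the operation internally rather than hand the key out; SignVerifyOK = False with HasPrivateKey = True is the symptom from this thread, and the Error column then carries the provider's own failure text rather than a library error code.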
#278
Posted: 05/21/2006 15:43:57
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155

Umm, I didn't explain well in the last lines. I say that it'll be confusing because they can see the certificate in the main window, and they'll select it. But instead of that, they would have to select the certificate that appears in the "cryptotoken" area. So if I mix cryptotoken and my application, I'll have to not show the certificate that CryptoAPI reports, and put the certificate from the cryptotoken area instead.

Hope to have explained better (Sundays are Sundays :p)
#279
Posted: 05/21/2006 16:04:45
by Eugene Mayevski (EldoS Corp.)

Quote
Santiago Castaño wrote:
I started your cryptotoken application, and it just works wonderfully (sign, verify, encrypt/decrypt).


Which one are you referring to? The PKCS#11 sample?

As for CryptoAPI: as supposed, the card drivers don't properly expose their functionality via CSP. That's why our code doesn't work. Innokentiy will give more info on the topic.


Sincerely yours
Eugene Mayevski