// The number of bytes in the secret key defines the bit-strength of an encryption // algorithm. For example, AES with a 32-byte key is 256-bit AES. Most algorithms // define restrictions on key sizes. For example, AES has 3 choices: 128-bit, 192-bit, // or 256-bit. In the ChaCha20 algorithm, the key size must always be 256-bits (32-bytes). You decrypt the key, then decrypt the data using the AES key. This example will show the entire process. (1) Generate an RSA key and save both private and public parts to PEM files. (2) Encrypt a file using a randomly generated AES encryption key. (3) RSA encrypt the AES key. (4) RSA decrypt the AES key. (5) Use it to AES decrypt the file or data. Internally the code will manage to use the embedded AES-128, AES-192 or AES-256 key using the obfuscated tables. The compiler is also capable to generate AES-512 and AES-1024 tables, following Cho, J. The same logic was applied to generate experimental AES-2048 and AES-4096 tables. Jun 23, 2012 There is also the option to use the EVPBytesToKey function which is a PBKDF. This function, as I called it, will generate a 256 bit key in CBC mode, with a salt and passphrase that are random data (the password being random data is just for demonstration purposes).
How to generate RSA, ECC and AES keys: pkcs11-tool is a command line tool to test functions and perform crypto operations using a PKCS#11 library in Linux. It always requires a local available working P11 module (.so in Linux or .DLL in Windows) and allows various cryptographic action. pkcs11tool is part of the OpenSC package.
This post is part of #CryptoCorner my contribution to open source cryptography and secure hardware key storage to reduce risks from misunderstood and unsecure implemented key management.
PKCS#11 is a standard interface to create symmetric and asymmetric keys and perform cryptographic operations. It is mainly used to access smart card type of key media or Hardware Security Modules (HSM). Today the interface is implemented in many different applications to use hardware cryptography. PKCS#11 based on the PKCS#11 (Cryptoki) specifications. The complete specifications are available at oasis-open.org.
Generate a RSA key on a key media using PKCS#11
Please see my previous and related posts how to compile a PKCS#11 library and configure OpenSC to use this cryptographic module.
To generate a key I am using SoftHSM2 version 2.6.1 with Cryptoki 2.40 implementation of PKCS11 as the PKCS#11 module and generate the key using OpenSC pkcs11-tool
In this example I did not use the parameter „–slot 1234567890“ to specify a slot, so the key is generated on the first available slot. Better you select the slot when you create a key.
Generate different ECC keys on a key media (smart card, token, HSM, SoftHSM) using PKCS#11
To generate a SECP r1 ECC key pair use the following command. The key length 384 can be changed according to the available ciphers.
If you want to generate a Koblitz k1 curve use the following command. Again you can change the key length 256 depending on the module supported key lengths.
Generate an AES key on smart card or HSM using PKCS#11
The generation of a AES key is quite simple as well. In this example I choose a specific slot on the media using option „–slot XXXXXXXX“:
In this example the „–id 256“ does not specify the AES-256 key length, it just defines an intern ID of the generated to you can use later to specify the key by ID. The AES key length is defined by aes:32 defining an AES length of 32 bytes equal to 32×8 bit = 256 bit. To generate a AES-128 bit key just use „–key-type aes-16“ or to create a AES-192 key use „–key-type aes:24“.
Where to find working PKCS#11 libraries?
The most common open source libraries are found here:
libsofthsm2.so – The PKCS#11 library of SoftHSM2 a popular software defines key store. You need to install or compile SoftHSM2 to get this library.
libykcs11.so – The Yubico PKCS#11 library for all YubiKey token with smart card PIV functionallity. Install and compile Yubico yubico-piv-tool.
opensc-pkcs11.so – The popular OpenSC PKCS#11 library supporting many smart cards and PKI token. Install or compile opensc to use this software interface.