Timeline for answer to Offloading hashing and symmetric encryption to HSM by mat
Current License: CC BY-SA 3.0
6 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Jul 22, 2017 at 0:13 | comment added | eckes | | 1) yes encrypted. 2) but not the digest 3) yes but CKM_SHA1_RSA* is different from CKM_RSA* as it does the digesting and the other only the sign part. |
| Jul 21, 2017 at 19:15 | comment added | mat | | 1) Well, you want to send the session key anyway, so it leaving the HSM is a must. But if you execute the "wrap" operation, it won't leave it unencrypted, which is just what you want. 2) CKM_RSA_PSS does the padding/armoring by itself. Otherwise, it would just be a raw signature. 3) CKM_SHA256_RSA_PKCS is just PKCS#1 v1.5 but with SHA-256 instead of SHA-1. |
| Jul 21, 2017 at 16:41 | comment added | eckes | | If I understand the PKCS11 API correctly, CKM_RSA_PKCS (and CKM_RSA_X_509 and _PSS) expect the (padded) digest value, which means I can/must digest myself (and this opens some attacks as I can hand it chosen integers, right?). The difference would be CKM_SHA256_RSA_PKCS, which is safer (but PKCS11 does not allow me to limit a key to those variants?). |
| Jul 21, 2017 at 16:22 | comment added | eckes | | The problem with "construct it yourself" means the session key leaves the HSM, right? Or can I have the HSM produce a random key, keep it with a handle and then reference that handle as input for the RSA? It seems to work for key wrapping. |
| Jul 21, 2017 at 11:16 | history edited | schroeder♦ | CC BY-SA 3.0 | deleted 11 characters in body |
| Jul 21, 2017 at 11:14 | history answered | mat | CC BY-SA 3.0 | |