unwrapping a secret key reveals actual key

8512e022-ad8e-48f8-b5ec-831ab5e613c0
edited Sep 7, 2018 10:25AM in Cryptography

I am trying to unwrap a secret key (AES/DES) using Java APIs and SunPKCS11. The problem is that it reveals the value of the unwrapped key (outside the HSM) in the key object. Here is the code:

    Key privateKey = keyStore.getKey("MyKeyId", keyStorePassword);
    Cipher cipher = Cipher.getInstance("RSA", "SunPKCS11-Safenet");
    cipher.init(Cipher.UNWRAP_MODE, privateKey);
    // The unwrapped key is visible in the line below, in the unwrappedKey object
    Key unwrappedKey = cipher.unwrap(wrappedKey, "AES", Cipher.SECRET_KEY);

How can I tell the code not to reveal the unwrapped key?

Do I have to add something to the PKCS11 cfg file? I tried some combinations in the cfg file but none helped:

    attributes(*,CKO_SECRET_KEY,*) = {
      CKA_SENSITIVE=true
    }

OR

    attributes(*,CKO_SECRET_KEY,*) = {
      CKA_PRIVATE=true
      CKA_SENSITIVE=true
      CKA_ENCRYPT=true
      CKA_DECRYPT=true
      CKA_WRAP=true
      CKA_UNWRAP=true
    }
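A check worth running right after the unwrap call, written here as an added example rather than code from the post: it distinguishes a key whose bytes live in JVM memory (a software `SecretKeySpec`, or any key whose `getEncoded()` returns bytes) from a token-resident handle (where the provider returns `null`), and refuses to use the key in the former case. It assumes the same alias, provider name, PIN and HSM setup as the post.

```java
import java.security.Key;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class UnwrapCheck {

    // True when the Key object carries the raw key bytes in process memory,
    // i.e. the unwrap did not leave the key as a non-extractable HSM object.
    static boolean keyMaterialExposed(Key key) {
        if (key instanceof SecretKeySpec) {
            return true;              // pure software key: bytes are inside the object
        }
        byte[] encoded = key.getEncoded();
        if (encoded == null) {
            return false;             // provider declined to export the value: the desired state
        }
        Arrays.fill(encoded, (byte) 0); // getEncoded() hands back a copy; do not keep it around
        return true;
    }

    // Same calls as in the post, followed by the check. The alias "MyKeyId" and
    // provider name "SunPKCS11-Safenet" are taken from the post; the pin and
    // wrappedKey parameters are assumed to come from the caller.
    static Key unwrapOrFail(KeyStore keyStore, char[] pin, byte[] wrappedKey) throws Exception {
        Key privateKey = keyStore.getKey("MyKeyId", pin);
        Cipher cipher = Cipher.getInstance("RSA", "SunPKCS11-Safenet");
        cipher.init(Cipher.UNWRAP_MODE, privateKey);
        Key unwrapped = cipher.unwrap(wrappedKey, "AES", Cipher.SECRET_KEY);

        if (keyMaterialExposed(unwrapped)) {
            // Fail closed: a key that can be read out of the object defeats the
            // purpose of unwrapping inside the HSM. Report the concrete class so the
            // log shows whether the provider built a software key.
            throw new IllegalStateException(
                "unwrapped key is readable from the JVM (" + unwrapped.getClass().getName()
                + ", format=" + unwrapped.getFormat() + "); refusing to use it");
        }
        return unwrapped;
    }
}
```

Whether a given provider and JDK version performs the RSA unwrap inside the token or decrypts the wrapped bytes in software and builds the key object itself is not something the cfg attributes can change after the fact, so this check is the reliable signal regardless of which `attributes(...)` block is in force.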
