HSM decryption + encryption chaining - encryption

My application is acting as a switchboard to transfer very sensitive messages between two parties and I'm trying to figure out how I can do this without "looking" at the message they're trying to send.
I have a HSM, and I've generated a keypair for the sender - they're going to encrypt the message with their public key that I gave them, and I can decrypt the message using the private key I have in the HSM.
I'm going to then pass that message on by encrypting it with the public key of the ultimate receiver, which I have.
Is there any way to chain these two operations inside the HSM, without having the decrypted message anywhere near my application memory? I would like the plaintext content to never leave the boundaries of the HSM.
I know that some HSMs have a CodeSafe / SEE machine feature that lets me write embedded system code and run it inside the HSM, before I get into that I'd like to see if there's a way using the general PKCS / JCE / CNG APIs to do this safely.

If all you need is to re-encrypt the same secret under a different key, you can use C_Unwrap to create a temporal HSM object with value of the translated secret and then use C_Wrap to encrypt the value of this temporal HSM object for all the recipients.
This way the secret will never leave HSM.
Something like this (verified to be working on SafeNet Luna 7 with RSA-OAEP):
// Your private key for 'decrypting' secret. Must have key unwrapping allowed
CK_OBJECT_HANDLE hsmPrivateKey = ... ;
// Encrypted secret
byte[] wrappedKey = ... ; //
// Template for temporal generic secret key with value of the secret
CK_ATTRIBUTE[] tempTemplate = new CK_ATTRIBUTE[] {
new CK_ATTRIBUTE(CKA.CLASS, CKO.SECRET_KEY),
new CK_ATTRIBUTE(CKA.KEY_TYPE, CKK.GENERIC_SECRET),
new CK_ATTRIBUTE(CKA.TOKEN, false),
new CK_ATTRIBUTE(CKA.PRIVATE, true),
new CK_ATTRIBUTE(CKA.EXTRACTABLE, true),
new CK_ATTRIBUTE(CKA.SENSITIVE, true),
new CK_ATTRIBUTE(CKA.ENCRYPT, false),
new CK_ATTRIBUTE(CKA.DECRYPT, false),
new CK_ATTRIBUTE(CKA.WRAP, false),
new CK_ATTRIBUTE(CKA.UNWRAP, false),
new CK_ATTRIBUTE(CKA.SIGN, false),
new CK_ATTRIBUTE(CKA.VERIFY, false),
new CK_ATTRIBUTE(CKA.DERIVE, false)
};
// Unwrapping/decryption mechanism
CK_MECHANISM mechanism = ... ;
// Handle for temporal generic secret key with value of the secret
CK_OBJECT_HANDLE temporalValueHandle = new CK_OBJECT_HANDLE();
// Unwrap/decrypt the secret into temporal key
CryptokiEx.C_UnwrapKey(session, mechanism, hsmPrivateKey, wrappedKey, wrappedKey.length, tempTemplate, tempTemplate.length, temporalValueHandle);
// Wrap/encrypt the secret for recipients. Recipient public keys must have key wrapping allowed
for(CK_OBJECT_HANDLE recipientPublicKey : ... ) {
LongRef resSize = new LongRef(0);
CryptokiEx.C_WrapKey(session, mechanism, recipientPublicKey, temporalValueHandle, null, resSize);
byte[] rewrappedKey = new byte[CryptokiUtils.safeIntCast(resSize.value)];
CryptokiEx.C_WrapKey(session, mechanism, recipientPublicKey, temporalValueHandle, rewrappedKey, resSize);
System.out.println("Re-wrapped key: " + bytesToHexString(rewrappedKey));
}
// Delete temporal generic secret key
CryptokiEx.C_DestroyObject(session, temporalValueHandle);
Good luck!

Related

How to hash a password using an existing key in PCLCrypto?

I'm creating a mobile application that connects to a web service. It needs to login to the system using a password. The password is stored on the server as a MD5 hashed password that was hashed using this method:
Byte[] Initial = <Key goes here>
MD5CryptoServiceProvider Provider = new MD5CryptoServiceProvider();
List<Byte> Encoding = new List<Byte>(Initial);
Encoding.AddRange(ASCIIEncoding.ASCII.GetBytes(inputString));
return Convert.ToBase64String(Provider.ComputeHash(Encoding.ToArray()));
The key and code to hash the password on the web application cannot be used in my Xamarin PCL project because it's not possible to use the 'MD5CryptoServiceProvider' in Xamarin PCL.
I need to create an equivalent method in the xamarin application to hash the password, before it's compared to the web service version.
To do this I have chose PCLCrypto but I can't seem to find anywhere to include the same key that was used to originally encrypt the password.
This is the Xamarin code:
Byte[] Initial = <the same key as was used to originally cache it>
// step 1, calculate MD5 hash from input
var hasher = WinRTCrypto.HashAlgorithmProvider.OpenAlgorithm(HashAlgorithm.Md5);
byte[] inputBytes = Encoding.UTF8.GetBytes(inputString);
byte[] hash = hasher.HashData(inputBytes);
StringBuilder sb = new StringBuilder();
for (int i = 0; i < hash.Length; i++)
{
sb.Append(hash[i].ToString("X2"));
}
return sb.ToString();
Thanks in advance for your help.
I have a solution but i use plateform specific code.
In xamarin.forms part you implement an interface like for example:
public interface SpecificCodes
{
Boolean comparePasswords(String userPassword,String DBPassword);
}
In xamarin.android you create a class which implements interface
[assembly:Dependency(typeof(MyProject.Droid.Code.SpecificPartsAndroid))]
namespace MyProject.Droid.Code
{
...
public class SpecificPartsAndroid: SpecificCodes
{
public Boolean comparePasswords(String userPassword, String DBPassword)
{
byte[] dig = hash(new Java.Lang.String(userPassword).GetBytes("UTF-8"),"MD5");
byte[] res=Base64.Decode(DBPassword,Base64Flags.Default);
return String.Compare(dig.ToString(),res.ToString())==0?true:false;
}
private static byte[] hash (byte[] toHash, String algorithm)
{
MessageDigest md = MessageDigest.GetInstance(algorithm);
return md.Digest(toHash);
}
}
}
In xamarin.ios do the same
And then to call your function use the code below in Xamarin.forms
DependencyService.Get<SpecificCodes>().comparePasswords(pwdUser, pwdHashed);
Hope it helps
Just using a hash function is not sufficient and just adding a salt does little to improve the security. Instead iIterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Use functions such as PBKDF2, password_hash, Bcrypt and similar functions. The point is to make the attacker spend a lot of time finding passwords by brute force.
Protecting your users is important, please use secure password methods.
See How to securely hash passwords, The Theory on Security Stackexchange.
See OWASP (Open Web Application Security Project) Password Storage Cheat Sheet.
See Modern, Secure, Salted Password Hashing Made Simple
See Toward Better Password Requirements by Jim Fenton:

Salted Password Hashing. Am I doing it right in ASP.NET environment?

I am developing a website by using ASP.NET. I want to implement login authentication for my users. I am using SALT HASH method to securely save users' passwords to the DB. By looking at various codes I wrote a code like below to generate the SALT and the Hashed passwords to store in Database.
private string hashedPassword;
private string Salt;
private string SaltPlusPassword;
private const byte saltSize = 24;
byte[] saltArray;
byte[] hashedPasswordArray;
byte[] bytes;
public void Save_Login(string passWord)
{
using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
{
saltArray = new byte[saltSize];
rng.GetBytes(saltArray);
}
Salt = Convert.ToBase64String(saltArray);
SaltPlusPassword = String.Format("{0}{1}", Salt, passWord);
using (SHA256 sha = SHA256.Create())
{
bytes = Encoding.UTF8.GetBytes(SaltPlusPassword);
hashedPasswordArray = sha.ComputeHash(bytes);
}
hashedPassword = Convert.ToBase64String(hashedPasswordArray);
}
//Salt will be save to DB
//hashedPassword will be save to DB.
So I have few questions.
1) I read in an article that saying "make your salt is at least as long as the hash function's output" ok. What are the sizes for saltArray, hashedPasswordArray and bytes arrays which are declared in my code? I used saltArray size as 24. Is it ok?
2) What will happen if I use ?
bytes = Encoding.Unicode.GetBytes(SaltPlusPassword);
instead of
bytes = Encoding.UTF8.GetBytes(SaltPlusPassword);
3) What is the datatype should I use to store salt and the hashed password in the DB? ( My db is MYSQL )
4) Is there any performance difference if I use SHA256Managed instead of SHA256? Which is best?
5) Finally am I doing this in the right way? What are the weaknesses in above code? What are your suggestions?
Rather than deal with all these issues, why not use the built in identity management tools provided by ASP.NET. See here
http://www.asp.net/identity/overview/getting-started/introduction-to-aspnet-identity
Much more common and robust.

Sign and decrypt data using private keys located on a HSM

I have a task to sign and decrypt data, but the private keys are located at a HSM ( Luna SA, / Safenet ). I installed all the client software and connected the Luna SA CSP to the test servers.
Using the PKCS#11 functions provided, I am able to list and export the public keys on the HSM as PCCERT_CONTEXT (CertCreateCertificateContext). When I try to acquire the private key (using CryptoAPI function CryptAcquireCertificatePrivateKey), I receive an error code CRYPT_E_NO_KEY_PROPERTY.
I am probably missing the link between the certificate data and the CSP/HSM. Has anybody done something similar and can give any hints?
EDIT
I sucessfully created CER files from all the keys located on the HSM.
When i know use signtool.exe (the one that ships with Microsoft Plattform SDK) i am able to sign a dll with a key on the HSM (the tool wizard lets me choose key container, key spec, ...). I tried to use the information the tool shows me and set the private key
bool LinkPrivateKey(PCCERT_CONTEXT cert)
{
CRYPT_KEY_PROV_INFO cryptKeyProvInfo;
memset(&cryptKeyProvInfo, 0, sizeof(cryptKeyProvInfo));
cryptKeyProvInfo.pwszContainerName = L"MSS";
cryptKeyProvInfo.pwszProvName = L"Luna Cryptographic Services for Microsoft Windows";
cryptKeyProvInfo.dwProvType = PROV_RSA_FULL;
cryptKeyProvInfo.dwFlags = CRYPT_MACHINE_KEYSET; // CERT_SET_KEY_CONTEXT_PROP_ID | CERT_SET_KEY_PROV_HANDLE_PROP_ID;
cryptKeyProvInfo.cProvParam = 0;
cryptKeyProvInfo.dwKeySpec = AT_SIGNATURE;
return CertSetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID, 0, &cryptKeyProvInfo) != FALSE;
}
but CryptAcquirePrivateKey still gives me the same error. I believe I am missing only a small bit here, since the signtool is able to access the private key
Edit2
The screnshot shows KEYEXCHANGE but I chose SIGNATURE
Edit3
I changed the LinkPrivateKeyfunction a little bit, now it works
bool LinkPrivateKey(PCCERT_CONTEXT cert)
{
CRYPT_KEY_PROV_INFO cryptKeyProvInfo;
memset(&cryptKeyProvInfo, 0, sizeof(cryptKeyProvInfo));
cryptKeyProvInfo.pwszContainerName = L"MSS";
cryptKeyProvInfo.pwszProvName = L"Luna Cryptographic Services for Microsoft Windows";
cryptKeyProvInfo.dwProvType = PROV_RSA_FULL;
cryptKeyProvInfo.dwFlags = 1; // CERT_SET_KEY_CONTEXT_PROP_ID | CERT_SET_KEY_PROV_HANDLE_PROP_ID;
cryptKeyProvInfo.dwKeySpec = AT_SIGNATURE;
return CertSetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID, 0, &cryptKeyProvInfo) != FALSE;
}
I don't have any experience with Luna but this worked well for nCiper HSM:
certutil -repairstore -csp "nCipher Enhanced Cryptographic Provider" My <serial number of certificate>
where "nCipher Enhanced Cryptographic Provider" is the name of CSP that comes with HSM.
Serial number of certificate can be obtained using this command:
certutil -store My
It will print all certificates in Local_Machine\My store. The serial number will be between bunch of ====== like ================ Certificate 5 ================. It will also parse information about the certificates like serial number, subject etc. and it will run encrypt/decrypt test to verify usability of the certificate.
After you repair the binding you can use this (second) command to verify that it went well. Don't be fooled by output of the first command, I have never seen it put out anything other than success.
You can find more information about usage of certutil here.
As stated in my post, I can link the private key using
I changed the LinkPrivateKeyfunction a little bit, now it works
bool LinkPrivateKey(PCCERT_CONTEXT cert)
{
CRYPT_KEY_PROV_INFO cryptKeyProvInfo;
memset(&cryptKeyProvInfo, 0, sizeof(cryptKeyProvInfo));
cryptKeyProvInfo.pwszContainerName = L"MSS";
cryptKeyProvInfo.pwszProvName = L"Luna Cryptographic Services for Microsoft Windows";
cryptKeyProvInfo.dwProvType = PROV_RSA_FULL;
cryptKeyProvInfo.dwFlags = 1; // CERT_SET_KEY_CONTEXT_PROP_ID | CERT_SET_KEY_PROV_HANDLE_PROP_ID;
cryptKeyProvInfo.dwKeySpec = AT_SIGNATURE;
return CertSetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID, 0, &cryptKeyProvInfo) != FALSE;
}
YOu have to replace L"MSS"with the key container defined on you server.
LunSA provides the tool keymap.exe that is insatlled along with the LunaCSP to get the container names.

AES256 encryption and decryption in ASP

I have to send a username and password from my iphone app to a ASP server page, and I will encrypt them using: http://iphonedevelopment.blogspot.com/2009/02/strong-encryption-for-cocoa-cocoa-touch.html. What is the best way to decrypt these strings on the ASP page? I found some examples, but since the encryption will happen on two completely unrelated sides, I think I need to hard code the key in on both sides, and I can't find any examples that don't have use generated keys.
Thanks!
Yes, key management is a big problem. You will have to have the keys on both sides, on iOS you can save the key in the Keychain, that is secure but the process to get it there securely is more difficult.
The other main issue is getting all the parameters the same on both sides. Of particular interest are
encryption key value and size
mode: CBC, ECB, etc. (you should probably be using CBC)
initialization vector (iv) is needed for most modes
padding method: PKCS7, etc. (AES is a block cypher and needs input
in a multiple of block size)
Why not store the passwords in the database with SHA1, then use HMAC with a client specified key for the communication?
Have the server generate a random key and send it with the login request. The client computes the SHA1 hash of the password, then computes the HMAC SHA1 hash of that using the server-specified key. The server then verifies that the result is correct.
On the client end:
// password is the plaintext password
// keyb64 is a random key specified by the server, encoded in base64.
string ComputeSecureHash(string password, string keyb64)
{
byte[] data = Encoding.UTF8.GetBytes(password);
byte[] key = Convert.FromBase64String(keyb64);
byte[] hash;
byte[] machash;
// compute a plain SHA1 hash of the specified data
using (SHA1Managed sha1 = new SHA1Managed())
{
hash = sha1.ComputeHash(data);
}
// now compute a HMAC hash of that hash, using the random key.
using (HMACSHA1 sha1mac = new HMACSHA1(key))
{
machash = sha1mac.ComputeHash(hash);
}
return Convert.ToBase64String(machash);
}
On the server end:
// hash is the string produced by the function above
// realHash is the SHA1 hash of the real password, which you've fetched from the db
// key is the key you generated for this login session
bool VerifyHash(string hash, byte[] realHash, byte[] key)
{
byte[] machash;
using (HMACSHA1 sha1mac = new HMACSHA1(key))
{
machash = sha1mac.ComputeHash(realHash);
}
return (Convert.ToBase64String(machash) == hash);
}
This allows you to authenticate over a plaintext medium without having the password cracked.

Decryption failed when storing the key inside Java key store

I've created an encryption key by the following code:
SecretKeyFactory skFactory = SecretKeyFactory.getInstance("PBEWithSHA1AndDESede");
SecretKey key = skFactory.generateSecret(new PBEKeySpec("<some password>".toCharArray()));
Then I've used the key to encrypt some text.
I've stored this key inside a java key store and saved in on FS:
KeyStore ks = KeyStore.getInstance("JCEKS");
ks.setKeyEntry(keyAlias, key ,keyPassword.toCharArray(), null);
FileOutputStream fileOutputStream = new FileOutputStream (keyStorePath);
keyStore.store(fileOutputStream , keyStorePassword.toCharArray());
fileOutputStream.close();
In a different process I open the key store and try to decrypt some text:
KeyStore ks2 = KeyStore.getInstance("JCEKS");
ks2.load(new java.io.FileInputStream(keyStorePath), ksPassword.toCharArray());
SecretKeyFactory skFactory2 = SecretKeyFactory.getInstance("PBEWithSHA1AndDESede");
String passForTheKey = ks2.getKey(keyAlias, keyPass.toCharArray()).toString();
KeySpec key = new PBEKeySpec(passForTheKey.toCharArray());
SecretKey sKey2 = skFactory.generateSecret(key);
When trying to decrypt the text I get the error:
java.security.InvalidKeyException: Given final block not properly padded
If I try to use the key without storing it in the key store immediately after creating it, the decription proccess is working great.
Any ideas?
You're storing the actual secret key in your keystore (which is normal). However, you seem to be trying to read it as a password, for a new key you're generating later.
Instead of this:
String passForTheKey = ks2.getKey(keyAlias, keyPass.toCharArray()).toString();
KeySpec key = new PBEKeySpec(passForTheKey.toCharArray());
SecretKey sKey2 = skFactory.generateSecret(key);
use this:
SecretKey sKey2 = (SecretKey) ks2.getKey(keyAlias, keyPassword.toCharArray());
What you're reading from the keystore is the key itself (as you've stored it), not some password. (generateSecret will just generate a new key.)

Resources