[openssl-users] Smartcard cert used for encrypt\decrypt
Blumenthal, Uri - 0553 - MITLL
uri at ll.mit.edu
Thu Jan 31 21:46:11 UTC 2019
On 1/31/19, 09:19, "openssl-users on behalf of Antonio Iacono" <openssl-users-bounces at openssl.org on behalf of antiac at gmail.com> wrote:
> Does anybody know how to use the smartcard to encrypt and decrypt files?
Smartcard performs public-key crypto operations, which aren't suitable for bulk processing, such as file encryption/decryption. In general, you'd need a hybrid scheme - generate a random symmetric key, encrypt the file with that symmetric key, and encrypt this symmetric key itself with an appropriate public key from the smartcard. Decryption would be the reverse: with the smartcard (using the private key) decrypt the symmetric key, and pass that symmetric key to OpenSSL to decrypt the file.
Here's an example, which I hope would be useful, as it shows how to use OpenSSL to encrypt and decrypt data (like symmetric keys – short). It uses OpenSC as PKCS#11 library, libp11 as PKCS#11 engine/interface to OpenSSL, p11-kit to allow URI for objects on the smartcard, and OpenSSL itself:
#!/bin/bash
# Settings for US DoD CAC smartcard
MANUFACTURER="manufacturer=Common%20Access%20Card;"
PRK="pkcs11:${MANUFACTURER}id=%00%03;type=private"
PUBK="pkcs11:${MANUFACTURER}id=%00%03;type=public"
# Generate a random text file
openssl rand -out textfile.txt -hex 600
TEXTFILE="textfile.txt"
# Generate random symmetric key
KEY=`openssl rand -hex 32`
# Generate random IV for file encryption
IV=`openssl rand -hex 16`
# Encrypt symmetric key to token RSA KEY MAN Key
echo $KEY | xxd -r -p | openssl pkeyutl -engine pkcs11 -keyform engine -encrypt -pubin -inkey "${PUBK}" -pkeyopt rsa_padding_mode:oaep -out encrypted.key.enc
# Encrypt file with above symmetric key and IV
openssl enc -aes-256-cfb -a -e -in ${TEXTFILE} -out ${TEXTFILE}.enc -K ${KEY} -iv ${IV}
# Decrypt symmetric key on the token
KEY2=`openssl pkeyutl -engine pkcs11 -keyform engine -decrypt -inkey "${PRK}" -pkeyopt rsa_padding_mode:oaep -in encrypted.key.enc | xxd -p -c 200`
# Decrypt the file
openssl enc -aes-256-cfb -a -d -in ${TEXTFILE}.enc -out ${TEXTFILE}.dec -K ${KEY2} -iv ${IV}
Hi Boyd,
there are many ways to encrypt/decrypt with smartcard but since you
wrote to the list of OpenSSL I answer you how to do with OpenSSL.
In the meantime you need two other software, in addition to openssl,
the engine and the pkcs11 library.
A step-by-step guide can be found here:
https://github.com/OpenSC/OpenSC/wiki/Quick-Start-with-OpenSC
Antonio
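The hybrid scheme described in the reply above, as an added example that is not part of the original post: a software RSA key stands in for the smartcard key pair so the flow runs without a token. It goes one step beyond the posted script by storing the IV with the ciphertext and adding an HMAC-SHA256 over both, because AES-CFB alone does not detect modification. Function and file names are assumptions of this example.

```shell
#!/bin/bash
# Added example (not from the original post). A software RSA key stands in
# for the smartcard key pair; with a card, add -engine pkcs11 -keyform engine
# and pass the pkcs11: URIs as in the script above.

hex() { od -An -v -tx1 | tr -d ' \n'; }      # binary on stdin -> hex on stdout
mac() { openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" | awk '{print $NF}'; }

# make_keypair DIR: writes DIR/priv.pem and DIR/pub.pem (token stand-in)
make_keypair() (
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/priv.pem" 2>/dev/null &&
  openssl pkey -in "$1/priv.pem" -pubout -out "$1/pub.pem"
)

# hybrid_encrypt PUBKEY INFILE OUTDIR: writes key.enc, iv.hex, data.enc, data.mac
hybrid_encrypt() (
  secret=$(mktemp) && trap 'rm -f "$secret"' EXIT &&
  openssl rand -out "$secret" 64 &&          # 32-byte AES key + 32-byte MAC key
  openssl pkeyutl -encrypt -pubin -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
    -in "$secret" -out "$3/key.enc" &&
  s=$(hex < "$secret") &&
  k=$(printf %s "$s" | cut -c1-64) && m=$(printf %s "$s" | cut -c65-128) &&
  openssl rand -hex 16 > "$3/iv.hex" &&      # IV is not secret; keep it with the file
  openssl enc -aes-256-cfb -e -in "$2" -out "$3/data.enc" -K "$k" -iv "$(cat "$3/iv.hex")" &&
  cat "$3/iv.hex" "$3/data.enc" | mac "$m" > "$3/data.mac"   # encrypt-then-MAC
)

# hybrid_decrypt PRIVKEY DIR OUTFILE: fails without writing output if the MAC is wrong
hybrid_decrypt() (
  s=$(openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
        -in "$2/key.enc" | hex) &&
  k=$(printf %s "$s" | cut -c1-64) && m=$(printf %s "$s" | cut -c65-128) &&
  [ "$(cat "$2/iv.hex" "$2/data.enc" | mac "$m")" = "$(cat "$2/data.mac")" ] &&
  openssl enc -aes-256-cfb -d -in "$2/data.enc" -out "$3" -K "$k" -iv "$(cat "$2/iv.hex")"
)

# Demo on constructed input: run the script with the single argument "demo"
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d) && make_keypair "$d" &&
  echo "constructed sample plaintext" > "$d/plain.txt" &&
  hybrid_encrypt "$d/pub.pem" "$d/plain.txt" "$d" &&
  hybrid_decrypt "$d/priv.pem" "$d" "$d/plain.dec" &&
  cmp "$d/plain.txt" "$d/plain.dec" && echo "round trip OK in $d"
fi
```

The recipient needs `key.enc`, `iv.hex`, `data.enc` and `data.mac`; only the private-key operation in `hybrid_decrypt` touches the key that would live on the card.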