Encrypting an AES Key using PIVKey

Thanks to Stan Borbat for the following:

This example uses utilities from the OpenSC project.
See also PyKCS11.

I create a 256 byte secret AES key or such. I encrypt it with one of the four RSA public keys available on the card. Then I can store the resulting secret alongside of the encrypted drive or whatever else needs offline authentication. Only the private key embedded in the smart card can then be used to derive that secret given that a user is able to authenticate with the smart card. I put together a proof of concept that seems to work. Now it's a matter of figuring out if this is at all usable in practice.

#!/bin/bash

# Requires the opensc and openssl packages on Ubuntu

SECRET="256byte.dat" # Sample secret data that must be exactly 256 bytes.
PIN="123456" # Smart card PIN
KID="01" # 01 and 02 work on PIV cards

echo "== Extracting the public certificate '$KID' from the smart card"
pkcs15-tool --read-certificate "$KID" > /tmp/sc-cert.crt

echo "== Extracting the public key from the certificate"
openssl x509 -in /tmp/sc-cert.crt -pubkey -noout > /tmp/sc-cert.key

echo "== Encrypting a secret with the smart card's public key =="
# -raw means no padding: the input must be exactly as long as the RSA modulus
# (256 bytes for a 2048-bit key) and numerically smaller than it.
openssl rsautl -in "$SECRET" -raw -encrypt -pubin -inkey /tmp/sc-cert.key -out not-secret.dat

#########################################
# not-secret.dat can now be distributed #
#########################################

echo "== Decrypting with the smart card (sign with card's private key)"
# No padding option is given, so the card applies its private key to the
# 256-byte input as-is; for unpadded RSA that is the decryption operation.
pkcs15-crypt --key "$KID" --pin "$PIN" --sign --input not-secret.dat -o secret.dat

echo "== Comparing original secret with a decrypted one"
diff "$SECRET" secret.dat

echo "== Cleaning up =="
rm secret.dat
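
The proof of concept relies on two properties of unpadded RSA: a "sign" request is the same private-key operation as decryption, and the 256-byte input must be numerically smaller than the modulus. The following is an added example, not part of the script above or of the OpenSC project, that checks both without a card; the software key generated with openssl stands in for the card's key pair, and all function and file names are assumptions.

```shell
#!/bin/bash
# Added example. A software RSA key stands in for the card's key pair so the
# round trip can be tried without a PIVKey; file names are constructed.

# 256-byte secret with a leading 0x00 byte: read as a big-endian integer it is
# always below a 2048-bit modulus, which raw (unpadded) RSA requires.
make_secret() {
    { printf '\000'; openssl rand 255; } > "$1"
}

# Same public-key step as the script above: raw RSA, no padding.
wrap_secret() {    # wrap_secret PUBKEY INFILE OUTFILE
    openssl rsautl -encrypt -raw -pubin -inkey "$1" -in "$2" -out "$3"
}

# Raw private-key operation, requested as sign or decrypt ($1).
# "sign" is the software stand-in for pkcs15-crypt --sign.
private_op() {     # private_op sign|decrypt PRIVKEY INFILE OUTFILE
    openssl rsautl "-$1" -raw -inkey "$2" -in "$3" -out "$4"
}

roundtrip_demo() {
    local d rc=0
    d=$(mktemp -d) || return 1
    # Without padding, sign and decrypt are the same modular exponentiation,
    # so both outputs must equal the original secret.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/card.key" 2>/dev/null &&
    openssl pkey -in "$d/card.key" -pubout -out "$d/card.pub" &&
    make_secret "$d/secret.dat" &&
    wrap_secret "$d/card.pub" "$d/secret.dat" "$d/not-secret.dat" &&
    private_op sign "$d/card.key" "$d/not-secret.dat" "$d/via-sign.dat" &&
    private_op decrypt "$d/card.key" "$d/not-secret.dat" "$d/via-decrypt.dat" &&
    cmp -s "$d/secret.dat" "$d/via-sign.dat" &&
    cmp -s "$d/secret.dat" "$d/via-decrypt.dat" || rc=1
    # Edge case: 256 bytes of 0xFF exceed any 2048-bit modulus, so wrapping
    # must be rejected rather than silently producing output.
    head -c 256 /dev/zero | LC_ALL=C tr '\000' '\377' > "$d/too-big.dat"
    if wrap_secret "$d/card.pub" "$d/too-big.dat" "$d/bad.dat" 2>/dev/null; then
        rc=1
    fi
    rm -rf "$d"
    return "$rc"
}

roundtrip_demo && echo "round trip OK, oversize input rejected"
```

A fully random 256-byte file can be larger than the card's modulus and then fails at the encryption step, which is why `make_secret` fixes the first byte to zero.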
