[xmlsec] Re: Generate symmetric key

Aleksey Sanin aleksey@aleksey.com
Wed, 18 Jun 2003 08:41:50 -0700


As you can see from the code, there is a special GenerateKey function.
Yes, the simplest implementation I have for NSS does use the random
generator but it was only a result of copy/paste from GnuTLS/OpenSSL code.
It would be great to have  symmetric key generated on crypto token.
However, you need to remember that you might need to get *raw* symmetric
key data in some cases (encrypting with encrypted key).

Bottom line: I have no problems with your suggestions. But you might want
to talk with Tej about that too.

Aleksey

Andrew Fan wrote:

> Hi Aleksey,
>
> I noticed that in the implementation of xmlSec on top of NSS, every 
> symmetic key( symkeys.c ) is generated from calling 
> PK11_RandomGenerate( unsigned char* data , int len ), which calling 
> the C_GenerateRandom of PKCS#11, and creating an internal pkcs11 slot 
> for C_GenerateRandom.
>
> I think it is unreasonable. 1. a symmetric key should be created in the
> user practice context, i.e., a certain slot and an a certain session. 
> 2. a symmetic key should be created by the crypto device( C_GenerateKey )
> instead of constructed from a random. 3. although from a random, it is
> possible to create a symmetric key,  it is not a recommendable
> solution. 4. this implementation hides the mechanism of crypto device.
>
> What's your idea about this questions?
>
> Regards,
> Andrew
>