[xmlsec] Re: Generate symmetric key

Tejkumar Arora tej@netscape.com
Wed, 18 Jun 2003 09:46:12 -0700


Aleksey Sanin wrote:

> As you can see from the code, there is a special GenerateKey function.
> Yes, the simplest implementation I have for NSS does use the random
> generator but it was only a result of copy/paste from GnuTLS/OpenSSL code.
> It would be great to have a symmetric key generated on a crypto token.

Definitely.

>
> However, you need to remember that you might need to get *raw* symmetric
> key data in some cases (encrypting with encrypted key). 

Theoretically (in the context of NSS) we should be able to manage without
ever using raw symmetric keys. The key material can be in the crypto token,
and users can just use key handles. For distribution, the keys can be
wrapped using key transport algorithms (using PKI). In any case, NSS does
have APIs (PK11_ExtractKeyValue; PK11_GetKeyData) to extract the raw
symmetric key from the token... (which will fail if a token is in FIPS
mode... which prohibits export of key material).

>
>
> Bottom line: I have no problems with your suggestions. But you might want
> to talk with Tej about that too.
>
> Aleksey
>
> Andrew Fan wrote:
>
>> Hi Aleksey,
>>
>> I noticed that in the implementation of xmlSec on top of NSS, every
>> symmetric key (symkeys.c) is generated by calling
>> PK11_RandomGenerate( unsigned char* data , int len ), which calls
>> the C_GenerateRandom of PKCS#11, and creates an internal pkcs11 slot
>> for C_GenerateRandom.
>>
>> I think it is unreasonable. 1. a symmetric key should be created in the
>> user practice context, i.e., a certain slot and a certain session.
>> 2. a symmetric key should be created by the crypto device
>> (C_GenerateKey) instead of constructed from a random. 3. although from
>> a random, it is possible to create a symmetric key, it is not a
>> recommendable solution. 4. this implementation hides the mechanism of
>> crypto device.
>>
>> What's your idea about these questions?
>>
>> Regards,
>> Andrew
>>