How to derive a key with JCA/JCE and with an HSM

前端 未结 1 557
星月不相逢
星月不相逢 2021-02-04 19:35

I have a master key in an HSM and I want to derive it with a given diversifier. I am quite new to JCA/JCE, and a bit lost with KeyGenerator, SecretKeyFactory, ... especially sin

相关标签:
1条回答
  • 2021-02-04 19:58

    You can derive key using:

    • password-based derivation (PKCS#5) as described in Deriving a secret from a master key using JCE/JCA or
    • emulate C_Derive from PKCS#11 using encryption as described in PKCS11 deriveKey() and encrypt() returning different results for 3DES

    to use HSM from JCA/JCE APIs, you need to add the corresponding provider to the JCA/JCE APIs and then specify the the provider parameter to request for that specific provider implementation.

    For example:

    int slot = 0;
    Provider provider = new au.com.safenet.crypto.provider.SAFENETProvider(slot);
    Security.addProvider(provider);
    final String PROVIDER = provider.getName(); // "SAFENET", "SAFENET.1", ...
    
    KeyGenerator keyGen = KeyGenerator.getInstance("DESede", PROVIDER);
    Key baseKey = keyGen.generateKey();
    
    Cipher desCipher = Cipher.getInstance("DESede/CBC/PKCS5Padding", PROVIDER);
    desCipher.init(Cipher.ENCRYPT_MODE, baseKey);
    
    byte[] derived = desCipher.doFinal("diversification data".getBytes());
    

    Note that if you need to do key derivation very often, you might consider to use your provider's PCKS#11 wrapper for Java (e.g. jcprov from SafeNet) or other APIs so that you can be more explicit about its session management and be more efficient about resource usage.

    0 讨论(0)
提交回复
热议问题