How to derive a key with JCA/JCE and with an HSM

情到浓时终转凉″ 提交于 2020-01-22 08:04:23

问题


I have a master key in an HSM and I want to derive it with a given diversifier. I am quite new to JCA/JCE, and a bit lost with KeyGenerator, SecretKeyFactory, ... especially since all parameters are strings. I want to use AES or HmacSha1. It seems I need to use a SecretKeyFactory, and provide a KeySpecs. But which type of KeySpecs?

(I have seen a post on that topic, but I didn't seem an HSM was used.)

Thanks.


回答1:


You can derive key using:

  • password-based derivation (PKCS#5) as described in Deriving a secret from a master key using JCE/JCA or
  • emulate C_Derive from PKCS#11 using encryption as described in PKCS11 deriveKey() and encrypt() returning different results for 3DES

to use HSM from JCA/JCE APIs, you need to add the corresponding provider to the JCA/JCE APIs and then specify the the provider parameter to request for that specific provider implementation.

For example:

int slot = 0;
Provider provider = new au.com.safenet.crypto.provider.SAFENETProvider(slot);
Security.addProvider(provider);
final String PROVIDER = provider.getName(); // "SAFENET", "SAFENET.1", ...

KeyGenerator keyGen = KeyGenerator.getInstance("DESede", PROVIDER);
Key baseKey = keyGen.generateKey();

Cipher desCipher = Cipher.getInstance("DESede/CBC/PKCS5Padding", PROVIDER);
desCipher.init(Cipher.ENCRYPT_MODE, baseKey);

byte[] derived = desCipher.doFinal("diversification data".getBytes());

Note that if you need to do key derivation very often, you might consider to use your provider's PCKS#11 wrapper for Java (e.g. jcprov from SafeNet) or other APIs so that you can be more explicit about its session management and be more efficient about resource usage.



来源:https://stackoverflow.com/questions/26282162/how-to-derive-a-key-with-jca-jce-and-with-an-hsm

标签
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!