Re: Public key handle in HSM

1. You cannot DECRYPT a message with a public key. You can only VERIFY a
SIGNED message using the certificate. If that's what you need, you don't need
the public key from the cert at all - both CAPI and OpenSSL can verify a
message with the certificate.

2. If you really need to DECRYPT a message and the private key is in the HSM,
you don't need the public key - the HSM's private key is already there. (And
it's certainly NOT in the certificate.)

3. If you want to ENCRYPT a message for somebody, that's when you need the
public key to wrap the random session key (which is actually used to encrypt
the message).

4. Anyway, it seems you are trying to use OpenSSL. Please be advised that this
forum is for CAPI-related questions; you would need to find OpenSSL support
somewhere else.

(BTW: despite 4. above, we do provide advice on not strictly CAPI-related -
but security- and crypto-related - questions.)

Laszlo Elteto
SafeNet, Inc.

"yadav.dhananjay@xxxxxxxxx" wrote:

Dear Responder,
Thank you for your valuable suggestion.
My main problem is how to generate a public key handle in the PCI
HSM (Hardware Security Module) from the certificate's public key.
I do have the certificate, but I need to import the public key (handle) into the
PCI HSM from the certificate to decrypt a message.
I am trying to use openssl to import the public key, but openssl is showing the
following error...
********************************************************************************
C:\OpenSSL\bin>openssl ca
Using configuration from /usr/local/ssl/openssl.cnf
error loading the config file '/usr/local/ssl/openssl.cnf'
2652:error:02001003:system library:fopen:No such process:bss_file.c:104:fopen('/usr/local/ssl/openssl.cnf','rb')
2652:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:107:
2652:error:0E064072:configuration file routines:CONF_load:no such file:conf_def.c:197:
*********************************************************************************
I could not find the openssl.cnf file or the path "/usr/local/ssl/openssl.cnf".
How do I remove this issue?

Regards
Dhananjay Yadav
CMC LTD.
On Feb 29, 3:04 am, Sylvain <noS...@xxxxxxxx> wrote:
lelteto wrote on 28/02/2008 22:31:

3. In case of hardware you usually don't get any speed advantage for PUBLIC
KEY operations. They are pretty fast in software, and the communication
overhead (context switches, driver involvement, etc.) probably results in a
longer total time than doing the computation in software. Hardware is
excellent at accelerating private key operations - which are usually slow in
software - but you wouldn't get much speedup (and oftentimes slower speed)
from hardware for public key operations.

(good) HSMs are faster than any software lib, even for exponentiation
with a public exponent.

OTOH, the public key import can be required to wrap a key (maybe a
session key, symmetric key, ...) with the cert. of the recipient party.
In such a case, the computation shall occur in the HSM.

Sylvain.
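The session-key wrapping that point 3 of Laszlo's reply and Sylvain's remark describe, shown as an added example with the OpenSSL command line (this is not code from the thread). The recipient key pair, self-signed certificate and message are constructed for the demo, and the HSM side is stood in for by a private key file; the sender side touches only the certificate.

```shell
#!/bin/sh
# Added example (not from the thread): hybrid encryption with the openssl CLI.
# The sender needs only the recipient's certificate; the recipient needs the
# private key, which in production lives inside the HSM and never leaves it.
set -eu

hybrid_roundtrip() {
  msg=$1
  dir=$(mktemp -d)

  # Recipient key pair + self-signed cert, constructed for the demo. openssl req
  # reads openssl.cnf; if it is missing, point OPENSSL_CONF or -config at one.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=recipient" \
    -keyout "$dir/recipient.key" -out "$dir/recipient.crt" 2>/dev/null

  # SENDER: pull the public key out of the certificate (it is not secret).
  openssl x509 -in "$dir/recipient.crt" -pubkey -noout > "$dir/recipient.pub"

  # SENDER: random 256-bit session key + IV; the bulk message is AES-encrypted.
  openssl rand -hex 32 > "$dir/session.hex"
  openssl rand -hex 16 > "$dir/iv.hex"
  printf '%s' "$msg" > "$dir/plain.txt"
  openssl enc -aes-256-cbc -K "$(cat "$dir/session.hex")" -iv "$(cat "$dir/iv.hex")" \
    -in "$dir/plain.txt" -out "$dir/cipher.bin"

  # SENDER: wrap only the session key with the recipient's PUBLIC key (RSA-OAEP).
  openssl pkeyutl -encrypt -pubin -inkey "$dir/recipient.pub" \
    -pkeyopt rsa_padding_mode:oaep \
    -in "$dir/session.hex" -out "$dir/session.wrapped"

  # RECIPIENT: unwrap with the PRIVATE key (the HSM-side operation), then
  # decrypt the bulk message with the recovered session key.
  openssl pkeyutl -decrypt -inkey "$dir/recipient.key" \
    -pkeyopt rsa_padding_mode:oaep \
    -in "$dir/session.wrapped" -out "$dir/session.unwrapped"
  openssl enc -d -aes-256-cbc -K "$(cat "$dir/session.unwrapped")" \
    -iv "$(cat "$dir/iv.hex")" -in "$dir/cipher.bin"

  rm -rf "$dir"
}

# Round-trips a constructed message and prints it back.
hybrid_roundtrip "session key wrapped for the HSM"
```

Only the wrapped session key travels with the ciphertext, so the RSA operation on the sender's side is a public-key one (fast in software) and the only private-key operation is the unwrap, which is the part worth keeping in the HSM.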
