topic Re: Object policy issue on SE050 in Secure Authentication

Object policy issue on SE050

Exocet — Mon, 04 Oct 2021 17:31:50 GMT

I`m trying to implement a very simple use case with SE050. The secure element administrator must create a set of keys that must not be overwritten or deleted. The normal user could use the key only under the policy rules.

No matter how I create the policy, the Sign/Verify can still be performed despite assigning a special singing deny policy.

I`m using Auth Obj ID as 0 because I want the policy to be applied for all users.

I have a few questions:
1. Is it possible to create an object(asymkey or binary file) with special policy for signing/encryption for example? How?

2. How would a policy assigned to an object be different for multiple users ? Normal user canot delete an object, only the super user could delete the object.
3. How to perform authentication to the Administrator and then as normal user ? For example "ssscli connect se05x vcom COM4 --auth_type UserID" seem generic and misleading.

Please find below the ssscli commands. I have run the execute se05x_Delete_and_test_provision.exe before. Do you encounter a similar issue, or this needs a different approach?

Thanks!

ssscli connect se05x vcom COM4
ssscli policy asymkey nosign 0 --sign 0 --verify 0

ssscli policy dump nosign

Created object policy:

Key_type : Asymmetric_Key
Auth Obj ID : 0x0
Sign : False
Verify : False
Encrypt : True
Decrypt : True
Key Derive : True
Wrap : True
Generate : True
Write : True
Read : True
Import Export : True
Key Agreement : True
Attestation : True
forbid_derived_output : False

Policy in hex:

08 00 00 00 00 07 F8 10 00

ssscli connect se05x vcom COM4
ssscli generate rsa 0x400 2048 --policy_name nosign

echo 122>>in.txt
ssscli sign 0x400 in.txt out.txt

c:\Projects\Se050_Middleware\SE-PLUG-TRUST-MW _v3_3_0\simw-top\binaries\PCWindows\ssscli>ssscli generate rsa 400 2048 --policy_name nosign
Reading policy from file path:
c:\Projects\Se050_Middleware\SE-PLUG-TRUST-MW _v3_3_0\simw-top\binaries\PCWindows\ssscli\policy\ssscli_obj_policy_nosign.pkl
Generating RSA Key Pair at KeyID = 0x00000400, bits=2048
Opening COM Port 'COM4'
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is with UserID (But Plain).
sss :WARN :!!!Not recommended for production use.!!!
Generated RSA Key Pair at KeyID = 0x00000400

c:\Projects\Se050_Middleware\SE-PLUG-TRUST-MW _v3_3_0\simw-top\binaries\PCWindows\ssscli>ssscli sign 0x400 in.txt out.txt
Opening COM Port 'COM4'
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is with UserID (But Plain).
sss :WARN :!!!Not recommended for production use.!!!
Signed from KeyID = 0x00000400 <--- successfull, but it should not be ?!

Re: Object policy issue on SE050

Kan_Li — Wed, 20 Oct 2021 03:13:37 GMT

Hi @Exocet ,

Please kindly have my comments as below:

1. Is it possible to create an object(asymkey or binary file) with special policy for signing/encryption for example? How?

- Yes, it is possible. Create a policy allowing for sign/encryption and then attach it to the object.

2. How would a policy assigned to an object be different for multiple users ? Normal user canot delete an object, only the super user could delete the object.

- By default POLICY_OBJ_ALLOW_DELETE is always enabled, but any policy specified for some Auth ID would override the default policy, so if you create a policy without allowing delete and related to some specific Auth ID , for example, some UserID, then only users perform a successful UserID authentication can access&delete the objects attached with this policy.

3. How to perform authentication to the Administrator and then as normal user ? For example "ssscli connect se05x vcom COM4 --auth_type UserID" seem generic and misleading.

- The example establishes a UserID session , so you have to disconnect from this session at first, then connect again with auth_type None.

In your example, the policy just specifies auth ID none, you may understand it is for normal user, while the session you built is based on UserID authentication, so it would not take effect.

Hope that makes senses,

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

Re: Object policy issue on SE050

Exocet — Wed, 20 Oct 2021 11:46:29 GMT

Hi @Kan

Thank you for yout time answering my questions.

The problem with the above ssscli commands was that RSA Sign and Verify end up using encrypt() and decrypt() methods. So even if you forbid sign and verify you will be able to perform such operations.

The same test for ECC key type works as expected.

Still I have 3 questions:

1. Given the example:

Step 1: Login with UserID 0x7AFFFFFF

Step 2: Create Object (0x100) with Policy POLICY_OBJ_ALLOW_DELETE, POLICY_OBJ_ALLOW_SIGN, POLICY_OBJ_ALLOW_VERIFY

Step 3 : Relogin with auth_id None

Step 4: Can I use object 0x100 to sign and verify but not delete the object ?

Please clarify how to implement this scenario.

2. How can we pass the UserID value when using the ssscli ? Like the below API call in which we provide the kEX_SSS_ObjID_UserID_Auth parameter:

sw_status = Se05x_API_CreateSession(&pSession->s_ctx, kEX_SSS_ObjID_UserID_Auth, userid1_value, &sess_len)

3. Is there a non invasive way to get the policy information for an object (in the current authenticated user context or even None) ?

For example, I don`t want to delete an object, to discover that it can be deleted.

I saw the Read_with_Attestation sample, but is there another simpler way besides creating another ECC key for the attested object? Can you post a sample with this feature.

The ssscli policy dump command only reads the policy from the local file, not from the SE.

Thanks!

Re: Object policy issue on SE050

Kan_Li — Thu, 28 Oct 2021 07:03:26 GMT

Hi @Exocet ,

What is the auth id for Object (0x100)? If it is the UserID 0x7AFFFFFF, I don't think you can access this object in the default session.

Have a great day,
Kan