Hi @CristianeBP,
In Plug&Trust we have no such support of HMAC for the OpenSSL engine or for the provider. This forwarding would need to be implemented, and can be done by the customer for sure. The reference key concept could be used there as well, although on asymmetric keys the key characteristics make it easier to clearly tell that a given key cannot be a normal key but needs to be a reference key instead. On symmetric HMAC keys all key values are equally possible, so a reference key cannot be differentiated from a normal key with absolute 100% certainty. But the chance is most likely negligibly small.
In case the application always works with HMAC reference keys, that would not be an issue, because then no differentiation needs to be done. Concretely: if the engine gets loaded, all HMAC keys are "reference keys"; if it is not loaded, all HMAC keys are normal SW keys.
Hope that makes sense,
Have a great day,
Kan