SmartCard-HSM File Encryption

The Key Manager can be used to encrypt and decrypt files using a SmartCard-HSM.

Note: The current implementation is a proof of concept and is not meant for production use. It was created to review the algorithms and the file format. In particular, it is not suitable for encrypting large files, because the complete file content is read into memory. Use with care.

Operating Modes

The file encryption mechanism allows you to encrypt and decrypt files using one of the following three methods:

  • Native - Encrypt and decrypt using an AES key on the device.
  • Derived - Encrypt and decrypt using an AES key derived from an AES key on the device.
  • Hybrid - Encrypt and decrypt using an AES key resulting from a key agreement with an EC key pair.

The Native variant performs the encryption and decryption inside the SmartCard-HSM and is therefore limited by the AES performance of the chip. The SmartCard-HSM can typically encrypt 5 kB per second in contact mode and 10 kB per second when used in a contactless reader.

The Derived variant encrypts in memory and is only limited by the processing power of the host. The encryption key is derived from the AES key in the SmartCard-HSM.

The Hybrid variant is a hybrid scheme based on ECDH key agreement, where the SmartCard-HSM is only needed for decryption. The sender only needs the recipient's public key to encrypt the file.

Generating Keys

For Native and Derived mode you need to generate an AES key supporting algorithms CBC_ENC, CBC_DEC and CMAC.

Create AES Key

For Hybrid mode an EC key pair must be generated supporting the ECDH algorithm.

Create EC Key Pair

The public key must be exported to a file and transmitted to the sender.

Export Public Key

You can of course generate the keys in a Key Domain to create a backup or for distribution.

Using Native and Derived Mode

The encryption and decryption operation is available in the context menu of the AES key.

Select Encrypt Decrypt

After selecting Encrypt you are prompted to select the mode.

Select Mode

You can then select the file you want to encrypt.

Select Input File

The proposed file name for the encrypted file is the input file name with the extension .enc.

Select Output File

After pressing OK the file is encrypted and written to disk:

sc@calzone:~/tmp/fileenc$ cat plain.txt
The quick brown fox jumps over the leazy dog.
The quick brown fox jumps over the leazy dog.
The quick brown fox jumps over the leazy dog.
The quick brown fox jumps over the leazy dog.
The quick brown fox jumps over the leazy dog.
The quick brown fox jumps over the leazy dog.
The quick brown fox jumps over the leazy dog.
The quick brown fox jumps over the leazy dog.
The quick brown fox jumps over the leazy dog.
The quick brown fox jumps over the leazy dog.
asc@calzone:~/tmp/fileenc$ hexdump -C plain.txt.enc 
00000000  30 61 30 4d 06 0b 2b 06  01 04 01 81 c3 1f 04 06  |0a0M..+.........|
00000010  01 04 08 7d a6 b0 2b f8  f0 e1 94 04 20 af b0 fb  |...}..+..... ...|
00000020  e8 2d ef 88 20 55 d1 72  de 02 db aa b2 93 e8 8a  |.-.. U.r........|
00000030  e1 de 64 93 84 c2 7c c2  74 56 d9 4c 34 04 10 e7  |..d...|.tV.L4...|
00000040  ac ea e3 69 83 aa 45 b3  19 de a1 54 8a d0 3d 30  |...i..E....T..=0|
00000050  00 04 10 48 6e 3d 20 15  b0 cb 88 c8 80 ce 28 d7  |...Hn= .......(.|
00000060  7f a3 a8 00 9c 8e 53 6a  7a 83 0d 3e e1 40 34 4c  |......Sjz..>.@4L|
00000070  6d 97 cc 84 52 e9 cd 01  f7 b7 92 af 49 4e bc dd  |m...R.......IN..|
00000080  e4 d0 c8 01 be b9 76 d4  6b 69 7a 8d 25 da c0 cd  |......v.kiz.%...|
00000090  20 3d 22 05 e0 7e 3f a5  5e c5 b9 a6 b8 14 eb 60  | ="..~?.^......`|
000000a0  cb ae ab d7 86 72 91 e4  a9 61 dc 67 5e 7a 01 34  |.....r...a.g^z.4|
000000b0  47 1b 69 c7 be fd 29 59  cb 96 45 22 2b ff 4f f2  |G.i...)Y..E"+.O.|
000000c0  c6 d7 ae 2d a0 72 34 b6  a4 02 7d 17 05 98 7b 02  |...-.r4...}...{.|
000000d0  a7 fa aa 34 ce 5a 92 3b  c2 a9 91 18 10 c6 b5 07  |...4.Z.;........|
000000e0  5f 2f bf 48 5a f4 b9 b7  b3 b1 64 87 e1 ca 2c dc  |_/.HZ.....d...,.|
000000f0  ce 1e f4 75 bc 99 c3 c9  39 c8 ce 0c 2b 53 e1 62  |...u....9...+S.b|
00000100  5d 22 21 c0 94 fe 4f 53  c8 62 d0 fc 88 91 09 0e  |]"!...OS.b......|
00000110  ed 90 b0 78 86 ae b7 fd  69 ec 38 0c d6 71 20 2f  |...x....i.8..q /|
00000120  72 bd 5a c2 c5 87 b8 12  2c eb 3c d4 83 a3 75 f4  |r.Z.....,.<...u.|
00000130  86 d6 2b a2 73 83 54 a3  57 7e cf 61 e9 3a f1 8d  |..+.s.T.W~.a.:..|
00000140  87 c3 7c 80 e1 7f 90 4b  83 21 8b 93 a1 08 30 23  |..|....K.!....0#|
00000150  57 29 95 cf ab 59 6d 62  63 ad ba 6d 33 b1 0d 27  |W)...Ymbc..m3..'|
00000160  93 f2 d2 c1 a2 1f bb 81  b2 b4 12 a6 d0 5f a5 94  |............._..|
00000170  f1 be 48 32 89 3e e4 13  e1 19 ae 39 9b d3 f5 b3  |..H2.>.....9....|
00000180  f8 8b 4e db 3c 22 ac 2e  be f8 d7 29 ce 2d a6 f5  |..N.<".....).-..|
00000190  e0 41 14 ad 57 04 aa 61  80 31 5f 38 7a 72 e6 b2  |.A..W..a.1_8zr..|
000001a0  c6 fc 55 1c 7d ea 8c f3  bc 3f 4a 39 2e 69 7f 11  |..U.}....?J9.i..|
000001b0  19 6f 80 08 06 a2 e8 19  c3 27 82 b9 6d b5 80 69  |.o.......'..m..i|
000001c0  19 86 b2 09 73 f0 66 94  b3 7f 55 20 28 86 8d 5f  |....s.f...U (.._|
000001d0  f7 72 93 45 06 07 6d 5b  23 4a bb 16 5e 50 31 3c  |.r.E..m[#J..^P1<|
000001e0  ff 36 31 af 94 f6 44 5e  b9 b3 d5 7f 3e 63 8b d9  |.61...D^....>c..|
000001f0  79 79 28 35 4d 6f c9 db  f6 61 c2 9f 4c 83 3c 1c  |yy(5Mo...a..L.<.|
00000200  2d d9 c9 91 ba 80 fc 4c  b9 ff 88 4c 3c 3b 67 74  |-......L...L<;gt|
00000210  39 2e ea 59 28 f7 f8 c9  38 7b 6e 4b a3 eb 97 bd  |9..Y(...8{nK....|
00000220  82 a1 0b 98 92 9a 68 9e  cf 24 62 db ec f5 f6 66  |......h..$b....f|
00000230  57 ba bd                                          |W..|
00000233

The Decrypt option works the other way round: after selecting the name of the encrypted file and the file name for the result (here plain.txt_), the plain file content is recovered.

asc@calzone:~/tmp/fileenc$ cat plain.txt_
The quick brown fox jumps over the leazy dog.
The quick brown fox jumps over the leazy dog.
The quick brown fox jumps over the leazy dog.
The quick brown fox jumps over the leazy dog.
The quick brown fox jumps over the leazy dog.
The quick brown fox jumps over the leazy dog.
The quick brown fox jumps over the leazy dog.
The quick brown fox jumps over the leazy dog.
The quick brown fox jumps over the leazy dog.
The quick brown fox jumps over the leazy dog.

Using Hybrid Mode

To encrypt a file in Hybrid mode, run the encrypt-file.js script from the tools directory.

Select Output File

The script prompts you to select the file containing the recipient's public key.

Select Public Key

In the next two steps you are prompted to select a file to encrypt and the output file name.

The resulting encrypted file can only be decrypted with the recipient's private EC key.

To decrypt, first select Decrypt from the context menu of the private EC key.

Select Private Key

After selecting the name of the encrypted file and defining the output file name, the decryption is performed.

File Format

The encrypted file contains an ASN.1 DER encoded header followed by the encrypted payload.

An AES key K.ENC is used to encrypt the plain input in CBC mode with a random IV and ISO padding. ISO padding appends one '80' byte and the required number of '00' bytes to complete the last block. The padding is removed during decryption.

The encrypted payload is protected by a SHA-256 hash that is contained in the header. The header is protected by an AES CMAC calculated with K.MAC.

In Direct (Native) mode K.ENC and K.MAC are both the AES key in the SmartCard-HSM. In Derived mode K.ENC is derived from the AES key in the SmartCard-HSM, while K.MAC is again the key itself. In Hybrid mode K.ENC and K.MAC are derived from the static EC key pair of the receiver and the ephemeral EC key pair of the sender.

In Derived mode K.ENC is derived from the AES key in the SmartCard-HSM using the CMAC-based Key Derivation Function in Counter Mode as specified in NIST SP 800-108.

In Hybrid mode K.ENC and K.MAC are derived from the ECDH shared secret using the one-step KDF with SHA-256 (Option 1) as defined in NIST SP 800-56C.

Header Format

The header is encoded using ASN.1 in DER encoding.

EncryptionHeader SEQUENCE SIZE( 97 )
  tbs SEQUENCE SIZE( 77 )
    oid OBJECT IDENTIFIER = { 1 3 6 1 4 1 24991 4 6 1 }
    keyId OCTET-STRING SIZE( 8 )
      0000  7D A6 B0 2B F8 F0 E1 94                          }..+....
    hash OCTET-STRING SIZE( 32 )
      0000  AF B0 FB E8 2D EF 88 20 55 D1 72 DE 02 DB AA B2  ....-.. U.r.....
      0010  93 E8 8A E1 DE 64 93 84 C2 7C C2 74 56 D9 4C 34  .....d...|.tV.L4
    iv OCTET-STRING SIZE( 16 )
      0000  E7 AC EA E3 69 83 AA 45 B3 19 DE A1 54 8A D0 3D  ....i..E....T..=
    extensions SEQUENCE SIZE( 0 )
  mac OCTET-STRING SIZE( 16 )
    0000  48 6E 3D 20 15 B0 CB 88 C8 80 CE 28 D7 7F A3 A8  Hn= .......(....

  • tbs is the part of the header protected by the mac.
  • oid identifies the file format and the mode (the last arc is 1 for Direct, 2 for Derived and 3 for Hybrid).
  • keyId is the key identifier of the AES key or the Subject Public Key Identifier of the receiver's EC public key.
  • hash contains the SHA-256 over the encrypted payload.
  • iv is the randomly generated initialization vector for encryption. In Derived mode it is also used as the context parameter in the K.ENC derivation.
  • extensions allows further extensions to be included.

In Hybrid mode the header additionally contains the Subject Public Key Info of the sender's ephemeral EC public key.

EncryptionHeader SEQUENCE SIZE( 204 )
  tbs SEQUENCE SIZE( 183 )
    oid OBJECT IDENTIFIER = { 1 3 6 1 4 1 24991 4 6 3 }
    keyId OCTET-STRING SIZE( 20 )
      0000  EB 70 8C 69 4D 74 6E ED 6F C7 A2 B5 FA 5F 15 92  .p.iMtn.o...._..
      0010  84 40 32 44                                      .@2D
    hash OCTET-STRING SIZE( 32 )
      0000  EC 1A BE D6 34 86 57 FD 9F C3 B0 A1 68 B6 DB 12  ....4.W.....h...
      0010  83 8A 05 4E 89 2F 7D 98 48 8A 8C 8B 78 BB 96 BE  ...N./}.H...x...
    iv OCTET-STRING SIZE( 16 )
      0000  FE 20 C7 3F A6 C5 F7 C8 D5 AE 7E 59 BB 7F CC 9F  . .?......~Y....
    extensions SEQUENCE SIZE( 0 )
    senderPublicKey A0 [ CONTEXT 0 ] IMPLICIT SEQUENCE SIZE( 92 )
      subjectPublicKeyInfo SEQUENCE SIZE( 90 )
        algorithm SEQUENCE SIZE( 20 )
          algorithm OBJECT IDENTIFIER = { id-ecPublicKey }
          parameters OBJECT IDENTIFIER = { brainpoolP256r1 }
        subjectPublicKey BIT-STRING SIZE( 66 )
          0000  00 04 94 E8 AC 87 83 D8 EC E6 D8 12 64 DD F3 A6  ............d...
          0010  57 10 C1 01 4F 50 84 FC 0E 01 B2 13 DE F0 4E B4  W...OP........N.
          0020  67 C7 89 F2 7A 27 B9 71 B0 F4 39 70 2E 4B EB 8A  g...z'.q..9p.K..
          0030  50 F1 19 2D 96 DC 4F C5 01 74 4C 3D F7 B5 3A F2  P..-..O..tL=..:.
          0040  8B 13                                            ..
  mac OCTET-STRING SIZE( 16 )
    0000  A9 FF 12 55 1A 6E 0C 4B A4 10 24 44 E7 3F A9 A1  ...U.n.K..$D.?..

Implementation

A reference implementation can be found in the scsh/file/FileEncryptor module in the Smart Card Shell installation directory.