Unwrap key using javacard

Unwrapping keys in Java Card is done via the keyEncryption parameter (check the methods in the security package which do key modification). Key encryption is optional, and e.g. JCOP products don't support it.

The most convinient option is the transmission of key information via a GP secure channel. In case of the e.g. PUT KEY command the keys must be encrypted, independent of the the secure channel (authentication, C_MAC, C_ENC - the smart card OS decrypts it automatically and stores it in the CM key storage). You can encrypt any information via the CM encryption key (session key, don't forget the MAC) and use the GP API command to unwrap() the key. There is a drawback though: GP 2.1.1 supports only symmetric (3DES) encryption.

If your requirement is key encryption with RSA you need to program it by yourself in the applet.

lexdabeara at 2007-7-12 22:53:46 >

Not knowing exactly what the keywrapper does, I assume it's just a simplified way of using RSA (or some other asymmetric scheme) to transfer the keys.

The following procedure will give secure key transfer to the card:

1. Generate keypair on-card.

2. Transfer public key to the off-card software.

3. Encrypt any data (i.e. the key you wish to transfer to the card) to send.

4. Send encrypted data (key) to the card.

5. Decrypt on-card using the private key component of the keypair.

This, as you probably know already, will be secure as only the private key will be able to decrypt the message encrypted using the public key of the keypair.

Hope this answers your question.

Lillesanda at 2007-7-12 22:53:46 >