How to generate RSA, ECC and AES keys: pkcs11-tool is a command line tool to test functions and perform crypto operations using a PKCS#11 library in Linux. It always requires a local available working P11 module (.so in Linux or .DLL in Windows) and allows various cryptographic action. pkcs11tool is part of the OpenSC package.
This post is part of #CryptoCorner my contribution to open source cryptography and secure hardware key storage to reduce risks from misunderstood and unsecure implemented key management.
PKCS#11 is a standard interface to create symmetric and asymmetric keys and perform cryptographic operations. It is mainly used to access smart card type of key media or Hardware Security Modules (HSM). Today the interface is implemented in many different applications to use hardware cryptography. PKCS#11 based on the PKCS#11 (Cryptoki) specifications. The complete specifications are available at oasis-open.org.
$ openssl enc -aes-256-cbc -base64 -in message NOTE:Now here the command line will prompt you for secret key. Now if we want to store the encrpted message in some file we can use this command. $ openssl enc -aes-256-cbc -base64 -in message -out enc. # openssl genrsa -aes256 -out domain.key 4096. Or # openssl genrsa -aes256 -out domain.key 2048. Enter pass phrase for domain.key. Note: Write this down and make sure you keep it in a safe place or memorize it. Once you have typed your password, it will generate your private key. Generating a CSR Request for SSL Certificate.
Generate a RSA key on a key media using PKCS#11
Please see my previous and related posts how to compile a PKCS#11 library and configure OpenSC to use this cryptographic module.
To generate a key I am using SoftHSM2 version 2.6.1 with Cryptoki 2.40 implementation of PKCS11 as the PKCS#11 module and generate the key using OpenSC pkcs11-tool
Openssl Generate Aes 256 Key
In this example I did not use the parameter „–slot 1234567890“ to specify a slot, so the key is generated on the first available slot. Better you select the slot when you create a key.
C 2b 2b Openssl Generate Aes 256 Keyboard
Generate different ECC keys on a key media (smart card, token, HSM, SoftHSM) using PKCS#11
To generate a SECP r1 ECC key pair use the following command. The key length 384 can be changed according to the available ciphers.
If you want to generate a Koblitz k1 curve use the following command. Again you can change the key length 256 depending on the module supported key lengths.
Generate an AES key on smart card or HSM using PKCS#11
The generation of a AES key is quite simple as well. In this example I choose a specific slot on the media using option „–slot XXXXXXXX“:
In this example the „–id 256“ does not specify the AES-256 key length, it just defines an intern ID of the generated to you can use later to specify the key by ID. The AES key length is defined by aes:32 defining an AES length of 32 bytes equal to 32×8 bit = 256 bit. To generate a AES-128 bit key just use „–key-type aes-16“ or to create a AES-192 key use „–key-type aes:24“.
Where to find working PKCS#11 libraries?
The most common open source libraries are found here:
libsofthsm2.so – The PKCS#11 library of SoftHSM2 a popular software defines key store. You need to install or compile SoftHSM2 to get this library.
libykcs11.so – The Yubico PKCS#11 library for all YubiKey token with smart card PIV functionallity. Install and compile Yubico yubico-piv-tool.
Openssl Create Aes 256 Key
opensc-pkcs11.so – The popular OpenSC PKCS#11 library supporting many smart cards and PKI token. Install or compile opensc to use this software interface.