DEVHIDE
Login Or Sign up

PKCS#11: Encryption of multiple plaintext

539 Views Asked by At

I want to encrypt a large number of plaintext using PKCS#11 and SafeNet HSM devices. It will take a long time when I encrypt each plaintext one by one.

So It came to my mind if there are any methods in PKCS#11 which can encrypt several data at once?

I've found the below sample for encryption of multiple-part data in SafeNet C Programming manual which is using PKCS #11 APIs.

/* read, encrypt, digest and write the cipher text in chunks
*/ totbw = 0;
for ( ;; ) {
    br = fread(buffer, 1, sizeof(buffer), ifp);
    if ( br == 0 )
        break;
    
    /* digest */

    /* encrypt */
    curLen = sizeof(encbuffer);
    rv = C_EncryptUpdate(hrSession, buffer, (CK_SIZE)br, encbuffer, &curLen);
    CHECK_RV(FN "C_EncryptUpdate", rv);
    if (rv) return 1;
    
    /* write cipher text */
    br = fwrite(encbuffer, 1, (int)curLen, ofp);
    totbw += br;
}

It is mentioned in that manual:

For the encryption, we use C_EncryptUpdate, which continues a multiple-part encryption operation, processing another data part.

I want to know if this method can be used for encrypting multiple plaintexts at once or it will consider all buffer elements just as blocks of the same input data?

I'm looking for a solution which can encrypt multiple plaintexts but consider them as seperate item (not as blocks of a big single item).

encryption pkcs#11 hsm safenet
Original Q&A
2

There are 2 best solutions below

12
On

It will consider all data as blocks of one input. It is for encrypting data as as stream. So if you think you can use it to parallelize your encryption process, you are wrong.

BTW, what mechanism do your use for your encryption? Don't tell me you are just using a asymmetric algorithm (such as RSA) directly. If you do, that's why your encryption process is very slow.

Update:

Off top of my head, you can try something like this:

1-Genrate a random number using C_GenerateRandom.
2-Encrypt this random using HSM.
3-Use this encrypted random to encrypt your data locally.
4-Send encrypted data and non-encrypted random number to other side.

Other side can encrypt received random to reach encryption key and decrypt received encrypted data.

I should say that this is a 30 sec design and it should consider other critical parts (like timestamp). But I wanted to show how it can be done without overusing your HSM card.

0
On

I have this solution for you, this are two parts:

    1. encrypt in your hardware. this should resolved whit threads in JAVA.
    1. Use the Salt Concept by HSM only one time in your encrypt program.

------- in your hardware (# CP´s) Run a Program to Cipher Whit AES256 ----- but Using HSM for take a token or a numberRandom, this will be our SALT.

    import java.io.Serializable;
    import java.nio.charset.StandardCharsets;
    import java.security.spec.KeySpec;
    import java.util.Base64;
    import javax.crypto.Cipher;
    import javax.crypto.SecretKey;
    import javax.crypto.SecretKeyFactory;
    import javax.crypto.spec.IvParameterSpec;
    import javax.crypto.spec.PBEKeySpec;
    import javax.crypto.spec.SecretKeySpec;

    public class Encrypt implements Serializable {

        private static final String secretKeyAES = "My_Long_bytes_to_cipher";
        private static final String saltAES = "My_Salt_only_one_time_for_20M_ByHMS_Random";

        public Encrypt() {
}

public String getAES(String data) {
    try {
        byte[] iv = new byte[16];
        IvParameterSpec ivParameterSpec = new IvParameterSpec(iv);
        SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        KeySpec keySpec = new PBEKeySpec(secretKeyAES.toCharArray(), saltAES.getBytes(), 65536, 256);
        SecretKey secretKeyTemp = secretKeyFactory.generateSecret(keySpec);
        SecretKeySpec secretKey = new SecretKeySpec(secretKeyTemp.getEncoded(), "AES");
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, secretKey, ivParameterSpec);
        return Base64.getEncoder().encodeToString(cipher.doFinal(data.getBytes("UTF-8")));
    } catch (Exception e) {
        e.printStackTrace();
    }
    return null;
}

public String getAESDecrypt(String data) {
    byte[] iv = new byte[16];
    try {
        IvParameterSpec ivParameterSpec = new IvParameterSpec(iv);
        SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        KeySpec keySpec = new PBEKeySpec(secretKeyAES.toCharArray(), saltAES.getBytes(), 65536, 256);
        SecretKey secretKeyTemp = secretKeyFactory.generateSecret(keySpec);
        SecretKeySpec secretKey = new SecretKeySpec(secretKeyTemp.getEncoded(), "AES");
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, secretKey, ivParameterSpec);
        return new String(cipher.doFinal(Base64.getDecoder().decode(data)));
    } catch (Exception e) {
        e.printStackTrace();
    }
    return null;
}
    }

-----this answer resolve HSM petitions, but now you should resolve whit petitions in JAVA.

the most processing would be done on the CPU side

Related Questions in ENCRYPTION

Related Questions in PKCS#11

Related Questions in HSM

Related Questions in SAFENET

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.