How to get a key with JCA / JCE and with HSM

I have a master key in an HSM, and I want to get it with the given diversifier. I am completely new to JCA / JCE, and am a little lost with KeyGenerator, SecretKeyFactory, ... especially since all parameters are strings. I want to use AES or HmacSha1. It seems I need to use SecretKeyFactory and provide a KeySpec. But what type of KeySpec?

(I saw a post on this topic, but I did not think that HSM was used.)

Thanks.

1 answer

You can get the key using:

To use HSM from the JCA / JCE API, you need to add the appropriate provider to the JCA / JCE API, and then specify the provider parameter to request a specific provider implementation.

For instance:

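    import java.security.Key;
    import java.security.Provider;
    import java.security.Security;
    import javax.crypto.Cipher;
    import javax.crypto.KeyGenerator;

    int slot = 0;
    // Register the HSM provider for this slot
    Provider provider = new au.com.safenet.crypto.provider.SAFENETProvider(slot);
    Security.addProvider(provider);
    final String PROVIDER = provider.getName(); // "SAFENET", "SAFENET.1", ...

    KeyGenerator keyGen = KeyGenerator.getInstance("DESede", PROVIDER);
    Key baseKey = keyGen.generateKey();

    // Encrypt the diversification data under the base key
    Cipher desCipher = Cipher.getInstance("DESede/CBC/PKCS5Padding", PROVIDER);
    desCipher.init(Cipher.ENCRYPT_MODE, baseKey);
    byte[] derived = desCipher.doFinal("diversification data".getBytes());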

Please note that if you need to do key derivations very often, you can use the PKCS #11 provider shell for Java (for example, jcprov from SafeNet) or other APIs so that you can talk more about session management and use resources more efficiently.

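As an added example (not part of the original answer and not SafeNet's code): deriving a per-diversifier AES key with HmacSHA1 through the standard JCA `Mac` API, the other algorithm the question mentions. The master key below is a constructed software key standing in for the HSM key object, passing `null` as the provider selects the JDK default so the code runs without an HSM, and the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public class DiversifyKey {

    /**
     * Derived key = first 16 bytes of HMAC-SHA1(masterKey, diversifier).
     * The MAC is computed by the given provider, so a master key held by an
     * HSM provider is only used by reference. The derived bytes are returned
     * to host memory, so the diversified key is NOT HSM-protected.
     */
    static SecretKey derive(SecretKey masterKey, byte[] diversifier, Provider provider)
            throws GeneralSecurityException {
        Mac mac = (provider == null)
                ? Mac.getInstance("HmacSHA1")            // JDK default provider
                : Mac.getInstance("HmacSHA1", provider); // e.g. the HSM provider
        mac.init(masterKey);
        byte[] tag = mac.doFinal(diversifier);           // 20-byte HMAC-SHA1 output
        try {
            // SecretKeySpec copies the range, so the temporary can be wiped.
            return new SecretKeySpec(tag, 0, 16, "AES");
        } finally {
            Arrays.fill(tag, (byte) 0);
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed stand-in. With an HSM this would be the key object
        // obtained from the provider (for example via its KeyStore).
        SecretKey master = new SecretKeySpec(
                "constructed-demo-master-key".getBytes(StandardCharsets.UTF_8), "HmacSHA1");

        byte[] card1 = "card-0001".getBytes(StandardCharsets.UTF_8);
        byte[] card2 = "card-0002".getBytes(StandardCharsets.UTF_8);

        SecretKey k1 = derive(master, card1, null);
        SecretKey k1Again = derive(master, card1, null);
        SecretKey k2 = derive(master, card2, null);

        // HMAC is deterministic: same diversifier, same key; different diversifier, different key.
        System.out.println("repeatable: " + Arrays.equals(k1.getEncoded(), k1Again.getEncoded()));
        System.out.println("distinct:   " + !Arrays.equals(k1.getEncoded(), k2.getEncoded()));
    }
}
```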

Source: https://habr.com/ru/post/1204341/

