Hardware Security module / Crypto Accelerator

I think this is a very interesting topic, I have just started to learn this, But as I am going through this I have found couple of links as well as documents which are really interesting. These articles talk about openssl, Hardware Security module, SSL Accelerator and information about provider companies

  1. Blog post : http://jadickinson.co.uk/2007/11/02/using-hardware-security-modules/
  2. Article on HSM, http://nlnetlabs.nl/downloads/publications/hsm/hsm.pdf
  3. Wiki http://en.wikipedia.org/wiki/SSL_acceleration
  4. Wiki http://en.wikipedia.org/wiki/Hardware_Security_Module
  5. SSL programming tutorial http://h71000.www7.hp.com/doc/83final/BA554_90007/ch04s03.html
  6. VIA PadLock support for Linux http://www.logix.cz/michal/devel/padlock/
  7. Something from safenet http://www.safenet-inc.com/products/pki/psGold_API.asp

I will write about my findings, An how to do , Short cut of course. But let me look in to it more carefully. Thanks to Jad.

One Way Hash functions — OpenSSL

Hash or Fingerprint generation functions are always an interesting Chapter in Cryptography as they are the basics of the most cryptographic protocols.
Definition for a Cryptographic Hash Functions
Let us consider that M is the message and h is it’s hash value after applying the hash function H. Or, it can be stated mathematically as: H (M) :=h. Where H will also satisfy the following characteristics.
  1. Given M, it is easy to compute h
  2. Given h, it is hard to compute M such that H(M) = h
  3. Given M, it is hard to find another messag, M1 , such that H(M) = H(M1)

SHA-*, MD* and RIPEMD-* are the most popular Hash functions. OpenSSL provides both generic APIs to these Hash functions also provides direct APIs. Accessing through generic API (the EVP) is preferred.

Now let us first use the Hash APIs from OpenSSL and generate fingerprint or calculate hash value. The alorithm, that we will use, is MD5. MD5 (MD stands for Message Digest ) is One way hash algorithm from Ron Rivest. There are test vectors in MD5 RFC, which we can use to calculate (or validate) the hash values. The following figure shows the process of calculation MD5 hash using OpenSSL :-OpenSSL - Using Message Digest APIs

Below is an example to calculate message digest using MD5 algorithm.

Code Snippet :



#include <stdio.h>
#include <string.h>
#include <openssl/evp.h>

int main(int argc, char *argv[  ]) {

	int i,j;
	const int	totalTestVectors = 7;
	The ouput length for the claculated
	digest. This will be fixed for a parti-
	cular Hash algorithm and will very algo-
	rithm to algorithm.
	unsigned int	outputLength;
	The Message Digest Context object, which
	will hold the intermediate state.
	EVP_MD_CTX    messageDigestContext;

	The buffer to store message digest after
	computing. 64 bytes is enough for any hash
	function. For MD5 128/8 would be fine as
	MD5 has 128 bit output length.
	Someone can directly use the 128/8 as
	the size but if you change the Hash
	algorithm, for example SHA1,has 160 bit
	output, the length need to be changed to
	160/8 bytes.

	unsigned char messageDigest[EVP_MAX_MD_SIZE];

	Hashes will be calculated for the following strings.
	These strings are from the MD5 RFC.
	const char *strMessages[] = 
	{	"", // Input String : 1
		"a", // Input String : 2
		"abc",// Input String : 3
		"message digest",// Input String : 4
		"abcdefghijklmnopqrstuvwxyz",// Input String : 5
		"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",// Input String : 6
		"12345678901234567890123456789012345678901234567890123456789012345678901234567890"// Input String : 7
	For each Input string the Expected Output are (from RFC,
	this is to make sure that, this implementation is not bogus):
	1: d41d8cd98f00b204e9800998ecf8427e
	2: 0cc175b9c0f1b6a831c399e269772661
	3: 900150983cd24fb0d6963f7d28e17f72
	4: f96b697d7cb7938d525a2f31aaf161d0
	5: f96b697d7cb7938d525a2f31aaf161d0
	6: d174ab98d277d9f5a5611c2c9f419d9f
	7: 57edf4a22be3c955ac49da2e2107b67a
	Initialize the Message Digest Context
	Calculate Message Digest
	//EVP_DigestInit(&amp;amp;amp;messageDigestContext, EVP_md5());
	for (j=0; j < totalTestVectors; j++)
		EVP_DigestInit(&messageDigestContext, EVP_md5()); // for SHA1 use EVP_sha1()
		EVP_DigestUpdate(&messageDigestContext, strMessages[j], strlen(strMessages[j]));
		EVP_DigestFinal(&messageDigestContext, messageDigest, &outputLength);
		printf("Test Vector : \"%s\" \n, Digest : = \"",strMessages[j]);
		for (i = 0;  i < outputLength;  i++) printf("%02x", messageDigest[i]);
	return 0;

The above code work fine on windows or Linux but you should have already openssl libs with you or you can download it.

Tips : Using openssl to extract private key ( .pem file) from .pfx (Personal Information Exchange)

PFX : PFX defines a file format commonly used to store private with accompanying public key certificates, protected with a password-based symmetric key (standard-PKCS12).
PEM : Openssl usages PEM (Privacy Enhanced Mail Certificate) to store the private key.
If you have the openssl then go to command promt and run the following commands (If not, download it from openssl, you can either download binary or source and then compile).

If you want to extract private key from a pfx file and write it to PEM file
>>openssl.exe pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem
If you want to extract the certificate file (the signed public key) from the pfx file
>>openssl.exe pkcs12 -in publicAndprivate.pfx -clcerts -nokeys -out publicCert.pem
To remove the password from the private key file.
>> openssl.exe rsa -in privateKey.pem -out private.pem
This is required as, at the time of exporting privateKey, you have added a password to the private key to secure it. If you left the password with it, it will keep asking the password as any application tries to access it.