iKey 2000 Decrypt problem

Hi !

I'm having a problem during decryption with the private key of a X509 certificate that is on a SafeNet Rainbow iKey 2000.

A BadPaddingException is raised when i decrypt previously encrypted data and an InvalidKeyException when i unwrap a previously wrapped symmetric key.

However the access of private key seems to be good because i can sign data with the same key and verification works.

Two examples :

1) Encryption/Decryption example

Code : certs[0] is a X509Certificate on the iKey 2000

String alias = ks.getCertificateAlias(certs[0]);
RSAPublicKey pubKey=(RSAPublicKey)certs[0].getPublicKey();
RSAPrivateKey key = (RSAPrivateKey) ks.getKey(alias, null);
KeyGenerator keyGen=KeyGenerator.getInstance("DESEDE", "BC");
SecureRandom rand=new SecureRandom();
keyGen.init(rand);
SecretKey encKey = keyGen.generateKey();
byte[] encKeyTab=encKey.getEncoded();
String encKeyStr="Secret Key ("+encKeyTab.length+") = ";
for(int i=0;i<encKeyTab.length;i++){
encKeyStr=encKeyStr+Integer.toHexString(encKeyTab[i] & 0xFF)+" ";
}
System.out.println(encKeyStr);
Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding", "JCAPI");
c.init(Cipher.ENCRYPT_MODE, pubKey, rand);
byte[] cryptEncKeyTab=c.doFinal(encKeyTab);
String cryptEncKeyStr="Crypted Secret Key("+cryptEncKeyTab.length+")= ";
for(int i=0;i<cryptEncKeyTab.length;i++){
cryptEncKeyStr=cryptEncKeyStr+Integer.toHexString(cryptEncKeyTab[i] & 0xFF)+" ";
}
System.out.println(cryptEncKeyStr);
c.init(Cipher.DECRYPT_MODE, key, rand);
byte[] decryptEncKeyTab=c.doFinal(cryptEncKeyTab);
String decryptEncKeyStr="Decrypted Secret Key("+decryptEncKeyTab.length+") = ";
for(int i=0;i<decryptEncKeyTab.length;i++){
decryptEncKeyStr=decryptEncKeyStr+Integer.toHexString(decryptEncKeyTab[i] & 0xFF)+" ";
}
System.out.println(decryptEncKeyStr);

The result is :

Secret Key (24) = 1c 34 25 b0 f4 6e 2 ea d 94 8c 6d b6 6e ec 62 1c 34 25 b0 f4 6e 2 ea
Crypted Secret Key (128 ) = 43 1b 4 9e 15 97 3f 91 3f 96 a4 5c 44 3d cb 26 36 b7 5d 4e ca 9 78 30 20 2a c7 e3 42 8a f9 5e fe 73 a0 6a b4 d6 77 a3 bc 44 c4 90 39 d8 16 bb fd 55 d9 b5 9a a5 6d c9 f0 fd af da 93 70 bf 6d d2 b5 34 5 a4 c4 24 16 b0 3c 5b 7b be 7b 61 81 bd 25 82 be 49 34 33 46 5c 34 65 cd 11 45 be 0 50 46 20 9a 21 81 8b 6d bf 53 a 6f 41 77 3d 44 e 8e 54 4d 69 82 65 52 75 b5 88 cd f8 f5 15 20
javax.crypto.BadPaddingException: Decryption failed.
Exception raised in JCAPI.DLL:
JCAPICipher_decrypt() - Could not decrypt data.
Error code: 0x80090003
at com.pheox.jcapi.d.a(Unknown Source)
at com.pheox.jcapi.JCAPICipher.engineDoFinal(Unknown Source)
at javax.crypto.Cipher.doFinal(DashoA13*..)
at webcrypt.process.Kernel.crypt(Kernel.java:370)
at webcrypt.process.Kernel.traite(Kernel.java:285)
at webcrypt.ui.MainPanel$Task.doInBackground(MainPanel.java:248 )
at webcrypt.ui.MainPanel$Task.doInBackground(MainPanel.java:235)
at javax.swing.SwingWorker$1.call(Unknown Source)
at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at javax.swing.SwingWorker.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

2) Wrap/Unwrap example

Code :

String alias = ks.getCertificateAlias(certs[0]);
RSAPublicKey pubKey=(RSAPublicKey)certs[0].getPublicKey();
RSAPrivateKey key = (RSAPrivateKey) ks.getKey(alias, null);
KeyGenerator keyGen=KeyGenerator.getInstance("DESEDE", "BC");
SecureRandom rand=new SecureRandom();
keyGen.init(rand);
SecretKey encKey = keyGen.generateKey();
byte[] encKeyTab=encKey.getEncoded();
String encKeyStr="Secret Key ("+encKeyTab.length+") = ";
for(int i=0;i<encKeyTab.length;i++){
encKeyStr=encKeyStr+Integer.toHexString(encKeyTab[i] & 0xFF)+" ";
}
System.out.println(encKeyStr);
Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding", "JCAPI");
c.init(Cipher.WRAP_MODE, pubKey, rand);
byte[] wrapEncKeyTab=c.wrap(encKey);
String wrapEncKeyStr="Wrap Secret Key ("+wrapEncKeyTab.length+")= ";
for(int i=0;i<wrapEncKeyTab.length;i++){
wrapEncKeyStr=wrapEncKeyStr+Integer.toHexString(wrapEncKeyTab[i] & 0xFF)+" ";
}
System.out.println(wrapEncKeyStr);
c.init(Cipher.UNWRAP_MODE, key, rand);
SecretKey secKey=(SecretKey)c.unwrap(wrapEncKeyTab, "DESEDE", Cipher.SECRET_KEY);
byte[] unwrapEncKeyTab=secKey.getEncoded();
String unwrapEncKeyStr="Unwrap Secret Key ("+unwrapEncKeyTab.length+") = ";
for(int i=0;i<unwrapEncKeyTab.length;i++){
unwrapEncKeyStr=unwrapEncKeyStr+Integer.toHexString(unwrapEncKeyTab[i] & 0xFF)+" ";
}
System.out.println(unwrapEncKeyStr);

The result is :

Secret Key (24) = 9e 94 20 43 8f 23 fd 79 d0 40 4 ce 67 c8 4c 8 9e 94 20 43 8f 23 fd 79
Wrap Secret Key (128 ) = 2 5 61 e0 8d 72 7 ee 56 ee 7f 85 bd c9 2b f7 4e a4 2f b5 92 d3 84 c5 f3 7a 30 ee c9 d 5d 37 58 88 e7 3e bc 4c e1 5d aa 9e 7f 7a a0 a8 89 3f 49 ff 1c 51 88 cc c5 91 6b fa 33 7c fa b1 6 90 de d7 3f 99 66 29 fe c9 0 48 58 85 ac 65 d1 c2 a7 7f 46 e4 6f 1f 3d 79 af 85 a7 c2 a5 30 7b b d0 73 59 f f4 53 19 f5 aa 66 df dc 97 fa 98 12 ba fd 9e 51 37 2a fa 77 23 b0 bf bc 86 e1 56 c8
java.security.InvalidKeyException: Decryption failed.
Exception raised in JCAPI.DLL:
JCAPICipher_decrypt() - Could not decrypt data.
Error code: 0x80090003
at com.pheox.jcapi.d.a(Unknown Source)
at com.pheox.jcapi.JCAPICipher.engineUnwrap(Unknown Source)
at javax.crypto.Cipher.unwrap(DashoA13*..)
at webcrypt.process.Kernel.crypt(Kernel.java:362)
at webcrypt.process.Kernel.traite(Kernel.java:285)
at webcrypt.ui.MainPanel$Task.doInBackground(MainPanel.java:248 )
at webcrypt.ui.MainPanel$Task.doInBackground(MainPanel.java:235)
at javax.swing.SwingWorker$1.call(Unknown Source)
at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at javax.swing.SwingWorker.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

I'have tried to set key as exportable to change CSP to Datakey's one (actually Microsoft Enhanced Provider is used), or to set the PKCS11 support of the ikey 2000 with no effects.

I'm working on Windows XP Pro SP 3
with JCAPI 1.2.4 and Internet Explorer 7 for viewing the applets

Pleas help me !

Igor.>

Hi Igor,

The error code you encounter indicates that the private key handle is invalid when accessing the private key through Safenet's MS CAPI CSP. This is fortunately not that common these days since most companies are more careful (and observant when it comes to the non-mandatory parts of the API) when implementing a MS CAPI CSP.

You mentioned that you tried to add Safenet's PKCS#11 provider to JCAPI without any success. Did you actually try the following?
JCAPIUtil.addPKCS11CSP("Datakey RSA CSP", "dkck201.dll");

If it still doesn't work, then please respond with the output from this test.

Regards,
Tommy

Hi tommy, thank you for your response.

In fact, i was using dkck232.dll i will try this as soon as possible.

see you bye

Hi Tommy,

That's OK it worked !

So if i have well understood the iKey 2000 can't be accessed through the MSCAPI Layer.

That's embarassing because i can't add the PKCS11 driver for all the keys that have been developped by manufacturers !

Is there a problem if the dll doesn't exist (an error) because i'm developping an applet and i can't know in advance the key that a user will have installed ?

PS : I also tried the same test in C++ (including wincrypt.h) and it worked so Windows can walk through th error.

Regards, Igor

Hi Igor,

Glad to hear that it worked for you.

Their MS CAPI CSP can be used for accessing the private, but for some reason it has a problem with the CAPI function that is used by JCAPI for decryption.
Just for curiosity, can you please run the same test again but using the new jcapi.jar file attached to this message (remember to remove the JCAPIUtil.addPKCS11CSP(...) method call from your source code)? I've created a new way of getting the private key handle and would like to see if it solves your problem.

Thanks.

Regards,
Tommy

Filename JCAPI.jar

Description Patched JCAPI v1.2.3.

Filesize 427 Kbytes

Downloaded 473 time(s)

[Disk] Download

Hi Tommy,

I've just tried your new JCAPI.jar file but i get the same error as before.

I also get a message in the Java console that seems to mean that perhaps something is not working with this new file :

WARNING! The JCAPI DLL is not of the same version as the JCAPI Java classes.
This might cause JCAPI to crash.
You might consider maually removing the JCAPI DLL file from your system, or force JCAPI to overwrite the DLL at startup (see class JCAPIDLL).
-------------------------------------------------------------------
EVALUATION LICENSE

This version of JCAPI is licensed for evaluation purpose only.
You must purchase a commercial license for this software if you are
going to use it for any other reason.
For a commercial license, please visit:
http://www.pheox.com/products/jcapi/

This evaluation version is only valid for 60 days.
-------------------------------------------------------------------

On the other side the message confirms the change of the file because i had a commercial version 1.2.4 and it seems to be an evaluation version 1.2.3.

I have made tests on others USB token and it works for the most of them except for a token that leads to the same errors with error code 0x80090020

I have seen the photo of the token (the user didn't know the model) but i think that it's an e-gate from Axalto.

The tokens that make the errors are old ones and the recent ones are giving no errors but i must be compliant with all of them.

What can i do ?

Regards, Igor

Hi Igor,

Hmm, ok. Too bad we can't get it too work without the PKCS#11 patch solution.
I've tried to reproduce your problem on our iKey 2032 USB device (unfortunately we don't have a ikey 2000 device) with drivers v4.0.0.17, v3.4.9.4, and v3.4.7 on WinXP, but my encryption/decryption test never fails. It's very hard to fix it if we can't reproduce it.

You mentioned in an earlier post that you have had it worked in your own C++ implementation. One way to fix it might be to test your code in JCAPI. Is it possible for us to get a snippet of your test code to see how you have managed the decryption part?

Regards,
Tommy

Hi Tommy,

This not my own C++ code but a code that i got on the net that use JNI with a DLL to attack directly Microsoft Crypto API here are the codes :

Source.c : Le source faisant lien avec la Microsoft Crypto API
Source.h : Le source faisant lien avec la Microsoft Crypto API
Hope that this will help you !

Regards Igor

Filename Source.c

Description Le source faisant lien avec la Microsoft Crypto API

Filesize 118 Kbytes

Downloaded 602 time(s)

[Disk] Download

Filename Source.h

Description Les declarations JNI

Filesize 4 Kbytes

Downloaded 815 time(s)

[Disk] Download

Filename Source.c

Description Le source faisant lien avec la Microsoft Crypto API

Filesize 118 Kbytes

Downloaded 930 time(s)

[Disk] Download

Filename Source.h

Description Les declarations JNI

Filesize 4 Kbytes

Downloaded 822 time(s)

[Disk] Download

Filename Source.h

Description Le source faisant lien avec la Microsoft Crypto API

Filesize 4 Kbytes

Downloaded 832 time(s)

[Disk] Download

Filename Source.c

Description Le source faisant lien avec la Microsoft Crypto API

Filesize 118 Kbytes

Downloaded 718 time(s)

[Disk] Download

Hi Igor,

I can see that you are using CryptDecryptMessage() which acts a bit different from CryptDecrypt() which is used in JCAPI. A problem here is that CryptDecryptMessage() will do a lot more than we ask for i.e. it will envelope the data using a session key, and that's not what we want. I don't know if it's possible to mimic the behavior of CryptDecrypt() through CryptDecryptMessage().
Give me a couple of days and I'll see if I can come up with a solution. Would be nice to solve this issue.

Regards,
Tommy

Hi Tommy,

The goal of my developement is in fact to make enveloped messages (to match the PKCS7 standard).

I create a symmetric session key which i use to crypt a file then i crypt the session key whith the public key of a user that's why in my example I create a TripleDES key and try to wrap/unwrap or crypt/decrypt it.

I have used a dll compiled with the source code in C i gave you for several months but the dll seemed to behave strangely, to be very long and to convert files in Base64 which makes files 30% longer.

So i decided to try something else : make my own Java code to do this.

I've bought your JCAPI product because it is for me the best product of the market to interact simply with Windows Certificate store and because it's installation of the JCAPI.dll don't create any problem (that was not the case with the previous dll).

So for each file i create a symmetric session key for crypting th file with BouncyCastle then i use JCAPI to crypt the session key with the public key of a user Certificate. I use the BouncyCastle API the create a PKCS7 file (.p7m) to contain all the informations.

So when i get a PKCS7 file i use BouncyCastle API to extract the certificate informations and then i can use JCAPI to decrypt the session key with the private key of the certificate then i use BouncyCastle to decrypt the file with the unwrap (or uncrypted) session key.

In this algorithm the problem is the encryption/decryption of the session key for some users with a USB token and that's why I have tested usb tokens with the code i gave you.

If i understand you when the previous dll used CryptDecryptMessage it can get the container of the private key but JCAPI use CryptDecrypt which can't get this container.

However, i decided to not use CryptDecryptMessage because it makes things that i don't want (convert files in Base64, uses the method GetMessageType which is sometimes very long and is not compliant with the PKCS7 standard).

The solution would be to find the difference between CryptDecrypt and CryptDecryptMessage in the maner to get the private key container. Since i don't have the source code of these methods i can't do that, maybe will you can !

I hope so.

Regards.

Igor

Hi Igor,

I've not yet found a solution for the CryptDecrypt vs CryptDecryptMessage problem.
However, I've found another way of retrieving a valid private key handle. Since I cannot reproduce your problem, could you please test the attached JCAPI.jar file to see if your test still fail? If we're lucky, it might work.

Please note that the JNI decryption function in this JCAPI.dll is heavily modified so you can only use it for your specific test case i.e. by providing a valid alias and not adding a PKCS#11 provider for your SafeNet CSP when running your test case.

Regards,
Tommy

Filename JCAPI.jar

Description Patched JCAPI Jar file.

Filesize 426 Kbytes

Downloaded 492 time(s)

[Disk] Download

Hi Tommy,

I just tried your new JCAPI.jar and it makes exactly the same error.

Sorry.

Regards
Igor

Hi Igor,

Ok, no worries. Thanks for testing it.

It's quite problematic since I can't reproduce this on my iKey 2032 USB token. I'll see if I can get hold of an iKey 2000 token, but it seems hard to find one when searching the internet.

A couple of questions:
1. What version of the SafeNet software driver (iKey 2000) are you using? Can you please send it (zipped or installer) to us?
2. Do you encounter the same problem for any key entry (certificate & private key) on your iKey token? If yes, can you please do the following:
2.1 Create a self signed key entry and store it in a PKCS#12 key store.
2.2 Import this key store into your iKey token and validate that the same problem still occur.
2.3 Send this key store to us.
3. Can you please export all your current certificates from your iKey token and send it to us?

If you don't want to put the above files on this public forum, then you are welcome to send them to support@pheox.com.
Thanks.

Regards,
Tommy

Hi Tommy,

That is the response to your questions :

1. The iKey driver is version 3.4.1, the iKey 2000 SDK version is 4.7.0, the CIP Utilities programs versions are :

CIPUtils.exe - 4.07.00.027
DKTools.dll - 4.07.00.027
dkAutoReg.exe - 4.07.00.027
DkBsiProv.dll -
DkCert.dll - 4.07.00.027
Dkck132.dll - 4.07.00.027
Dkck201.DLL - 4.07.00.027
Dkcktkn.exe - 4.07.00.028
DkDmdcCac.dll -
dkdsacsp.dll -
dklog.dll - 4.07.00.027
dklog.exe - 4.07.00.027
dkrsacsp.dll - 4.07.00.017

I'll send the installer version on support@pheox.com

2. The iKey 2000 i have did contain only one certificate (private key) so i import another one on the iKey and it makes the same error, i'll send the PFX file of the new certificate on support@pheox.com

2.1 I've generated the PKCS12 keystore with a self-signed key entry using the command "keytool -genkeypair -storetype pkcs12 -keyalg rsa -alias test -dname "cn=Igor,ou=Conti,o=Pheox,c=FR" -keypass 123456 -keystore keystore.p12 -storepass 123456 -validity 180"

2.2 I've imported it on the iKey and it makes the same error

2.3 I'll send the PKCS12 keystore on support@pheox.com

3. I've exported the only certificate that was on the iKey before these tests, but the private key can't be exported so only the CER file is available, i'll send the CER file on support@pheox.com. With the SDK i've managed to export the private key info in a text file that i'll send on support@pheox.com

I'll send a copy of this response with files (and associated filenames) on support@pheox.com but i post this message on the forum for other people.

I hope that this will help you.

Regards.
Igor

Filename	JCAPI.jar
Description	Patched JCAPI v1.2.3.
Filesize	427 Kbytes
Downloaded	473 time(s)
Download

Filename	Source.c
Description	Le source faisant lien avec la Microsoft Crypto API
Filesize	118 Kbytes
Downloaded	602 time(s)
Download

Filename	Source.h
Description	Les declarations JNI
Filesize	4 Kbytes
Downloaded	815 time(s)
Download