[xmlsec] Re: Generate symmetric key
aleksey at aleksey.com
Wed Jun 18 08:41:50 PDT 2003
As you can see from the code, there is a special GenerateKey function.
Yes, the simplest implementation I have for NSS does use the random
generator but it was only a result of copy/paste from GnuTLS/OpenSSL code.
It would be great to have symmetric key generated on crypto token.
However, you need to remember that you might need to get *raw* symmetric
key data in some cases (encrypting with encrypted key).
Bottom line: I have no problems with your suggestions. But you might want
to talk with Tej about that too.
Andrew Fan wrote:
> Hi Aleksey,
> I noticed that in the implementation of xmlSec on top of NSS, every
> symmetic key( symkeys.c ) is generated from calling
> PK11_RandomGenerate( unsigned char* data , int len ), which calling
> the C_GenerateRandom of PKCS#11, and creating an internal pkcs11 slot
> for C_GenerateRandom.
> I think it is unreasonable. 1. a symmetric key should be created in the
> user practice context, i.e., a certain slot and an a certain session.
> 2. a symmetic key should be created by the crypto device( C_GenerateKey )
> instead of constructed from a random. 3. although from a random, it is
> possible to create a symmetric key, it is not a recommendable
> solution. 4. this implementation hides the mechanism of crypto device.
> What's your idea about this questions?
More information about the xmlsec