How to sign data with OpenSSL on an HSM

This article shows in detail how to use OpenSSL to sign critical data with an network HSM. The data can be sensitive log data, license data, or any other data where integrity on transfer must be ensured.

Recently I was challenged in a project to sign some data using OpenSSL on an HSM. In my case it is license data. The data resides on a Linux host, that does not have a hardware security module available.

After short research I found that the Sematicon AG se.SAM N200 Crypto Appliance is available for remote evaluation. Business users can request an evaluation from the Sematicon website. The se.SAM N200 Crypto Appliance is an easy-to-use network HSM offering a PKCS11 interface for OpenSSL 1.1.1 and OpenSSL 3.0 and can sign any data using PKCS11 or REST-API.

How to sign data with OpenSSL on an HSM weiterlesen

First Steps with OpenSSL for signature and encryption

Ever wondered what TLS is? You might heard about private- and public-keys, about digital certificates and don’t know what exactly that is and how you can use them? Frankly I was in the same situation and thought I write an blog article regarding these issues to make them a little bit clearer for everyone who needs or wants to learn about it.

To use Transport Layer Security (TLS) a private-public-key-pair, and a X.509 certificate is needed. With the public key, a file or message gets encoded and can only be decoded with the corresponding private key, that’s called asymmetric cryptography. The most common algorithm for the creation of these key pairs are RSA and ECC. Where the digital certificate guarantees the authenticity and integrity of a server or a client.

First Steps with OpenSSL for signature and encryption weiterlesen

Full working ECDSA signature with OpenSSL

There are many ressources that shows how to generate a RSA signature and perform a RSA signature verfication process. Nowadays, more and more developers are looking for ECC keys and ECDSA signature, as there are many reasons to consider elliptic curve cryptography (ECC):

  • Key generation is much faster for ECC keys than for RSA keys
  • Key operation for ECDSA signature is faster
  • The EC key size is only 1/10 of comparable RSA keys, so smart cards and HSMs may hold more ECC than RSA keys in their secure memory
  • The RSA algorithm my be compromized by quantum computer using Shor algorithm
  • Modern applications like WireGuard and crypto-currencies rely on elliptic curve cryptography

In this walk through I will show the full process to perform a ECDSA signature:

  1. Select a supported ECC curve
  2. Generate a private key (including the public key)
  3. Extract the public key
  4. Convert the ECC public key in DER and PEM format
  5. View the public key content
  6. Generate a hash
  7. Create a signature using the private key and the hash
  8. View the content of the signature
  9. Verify the signature

This all is done with two commands only:

  • OpenSSL (in my case version 1.1.1d)
  • dumpasn1 (installed by Linux package dumpasn1)

OpenSSL ECDSA signature & verification

Full working ECDSA signature with OpenSSL weiterlesen

S/MIME Zertifikat per OpenSSL erstellen

Mit dem Programm kannst du gültige S/MIME Schlüssel und Zertifikate selbst erstellen. Getestet unter Windows und iOS kannst du E-Mails signieren und verschlüsseln. S/MIME Zertifikat per OpenSSL erstellen weiterlesen

EFS Schlüssel per OpenSSL erstellen

Alle die ihre Encrypting-File-System – oder kurz EFS – Schlüssel nicht vom Microsoft OS oder einer Microsoft-CA erzeugen möchten, erhalten hier die Anleitung diese per OpenSSL zu erstellen.


Hier die Funktionsweise aus Wikipedia:

Wenn eine Datei per EFS verschlüsselt wird, generiert das System zunächst einen zufälligen Schlüssel, den sogenannten File Encryption Key (FEK), mit dem die Datei dann mittels des symmetrischen Verschlüsselungsverfahrens DES oder ab Windows XP SP1 mittels AES chiffriert wird. Der FEK wird dann mittels des asymmetrischen RSA-Algorithmus unter Benutzung des öffentlichen Schlüssels des Benutzers verschlüsselt und mit der Datei zusammen abgespeichert. Soll die Datei gelesen werden, wird der FEK mittels des geheimen Schlüssels des Benutzers entschlüsselt, um damit den Klartext der verschlüsselten Datei wiederherzustellen.

Ich nutze in meinem Code-Beispiel einen Ubuntu 16.04 LTE Server mit OpenSSL Version 1.0.2g-fips. Da die Befehlsyntax von OpenSSL aber auf allen unterstützten Systemen ident ist, wird das Script auf anderen Linux / Unix Systemen und auch mit neues OpenSSL wie der Version 1.1.* ebenfalls laufen. EFS Schlüssel per OpenSSL erstellen weiterlesen