Some applications require a symmetric key for encryption and decryption of communications. In this procedure, you create a symmetric key and store it.
If your site has a random number generator, you can use the generator to create a random number for the key. This procedure does not use your site's random number generator.
You can instead use the dd command with the Solaris /dev/urandom device as input. The dd command does not store the key. For the procedure, see How to Generate a Symmetric Key by Using the dd Command.
(Optional) If you plan to use a keystore, create it.
To create and initialize a PKCS #11 keystore, see How to Generate a Passphrase by Using the pktool setpin Command.
To create and initialize an NSS database, see Example 15–5.
Generate a random number for use as a symmetric key.
Use one of the following methods.
Generate a key and store it in a file.
The advantage of a file-stored key is that you can extract the key from this file for use in an application's key file, such as the /etc/inet/secret/ipseckeys file or IPsec.
% pktool genkey keystore=file outkey=key-fn \ [keytype=generic|specific-symmetric-algorithm] [keylen=size-in-bits] \ [dir=directory] [print=n] |
The value file specifies the file type of storage location for the key.
Is the filename when keystore=file.
For a symmetric key of any length, the value is generic. For a particular algorithm, specify aes, arcfour, des, or 3des.
Is the length of the key in bits. The number must be divisible by 8. Do not specify for des or 3des.
Is the directory path to key-fn. By default, directory is the current directory.
Prints the key to the terminal window. By default, the value of print is n.
Generate a key and store it in a PKCS #11 keystore.
The advantage of the PKCS #11 keystore is that you can retrieve the key by its label. This method is useful for keys that encrypt and decrypt files. You must complete Step 1 before using this method.
% pktool genkey label=key-label \ [keytype=generic|specific-symmetric-algorithm] [keylen=size-in-bits] \ [token=token] [sensitive=n] [extractable=y] [print=n] |
Is a user-specified label for the key. The key can be retrieved from the keystore by its label.
For a symmetric key of any length, the value is generic. For a particular algorithm, specify aes, arcfour, des, or 3des.
Is the length of the key in bits. The number must be divisible by 8. Do not specify for des or 3des.
Is the token name. By default, the token is Sun Software PKCS#11 softtoken.
Specifies the sensitivity of the key. When the value is y, the key cannot be printed by using the print=y argument. By default, the value of sensitive is n.
Specifies that the key can be extracted from the keystore. Specify n to prevent the key from being extracted.
Prints the key to the terminal window. By default, the value of print is n.
Generate a key and store it in an NSS keystore.
You must complete Step 1 before using this method.
% pktool keystore=nss genkey label=key-label \ [keytype=[keytype=generic|specific-symmetric-algorithm] [keylen=size-in-bits] [token=token] \ [dir=directory-path] [prefix=database-prefix] |
The value nss specifies the NSS type of storage location for the key.
Is a user-specified label for the key. The key can be retrieved from the keystore by its label.
For a symmetric key of any length, the value is generic. For a particular algorithm, specify aes, arcfour, des, or 3des.
Is the length of the key in bits. The number must be divisible by 8. Do not specify for des or 3des.
Is the token name. By default, the token is the NSS internal token.
Is the directory path to the NSS database. By default, directory is the current directory.
Is the prefix to the NSS database. The default is no prefix.
Prints the key to the terminal window. By default, the value of print is n.
(Optional) Verify that the key exists.
Use one of the following commands, depending on where you stored the key.
In the following example, a user creates a PKCS #11 keystore for the first time, and then generates a large symmetric key for an application. Finally, the user verifies that the key is in the keystore.
# pktool setpin Create new passphrase:easily-remembered-hard-to-detect-password Re-enter new passphrase:Retype password Passphrase changed. % pktool genkey label=specialappkey keytype=generic keylen=1024 Enter PIN for Sun Software PKCS#11 softtoken :Type password % pktool list objtype=key Enter PIN for Sun Software PKCS#11 softtoken :Type password Found 1 keys. Key #1 - symmetric: specialappkey (1024 bits) |
In the following example, a secret key for the DES algorithm is created. The key is stored in a local file for later decryption. The command protects the file with 400 permissions. When the key is created, the print=y option displays the generated key in the terminal window.
DES mechanisms use a 64-bit key. The user who owns the keyfile retrieves the key by using the od command.
% pktool genkey keystore=file outkey=64bit.file1 keytype=des print=y Key Value ="a3237b2c0a8ff9b3" % od -x 64bit.file1 0000000 a323 7b2c 0a8f f9b3 |
In the following example, the administrator manually creates the keying material for IPsec SAs and stores them in files. Then, the administrator copies the keys to the /etc/inet/secret/ipseckeys file and destroys the original files.
First, the administrator creates and displays the keys that the IPsec policy requires:
# pktool genkey keystore=file outkey=ipencrin1 keytype=generic keylen=192 print=y Key Value ="294979e512cb8e79370dabecadc3fcbb849e78d2d6bd2049" # pktool genkey keystore=file outkey=ipencrout1 keytype=generic keylen=192 print=y Key Value ="9678f80e33406c86e3d1686e50406bd0434819c20d09d204" # pktool genkey keystore=file outkey=ipspi1 keytype=generic keylen=32 print=y Key Value ="acbeaa20" # pktool genkey keystore=file outkey=ipspi2 keytype=generic keylen=32 print=y Key Value ="19174215" # pktool genkey keystore=file outkey=ipmd51 keytype=generic keylen=64 print=y Key Value ="438c3ad2cec9a3621e90462d11ca7d2f" # pktool genkey keystore=file outkey=ipmd52 keytype=generic keylen=64 print=y Key Value ="a61319630cf2abde7609ce24de3d029f" |
Then, the administrator creates the following /etc/inet/secret/ipseckeys file:
## SPI values require a leading 0x. ## Backslashes indicate command continuation. ## ## for outbound packets on this system add esp spi 0xacbeaa20 \ src 192.168.1.1 dst 192.168.2.1 \ encr_alg 3des auth_alg md5 \ encrkey 294979e512cb8e79370dabecadc3fcbb849e78d2d6bd2049 \ authkey 438c3ad2cec9a3621e90462d11ca7d2f ## ## for inbound packets add esp spi 0x19174215 \ src 192.168.2.1 dst 192.168.1.1 \ encr_alg 3des auth_alg md5 \ encrkey 9678f80e33406c86e3d1686e50406bd0434819c20d09d204 \ authkey a61319630cf2abde7609ce24de3d029f |
After verifying that the syntax of the ipseckeys file is valid, the administrator destroys the original key files.
# ipseckey -c /etc/inet/secret/ipseckeys # rm ipencrin1 ipencrout1 ipspi1 ipspi2 ipmd51 ipmd52 |
The administrator copies the ipseckeys file to the communicating system by using the ssh command or another secure mechanism. On the communicating system, the protections are reversed. The first entry in the ipseckeys file protects inbound packets, and the second entry protects outbound packets. No keys are generated on the communicating system.