I am trying to use an nShield from Thales to generate a pair of asymmetric keys on it. I have found the following example on MSDN:

```csharp
CspParameters csp = new CspParameters(1, "eToken Base Cryptographic Provider");
csp.Flags = CspProviderFlags.UseDefaultKeyContainer;
try
{
    RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(csp);
    key = rsa.ToXmlString(true);
}
catch (Exception ex)
{
    string s = ex.Message;
}
```

I can use KeySafe to successfully connect and generate key-pairs on the HSM. The code above throws the following exception:

```
System.Security.Cryptography.CryptographicException
"Invalid Signature."    System.Security.Cryptography.CryptographicException
```

I have the feeling that I am not setting the correct second parameter in the CspParameters constructor. This is what it says in the example:

```csharp
// The 1st parameter comes from HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Defaults\Provider Types.
// The 2nd parameter comes from HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Defaults\Provider.
```

I don't see any nCipher or nShield or Thales or anything like that there.

Edit:

Working test:

```csharp
RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(csp);
byte[] data = Encoding.ASCII.GetBytes("string");
byte[] enc = rsa.Encrypt(data, false);
String dec = Encoding.ASCII.GetString(rsa.Decrypt(enc, false));
key = rsa.ToXmlString(true);
```

AlexandruC

1 Answer

You need to run the nCipher CSP install wizard, which is located under Start > All Programs > nCipher, in order to register the nCipher CSP in your operating system. After that, the mentioned registry entries will be available and you will be able to read the exact CSP name from them.

jariq
  • While calling rsa.ToXmlString(true) I am getting an "Access denied error" and how would I specify the HSM not to store the keys? – AlexandruC Apr 07 '14 at 17:15
  • It is one of the primary functions of HSM to provide secure key storage. Why would you use HSM if you don't want it to store the keys? – jariq Apr 07 '14 at 17:27
  • I only want it to generate them for me, I'll do the storage in another way, they are to be used in a different manner. – AlexandruC Apr 07 '14 at 17:29
  • @A.K Generally all CSP keys should be exportable unless you specify CspProviderFlags.UseNonExportableKey flag. Well at least this is how it works with Microsoft software based CSPs. However I am not sure whether keys generated by nCipher CSP can be exported as there may be some custom vendor policy that prohibits such actions. I think you should consider using PKCS#11 interface which gives you much more control over HSM and it definitely allows you also to export keys. – jariq Apr 07 '14 at 17:44
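
The registry lookup and the exportability question from this thread, combined in an added example that is not part of the original posts: it lists the CSPs registered under the `Defaults\Provider` key, then generates a throwaway key with any provider whose name contains a hint string and reports whether the provider marks the key as exportable before any private-key export is attempted. The hint `"nCipher"`, the class name `CspProbe` and the `probe-` container name are assumptions; the real provider name is whatever the registry shows after the install wizard has run.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.Win32;

static class CspProbe
{
    const string ProvidersKey = @"SOFTWARE\Microsoft\Cryptography\Defaults\Provider";

    static void Main(string[] args)
    {
        // Assumption: a fragment of the vendor CSP name; override it on the command line.
        string hint = args.Length > 0 ? args[0] : "nCipher";
        using (RegistryKey root = Registry.LocalMachine.OpenSubKey(ProvidersKey))
        {
            if (root == null) { Console.Error.WriteLine("Provider key not found."); return; }
            foreach (string name in root.GetSubKeyNames())
            {
                using (RegistryKey p = root.OpenSubKey(name))
                {
                    // "Type" is the provider type, i.e. the 1st CspParameters argument.
                    int type = Convert.ToInt32(p.GetValue("Type", 0));
                    Console.WriteLine("{0} (type {1})", name, type);
                    if (name.IndexOf(hint, StringComparison.OrdinalIgnoreCase) >= 0)
                        Probe(type, name);
                }
            }
        }
    }

    static void Probe(int type, string providerName)
    {
        // Constructed container name so the probe never touches an existing key.
        var csp = new CspParameters(type, providerName) { KeyContainerName = "probe-" + Guid.NewGuid().ToString("N") };
        try
        {
            using (var rsa = new RSACryptoServiceProvider(2048, csp))
            {
                CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
                Console.WriteLine("  hardware={0} exportable={1}", info.HardwareDevice, info.Exportable);
                Console.WriteLine("  public key: {0}", rsa.ToXmlString(false));
                // ToXmlString(true) is only worth calling when the provider reports the key as exportable.
                if (info.Exportable) Console.WriteLine("  private key export permitted");
                rsa.PersistKeyInCsp = false; // ask the CSP to delete the probe container on Dispose
            }
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("  {0}: {1}", providerName, ex.Message);
        }
    }
}
```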