What does (118) Extract Object Option in the ckdemo utility do

Question

I am using a Safenet Luna HSM 5.1. and I am trying to figure out if it is possible to extract a SecretKey from my HSM using ckdemo tools option #118 Extract Object.

The whole point of the HSM is that it will be impossible to extract private keys from it, but this option is making me very suspicious.

vlp · Answer 1 · 2016-03-23T20:36:08.523

(Wanted to write a comment, but it got quite long...)

As this ckdemo command is not documented you can capture and analyse directly on the pkcs11 interface level.

To capture, you can use:

cklog provided in the Luna SA SDK
some other (1, 2) pkcs11 logger

To analyze just examine the captured log and look up the used mechanisms in the documentation.

Some additional (random) notes:

SafeNet sometimes uses their own CT_.. API extensions which would not be captured by a generic pkcs11 logger
Remember that storing a key in a HSM does not mean it really is unextractable. You need to carefully set it to be unextractable (read the documentation thoroughly).

Good luck!

Desclaimer: I am no crypto expert, so please do validate my thoughts.

What does (118) Extract Object Option in the ckdemo utility do

1 Answers1