Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Tasks for PKCS#11

Securing Passphrase

search

Please Note:

printsuggest an edit

Securing Passphrase

CADP for C allows you to use obfuscated, secured (using a callback function), or plaintext passphrase.

copy link to clipboardObfuscated Passphrase

Note

• On succesful installation (using SSL protocol) of CADP_for_C , the installer sets the Passphrase_Encrypted=yesautomatically in the CADP_CAPI.properties and CADP_PKCS11.properties files.
• If you have generated the certificate manually and encrypted the private key with the passphrase, you can also encrypt the passphrase using the PassPhraseSecure utility. In this case, you need to set Passphrase_Encrypted=yes in the CADP_CAPI.properties or CADP_PKCS11.properties files.

To obfuscate the passphrase and store the obfuscated value in the Passphrase parameter:

  1. The parameters with PassPhraseSecure Utility allows the user to give different inputs to the utility. Following parameters are used:

  2. PassPhraseSecure -txt <TextToBeObfuscated> - Allows the user to provide input as text and display the obfuscated value.

Note

If the text to (be obfuscated) contains whitespaces then it must be provided within double quotes (" ").

For example:

[et-apps@localhost bin]$ ./PassPhraseSecure -txt "hello, input to passpharase" 41058116C2572937869274FC1BD81EDB75AF95182F62870815220A3890B3BD6C

Note

The length of the text to be obfuscated must be <=1023 characters, excluding leading and trailing whitespaces. Any leading and trailing whitespaces are removed from the text before obfuscation.

  • PassPhraseSecure -file <FileName> - Allows the user to provide input from a file and display the obfuscated value. The FileName could be the name and path of the file from which the text is to be obfuscated.

    For example:

    [et-apps@localhost bin]$ ./PassPhraseSecure -file test.txt 66A09CF4974DB15B1E3C22F89912338E

    Note

    There is no restriction on the length of the file. However, only first line from the file is obfuscated irrespective of the file length.

  • PassPhraseSecure -help - Displays the help, to use this utility, on the console.

    For example:

    [et-apps@localhost bin]$ ./PassPhraseSecure -help
Usage :
Passphrase -help -- To print this help
Passphrase -txt <TextToBeObfuscated> -- Obfuscates the provided text
Passphrase -file <FileName> -- Obfuscates first line of the file provided in file name

    If user does not provide any parameter with the utility, the -help parameter output is displayed.

copy link to clipboardSecured Passphrase

You can use the I_C_SetPassPhraseCallback() function to secure the passphrase. This function can be used to get the passphrase using a user-specified callback function. The I_C_SetPassPhraseCallback() function can only be used when Passphrase_Encrypted=no. When the I_C_SetPassPhraseCallback() function is called, it sets the callback function to get the passphrase. In this case, the plaintext passphrase stored in the Passphrase parameter is ignored.

copy link to clipboardExample

The following is an example of using secured passphrase functionality:

char str[100] = {0,};
char * getstring (void *arg)
{
printf("\nPlease enter password for private key [%s] : ",(char*)arg);
scanf("%s",str); // Some other way can be used to read secure password from User Interface
return str;
} // Before calling I_C_OpenSession, the following function should be called to set a
callback
for passphrase.
rc = I_C_SetPassPhraseCallback(getstring);
if (rc != I_E_OK)
{ fprintf(stderr, "
I_C_SetPassPhraseCallback error: %
s\n", I_C_GetErrorString(rc));
return rc;
}

This causes the password to be dynamically collected when reading Key_File while establishing SSL connection with the server. Here, getstring is the user-specified function that provides the user with a customized approach to secure/get the passphrase. For details on the I_C_SetPassPhraseCallback() function, refer to the CADP for C CAPI API Guide.

copy link to clipboardPlaintext Passphrase

When Passphrase_Encrypted is set to no, and the callback function is not used, the Passphrase parameter stores the password in plaintext for the private key. Storing the password in plaintext on the system is against a good security practice, as it might compromise the security of the private key.

Note

It is strongly recommended to use secured or obfuscated passphrase.

On this page