If you want to enhance your cryptographic security it’s a good idea to migrate existing cryptographic keys to the an HSMs. In this article we demonstrate how to import an RSA key in PEM format to the se.SAM™ N200 Crypto Appliance.

Extract key details to prepare the import of the key

First of all, locate the key and display its details. In Linux this easily can be done with OpenSSL. You find a full reference of OpenSSL rsa under this link.

$ openssl rsa -in private_unencrypted.pem -text -inform PEM -noout
RSA Private-Key: (2048 bit, 2 primes)
modulus:
00:e3:ae:ff:be:a1:84:3a:78:ae:1b:02:08:b3:69:13:69:d7:70:b3:4a:57:0a:bf:bb:2c:e1:6e:57:63:
99:61:ef:74:c0:a6:ac:40:00:30:29:c3:0b:d9:76:fd:7f:2e:7b:c1:5f:f5:de:e3:18:37:a2:84:20:2f:
bf:04:0b:af:2e:ed:c3:2e:31:0c:7a:45:d8:33:a9:7a:cb:c1:12:0e:7e:42:12:4c:0f:3e:b7:54:02:5f:
ca:ab:e5:c0:5d:7d:20:e1:83:c1:85:06:08:b0:58:38:50:1a:b6:f9:84:7c:d6:a0:a8:4f:2c:23:a3:8c:
b3:13:c5:40:99:e0:b0:3d:ac:fa:10:8e:21:36:a1:84:36:e9:7c:a0:71:8d:25:0f:c1:ef:2b:90:8a:8b:
ea:71:63:de:ad:1e:43:83:dd:b6:08:a1:f6:2c:0b:28:78:e7:f9:79:de:7c:97:dc:c0:02:5e:11:e9:ac:
4e:27:ab:89:7d:1f:98:87:4c:0d:da:2e:90:28:56:89:57:69:e2:b9:ee:bc:f4:3c:f2:10:56:b4:18:92:
39:ad:9a:01:17:ce:3d:37:64:6c:33:52:eb:df:82:de:11:26:69:e4:57:d3:e9:42:90:19:14:b4:c3:89:
1e:16:e6:fd:de:5f:46:6b:db:18:0f:b2:ca:98:85:0b:43
publicExponent: 65537 (0x10001)
privateExponent:
00:a1:6b:0d:37:9a:8d:03:63:51:94:26:42:02:e8:48:f2:2d:e2:61:ca:1f:a1:a8:42:cc:53:da:85:ac:
40:2f:15:b4:41:6d:29:0b:8a:d6:9a:95:04:8e:9d:74:a5:39:50:55:cd:71:a4:1e:7e:a9:da:d7:2f:76:
8a:47:14:fd:93:18:cf:da:ac:bd:7a:e6:8f:9c:38:d8:ad:21:e9:6a:4b:0b:0e:ab:cb:d7:1b:e4:3c:76:
ab:5a:69:5d:93:2a:46:28:7b:df:b4:2e:8d:f4:6f:e7:24:ab:7b:f3:b4:81:49:2c:c7:86:b1:f5:66:5b:
37:0e:9a:36:ed:a1:45:71:c3:1d:55:d9:fc:00:b8:43:2c:1e:89:99:86:bf:5e:43:49:20:24:17:8e:b5:
75:68:a0:e9:17:aa:20:13:85:17:ba:4d:41:6b:30:ef:a3:2e:9e:0b:53:a4:e8:7d:0e:27:d9:92:e1:f5:
f6:5f:11:d3:81:e6:94:69:55:30:38:3a:5a:21:18:ff:09:f2:a5:3e:cd:ca:75:96:0a:a8:bb:af:74:f8:
71:c5:8a:09:c7:c4:ea:ba:77:3c:2c:12:2d:c0:02:d3:fa:e3:d2:cb:8f:80:5d:df:46:ce:cb:b0:45:8c:
0c:2b:16:72:cd:ea:d6:18:36:f6:0f:fc:55:36:1c:9f:21
prime1:
00:f9:9b:e9:ce:6c:cd:fb:48:ad:30:a0:df:d1:5a:73:41:86:8d:80:fb:9f:f0:4b:bb:39:2a:10:eb:c1:
9b:f2:07:04:b9:f6:da:b0:70:45:5a:02:22:87:4c:67:b7:ab:42:46:f2:4a:16:f2:01:c6:8f:32:74:f1:
65:cb:85:3c:da:19:b8:a3:66:0d:fd:cf:5b:52:32:76:4b:6a:1e:59:62:ff:62:73:81:30:77:29:83:5d:
6f:a9:a8:33:4c:5c:2e:dc:81:04:c9:f6:0b:3b:c2:6b:c4:eb:32:7c:0c:8c:4b:d2:8c:ee:92:04:b5:d4:
7d:f4:e4:d4:6f:5b:97:6e:73
prime2:
00:e9:83:5f:8b:bd:28:6c:a2:c9:56:56:fc:37:3c:d1:ce:6f:7f:77:7c:07:5a:bf:cf:20:d4:05:b9:67:
9d:69:e4:5a:19:ac:f6:cc:95:fb:32:53:3e:aa:39:39:be:77:46:aa:6f:0b:a4:fc:64:c2:70:c6:f2:fa:
9a:82:04:4f:aa:c9:83:3f:2b:0d:ab:cb:4d:60:20:64:70:2a:1d:cb:d6:6a:f6:66:b8:b6:42:44:b8:9e:
e0:08:c2:16:43:54:01:d3:fc:e2:53:27:de:7a:07:1d:a5:3b:ad:68:fd:71:d4:04:b3:1b:ee:1c:7d:e5:
78:49:b6:ca:d2:be:04:6b:f1
exponent1:
4d:5e:90:98:55:8d:7b:68:49:96:9b:27:05:23:7e:3a:3f:54:b9:38:45:99:1c:40:4a:35:c9:cc:e9:d4:
46:ae:fa:3e:12:50:33:04:79:da:ae:72:b9:71:6b:6c:b8:fe:f0:32:c5:d8:5a:e7:45:fe:b8:eb:1a:b0:
2c:e7:7d:b7:34:e5:d0:70:1f:c2:1e:75:f6:02:82:3c:5a:06:52:3a:a7:62:82:de:f6:80:d9:33:48:d1:
05:cb:87:2b:12:1f:cc:65:89:70:78:7d:7e:e6:82:b5:25:1a:1e:ed:5c:c7:5b:da:27:50:c7:78:fd:06:
95:d4:20:2c:ec:3d:02:15
exponent2:
12:cf:39:40:09:51:9b:46:95:8f:35:dc:85:1a:8a:0f:e5:dd:4f:a3:96:f8:11:61:3e:d4:b5:4d:54:f2:
52:18:49:c5:ad:b0:07:94:c1:32:31:90:67:a7:ca:65:f4:37:a5:fc:e1:e4:3d:4c:64:79:2f:1d:5d:60:
5a:be:bc:28:16:a9:52:ca:46:04:a3:90:ad:00:8e:f6:95:fd:e6:70:74:17:3a:f8:ff:fd:60:89:ba:8a:
73:4a:26:fe:ef:62:62:50:09:6f:07:54:1d:62:3b:5a:16:ef:85:f8:7c:55:c6:b7:22:b5:d0:67:b7:b7:
33:c0:dc:9f:93:1c:ca:11
coefficient:
00:f9:87:5b:f6:21:a7:7d:bd:16:54:8a:af:6a:c5:63:5d:eb:da:f5:7e:b7:d4:a6:9f:d4:91:9b:e3:18:
95:b5:90:69:e2:71:70:1a:32:bf:c3:61:53:7d:b0:3b:6d:52:ae:4c:89:49:1b:4a:d1:58:13:8e:33:a9:
be:38:a0:9d:19:b2:cf:85:38:3e:76:aa:dd:a4:b6:22:fc:0a:10:71:84:ed:b3:db:19:f0:47:b3:94:af:
41:ab:29:54:a4:19:61:6e:0f:58:5f:be:27:96:5d:9a:53:e4:0e:2c:5c:52:f6:09:13:ab:1f:3d:37:91:
cd:63:e0:08:39:ec:05:4e:c9

The content of prime1 is the so called “p” value, where prime2 is the “q” value. Just remove the colons and the leading “00” to get their HEX values:

p: f99be9ce6ccdfb48ad30a0dfd15a7341868d80fb9ff04bbb392a10ebc19bf20704b9
f6dab070455a0222874c67b7ab4246f24a16f201c68f3274f165cb853cda19b8a3660d
fdcf5b5232764b6a1e5962ff627381307729835d6fa9a8334c5c2edc8104c9f60b3bc26
bc4eb327c0c8c4bd28cee9204b5d47df4e4d46f5b976e73

q: e9835f8bbd286ca2c95656fc373cd1ce6f7f777c075abfcf20d405b9679d69e45a19ac
f6cc95fb32533eaa3939be7746aa6f0ba4fc64c270c6f2fa9a82044faac9833f2b0dabcb
4d602064702a1dcbd66af666b8b64244b89ee008c216435401d3fce25327de7a071da
53bad68fd71d404b31bee1c7de57849b6cad2be046bf1

How to import a key on the HSM?

The se.SAM™ N200 Crypto Appliance supports a function named “importrsakeycrt”:

importrsakeycrt

This function allows the user to import an RSA key as a component for the CRT (= Chinese Remainder Theorem). The Chinese Remainder Theorem is a possibility to speed up RSA-operation by not using the large Modulo “N” (size is equivalent to the key size), but instead the prime-factors that were initially used to generate N for calculations using special mathematical functions. Calculations become easier for microprocessors and computers. If possible, this way of importing RSA keys should be preferred for performance reasons. There is no decrease in security. The results are the same.

To import an RSA key by its p and q values to the HSM just complete the following URL and load the URL within an authenticated HSM session:

https://{hsmhostname}/n200/importrsakeycrt/FFFF/{HSM-key-pin}/F99BE9CE6CCDFB48AD30A0DFD15A7341868D80FB9FF04BBB392A10EBC19BF20704B9F6DAB070455A0222874C67B7AB4246F24A16F201C68F3274F165CB853CDA19B8A3660DFDCF5B5232764B6A1E5962FF627381307729835D6FA9A8334C5C2EDC8104C9F60B3BC26BC4EB327C0C8C4BD28CEE9204B5D47DF4E4D46F5B976E73/E9835F8BBD286CA2C95656FC373CD1CE6F7F777C075ABFCF20D405B9679D69E45A19ACF6CC95FB32533EAA3939BE7746AA6F0BA4FC64C270C6F2FA9A82044FAAC9833F2B0DABCB4D602064702A1DCBD66AF666B8B64244B89EE008C216435401D3FCE25327DE7A071DA53BAD68FD71D404B31BEE1C7DE57849B6CAD2BE046BF1/

A typical result of the HSM REST-API request is:

{
"command": "importrsakeycrt",
"core": 1,
"result": "hsm0101237A8C224FC92BEE0000000000001775"
}

The key imported on to the HSM already an now is available as key reference hsm0101237A8C224FC92BEE0000000000001775. You can securely sign, encrypt, wrap keys, and perform all other cryptographic supported by the HSM without dealing with the private key.

Import RSA Key on se.SAM N200 Crypto Appliance HSM - Admin GUI

Imported RSA Key on se.SAM N200 Crypto Appliance HSM – Admin GUI

Hints:

  • Secure your key assets! Software keys are unsecure, as they can be copied at any time. So, don’t forget to delete the software key after importing!
  • According to cryptographic recommendations like BSI TR-02102-1 Cryptographic methods – Recommendations and key lengths dated 28th January 2022 please note the lack of security of 2048 bit RSA keys:
    • For a period of use beyond 2022, this Technical Guideline recommends using a key length of 3000 bits in order to achieve a comparable level of security for all asymmetric procedures. A key length of ≥ 3000 bits will be mandatory for cryptographic DLIES and DSA implementations conforming to this Technical Guideline from 2023 onwards.
  • For performance reasons do not use RSA keys on microprocessors and IoT devices. We strongly recommend migrating to elliptic curve cryptography (ECC) as keys operations are much faster and the keys sizes is a fraction of RSA key sizes.

In a future post you find an example how to import an existing ECC key to an HSM.