Algorithmic Research SmartAdaptor What problems does it solve? RSA's PKCS#11 is an industry-standard security provider commonly used by secure applications. However, significant shortcomings have become apparent: An application cannot operate easily with multiple PKCS#11 providers. Use of multiple providers on the same program flow may cause serious complications. In contrast, suites like PC/SC, CAPI, CDSA were designed from the outset to support multiple providers.
Algorithmic Research SmartAdaptor What problems does it solve? PKCS#11 entered the concept of slot and token. However, since the concept of a provider is absent, there is no standard way to separate slot-dependent code from token-dependent code. As a result, it complicates the use of smart cards and in case of different vendors it does not support interoperability. Reader interfaces inadvertently use mutually incompatible standards such as PC/SC, CT-API or proprietary methods. PKCS#11 defines a lot of cryptographic mechanisms. While some of them are mandatory for operating a specific provider (e.g. for a signing token), others may be optional. However, PKCS#11 vendors still supply a lot of optional mechanisms to support more applications. The reuse of crypto-functionality for both applications and PKCS#11 vendors would be very appreciated.
Algorithmic Research SmartAdaptor What is it? A software tool that: Enables multiple PKCS#11 providers to coexist and from the application's perspective, causes them to be implemented as a single PKCS#11 package. By use of plug-ins, SmartAdaptor enables various smart card providers to interoperate with the different readers that are recognized in the system, leaving the details (reader recognition, interface, etc.) to the SmartAdaptor.
Algorithmic Research SmartAdaptor What is it? Frees PKCS#11 providers from the need to implement crypto-mechanisms. By relying on the basic algorithms, providers can focus on their specific implementations, contributing to the efficient reuse of code. Imposes thread-safety by serialization of requests even when a particular PKCS#11 provider does not support it. Allows loading of only trusted providers.
Algorithmic Research SmartAdaptor How does it work? Relies on PKCS#11 standard Views smart card and reader as distinct providers Defines three basic types of PKCS#11 provider: PKCS#11 Core Provider - self-contained PKCS#11 library, supported without any modifications. PKCS#11 Card Provider - library, which externally has a PKCS#11 interface, and internally relies on proprietary smart card API; it uses callbacks supplied by SmartAdaptor to communicate with the readers. PKCS#11 Reader Provider - library, which provides an interface to a proprietary reader, established according to SmartAdaptor rules. Defines simple provider registration API
Algorithmic Research SmartAdaptor How does it work? Defines simple reader access API to enable PKCS#11 Card Providers to interoperate with all readers. Recognizes PC/SC readers automatically, no adaptor needed. Recognizes CT-API compliant readers, no adaptor needed (though registration is still required). Provides software (virtual) token support with a full set of crypto-mechanisms implemented in software. Provides default user interface functionality for obtaining the PIN when the token does not support a protected authentication path. This user interface can be customized by the application.
Algorithmic Research SmartAdaptor Adaptation to existing APIs and applications SmartAdaptor includes a set of additional layers: CAPI adaptation layer – allows PKCS#11 vendors to become plug-ins to Microsoft applications (IE, Outlook). Entrust adaptation layer – allows PKCS#11 vendors to become plug-ins to Entrust applications. Though Entrust is in principle PKCS#11 enabled, early versions are based on PKCS#11 v1.0, which is incompatible with the current PKCS#11 version. Even Entrust v5.x, which is PKCS#11 v2.x compliant, still requires some adaptation to operate with a standard PKCS#11 module. Java adaptation layer – allows Java applications to access PKCS#11-based cryptographic devices.
Algorithmic Research SmartAdaptor Architecture PKCS#11 API Provider Registration API: Core Provider Reader Provider Card Provider Simple Reader Access API PKCS#11 Reader Provider PC/SC Reader CT- API Reader Proprietary Reader APP 1APP 2APP 3... APP n Crypto Algorithms SmartAdaptor 3 rd Party SmartAdaptor PKCS#11 Core Provider PKCS#11 Card Provider Software Token User Interface API 3 rd Party Entrust AdaptorCAPI AdaptorJava Adaptor
Algorithmic Research SmartAdaptor Registration API With SmartAdaptor, in order to register a provider, an application needs to create a registration context: CreatePKCS11ProviderContext CreatePKCS11SmartcardProviderContext CreateSmartcardReaderContext to supply information about provider name, path, ATR of card with comparison mask (in the case of smart card provider), possibly some other information and register provider: RegisterProvider C ontext must be released at the end of registration: FreeContext
Algorithmic Research SmartAdaptor Registration API Several services for obtaining information about registered providers, modifying data, and searching are supplied : GetProviderData SetProviderData AddATRToList ListProviders All provider-related information is stored in fields. SmartAdaptor has a set of predefined fields, though vendor-defined fields are also supported. Fields are presented in TLV form.
Algorithmic Research SmartAdaptor Reader Provider Proprietary reader vendors must provide an interface according to a simple generic access API defined in SmartAdaptor : power on ( parameters : input - slot ID, output - ATR ) power off ( parameters : input – slot ID ) transmit ( parameters : input – slot ID and send Buffer, output – received Buffer ) get card status ( parameters : input – slot ID, output – card state(inserted, powered, etc. )) A reader vendor must also supply an Entry function, which provides pointers to the above interface functions. The name of the Entry function must be supplied to SmartAdaptor during reader provider registration.
Algorithmic Research SmartAdaptor Smart Card Provider Smart card providers working under SmartAdaptor can interoperate with any PC/SC, CT-API or proprietary reader. All they need is to use callback functions provided by SmartAdaptor, instead of direct calls to the reader interface. During registration the smart card provider should supply the name of an Entry function, which can be used by SmartAdaptor to provide it with the callbacks. During C_OpenSession, SmartAdaptor retrieves the ATR of the card inserted in the slot and looks for a registered provider with matching ATR. (Mechanisms for multi- application card recognition will be added in the next version of SmartAdaptor).
Algorithmic Research SmartAdaptor Smart Card Provider When a smart card provider is found, SmartAdaptor loads the appropriate library and calls the Entry function, where the smart card provider can find the callback functions to communicate with the reader. The smart card provider must work with the readers via the callbacks supplied by the Entry call, using the slot IDs obtained from C_OpenSession call. Smart card providers can always recognize the reader they currently work with, and for readers with known special features, SmartAdaptor enables smart card providers to gain direct access to the reader. SmartAdaptor takes responsibility for synchronization of requests to the reader made by threads and applications.
Algorithmic Research SmartAdaptor Solution The solution is already proven and fully operational. Supported platforms: Windows 95/98, WinNT v4.0, Win2000 Next version: Unix