© Copyrights 1998 Algorithmic Research Ltd. All rights Reserved D a t a S e c u r i t y A c r o s s t h e E n t e r p r i s e Algorithmic Research a company.

Slides:



Advertisements
Similar presentations
Operating-System Structures
Advertisements

PKCS-11 Protocol for Enterprise Key Management
Digital Certificate Installation & User Guide For Class-2 Certificates.
Installation & User Guide
DIGIDOC A web based tool to Manage Documents. System Overview DigiDoc is a web-based customizable, integrated solution for Business Process Management.
© 2003, Cisco Systems, Inc. All rights reserved..
Multi-Application in Smart Card-based Devices Christophe Colas, Chief Software Architect August 2002.
Digital Certificate Installation & User Guide For Class-2 Certificates.
Introduction to z/OS Security Lesson 4: There’s more to it than RACF
Digital Certificate Installation & User Guide For Class-2 Certificates.
PKCS #15 v1.1 Magnus Nyström RSA Laboratories PKCS Workshop, 1999.
POC Security System High security system combining PIN-on-Card, information security, physical access, control and alarm – all in one system.
Test Case Management and Results Tracking System October 2008 D E L I V E R I N G Q U A L I T Y (Short Version)
Identity and Access IDPrime MD 8840 and IDCore 8030 MicroSD cards
SPEKE S imple Password-authenticated Exponential Key Exchange Robert Mol Phoenix Technologies.
SafeNet Luna XML Hardware Security Module
Operating-System Structures
Travel and Expense Management Scenario Overview
SDN and Openflow.
FIT3105 Smart card based authentication and identity management Lecture 4.
Requirements Specification
About PKI Key Stores Dartmouth College PKI Lab. Key Store Defined Protected “vault” to hold user’s private key with their copy of their x.509 certificate.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
VDA Security Services Freeware Libraries Update IETF S/MIME WG 29 March 2000 John Pawling J.G. Van Dyke & Associates (VDA), Inc;
Course 201 – Administration, Content Inspection and SSL VPN
Hacking the Bluetooth Pairing Authentication Process Graduate Operating System Mini Project Siyuan Jiang and Haipeng Cai.
TAM STE Series 2008 © 2008 IBM Corporation WebSEAL SSO, Session 108/2008 TAM STE Series WebSEAL SSO, Session 1 Presented by: Andrew Quap.
Leveraging UICC with Open Mobile API for Secure Applications and Services Ran Zhou.
MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.
UICC UICC is a smart card used in mobile terminals in GSM and UMTS networks It provides the authentication with the networks secure storage crypto algorithms.
© 2003 East Collaborative e ast COLLABORATIVE ® eC SoftwareProducts TrackeCHealth.
OPC.NET 3.0 Technical Overview. OPC.NET 3.0 or Xi OPC Xi was renamed to OPC.NET 3.0 to better reflect its purpose – to provide a.NET interface for OPC.
Chapter 9 CAD & Parameters
An Introduction to Software Architecture
Copyright © 2007, Oracle. All rights reserved. Managing Concurrent Requests.
Java Security Pingping Ma Nov 2 nd, Overview Platform Security Cryptography Authentication and Access Control Public Key Infrastructure (PKI)
This presentation contains information that is proprietary to ClickSoftware. Any copying, distribution, display, transmission or dissemination of the information.
Analysis of IP over power lines in conjunction with ADSL as a rapid network deployment package. David Mackie Supervisor: Professor Peter Clayton.
Middleware for FIs Apeego House 4B, Tardeo Rd. Mumbai Tel: Fax:
Leveraging UICC with Open Mobile API for Secure Applications and Services.
Ivo Rosol, OKsystem Middleware.
PI Data Archive Server COM Points Richard Beeson.
Android Security Model that Provide a Base Operating System Presented: Hayder Abdulhameed.
All Rights Reserved, Swurv, secure gateway interoperable communication multidomain traffic system APPLICATION LAYER TECHNICAL DISCUSSION.
Frameworks CompSci 230 S Software Construction.
Ken Asnes RSA Laboratories July 2001
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 3 v3.0 Module 9 Virtual Trunking Protocol.
1 CSCD 326 Data Structures I Software Design. 2 The Software Life Cycle 1. Specification 2. Design 3. Risk Analysis 4. Verification 5. Coding 6. Testing.
Adxstudio Portals Training
Dispatching Java agents to user for data extraction from third party web sites Alex Roque F.I.U. HPDRC.
Basics of JDBC Session 14.
L10: Model-View-Controller General application structure. User Interface: Role, Requirements, Problems Design patterns: Model – View – Controller, Observer/Observable.
Institute for the Protection and Security of the Citizen HAZAS – Hazard Assessment ECCAIRS Technical Course Provided by the Joint Research Centre - Ispra.
11/18/2003 Smart Card Authentication Mechanism Tim W. Baldridge, CISSP Marshall Space Flight Center Office of the Chief Information Officer.
Secure Mobile Development with NetIQ Access Manager
SAP NetWeaver Business Intelligence SAP Netweaver Business Warehouse (SAP NetWeaver BW) the name of the Business Intelligence,
APACHE Apache is generally recognized as the world's most popular Web server (HTTP server). Originally designed for Unix servers, the Apache Web server.
Introduction to Operating Systems Concepts
The Client/Server Database Environment
Data and Applications Security Developments and Directions
CASE STUDY 1: Linux and Android
Security and Encryption
Wireless Universal Serial Bus
Chapter 2: System Structures
Chapter 2: The Linux System Part 1
Public Key Infrastructure from the Most Trusted Name in e-Security
Installation & User Guide
SharePoint Online Authentication Patterns
ARCHITECTURE OVERVIEW
Outline Operating System Organization Operating System Examples
Presentation transcript:

© Copyrights 1998 Algorithmic Research Ltd. All rights Reserved D a t a S e c u r i t y A c r o s s t h e E n t e r p r i s e Algorithmic Research a company SmartAdaptor PKCS#11 Interface for Smart Card/Reader applications

Algorithmic Research SmartAdaptor What problems does it solve? RSA's PKCS#11 is an industry-standard security provider commonly used by secure applications. However, significant shortcomings have become apparent: An application cannot operate easily with multiple PKCS#11 providers. Use of multiple providers on the same program flow may cause serious complications. In contrast, suites like PC/SC, CAPI, CDSA were designed from the outset to support multiple providers.

Algorithmic Research SmartAdaptor What problems does it solve? PKCS#11 entered the concept of slot and token. However, since the concept of a provider is absent, there is no standard way to separate slot-dependent code from token-dependent code. As a result, it complicates the use of smart cards and in case of different vendors it does not support interoperability. Reader interfaces inadvertently use mutually incompatible standards such as PC/SC, CT-API or proprietary methods. PKCS#11 defines a lot of cryptographic mechanisms. While some of them are mandatory for operating a specific provider (e.g. for a signing token), others may be optional. However, PKCS#11 vendors still supply a lot of optional mechanisms to support more applications. The reuse of crypto-functionality for both applications and PKCS#11 vendors would be very appreciated.

Algorithmic Research SmartAdaptor What is it? A software tool that: Enables multiple PKCS#11 providers to coexist and from the application's perspective, causes them to be implemented as a single PKCS#11 package. By use of plug-ins, SmartAdaptor enables various smart card providers to interoperate with the different readers that are recognized in the system, leaving the details (reader recognition, interface, etc.) to the SmartAdaptor.

Algorithmic Research SmartAdaptor What is it? Frees PKCS#11 providers from the need to implement crypto-mechanisms. By relying on the basic algorithms, providers can focus on their specific implementations, contributing to the efficient reuse of code. Imposes thread-safety by serialization of requests even when a particular PKCS#11 provider does not support it. Allows loading of only trusted providers.

Algorithmic Research SmartAdaptor How does it work? Relies on PKCS#11 standard Views smart card and reader as distinct providers Defines three basic types of PKCS#11 provider: PKCS#11 Core Provider - self-contained PKCS#11 library, supported without any modifications. PKCS#11 Card Provider - library, which externally has a PKCS#11 interface, and internally relies on proprietary smart card API; it uses callbacks supplied by SmartAdaptor to communicate with the readers. PKCS#11 Reader Provider - library, which provides an interface to a proprietary reader, established according to SmartAdaptor rules. Defines simple provider registration API

Algorithmic Research SmartAdaptor How does it work? Defines simple reader access API to enable PKCS#11 Card Providers to interoperate with all readers. Recognizes PC/SC readers automatically, no adaptor needed. Recognizes CT-API compliant readers, no adaptor needed (though registration is still required). Provides software (virtual) token support with a full set of crypto-mechanisms implemented in software. Provides default user interface functionality for obtaining the PIN when the token does not support a protected authentication path. This user interface can be customized by the application.

Algorithmic Research SmartAdaptor Adaptation to existing APIs and applications SmartAdaptor includes a set of additional layers: CAPI adaptation layer – allows PKCS#11 vendors to become plug-ins to Microsoft applications (IE, Outlook). Entrust adaptation layer – allows PKCS#11 vendors to become plug-ins to Entrust applications. Though Entrust is in principle PKCS#11 enabled, early versions are based on PKCS#11 v1.0, which is incompatible with the current PKCS#11 version. Even Entrust v5.x, which is PKCS#11 v2.x compliant, still requires some adaptation to operate with a standard PKCS#11 module. Java adaptation layer – allows Java applications to access PKCS#11-based cryptographic devices.

Algorithmic Research SmartAdaptor Architecture PKCS#11 API Provider Registration API: Core Provider Reader Provider Card Provider Simple Reader Access API PKCS#11 Reader Provider PC/SC Reader CT- API Reader Proprietary Reader APP 1APP 2APP 3... APP n Crypto Algorithms SmartAdaptor 3 rd Party SmartAdaptor PKCS#11 Core Provider PKCS#11 Card Provider Software Token User Interface API 3 rd Party Entrust AdaptorCAPI AdaptorJava Adaptor

Algorithmic Research SmartAdaptor Registration API With SmartAdaptor, in order to register a provider, an application needs to create a registration context: CreatePKCS11ProviderContext CreatePKCS11SmartcardProviderContext CreateSmartcardReaderContext to supply information about provider name, path, ATR of card with comparison mask (in the case of smart card provider), possibly some other information and register provider: RegisterProvider C ontext must be released at the end of registration: FreeContext

Algorithmic Research SmartAdaptor Registration API Several services for obtaining information about registered providers, modifying data, and searching are supplied : GetProviderData SetProviderData AddATRToList ListProviders All provider-related information is stored in fields. SmartAdaptor has a set of predefined fields, though vendor-defined fields are also supported. Fields are presented in TLV form.

Algorithmic Research SmartAdaptor Reader Provider Proprietary reader vendors must provide an interface according to a simple generic access API defined in SmartAdaptor : power on ( parameters : input - slot ID, output - ATR ) power off ( parameters : input – slot ID ) transmit ( parameters : input – slot ID and send Buffer, output – received Buffer ) get card status ( parameters : input – slot ID, output – card state(inserted, powered, etc. )) A reader vendor must also supply an Entry function, which provides pointers to the above interface functions. The name of the Entry function must be supplied to SmartAdaptor during reader provider registration.

Algorithmic Research SmartAdaptor Smart Card Provider Smart card providers working under SmartAdaptor can interoperate with any PC/SC, CT-API or proprietary reader. All they need is to use callback functions provided by SmartAdaptor, instead of direct calls to the reader interface. During registration the smart card provider should supply the name of an Entry function, which can be used by SmartAdaptor to provide it with the callbacks. During C_OpenSession, SmartAdaptor retrieves the ATR of the card inserted in the slot and looks for a registered provider with matching ATR. (Mechanisms for multi- application card recognition will be added in the next version of SmartAdaptor).

Algorithmic Research SmartAdaptor Smart Card Provider When a smart card provider is found, SmartAdaptor loads the appropriate library and calls the Entry function, where the smart card provider can find the callback functions to communicate with the reader. The smart card provider must work with the readers via the callbacks supplied by the Entry call, using the slot IDs obtained from C_OpenSession call. Smart card providers can always recognize the reader they currently work with, and for readers with known special features, SmartAdaptor enables smart card providers to gain direct access to the reader. SmartAdaptor takes responsibility for synchronization of requests to the reader made by threads and applications.

Algorithmic Research SmartAdaptor Solution The solution is already proven and fully operational. Supported platforms: Windows 95/98, WinNT v4.0, Win2000 Next version: Unix

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.