PKCS-11 Protocol for Enterprise Key Management

Slides:



Advertisements
Similar presentations
1 IETF KEYPROV WG Protocol Basis and Characteristics IEEE P April 11, 2007 Andrea Doherty.
Advertisements

Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.
© Copyrights 1998 Algorithmic Research Ltd. All rights Reserved D a t a S e c u r i t y A c r o s s t h e E n t e r p r i s e Algorithmic Research a company.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Introduction to z/OS Security Lesson 4: There’s more to it than RACF
CT-KIP Magnus Nyström, RSA Security OTPS Workshop, October 2005.
Practical Digital Signature Issues. Paving the way and new opportunities. Juan Carlos Cruellas – DSS-X co-chair Stefan Drees - DSS-X.
1 May 25, 2005 Security Pki en pkcs. 2 May 25, 2005 Waarom beveiligen? Confidentiality – to keep exchanged information private Integrity – to prove that.
GOPAS TechEd 2012 PKI Design Ing. Ondřej Ševeček | GOPAS a.s. |
SafeNet Luna XML Hardware Security Module
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Exchange Network Key Management Services A Security Component February 28, 2005 The Exchange Network Node Mentoring Workshop.
WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.
Using Cryptographic ICs For Security and Product Management Misconceptions about security Network and system security Key Management The Business of Security.
Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)
LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.
Identity and Access IDGo Secure (ISE) for Android Didier Bonnet April 2015.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
1 Pertemuan 12 Security Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
Edward Tsai – CS 239 – Spring 2003 Strong Security for Active Networks CS 239 – Network Security Edward Tsai Tuesday, May 13, 2003.
About PKI Key Stores Dartmouth College PKI Lab. Key Store Defined Protected “vault” to hold user’s private key with their copy of their x.509 certificate.
Chapter Extension 23 SSL/TLS and //https © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.
Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
Cryptography and Network Security Chapter 15 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
CAMP - June 4-6, Copyright Statement Copyright Robert J. Brentrup and Mark J. Franklin This work is the intellectual property of the authors.
Csci5233 Computer Security1 GS: Chapter 6 Using Java Cryptography for Authentication.
Key Management Lifecycle. Cryptographic key management encompasses the entire lifecycle of cryptographic keys and other keying material. Basic key management.
魂▪創▪通魂▪創▪通 Use Case and Requirement for Future Work Sangrae Cho Authentication Research Team.
PKCS11 Key Protection And the Insider Threat.
Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1.
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
SODA Archiving October 2013
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
The Cryptographic Sensor FTO Libor Dostálek, Václav Novák.
Java Security Pingping Ma Nov 2 nd, Overview Platform Security Cryptography Authentication and Access Control Public Key Infrastructure (PKI)
Key Management Workshop November 1-2, Cryptographic Algorithms, Keys, and other Keying Material  Approved cryptographic algorithms  Security.
Unit 1: Protection and Security for Grid Computing Part 2
EIDE Design Considerations 1 EIDE Design Considerations Brian Wright Portland General Electric.
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
Symmetric Encryption Mom’sSecretApplePieRecipe Mom’sSecretApplePieRecipe The same key is used to encrypt and decrypt the data. DES is one example. Pie.
Cryptography and Network Security (CS435) Part Twelve (Electronic Mail Security)
DSKPP And PSKC: IETF Standard Protocol And Payload For Symmetric Key Provisioning Philip Hoyer Senior Architect – CTO Office.
New Cryptographic Techniques for Active Networks Sandra Murphy Trusted Information Systems March 16, 1999.
SEC835 Runtime authentication Secure session management Secure use of cryptomaterials.
Middleware for Secure Environments Presented by Kemal Altıntaş Hümeyra Topcu-Altıntaş Osman Şen.
CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.
Security and Privacy for the Smart Grid James Bryce Clark, OASIS Robert Griffin, RSA Hal Lockhart, Oracle.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Building a Fully Trusted Authentication Environment
1 Thuy, Le Huu | Pentalog VN Web Services Security.
1 Session 4 Module 6: Digital signatures. Digital Signatures / Session4 / 2 of 18 Module 4, 5 - Review (1)  Java 2 security model provides a consistent.
Peter Gutmann A PKCS #11 Test Suite Peter Gutmann
Electronic Mail Security Prepared by Dr. Lamiaa Elshenawy
Copyright Statement Copyright Robert J. Brentrup This work is the intellectual property of the author. Permission is granted for this material to.
Lecture 11 Overview. Digital Signature Properties CS 450/650 Lecture 11: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
Authentication has three means of authentication Verifies user has permission to access network 1.Open authentication : Each WLAN client can be.
By Marwan Al-Namari & Hafezah Ben Othman Author: William Stallings College of Computer Science at Al-Qunfudah Umm Al-Qura University, KSA, Makkah 1.
Security By Meenal Mandalia. What is ? stands for Electronic Mail. much the same as a letter, only that it is exchanged in a different.
Security is one of the most widely used and regarded network services
Cryptographic Usage Mask
Student: Ying Hong Course: Database Security Instructor: Dr. Yang
Cryptographic Usage Mask
Presentation transcript:

PKCS-11 Protocol for Enterprise Key Management June 2007

Question for P1619.3 Should we consider using PKCS #11 as: A reference point to validate any standard key management protocol for P1619.3? In serialized form, a candidate for a comprehensive key management protocol as P11619.3 standard?

PKCS #11 Standard PKCS #11 is a widely-accepted standard for interfacing with devices that store keys (e.g. Hardware Security Module, smartcard) Specifies application programming interface (“Cryptoki”) in C Does not specify storage format History 1/94: project launched 4/95: v1.0 published 12/97: v2.01 published 12/99: v2.10 published 6/04: v2.20 published Current specification http://www.rsa.com/rsalabs/node.asp?id=2124

PKCS#11 Core Concepts Manage security objects Security Object Life cycle Security Attributes for all Objects Secure by Design Cryptographic Services Extensible architecture Arbitrary Objects Arbitrary Attributes Supports wide range of devices simple tokens complex hardware security modules

PKCS#11 v2.20 Specification – Figure 2 Object Hierarchy * Object Hierarchy PKCS#11 v2.20 Specification – Figure 2

General Cryptoki Model * General Cryptoki Model PKCS#11 v2.20 Specification – Figure 1

PKCS#11 Core Concepts Base Security Object Life Cycle Services Create object on device In volatile (session) or persistent (token) form With security attributes (to protect migration or usage of object) Destroy object on device Import object into the device Via secure (wrapped) or insecure (plaintext) approach Export object from the device Perform operation on object on device (cryptographic services) Locate object on device The search criteria is specified in terms of attribute values Set attributes against an object on device Get attributes from an object on device

PKCS#11 Core Concepts Base Security Object Cryptographic Services Encrypt & Decrypt[1] Digest[1] Sign/MAC & Verify/VerifyMAC[1] Generate or Derive Key (for the various key types) Wrap Key & Unwrap Key Random Number Generator [1] Provided in both single and multi-part forms

Object Attribute Hierarchy * Object Attribute Hierarchy PKCS#11 v2.20 Specification – Figure 5

PKCS#11 Core Concepts The class hierarchy presented above includes a number of abstract classes which do not exist in the PKCS#11 specifications (Passive, Active, and Device). These have been introduced in order to logically model what is in place. Storage and Key are defined in the specification as is the concept of Security Object (although the generic name of Object is what is used). There are two main groups of Classes – those which report information about the PKCS#11 Device and those which involve the storage of data (in either volatile or persistent form). For Storage Classes, there are classes which only store data (Data, Certificate) and cannot be used in operations (Encrypt/Decrypt, Sign/Verify, Digest, Generate/Derive).

PKCS#11 Core Concepts Security Object Basic Permissions CKA_TOKEN, CKA_MODIFIABLE, CKA_SENSITIVE, CKA_PRIVATE, CKA_TRUSTED, CKA_LOCAL Security Object Allowed Operations CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN, CKA_VERIFY, CKA_VERIFY_RECOVER, CKA_DERIVE, CKA_ALLOWED_MECHANISMS Security Object Import/Export CKA_WRAP, CKA_WRAP_WITH_TRUSTED, CKA_UNWRAP, CKA_EXTRACTABLE, CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE Security Object Historical State CKA_ALWAYS_SENSITIVE, CKA_NEVER_EXTRACTABLE, CKA_START_DATE, CKA_END_DATE

PKCS#11 Core Concepts Security Object Basic Permissions CKA_TOKEN CK_TRUE if security object is a token object CK_FALSE if security object is a session object CKA_MODIFIABLE CK_TRUE if object can be modified CKA_SENSITIVE Security sensitive attributes non-readable CKA_PRIVATE Authentication required prior to security object being visible CKA_TRUSTED For certificates – can be trusted for verification For keys – can be used as the wrapping key for wrap-trusted operations CKA_LOCAL Security object was created on the device (not imported)

PKCS#11 Core Concepts Security Object Allowed Operations CKA_ENCRYPT CK_TRUE if the security object supports encryption CKA_DECRYPT CK_TRUE if the security object supports decryption CKA_SIGN CK_TRUE if the security object supports signing CKA_VERIFY CK_TRUE if the security object supports verification where the signature is an appendix to the data CKA_VERIFY_RECOVER CK_TRUE if the security object supports verification where the data is recovered from the signature CKA_DERIVE CK_TRUE if the security object key supports key derivation (i.e., if other keys can be derived from this one) CKA_ALLOWED_MECHANISMS A list of mechanisms allowed to be used with this security object

PKCS#11 Core Concepts Security Object Import/Export CKA_WRAP CK_TRUE if the security object supports wrapping (i.e., can be used to wrap other security objects) CKA_WRAP_WITH_TRUSTED CK_TRUE if the security object can only be wrapped with a wrapping security object that has CKA_TRUSTED set to CK_TRUE CKA_UNWRAP CK_TRUE if the security object supports unwrapping (i.e., can be used to unwrap other security objects) CKA_EXTRACTABLE CK_TRUE if the security object is extractable and can be wrapped CKA_WRAP_TEMPLATE The attribute template to match against any security objects wrapped using this wrapping security object. Security objects that do not match cannot be wrapped CKA_UNWRAP_TEMPLATE The attribute template to apply to any security objects unwrapped using this wrapping security object. Any user supplied template is applied after this template as if the object has already been created.

PKCS#11 Core Concepts Security Object Historical State CKA_ALWAYS_SENSITIVE CK_TRUE if the security object has always had the CKA_SENSITIVE attribute set to CK_TRUE CKA_NEVER_EXTRACTABLE CK_TRUE if the security object has never had the CKA_EXTRACTABLE attribute set to CK_TRUE CKA_START_DATE Start date for the security object (day/month/year) CKA_END_DATE End date for the security object (day/month/year)

Current Application Usage As Deployed Today Crypto provider API Defined Interface nCipher NetHSM SafeNet iKEY …. C_Initialize() C_GetFunctionList() … PKCS#11

Current Application Usage As Deployed Today Client Direct PKCS#11 MS-CryptoAPI Sun-JCE, IBM-JCE BSAFE SDK, OpenSSL, … API External nCipher NetHSM SafeNet iKEY ….

Internal representation Internal representation PKCS#11 Network Protocol Client External API API Internal representation Internal representation Encode Decode Encode Decode Transport Transport

… … PKCS#11 Network Protocol Wire format totally independent of API encode / decode Can be simple TLV or XML LEN … Tag Len Value LEN … Tag Len Value

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.