Presentation is loading. Please wait.

Presentation is loading. Please wait.

PKCS-11 Protocol for Enterprise Key Management

Published byElla Hoover Modified over 10 years ago

Similar presentations

Presentation on theme: "PKCS-11 Protocol for Enterprise Key Management"— Presentation transcript:

1 PKCS-11 Protocol for Enterprise Key Management
June 2007

2 Question for P1619.3 Should we consider using PKCS #11 as:
A reference point to validate any standard key management protocol for P1619.3? In serialized form, a candidate for a comprehensive key management protocol as P standard?

3 PKCS #11 Standard PKCS #11 is a widely-accepted standard for interfacing with devices that store keys (e.g. Hardware Security Module, smartcard) Specifies application programming interface (“Cryptoki”) in C Does not specify storage format History 1/94: project launched 4/95: v1.0 published 12/97: v2.01 published 12/99: v2.10 published 6/04: v2.20 published Current specification

4 PKCS#11 Core Concepts Manage security objects
Security Object Life cycle Security Attributes for all Objects Secure by Design Cryptographic Services Extensible architecture Arbitrary Objects Arbitrary Attributes Supports wide range of devices simple tokens complex hardware security modules

5 PKCS#11 v2.20 Specification – Figure 2
Object Hierarchy * Object Hierarchy PKCS#11 v2.20 Specification – Figure 2

6 General Cryptoki Model
* General Cryptoki Model PKCS#11 v2.20 Specification – Figure 1

7 PKCS#11 Core Concepts Base Security Object Life Cycle Services
Create object on device In volatile (session) or persistent (token) form With security attributes (to protect migration or usage of object) Destroy object on device Import object into the device Via secure (wrapped) or insecure (plaintext) approach Export object from the device Perform operation on object on device (cryptographic services) Locate object on device The search criteria is specified in terms of attribute values Set attributes against an object on device Get attributes from an object on device

8 PKCS#11 Core Concepts Base Security Object Cryptographic Services
Encrypt & Decrypt[1] Digest[1] Sign/MAC & Verify/VerifyMAC[1] Generate or Derive Key (for the various key types) Wrap Key & Unwrap Key Random Number Generator [1] Provided in both single and multi-part forms

9 Object Attribute Hierarchy
* Object Attribute Hierarchy PKCS#11 v2.20 Specification – Figure 5

10 PKCS#11 Core Concepts The class hierarchy presented above includes a number of abstract classes which do not exist in the PKCS#11 specifications (Passive, Active, and Device). These have been introduced in order to logically model what is in place. Storage and Key are defined in the specification as is the concept of Security Object (although the generic name of Object is what is used). There are two main groups of Classes – those which report information about the PKCS#11 Device and those which involve the storage of data (in either volatile or persistent form). For Storage Classes, there are classes which only store data (Data, Certificate) and cannot be used in operations (Encrypt/Decrypt, Sign/Verify, Digest, Generate/Derive).

11 PKCS#11 Core Concepts Security Object Basic Permissions
CKA_TOKEN, CKA_MODIFIABLE, CKA_SENSITIVE, CKA_PRIVATE, CKA_TRUSTED, CKA_LOCAL Security Object Allowed Operations CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN, CKA_VERIFY, CKA_VERIFY_RECOVER, CKA_DERIVE, CKA_ALLOWED_MECHANISMS Security Object Import/Export CKA_WRAP, CKA_WRAP_WITH_TRUSTED, CKA_UNWRAP, CKA_EXTRACTABLE, CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE Security Object Historical State CKA_ALWAYS_SENSITIVE, CKA_NEVER_EXTRACTABLE, CKA_START_DATE, CKA_END_DATE

12 PKCS#11 Core Concepts Security Object Basic Permissions
CKA_TOKEN CK_TRUE if security object is a token object CK_FALSE if security object is a session object CKA_MODIFIABLE CK_TRUE if object can be modified CKA_SENSITIVE Security sensitive attributes non-readable CKA_PRIVATE Authentication required prior to security object being visible CKA_TRUSTED For certificates – can be trusted for verification For keys – can be used as the wrapping key for wrap-trusted operations CKA_LOCAL Security object was created on the device (not imported)

13 PKCS#11 Core Concepts Security Object Allowed Operations
CKA_ENCRYPT CK_TRUE if the security object supports encryption CKA_DECRYPT CK_TRUE if the security object supports decryption CKA_SIGN CK_TRUE if the security object supports signing CKA_VERIFY CK_TRUE if the security object supports verification where the signature is an appendix to the data CKA_VERIFY_RECOVER CK_TRUE if the security object supports verification where the data is recovered from the signature CKA_DERIVE CK_TRUE if the security object key supports key derivation (i.e., if other keys can be derived from this one) CKA_ALLOWED_MECHANISMS A list of mechanisms allowed to be used with this security object

14 PKCS#11 Core Concepts Security Object Import/Export
CKA_WRAP CK_TRUE if the security object supports wrapping (i.e., can be used to wrap other security objects) CKA_WRAP_WITH_TRUSTED CK_TRUE if the security object can only be wrapped with a wrapping security object that has CKA_TRUSTED set to CK_TRUE CKA_UNWRAP CK_TRUE if the security object supports unwrapping (i.e., can be used to unwrap other security objects) CKA_EXTRACTABLE CK_TRUE if the security object is extractable and can be wrapped CKA_WRAP_TEMPLATE The attribute template to match against any security objects wrapped using this wrapping security object. Security objects that do not match cannot be wrapped CKA_UNWRAP_TEMPLATE The attribute template to apply to any security objects unwrapped using this wrapping security object. Any user supplied template is applied after this template as if the object has already been created.

15 PKCS#11 Core Concepts Security Object Historical State
CKA_ALWAYS_SENSITIVE CK_TRUE if the security object has always had the CKA_SENSITIVE attribute set to CK_TRUE CKA_NEVER_EXTRACTABLE CK_TRUE if the security object has never had the CKA_EXTRACTABLE attribute set to CK_TRUE CKA_START_DATE Start date for the security object (day/month/year) CKA_END_DATE End date for the security object (day/month/year)

16 Current Application Usage As Deployed Today
Crypto provider API Defined Interface nCipher NetHSM SafeNet iKEY …. C_Initialize() C_GetFunctionList() PKCS#11

17 Current Application Usage As Deployed Today
Client Direct PKCS#11 MS-CryptoAPI Sun-JCE, IBM-JCE BSAFE SDK, OpenSSL, … API External nCipher NetHSM SafeNet iKEY ….

18 Internal representation Internal representation
PKCS#11 Network Protocol Client External API API Internal representation Internal representation Encode Decode Encode Decode Transport Transport

19 … … PKCS#11 Network Protocol
Wire format totally independent of API encode / decode Can be simple TLV or XML LEN Tag Len Value LEN Tag Len Value

20

Download ppt "PKCS-11 Protocol for Enterprise Key Management"

Similar presentations

1 IETF KEYPROV WG Protocol Basis and Characteristics IEEE P1619.3 April 11, 2007 Andrea Doherty.

1 IETF KEYPROV WG Protocol Basis and Characteristics IEEE P April 11, 2007 Andrea Doherty.
Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.

Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.
© Copyrights 1998 Algorithmic Research Ltd. All rights Reserved D a t a S e c u r i t y A c r o s s t h e E n t e r p r i s e Algorithmic Research a company.

© Copyrights 1998 Algorithmic Research Ltd. All rights Reserved D a t a S e c u r i t y A c r o s s t h e E n t e r p r i s e Algorithmic Research a company.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Introduction to z/OS Security Lesson 4: There’s more to it than RACF

Introduction to z/OS Security Lesson 4: There’s more to it than RACF
CT-KIP Magnus Nyström, RSA Security OTPS Workshop, October 2005.

CT-KIP Magnus Nyström, RSA Security OTPS Workshop, October 2005.
Practical Digital Signature Issues. Paving the way and new opportunities. www.oasis-open.org Juan Carlos Cruellas – DSS-X co-chair Stefan Drees - DSS-X.

Practical Digital Signature Issues. Paving the way and new opportunities. Juan Carlos Cruellas – DSS-X co-chair Stefan Drees - DSS-X.
1 May 25, 2005 Security Pki en pkcs. 2 May 25, 2005 Waarom beveiligen? Confidentiality – to keep exchanged information private Integrity – to prove that.

1 May 25, 2005 Security Pki en pkcs. 2 May 25, 2005 Waarom beveiligen? Confidentiality – to keep exchanged information private Integrity – to prove that.
GOPAS TechEd 2012 PKI Design Ing. Ondřej Ševeček | GOPAS a.s. |

GOPAS TechEd 2012 PKI Design Ing. Ondřej Ševeček | GOPAS a.s. |
SafeNet Luna XML Hardware Security Module

SafeNet Luna XML Hardware Security Module
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Exchange Network Key Management Services A Security Component February 28, 2005 The Exchange Network Node Mentoring Workshop.

Exchange Network Key Management Services A Security Component February 28, 2005 The Exchange Network Node Mentoring Workshop.
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.

An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.
Using Cryptographic ICs For Security and Product Management Misconceptions about security Network and system security Key Management The Business of Security.

Using Cryptographic ICs For Security and Product Management Misconceptions about security Network and system security Key Management The Business of Security.
Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)

Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)
LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.

LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.
Identity and Access IDGo Secure Email (ISE) for Android Didier Bonnet April 2015.

Identity and Access IDGo Secure (ISE) for Android Didier Bonnet April 2015.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
1 Pertemuan 12 E-mail Security Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 12 Security Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

Similar presentations

Ads by Google