PKCS: Public Key Cryptography Standards
Devised and published by RSA Security
Launched in 1991 as implementation agreements among early adopters of public-key cryptography
    » Apple, Digital, Lotus, Microsoft, MIT, Northern Telecom, Novell, Sun
Revised 1993, Cryptoki (PKCS #11) released 1995
Workshops, ongoing updates, new documents since 1996

PKCS - Standards
PKCS #1: RSA Cryptography Standard
PKCS #3: Diffie-Hellman Key-Agreement
PKCS #5: Password-Based Cryptography
PKCS #7: Cryptographic Message Syntax Standard
    » Sign/encrypt messages under a PKI
PKCS #8: Private-Key Information Syntax
PKCS #9: Selected Attribute Types
    » Selected attribute types for use in PKCS #7, #8, #10
PKCS #10: Certification Request Syntax
    » Format of messages sent to a certification authority to request certification of a public key
PKCS #11: Cryptographic Token Interface (Cryptoki)
PKCS #12: Personal Information Exchange Syntax
PKCS #13: Elliptic Curve Cryptography Standard
PKCS #14: Pseudo-random Number Generation
PKCS #15: Cryptographic Token Information Format Standard
Obsolete: PKCS #2, #4, #6

PKCS #1: RSA Cryptography
RSA encryption, signature schemes
v1.5 (1993) has basic RSA schemes, specified in SSL, S/MIME, PKIX
v2.0 (1998) adds Bellare-Rogaway OAEP encryption
v2.1 (2002) adds B-R PSS (Probabilistic Signature Scheme)

PKCS #7: Cryptographic Message Syntax
Signed, encrypted message syntax
Enhancement to Privacy-Enhanced Mail
v1.5 (1993) has RSA-oriented key management, basis for S/MIME, some PKIX protocols
IETF RFC 2630 (CMS) adds DH-oriented key management
v1.6 (2009) supports SET (Secure Electronic Transaction) protocol

PKCS #11: Cryptographic Token Interface (a.k.a. Cryptoki)
Programming interface for smart cards, other devices
v1.0 (1995) has basic methods
v2.01 (1997) adds cryptographic mechanisms, improves management
v2.11 (2001) clarifies interfaces, adds more mechanisms

PKCS #11 - Main Goals:
The primary goal of Cryptoki: a lower-level programming interface that abstracts the details of the devices and presents to the application a common model of the cryptographic device, called a cryptographic token.
A secondary goal: resource-sharing
    » As desktop multi-tasking operating systems become more popular, a single device should be shared between more than one application. In addition, an application should be able to interface to more than one device at a given time.

PKCS #11 and several key concepts
Slot: place where the smart card is inserted
Token: the thing that is inserted into the slot, commonly the smart card
Object: keys, certificates, data, sessions, etc.
Session: before any operation we need to establish a session to the token
[Diagram: object hierarchy. Object: Data, Key, Certificate. Key: Public Key, Private Key, Secret Key]

PKCS #11 - Functions
Smart Card Management:
    » C_GetSlotList
    » C_GetSlotInfo
    » C_GetTokenInfo
    » C_GetMechanismList
    » C_GetMechanismInfo
    » C_InitToken
    » C_InitPIN
    » C_SetPIN
Digital Signature:
    » C_SignInit
    » C_Sign
    » C_SignUpdate
    » C_SignFinal
    » C_VerifyInit
    » C_Verify
    » C_VerifyUpdate
    » C_VerifyFinal
Session Management:
    » C_OpenSession
    » C_CloseSession
    » C_CloseAllSessions
    » C_GetSessionInfo
    » C_Login
    » C_Logout
Key Management:
    » C_GenerateKey
    » C_GenerateKeyPair
    » C_WrapKey
    » C_UnwrapKey
Message Hashing:
    » C_DigestInit
    » C_Digest
    » C_DigestUpdate
    » C_DigestFinal

PKCS #11 example
Management of SmartCard - Generation of a public/private key pair: the C_GenerateKeyPair function performs the following operations:
1. Inserts into the file EF_Index the identifiers of the key objects obtained from the templates;
2. Fills in the files EF_Kpub_Attribute and EF_Kpri_Attribute with information obtained from the templates;
3. Constructs the file EF_Kpub via the APDU command CREATE FILE;
4. Constructs the object BSOKPRI-SIGN through the APDU command PUT DATA OCI, forcing the algorithm and access conditions to be consistent with the template of the private key;
5. Generates the key pair using the APDU command GENERATE KEY PAIR.

PKCS #11 example
The C_GenerateKeyPair function (prerequisite: C_Login)
Input Parameters:
CK_SESSION_HANDLE hsession:
    » session handle obtained by the functions C_OpenSession and C_GetSessionInfo;
CK_MECHANISM_PTR pmechanism:
    » pointer to the cryptographic mechanisms supported by the library;
CK_ATTRIBUTE_PTR ppublickeytemplate:
    » pointer to the template of the public key;
CK_ULONG ulpublickeyattributecount:
    » number of attributes of the template;
CK_ATTRIBUTE_PTR pprivatekeytemplate:
    » pointer to the template of the private key;
CK_ULONG ulprivatekeyattributecount:
    » number of attributes of the template;
CK_OBJECT_HANDLE_PTR phpublickey:
    » pointer to where the library will return the object handle of the public key;
CK_OBJECT_HANDLE_PTR phprivatekey:
    » pointer to where the library will return the object handle of the private key.

    CK_RV CK_ENTRY C_GenerateKeyPair (
        CK_SESSION_HANDLE hsession,
        CK_MECHANISM_PTR pmechanism,
        CK_ATTRIBUTE_PTR ppublickeytemplate,
        CK_ULONG ulpublickeyattributecount,
        CK_ATTRIBUTE_PTR pprivatekeytemplate,
        CK_ULONG ulprivatekeyattributecount,
        CK_OBJECT_HANDLE_PTR phpublickey,
        CK_OBJECT_HANDLE_PTR phprivatekey
    );
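
The private-key template passed to C_GenerateKeyPair sets the access conditions the card will enforce, so it is worth auditing before the call is made. The following is an added example, not code from the original slides: a check that runs without a token, in which the Cryptoki types and attribute constants are a subset reproduced inline, and the finding names, helper functions and the "set protections explicitly" policy are assumptions of this example.

```c
#include <stdio.h>
/* Subset of the Cryptoki types and attribute constants (values as in pkcs11t.h),
   declared inline so this file compiles without a vendor SDK or a token. */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CK_TRUE 1
#define CK_FALSE 0
#define CKA_PRIVATE     0x00000002UL
#define CKA_ID          0x00000102UL
#define CKA_SENSITIVE   0x00000103UL
#define CKA_SIGN        0x00000108UL
#define CKA_EXTRACTABLE 0x00000162UL

/* Findings (hypothetical names), OR-ed together by audit_private_template(). */
enum { F_EXTRACTABLE = 1, F_NOT_SENSITIVE = 2, F_NOT_PRIVATE = 4, F_NO_ID = 8 };

/* Value of a CK_BBOOL attribute: 1 or 0, or -1 if absent or malformed. */
static int bool_attr(const CK_ATTRIBUTE *t, CK_ULONG n, CK_ULONG type) {
    for (CK_ULONG i = 0; i < n; i++)
        if (t[i].type == type)
            return (t[i].pValue && t[i].ulValueLen == sizeof(CK_BBOOL))
                       ? (*(const CK_BBOOL *)t[i].pValue != CK_FALSE) : -1;
    return -1;
}

/* Assumed policy: protections must be set explicitly, never left to token defaults. */
unsigned audit_private_template(const CK_ATTRIBUTE *t, CK_ULONG n) {
    unsigned f = F_NO_ID;            /* cleared once a non-empty CKA_ID is found */
    if (bool_attr(t, n, CKA_EXTRACTABLE) != 0) f |= F_EXTRACTABLE;
    if (bool_attr(t, n, CKA_SENSITIVE) != 1)   f |= F_NOT_SENSITIVE;
    if (bool_attr(t, n, CKA_PRIVATE) != 1)     f |= F_NOT_PRIVATE;
    for (CK_ULONG i = 0; i < n; i++)
        if (t[i].type == CKA_ID && t[i].pValue && t[i].ulValueLen > 0)
            f &= ~(unsigned)F_NO_ID;
    return f;
}

/* Constructed sample templates (not taken from any real card profile). */
static CK_BBOOL yes = CK_TRUE, no = CK_FALSE;
static unsigned char key_id[] = { 0x01 };
static CK_ATTRIBUTE hardened[] = {
    { CKA_PRIVATE, &yes, sizeof yes }, { CKA_SENSITIVE, &yes, sizeof yes },
    { CKA_EXTRACTABLE, &no, sizeof no }, { CKA_SIGN, &yes, sizeof yes },
    { CKA_ID, key_id, sizeof key_id } };
static CK_ATTRIBUTE weak[] = { { CKA_SIGN, &yes, sizeof yes }, { CKA_EXTRACTABLE, &yes, sizeof yes } };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))
unsigned demo_hardened(void) { return audit_private_template(hardened, COUNT(hardened)); }
unsigned demo_weak(void) { return audit_private_template(weak, COUNT(weak)); }
int main(void) { return printf("hardened=0x%x weak=0x%x\n", demo_hardened(), demo_weak()) < 0; }
```

The CKA_ID check ties to the EF_Index file, which stores these identifiers so that the object management functions can locate the key objects on the card.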

PKCS #15
PKCS #15: Cryptographic Token Information Format
File format for cryptographic data on smart cards, other devices
v1.0 (1998) newly released, candidate for WAP Forum, country e-id cards
v1.1 (2004) adds software format
Common formats for cryptographic objects
File formats in case of smart cards
Coordination with several groups:
    » WAP Forum
    » PC/SC Forum
    » SEIS (Sweden)

PKCS #15 - File System
EF_Index: Elementary Linear File of TLV type that contains the PKCS #11 identifiers (CKA_ID) of the public key, private key, certificate, and data objects in the Digital Signature directory. This file is used by the object management functions for the "navigation" of the Smart Card file system.

Abstraction:
[Diagram: APPLICATION, COM Ser.Provider, C - API, Crypto Service Provider, Resource Manager, IFD Driver, OS manufacture IFD, SC reader, Smart Card]

Abstraction in Windows - Cryptographic Service Provider (CSP):