Proposals for amendments to pkcs 11
Download
1 / 9

Proposals for Amendments to PKCS#11 - PowerPoint PPT Presentation


  • 84 Views
  • Uploaded on

Proposals for Amendments to PKCS#11. Secondary Authentication WTLS support TLS amendment. Secondary Authentication. Present support in PKCS#11 Sec 6.7 (depreciated) Via CKF_PROTECTED_AUTHENTICATION_PATH Appendix D Via virtual tokens (a token for each (private object) PIN) Analysis

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Proposals for Amendments to PKCS#11' - dung


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Proposals for amendments to pkcs 11

Proposals for Amendments to PKCS#11

Secondary Authentication

WTLS support

TLS amendment


Secondary authentication
Secondary Authentication

  • Present support in PKCS#11

    • Sec 6.7 (depreciated)

      • Via CKF_PROTECTED_AUTHENTICATION_PATH

    • Appendix D

      • Via virtual tokens (a token for each (private object) PIN)

  • Analysis

    • The 6.7 approach was not complete + impact on applications

    • The Appendix D approach is demanding a lot of logic and additional memory space for a simple task


Secondary authentication proposal
Secondary Authentication Proposal

With attributes:

CKA_SECONDARY_AUTH

CKA_AUTH_PIN_FLAGS

CKA_AUTH_PIN

CKA_AUTH_PIN_LEN

Private keyobject

New flags:

CKF_AUTH_PIN_AUTHENTICATED

  • C_SignInit(...);

  • tests if secondary authentication is required

  • returns CKR_SECONDARY_AUTHENTICATION_REQUIRED

  • C_AuthenticateObject (…);

  • sets flag

  • C_SignInit(…):

  • tests if secondary authentication is required

  • resets flag

  • performs signing

New interface parts are in blue !!!


Secondary authentication proposal1
Secondary Authentication Proposal

With attributes:

CKA_SECONDARY_AUTH

CKA_AUTH_PIN_FLAGS

CKA_AUTH_PIN

CKA_AUTH_PIN_{MIN,MAX}LEN

CKA_AUTH_NEW_PIN

Internal flags:

CKF_AUTH_PIN_AUTHENTICATED

Private keyobject

  • C_SignInit(...);

  • - tests if secondary authentication is required

  • returns CKR_SECONDARY_AUTHENTICATION_REQUIRED

  • C_SetAttributeValue

  • Enter (or change) PIN

  • C_SignInit(…):

  • tests if secondary authentication is required

  • performs signing

New interface parts are in blue !!!


Secondary authentication proposal2
Secondary Authentication Proposal

With attributes:

CKA_SECONDARY_AUTH

CKA_CLASS = SECRET KEY

CKA_ACCESS_EXEC = OBJH,never,always

CKA_ACCESS_{READ,WRITE,DELETE}

CKA_ENUM

PIN:

CKA_CLASS =CKO_AUTHENTICATION

CKA_AUTH_TYPE = PIN

CKA_VALUE

CKA_NEW_VALUE

CKA_MIN_LEN

CKA_MAX_LEN

CKA_BAD_TRYS

CKA_MAX_TRY

CKA_STATUS=1:LOCKED, 2:INIT

CKA_ACCESS_UNLOCK = PUK

Internal flags:

CKF_AUTH_PIN_AUTHENTICATED

Private keyobject

  • C_SignInit(...);

  • - tests if secondary authentication is required

  • returns CKR_SECONDARY_AUTHENTICATION_REQUIRED

  • C_SetAttributeValue

  • Enter (or change) PIN

  • C_SignInit(…):

  • tests if secondary authentication is required

  • performs signing

New interface parts are in blue !!!


Wtls support
WTLS support

  • WTLS is a WAP TLS derivative

  • Although WTLS has its limitations there is an existing infrastructure of WAP gateways that use it.


Wtls support1
WTLS support

  • CK_WLTS_RANDOM_DATA

  • CK_WTLS_PARAMS

  • CK_WTLS_MASTER_KEY_DERIVE_PARAMS

  • CK_WTLS_PRF_PARAMS

  • CK_WTLS_KEY_MAT_OUT

  • CK_WTLS_KEY_MAT_PARAMS

  • CKM_WTLS_PRE_MASTER_KEY_GEN

  • CKM_WTLS_PRF

  • CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE

  • CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE


Tls amendment
TLS amendment

Currently the PKCS#11 does not support a direct use of the TLS PRF.

  • Some TLS (protocol) implementations need support for the TLS PRF (directly) like for WTLS (WIM has only PRF)

  • The TLS PRF is useful for other purposes (than handshake only)


TLS

  • CK_TLS_PARAMS

  • CKM_TLS_PRF


ad