PKCS#11

PKCS#11 : CRYPTOGRAPHIC TOKEN INTERFACE STANDARD

LI NI U Khi mt m kha cng khai bt u ng dng rng ri v c chp nhn l ngy cng r rng. Nu n c c hiu qu nh cc cng ngh c bn cho php n c th, phi c tiu chun tng thch. Mc d cc nh cung cp c th tho thun v k thut c bn kha cng khai, tnh tng thch gia hin thc l do khng c phng tin bo m. Kh nng cng tc i hi phi tun th nghim ngt theo tha thuntiu chun nh dng cho d liu chuyn giao. Hng ti mc tiu , RSA Laboratories pht trin, hp tc vi cc i din ngnh cng nghip v cc hc vin, chnh ph, mt h cc tiu chun c gi l Public-Key Cryptography Standards, hoc PKCS cho ngn. PKCS c cung cp bi RSA Laboratoriescho cc nh pht trin ca cc h thng my tnh s dng cng ngh public-key. RSA Laboratories c nh ci thin v tinh chnh cc tiu chun kt hp vi cc nh pht trin h thng my tnh, vi mc tiu sn xut tiu chun m hu ht nu khng phi tt c cc nh pht trin thng qua. Vai tr ca RSA Laboratoriestrong qu trnh tiu chun lm l gp bn ln: 1. Xut bn mt cch cn thn cc ti liu bng vn bn m t tiu chun. 2. C gng ly c kin v li khuyn t cc nh pht trin v ngi s dng thay i hu ch hoc cn thit v phn m rng. 3. Cng b tiu chun sa i khi thch hp. 4. Cung cp hng dn thc hin v / hoc trin khai thc hin tham chiu. Trong qu trnh pht trin ca PKCS, RSA Laboratoriesvn gi c quyn ti cao cui cng trn mi ti liu, mc d u vo t nhn xt r rng l c nh hng. Tuy nhin, RSA Laboratories, mc tiu l y mnh pht trin cc tiu chun chnh thc, khng phi cnh tranh vi cc cng vic nh vy. V vy, khi mt ti liu PKCS c chp nhn nh mt ti liu c s cho mt tiu chun chnh thc, RSA Laboratories tuyn b t b "quyn s hu" ca n. Ti liu, m ng cho qu trnh pht trin cc tiu chun m. RSA Laboratoriesc th tip tc pht trin cc ti liu lin quan, tt nhin, theo cc iu khon c m t trn. H PKCS hin ti bao gm cc ti liu sau y: PKCS #1: RSA Encryption Standard. Version 1.5, November 1993. PKCS #3: Diffie-Hellman Key-Agreement Standard. Version 1.4, November 1993. PKCS #5: Password-Based Encryption Standard. Version 1.5, November 1993. PKCS #6: Extended-Certificate Syntax Standard. Version 1.5, November 1993. PKCS #7: Cryptographic Message Syntax Standard. Version 1.5, November 1993. PKCS #8: Private-Key Information Syntax Standard. Version 1.2, November 1993. PKCS #9: Selected Attribute Types. Version 1.1, November 1993. PKCS #10: Certification Request Syntax Standard. Version 1.0, November 1993. PKCS #11: Cryptographic Token Interface Standard. Version 1.0, April 1995.

Trang 1


GHI CH API Giao din lp trnh ng dng. Application Bt k chng trnh my tnh m cc li gi giao din Cryptoki. ASN.1 Tm tt K hiu c php, nh nh ngha trong X.208. Attribute Mt c tnh ca mt i tng. BER Thut ton m ha khi Chaining ch , nh c nh ngha trong FIPS PUB 81. CBC Encoding Rules c bn, nh c nh ngha trong X.209. Certificate Mt tin nhn k kt rng buc mt tn ch v mt kha cng khai. Cryptographic Device Mt thit b lu tr thng tinmt mvcththchinchc nng m ha.C th c thc hin nhmt th thng minh, athng minh, thPCMCIA, hoc vi mt scngnghkhc, bao gm cphnmmhocmt qu trnh trnmt my ch. Cryptoki Cryptographic m thng bo giao din c quy nh trong tiu chun ny. Cryptoki library Mt th vin m thc hin cc chc nng quy nh trong tiu chun ny. DES Chun m ha d liu, nh c nh ngha trong FIPS PUB 46-2. DSA Ch k s thut ton, nh c nh ngha trong FIPS PUB 186. ECB Codebook ch in t, nh c nh ngha trong FIPS PUB 81. MAC M xc thc tin nhn, nh c nh ngha trong ANSI X9.9. MD2 RSA Data Security, Inc. MD2 nhn tiu ha thut ton, nh c nh ngha RFC 1319. MD5 RSA Data Security, Inc. Thng ip MD5 tiu ha thut ton, nh c nh ngha RFC 1321. Mechanism Mt qu trnh thc hin mt hot ng mt m. Object Mt mc c lu tr trn mt th, c th l d liu, chng ch, hoc mt cha kha. PIN M s c nhn. RSA Cc RSA h thng mt m kha cng khai, theo quy nh trong PKCS # 1. RC2 Thuc quyn s hu khi thut ton m ha RSA RC2 bo mt d liu i xng. RC4 c quyn dng thut ton m ha RSA RC4 bo mt d liu i xng. Reader Cc phng tin thng tin c trao i vi mt thit b. Session Mt kt ni hp l gia mt ng dng v mt m thng bo. SHA Thut ton bm an ton, nh c nh ngha trong FIPS PUB 180. Slot Mt c gi hp l c kh nng cha mt m thng bo. Subject Name X.500 tn phn bit ca thc th m quan trng l c giao. SO Cn b an ninh ngi s dng. Token quan imlun lca mt thit bm hac xc nh biCryptoki. User Ngi s dng mt ng dng giao din vi Cryptoki.CI NHN TNG QUAN PKCS #11Trang 2


THIT K MC TIU Mc tiu chnh ca Cryptokilgiao din lp trnh cp thptm ttccchititca cc thit b, v trnh byccngdngmt m hnhphbinca cc thit bm ha, cgilmt " cryptographic token" (hocch n gin l"token"). Mc tiu th hai l chia s ti nguyn.

-

M HNH M hnh chung ca Cryptoki c minh ha trong hnh di y :

XEM LUN L CA MT TOKEN Xem ca logic Cryptoki ca mt m thng bo l mt thit b lu tr i tng v c th thc hin chc nng m ha. Cryptoki nh ngha ba lp hc ca i tng d liu, chng nhn, v Keys. Mt i tng d liu c nh ngha bi mt ng dng. Mt i tng chng ch lu tr mt giy chng nhn kha cng khai. Mt i tng quan trng lu gi mt cha kha m ha. Cc m ha kha c mt kha cng khai (RSA, DSA hoc Diffie-Hellman), mt kha ring (RSA, DSA hoc Diffie- Hellman) hoc mt cha kha b mt (RC2, RC4, DES, vv). Quan im ny c minh ha trong hnh di y:

Trang 3


NGI S DNG Phin bn ny ca Cryptoki cng nhn hai loi ngi s dng m thng bo. Mt loi l bo mt cp cao (SO). Loi khc l ngi s dng bnh thng.

SESSIONS Cryptoki i himt ng dng "m mt phin hp" vimt m thng botrc khi ng dngc quyn truy cpcho cc i tngvchcnngcath. Sessioncung cp cckt ni hp lgia cc ng dngv m thng bo. Mtsession c thlread/write(R /W) phin hocmt phinread-only(R /O). Read-only session states -

Read/write session statesTrang 4


Session events Cc s kin phin gy ra trng thi phin thay i. Bng di y m t cc s kin :

CHC NNG TNG QUAN API Cryptoki bao gm mt s chc nng, bao gmqun lslot v token thng qua i tng qun l, cng nh cc chc nng m ha. Cc chc nng ny c trnh by trong bng di y :

TH LOI Mc ch chung

HM C_Initialize C_GetInfo

M T khi to Cryptoki c c thng tin tng qut v Cryptoki

Trang 5


C_GetSlotList C_GetSlotInfo C_GetTokenInfo Qun l slot v token C_GetMechansimList C_GetMechanismInfo C_InitToken C_InitPIN C_InitPIN C_OpenSession C_CloseSession Qun l session C_CloseAllSessions C_GetSessionInfo C_Login C_Logout C_CreateObject C_CopyObject C_DestroyObject C_GetObjectSize Qun l object C_GetAttributeValue C_SetAttributeValue C_FindObjectsInit C_FindObjects C_DigestInit Message digesting C_Digest C_DigestUpdateTrang 6

c ccmtdanh sch cckhecmtrong h th c c thng tinvmt khe cmcbit c c thng tinvmt m thng bocth mt danh sch cc c chh tr bimt m thng bo nhn cthng tinvmt c chcth khi to mt m thng bo khi to s PINcangi s dng bnh thng thay i m PIN ca ngi s dng hin ti m mt kt ni"sesion" gia mt ng dngvmt m thng bocth ng mt session ng mi sessionsvimt m thng bo c c thng tinvsession bn ghivomt m thng bo bn ghi ratmt m thng bo to ramt object to ra mt bnsaoca mt object hymt object c cckch thccamt object trongbyte c ccmt gi trthuctnhca mt object sa i mt gi trthuctnhca mt object khi to mt hot ngtm kimobject tip tc mthot ng tm kimobject Khi to mt hot ng message digesting Phn loid liumtphn tip tcmt hot ngphn loinhiuphn


C_DigestFinal C_SignInit C_Sign C_SignUpdate C_SignFinal C_SignRecoverInit C_SignRecover C_VerifyInit Ch k v xc thc C_Verify C_VerifyUpdate C_VerifyFinal C_VerifyRecoverInit

C_VerifyRecover

C_GenerateKey C_GenerateKeyPair Qun l Key C_WrapKey C_UnwrapKey C_DeriveKey Khi to mt s ngu nhin C_SeedRandom C_GenerateRandom C_GetFunctionStatus Hm qun l C_CancelFunctionTrang 7

kt thc mt hot ngphn loinhiuphn khi to mt thao tcch k ng k mt phn d liu duy nht tip tc mt thao tcch knhiuphn kt thc mt thao tcch knhiuphn khi to mtthao tc ch k, ni m cd liu du hiu duy nhtmt phn d liu, nid liu c th phc hitch k khi to mt thao tcxc thc xcthcmt ch k trnmtphnd liu tip tcmt thao tcxc thcnhiuphn kt thc mt thao tcxc thcnhiuphn khi to mt thao tcxc thcd liu phc hitch k xc thcmt ch k trnmtphnd liu,ni m cc d liu c phc hithtch k to mt key bo mt to ra mt cppublickey/private-key wraps(m ha) 1key unwraps (Gii m) 1 key xut pht 1 keyt 1 key c bn Tp hp cc ti liu b sung cho vic to s To d liu ngu nhin c c trng thicp nht camt chc nngang chytrong song song ving dng hy b mt chc nngchy song songvi cc ng dng


Callbacks

Notify

quy trnh thng botCryptoki

XEM XT AN NINH - L mt giao din vi cc thit b m ha, Cryptoki cung cp mt c s cho an ninh trong mt my tnh hoc h thng truyn thng. Hai trong s cc tnh nng c th ca giao din to iu kin bo m l : 1.Truy cp n cc i tngttrntoken, vc th lchc nng m ha, imt s PIN.V vy, sccthitm ho mthc hincc m thng bolkhng; PINcng rt cn thit. 2.Bo v ti a choic nh du "sensitive" c th cc ttoken, cng khng phi xutthng quaccchc nng m ha(mc dchng c th csnh l key). CC KIU D LIU Thng tin tng qut Cryptoki th hinthng tin chung vicc loi sau y: o CK_VERSION l mt cu trc m t cc phin bn ca Cryptoki. o CK_INFO cung cp thng tin chung v Cryptoki. o CK_NOTIFICATION lit k cc loi thng bo m Cryptoki cung cp cho ng dng. Cc kiu slot v token o CK_SLOT_ID l mt gi tr Cryptoki c giao xc nh mt slot. o CK_SLOT_ID_PTR trti 1CK_SLOT_ID. o CK_SLOT_INFO cung cp thng tinv1 slot. o CK_SLOT_INFO_PTR trn mtcu trcCK_SLOT_INFO. o CK_TOKEN_INFO cung cpthng tin vmt m thng bo. o CK_TOKEN_INFO_PTR trn mtcu trcCK_TOKEN_INFO. Cc kiu session o CK_SESSION_HANDLE l mt gi tr Cryptoki giao xc nh mt token. o CK_SESSION_HANDLE_PTRtrtiCK_SESSION_HANDLE. o CK_USER_TYPE lit kccloica ngi s dngCryptoki. o CK_STATE lit kccSession. o CK_SESSION_INFO cung cp thng tinvmt session. o CK_SESSION_INFO_PTR trn mtcu trcCK_SESSION_INFO. Cc kiu object o CK_OBJECT_HANDLE l mt nh danh m thng bo c th cho mt i tng. o CK_OBJECT_HANDLE_PTR tr ti CK_OBJECT_HANDLE. o CK_OBJECT_CLASS l mt gi tr xc nh cc lp hc (hoc cc loi) ca cc i tng m Cryptoki cng nhn. o CK_OBJECT_CLASS_PTR tr n cu trc CK_OBJECT_CLASS o CK_KEY_TYPE l mt gi tr xc nh mt loi quan trng. o CK_CERTIFICATE_TYPE l mt gi tr xc nh mt loi giy chng nhn. o CK_ATTRIBUTE_TYPE l mt gi tr xc nh mt loi thuc tnh.

Trang 8


o CK_ATTRIBUTE l mt cu trc bao gm cc loi, chiu di v gi tr ca mt thuc tnh. o CK_ATTRIBUTE_PTR tr n cu trc CK_ATTRIBUTE. Mechanisms o CK_MECHANISM_TYPE l mt gi tr xc nh mt loi c ch. o CK_MECHANISM_TYPE_PTR tr cu trc CK_MECHANISM_TYPE. o CK_MECHANISM l mt cu trc xc nh mt c ch c th. o CK_MECHANISM_PTR tr n cu trc CK_MECHANISM. o CK_MECHANISM_INFO l mt cu trc cung cp thng tin v mt c ch c th. o CK_MECHANISM_INFO_PTR tr n cu trc CK_MECHANISM_INFO. o CK_RC2_CBC_PARAMS l mt cu trc cung cp cc thng s c ch CKM_RC2_CBC. Functions o CK_ENTRY o CK_RV OBJECTS

Hnh di y minhcc chi tit cacc i tng1 key:

Trang 9


Cc thuc tnh c bn Bng sau y xc nhcc thuc tnhchungtitt c cc i tng:

Data objects

Certificate objectsTrang 10


Key objects

Public key objects

Private key objects

Secret key objects

Trang 11


FUNTIONS Chc nng ca Cryptoki c t chc thnh cc loi sau y: Mc ch chung Qun l slot and token Qun l session Qun l object M ha v gii m Message digesting Ch k v xc thc Qun l key Qun l function Callback

Trang 12


Trang 13


MECHANISMS - Phn ny m t cc c chmphin bn nycaCryptokihcho cc hot ngm ho . Bngsau y tm ttcc c chvng dng ca chng.

Trang 14

Documents

PKCS#11