Presentation is loading. Please wait.

Presentation is loading. Please wait.

14 Sept 00 PKCS#11 Interoperability/Conformance Testing John Hughes PKIForum meeting Montreal - 14 September 00.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "14 Sept 00 PKCS#11 Interoperability/Conformance Testing John Hughes PKIForum meeting Montreal - 14 September 00."— Presentation transcript:

1 14 Sept 00 PKCS#11 Interoperability/Conformance Testing John Hughes PKIForum meeting Montreal - 14 September 00

2 2 14 Sept 00PKCS#11 Interoperability Testing Application PKCS#11 PKCS#11 Library “Device” Status Info Status Info Init Card Init Card Login/logout setPIN Login/logout setPIN Read/Write Data Read/Write Data Enc/Dec Sign/Verify Enc/Dec Sign/Verify Typical PKCS#11 Architecture

3 3 14 Sept 00PKCS#11 Interoperability Testing Application PKCS#11 PKCS#11 Library Status Info Status Info Init Card Init Card Login/logout setPIN Login/logout setPIN Read/Write Data Read/Write Data Enc/Dec Sign/Verify Enc/Dec Sign/Verify PKCS#11 Device Library PKCS#11 Device Library PKCS#11 Device Library PKCS#11 Device Library Common Approach

4 4 14 Sept 00PKCS#11 Interoperability Testing Why are we feeling pain - 1? PKI/Crypto Platform Supplier PKCS#11 DLL Driver Application PKCS#11 We do not want device specific changes to our code base

5 5 14 Sept 00PKCS#11 Interoperability Testing Why are we feeling pain - 2? We have a relativity sophisticated use - our full PSE “profile” is: –support for data objects - varying size –mechanisms CKM_RSA_PKCS_KEY_PAIR_GEN single part CKM_RSA_PKCS decryption CKM_RSA_PKCS verification SIGN/SIGN_RECOVER –C_GenerateRandom –2 key pairs stored on card –optional storage of certificates Our Universal Token Support (UTS) uses a subset of this for existing Tokens (e.g iD2 tokens with PKCS#15)

6 6 14 Sept 00PKCS#11 Interoperability Testing What did we do? Created a PKCS#11 workbench that simulated how our PKI/Crypto engine used PKCS#11. (“Entegrity PKCS#11 Workbench”) Provided it as source (under license) to PKCS#11 device supplier

7 7 14 Sept 00PKCS#11 Interoperability Testing Qualification Process (simplified) EntegritySupplier Provide Workbench source Ran tests Provided resultsExamined results Passed? Run PKI/Crypto platform Tests Qualified Device Aim of workbench to resolve “most” of errors prior to full tests

8 8 14 Sept 00PKCS#11 Interoperability Testing Evolution As we test more and more devices we are adding in extra “nuances” and tests

9 9 14 Sept 00PKCS#11 Interoperability Testing Status We have/are testing 13 PKCS#11devices from 6 suppliers working on either Wintel or Solaris platforms Total of 20 implementations Statistics: –only 6 implementations have fully passed our tests –we are waiting for patches from 4 of the suppliers

10 10 10 14 Sept 00PKCS#11 Interoperability Testing Common problems - 1 Inverted parameters for public and private keys in C_GenerateKeyPair: –a change occurred between PKCS#11 1.x and 2.x, Netscape did not change and several vendors decided to be compatible with them rather than following the standard. Version of PKCS#1 padding. –Most use 1.5 - but 1 started to use 2.0 Incomplete or wrong mechanism lists and key usage attributes

11 11 11 14 Sept 00PKCS#11 Interoperability Testing Common problems - 2 Disallowing of generating keys with a given usage if the library does not support a mechanism. –Some vendors refuse to allow CKA_ENCRYPT attribute if they don't support decryption on the card. Our view is that if they don't support encryption, they just shouldn't list the mechanism as available, this will prevent us from using the key for that purpose even if the key itself is marked as supporting encryption. Device supplier being more lenient on the Attributes assigned when an object is being created. No support for Data Objects PIN problems (min, max sizes and changing values)

12 12 12 14 Sept 00PKCS#11 Interoperability Testing Entegrity PKCS#11 Workbench tests Login/logout/session –successful/unsuccessful logins –changing passwords, min password size Data Objects –object creation/search/read/modify/deletion (small and large) within a session and across sessions (public and private) Status Information –version, manufacturer, status flags –mechanism list Cryptographic operations –key generation, random no generation –asymmetric - sign/verify/encrypt/decrypt tests (RSA) –symmetric - encrypt/decrypt (DES)

13 13 13 14 Sept 00PKCS#11 Interoperability Testing Workbench principles - 1 Designed to be extensible. Although focused on RSA and 3DES relatively easy to change to use other algos: cout << "Starting BASIC CRYPTO: simple sign, verify, encrypt and decrypt" << endl; SHOULD_NOT_THROW( openSession( theSelectedSlotID, &s1 ), true ); SHOULD_NOT_THROW( login( s1, "1111" ), true ); SHOULD_NOT_THROW( destroyAllObjects( s1 ), true ); SHOULD_NOT_THROW( openSession( theSelectedSlotID, &s2, true ), true ); SHOULD_NOT_THROW( testAsymm( s1, s2, CKM_RSA_PKCS_KEY_PAIR_GEN, CKM_RSA_PKCS, 1024, 2 ), true ); SHOULD_NOT_THROW( destroyAllObjects( s1 ), true ); SHOULD_NOT_THROW( testSymm( s1, s2, CKM_DES3_KEY_GEN, CKM_DES3_ECB, 64, 2 ), true ); SHOULD_NOT_THROW( closeSession( s2 ), false ); SHOULD_NOT_THROW( logout( s1 ), false ); SHOULD_NOT_THROW( closeSession( s1 ), false ); cout << "Ended BASIC CRYPTO: simple sign, verify, encrypt and decrypt" << endl;}

14 14 14 14 Sept 00PKCS#11 Interoperability Testing Workbench principles - 2 Error handling rv = (*theFunctionList->C_GetMechanismInfo)( theSelectedSlotID, aMechId, &info); errorCheck( rv, "C_GetMechanismInfo" ); // Error handling routine void errorCheck(CK_RV rv, string funcName, CK_RV expectedResponse ) { if( rv == CKR_FUNCTION_NOT_SUPPORTED ) throw Pkcs11_Exc_FNS( funcName ); else if( rv != expectedResponse ) { cout << "Expected " << hex << expectedResponse << " (" << getErrorDescription(expectedResponse) << ") from " << funcName << ", received rv = " << hex << rv << " (" << getErrorDescription(rv) << ")" << endl; throw Pkcs11_Exc( funcName, rv ); }

15 15 15 14 Sept 00PKCS#11 Interoperability Testing So how can we progress? In discussion with RSA concerning making the Entegrity PKCS#11 Workbench “open source” How this can be accomplished and successfully managed is going to be discussed at the PKCS workshop in Boston Issues: –who maintains and develops the source? –do we need an accreditation scheme for the emerging profiles - and who does the testing? It’s in all our interests that PKCS#11 devices become as “plug and play” as possible

Download ppt "14 Sept 00 PKCS#11 Interoperability/Conformance Testing John Hughes PKIForum meeting Montreal - 14 September 00."

Similar presentations

PKCS-11 Protocol for Enterprise Key Management

PKCS-11 Protocol for Enterprise Key Management
Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.

Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.
© Copyrights 1998 Algorithmic Research Ltd. All rights Reserved D a t a S e c u r i t y A c r o s s t h e E n t e r p r i s e Algorithmic Research a company.

© Copyrights 1998 Algorithmic Research Ltd. All rights Reserved D a t a S e c u r i t y A c r o s s t h e E n t e r p r i s e Algorithmic Research a company.
A Profile Of PKCS #11 V2.11 For Mobile Devices Magnus Nyström PKCS Workshop 2002.

A Profile Of PKCS #11 V2.11 For Mobile Devices Magnus Nyström PKCS Workshop 2002.
CT-KIP Magnus Nyström, RSA Security OTPS Workshop, October 2005.

CT-KIP Magnus Nyström, RSA Security OTPS Workshop, October 2005.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
PKCS #15 v1.1 Magnus Nyström RSA Laboratories PKCS Workshop, 1999.

PKCS #15 v1.1 Magnus Nyström RSA Laboratories PKCS Workshop, 1999.
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
SSL : An Overview Bruhadeshwar Bezawada International Institute of Information Technology, Hyderabad.

SSL : An Overview Bruhadeshwar Bezawada International Institute of Information Technology, Hyderabad.
Hardware Cryptographic Coprocessor Peter R. Wihl Security in Software.

Hardware Cryptographic Coprocessor Peter R. Wihl Security in Software.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
PKI Implementation in the Real World

PKI Implementation in the Real World
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
13 Sept 00 Token Interoperability and Portability Project status report John Hughes Montreal - 14 September 00.

13 Sept 00 Token Interoperability and Portability Project status report John Hughes Montreal - 14 September 00.
An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.

An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.
Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)

Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)

Similar presentations

Ads by Google