Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ken Asnes RSA Laboratories July 2001

Published byOctavia Garrison Modified over 9 years ago

Similar presentations

Presentation on theme: "Ken Asnes RSA Laboratories July 2001"— Presentation transcript:

1 Ken Asnes RSA Laboratories kasnes@rsasecurity.com July 2001
PKCS #15 Introduction Ken Asnes RSA Laboratories July 2001

2 Agenda What is PKCS #15? How does it work? Conclusion

3 What is PKCS #15? It is a specification for organizing cryptographic data onto an authentication object. Smart cards Other token devices (ISO/IEC 7816) Soft PSD’s (eventually)

4 What is PKCS #15? Cont... It builds off of PKCS #11
It allows for Multiple PKCS #15 aware applications to live on the same card It will take the place of SSEID1 We can still support EIDAB1 and SSEID1 of course

5 How Does it work? (Are you SURE you want to know?)

6 Directory Structure MF PKCS #15 (DF) DIR (EF) Other DFs/EFs

7 DIR Optional File Contains the following DOs:
Mandatory if direct application file selection is not supported OR if Multiple PKCS #15 Applications reside on the card Contains the following DOs: OID (mandatory) Unique ID for the implementation ODF Path (mandatory) Path to the Object Directory File Token Info Path (optional) Points to the TokenInfo file. The Token Info file contains info that may be shared between PKSC #15 applications. Unused Path (optional) Points to a file that points to unused space

8 PKCS #15 Application Directory
Token Info (EF) ODF (EF) AODF (EF) PrKDF (EF) CDF (EF)

9 ODF Object Directory File
Mandatory File Contains pointers to other EF’s PrKDF PuKDF SKDF CDF DODF AODF

10 PrKDF Private Key Directory File
Optional File Holds the following: Private keys or references to them Keys May reside anywhere on the card Key attributes Labels Intended Usage Identifiers Cross references to pointers for Authentication Objects

11 PuKDF Public Key Directory File
Optional File Holds the following: Public keys or references to them Keys May reside anywhere on the card Key attributes If a corresponding private key exists they must share the same Identifier

12 SKDF Secret Key Directory File
Optional File Holds the following: Symmetrical keys or references to them Keys May reside anywhere on the card Key attributes Cross references to authentication objects

13 CDF Certificate Directory File
Optional File Holds the following: Certificates or references to them May reside anywhere on the card Certificate attributes Cross references to authentication objects If a corresponding private key exists they must share the same Identifier

14 DODF Data Object Directory File
Optional File For any data object other than keys or certificates Holds the following: Data objects or references to them Data object attributes Cross references to authentication objects

15 AODF Authentication Object Directory File
Optional File For any authentication object, such as PIN’s, that restrict access to other PKCS #15 objects (eg Keys) Holds the following: Authentication objects or references to them Authentication object attributes What object the AO is protecting Others will vary according to the auth object type

16 Token Info Mandatory File For Generic information about the token
Holds the following: Token Serial Number Supported file types Algorithms implemented Info can be shared between PKCS #15 Applications

17 Unused Space Optional File Keeps track of unused space in other EF’s
Holds the following: A Path field that points to an unused area Index/Offset and length must be present An authID component that signals the unused space is protected by an Authentication object Can be shared between PKCS #15 Applications

18 File Identifiers

19 Application Identifier
Concatenation of the Registered Identifier (RID) and the Proprietary application Identifier eXtension (PIX) for PKCS #15 And the Winner is: A B D 31 35

20 Adding new Objects Must have sufficient privileges
Unused space file (if used) Points to first free byte New object is written New record is added to ODF APPEND RECORD for Linear Record UPDATE BINARY for transparent object file May need garbage collection

21 Adding new Objects cont.
Must create a new EF then Update ODF as required Any time you add/remove a pointer which resides in the ODF Locate a new EF at a record with a tag of ‘00’ (denotes free space) ‘00’ is not a valid ASN.1 tag and can be used to mark empty space Consistent with ISO/IEC annex D (Because you needed to know)

22 Removing Objects Must have sufficient privileges
Either Tag the record to be remove with ‘00’ Leave the length bytes to make recalculating available space easier OR Rewrite the entire file Still leaving the length bytes

23 Modifying Objects Must have sufficient privileges
Remove the old file and Create a new one Expensive OR Update the record with the new information Cheaper Be careful with space requirements

24 Strengths and Weaknesses
Multiple Applications Multiple keys Multiple certificates Other data may be stored Weakness One extra step for Read/Write operations Slower Updates can be complicated

25 Conclusions PKCS #15 has a dynamic structure well suited for interoperability. Supports multiple applications Can store any PKCS #11 or CAPI object Keys, Certificates, Data Allows Multiple Token Types Allows Multiple PIN’s If the token Supports them PKCS #11 can be made to handle multiple PINS

Download ppt "Ken Asnes RSA Laboratories July 2001"

Similar presentations

© Copyrights 1998 Algorithmic Research Ltd. All rights Reserved D a t a S e c u r i t y A c r o s s t h e E n t e r p r i s e Algorithmic Research a company.

© Copyrights 1998 Algorithmic Research Ltd. All rights Reserved D a t a S e c u r i t y A c r o s s t h e E n t e r p r i s e Algorithmic Research a company.
Chapter 12: File System Implementation

Chapter 12: File System Implementation
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
PKCS #15 v1.1 Magnus Nyström RSA Laboratories PKCS Workshop, 1999.

PKCS #15 v1.1 Magnus Nyström RSA Laboratories PKCS Workshop, 1999.
Chapter 4 : File Systems What is a file system?

Chapter 4 : File Systems What is a file system?
File Systems Examples.

File Systems Examples.
Chapter 10: File-System Interface

Chapter 10: File-System Interface
1 Chapter 11: File-System Interface  File Concept  Access Methods  Directory Structure  File System Mounting  File Sharing  Protection  Chapter.

1 Chapter 11: File-System Interface  File Concept  Access Methods  Directory Structure  File System Mounting  File Sharing  Protection  Chapter.
File Management Chapter 12. File Management A file is a named entity used to save results from a program or provide data to a program. Access control.

File Management Chapter 12. File Management A file is a named entity used to save results from a program or provide data to a program. Access control.
Chapter 10: File-System Interface

Chapter 10: File-System Interface
Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 File-System Interface.

Dr. Kalpakis CMSC 421, Operating Systems. Fall File-System Interface.
FIT3105 Smart card based authentication and identity management Lecture 4.

FIT3105 Smart card based authentication and identity management Lecture 4.
File Management Systems

File Management Systems
Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.

Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.
CS 104 Introduction to Computer Science and Graphics Problems Operating Systems (4) File Management & Input/Out Systems 10/14/2008 Yang Song (Prepared.

CS 104 Introduction to Computer Science and Graphics Problems Operating Systems (4) File Management & Input/Out Systems 10/14/2008 Yang Song (Prepared.
Recap of Feb 27: Disk-Block Access and Buffer Management Major concepts in Disk-Block Access covered: –Disk-arm Scheduling –Non-volatile write buffers.

Recap of Feb 27: Disk-Block Access and Buffer Management Major concepts in Disk-Block Access covered: –Disk-arm Scheduling –Non-volatile write buffers.
METU Department of Computer Eng Ceng 302 Introduction to DBMS Disk Storage, Basic File Structures, and Hashing by Pinar Senkul resources: mostly froom.

METU Department of Computer Eng Ceng 302 Introduction to DBMS Disk Storage, Basic File Structures, and Hashing by Pinar Senkul resources: mostly froom.
Copyright © 2007 Ramez Elmasri and Shamkant B. Navathe Chapter 13 Disk Storage, Basic File Structures, and Hashing.

Copyright © 2007 Ramez Elmasri and Shamkant B. Navathe Chapter 13 Disk Storage, Basic File Structures, and Hashing.
Chapter 12 File Management Systems

Chapter 12 File Management Systems
File Concept l Contiguous logical address space l Types: Data: numeric, character, binary Program: source, object (load image) Documents.

File Concept l Contiguous logical address space l Types: Data: numeric, character, binary Program: source, object (load image) Documents.

Similar presentations

Ads by Google