Presentation is loading. Please wait.

Presentation is loading. Please wait.

Peter Gutmann http://www.cs.auckland.ac.nz/~pgut001/cryptlib/ A PKCS #11 Test Suite Peter Gutmann http://www.cs.auckland.ac.nz/~pgut001/cryptlib/

Published byAnnis Boone Modified over 9 years ago

Similar presentations

Presentation on theme: "Peter Gutmann http://www.cs.auckland.ac.nz/~pgut001/cryptlib/ A PKCS #11 Test Suite Peter Gutmann http://www.cs.auckland.ac.nz/~pgut001/cryptlib/"— Presentation transcript:

1 Peter Gutmann http://www.cs.auckland.ac.nz/~pgut001/cryptlib/
A PKCS #11 Test Suite Peter Gutmann

2 Typical Token Use Gimme a private key Find Generate Sign this
Decrypt this Go away Note: No connection between key fetch and use

3 Testing Strategy General initialisation Low-level tests Open session
Log on if necessary if not initialised Initialise device Log on Low-level tests for each algorithm, mode Create session object Load key Encrypt/decrypt or hash Actually it currently does the hash in S/W for speed reasons

4 Testing Strategy (ctd)
Algorithm correctness test Compare cryptlib native object with PKCS #11 token object output cryptlib self-test checks against standard test vectors Encrypt with native object, decrypt with token object

5 Testing Strategy (ctd)
Key generation test if not write-protected Create signature key Use signature key to sign CA certificate Update token with certificate Create RSA signature + encryption key Use CA key to sign certificate Fairly simple to extend this to do DSA if required

6 Testing Strategy (ctd)
Key read test Instantiate public-key (= certificate) object Instantiate private-key object Uses either previously generated keys (R/W token) or existing keys (R/O token) High-level test Generate S/MIME signed message Generate S/MIME encrypted message Really a test of cryptlib rather than the token

7 Configuring cryptlib Set the driver path Update the config options
cryptSetAttributeString( CRYPT_UNUSED, CRYPT_OPTION_DEVICE_PKCS11_DVR01, "c:/winnt/system32/cryptoki.dll" ); cryptSetAttributeString( CRYPT_UNUSED, CRYPT_OPTION_DEVICE_PKCS11_DVR01, ”/usr/shlib/cryptoki.so" ); Update the config options cryptSetAttribute( CRYPT_UNUSED, CRYPT_OPTION_CONFIGCHANGED, TRUE ); Restart cryptlib to load the new driver Windows users may want to reboot their machine three or four times as well

8 cryptlib Architecture
cryptlib is based on objects and attributes like PKCS #11 Security kernel enforces ACL’s for Each object Each attribute read/written/deleted for each object

9 Action Objects Equivalent to PKCS #11 session objects
Encryption contexts encapsulate the functionality of a security algorithm DES object RSA object SHA-1 object HMAC-SHA object Often associated with another object, eg public key context with certificate

10 Key and Certificate Containers
Contain one or more token objects (keys, certificates, CRL’s, etc) Session objects when written to persistent storage become token objects PKCS #11 devices can act as container objects Appear as an (often large) collection of encryption contexts or certificate objects

11 Object Security Each objects has an ACL managed by the security kernel
Object attributes have their own ACL’s Example attribute: Triple DES key attribute label = CRYPT_CTXINFO_KEY type = octet string permissions = write-once size = 192 bits min…192 bits max Kernel checks all data passing in and out of the architecture Works like PKCS #11 attributes but with strong security checks

12 Interobject Communications
Objects communicate via message-passing Example: Load a key msg.source: Subject (thread/process/user) msg.target: Encryption context object msg.type: Write attribute msg.data: Attribute, type = Key, value = … Kernel checks the target object’s ACL Kernel checks the attribute’s ACL Kernel forwards message to target object Messages are sent via krnlSendMessage All cryptlib functionality is implemented this way Never trace into the send message calls (you’ll end up stepping through the security kernel)

13 Implementation details
Architecture design allows various levels of functionality to be encapsulated in separate modules and/or hardware Crypto accelerator  encryption contexts Crypto device (eg PKCS #11)  basic sign/encrypt level Secure coprocessor (eg IBM 4758)  certificate/envelope/ session object

14 Initialisation Open device by name (“device::token”)
Access slot by name (GetTokenInfo) OpenSession (first CKF_RW_SESSION, then R/O if that fails) for each cryptlib capability Use GetMechanismInfo to Set up key min, max size for non-default values Set up function pointers for encrypt, decrypt, sign, verify, keygen

15 Initialisation (ctd) Once complete, cryptlib has mappings for all native capabilities to PKCS #11 capabilities Example: Software DES Hardware RSA

16 Basic Operations Encryption contexts are created via the token
cryptCreateContext( &cryptContext, CRYPT_ALGO_DES, CRYPT_MODE_CBC ); cryptEncrypt( cryptContext, “ ”, 8 ); cryptDestroyContext( cryptContext ); cryptDeviceCreateContext( cryptDevice, &cryptContext, CRYPT_ALGO_DES, CRYPT_MODE_CBC );

17 Basic Operations (ctd)
Most operations are mapped directly to PKCS #11 functions capabilityInfoinitKey  CreateObject with pre-set CK_ATTRIBUTE template capabilityInfogenerateKey  GenerateKey/GenerateKeyPair with pre-set CK_ATTRIBUTE template Currently not used for conventional encryption since software is (much) faster capabilityInfoencryptFunction  Set up CK_MECHANISM if required EncryptInit Encrypt

18 Encryption/Signing Issues
Zero-padding/truncation for PKC operations Decrypt vs unwrap Unwrap key  generic secret key object Read secret key value  Decrypt  unwrap + lateral thinking By extension, (RSA) signing  unwrap + lateral thinking

19 Advanced Operations Device acts as a keyset
cryptKeysetOpen( &cryptKeyset, CRYPT_KEYSET_MYSQL, “keyserver” ); cryptGetPublicKey( cryptKeyset, &cryptCert, CRYPT_KEYID_NAME, “My key” ); cryptKeysetClose( cryptKeyset ); cryptDeviceOpen( &cryptDevice, CRYPT_DEVICE_PKCS11, “Datakey” ); cryptGetPublicKey( cryptDevice, &cryptCert, CRYPT_KEYID_NAME, “My key” ); cryptDeviceClose( cryptDevice );

20 Advanced Operations (ctd)
Again, operations are mapped to PKCS #11 functions deviceInfosetItem  CreateObject with certificate data and attributes deviceInfogetItem  Locate object (see later slides) if public key or cert create cryptlib native object if private key create device object attach certificate to private key if necessary

21 Advanced Operations (ctd)
deviceInfogetItem (ctd) GetAttributeValue to get key size, usage flags, label, etc Set cryptlib attributes and ACL’s based on PKCS #11 attributes (eg decrypt-only, no external access) deviceInfodeleteItem  DestroyObject

22 Finding Keys Public keys Look for a certificate with the given label
Look for a public key with the given label OK, look for any public key Look for a private key with the given label, then use the key ID to find the matching certificate

23 Finding Keys (ctd) Private keys Useful concept: Multiple virtual slots
Look for a private key with the given label Look for a certificate with the given label, then use the key ID to find the matching private key Look for a private key marked as a decryption key Look for a private key marked as an unwrap key Some implementations mark keys as unwrap-only (no decryption) See decryption tricks section Useful concept: Multiple virtual slots Encryption key slot Signing key slot Nonrepudiation key slot

24 Key-finding Quirks >1 key with a given label
Mislabelled keys (cert = signature-only, key labelled decrypt-only) Works for PKCS #11, not for cryptlib No calls allowed between FindObjectsFirst/Find/Final FindObjectsFinal is optional, even with v2 drivers

25 Common Bugs Length range check is == rather than >=
Space-padded strings are null-terminated Query functions return garbage values in some fields Many variations on this (key sizes, capabilities, etc etc) This really screws up cryptlib, which adapts to the driver capabilities based on queries Fields are set to disallowed values (eg all ones in a bitflag value) “This DES mechanism does digital signatures”

26 Booby Traps Reading more than one attribute at a time is dangerous
A single nonpresent attributes can result in no data being returned for any attribute Read attributes one at a time Key generation may be indicated via CKF_GENERATE_KEY_PAIR and/or an xxxGenerateKeyPair mechanism What does CKF_WRITE_PROTECTED mean anyway? Perform various experiments to see what you can get away with Astound and amaze the driver developers (“Our driver can do RC4?”)

27 Where to get it cryptlib Direct link to source code
Direct link to source code ftp://ftp.franken.de/pub/crypt/cryptlib/beta/ cl30beta02.zip 02  03, 04, 05, ... Direct link to docs ftp://ftp.franken.de/pub/crypt/cryptlib/beta/ manual.pdf Read the “Installation” section of the docs before using it!

Download ppt "Peter Gutmann http://www.cs.auckland.ac.nz/~pgut001/cryptlib/ A PKCS #11 Test Suite Peter Gutmann http://www.cs.auckland.ac.nz/~pgut001/cryptlib/"

Similar presentations

PKCS-11 Protocol for Enterprise Key Management

PKCS-11 Protocol for Enterprise Key Management
Web security: SSL and TLS

Web security: SSL and TLS
SSL Implementation Guide Onno W. Purbo

SSL Implementation Guide Onno W. Purbo
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
Sri Lanka Institute of Information Technology

Sri Lanka Institute of Information Technology
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
Lecture 5: Email security: PGP Anish Arora CIS694K Introduction to Network Security.

Lecture 5: security: PGP Anish Arora CIS694K Introduction to Network Security.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.

An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.
Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)

Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)
Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.

Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.

Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.

Similar presentations

Ads by Google