1 / 9

Proposals for Amendments to PKCS#11

Proposals for Amendments to PKCS#11. Secondary Authentication WTLS support TLS amendment. Secondary Authentication. Present support in PKCS#11 Sec 6.7 (depreciated) Via CKF_PROTECTED_AUTHENTICATION_PATH Appendix D Via virtual tokens (a token for each (private object) PIN) Analysis

dung
Download Presentation

Proposals for Amendments to PKCS#11

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Proposals for Amendments to PKCS#11 Secondary Authentication WTLS support TLS amendment

  2. Secondary Authentication • Present support in PKCS#11 • Sec 6.7 (depreciated) • Via CKF_PROTECTED_AUTHENTICATION_PATH • Appendix D • Via virtual tokens (a token for each (private object) PIN) • Analysis • The 6.7 approach was not complete + impact on applications • The Appendix D approach is demanding a lot of logic and additional memory space for a simple task

  3. Secondary Authentication Proposal With attributes: CKA_SECONDARY_AUTH CKA_AUTH_PIN_FLAGS CKA_AUTH_PIN CKA_AUTH_PIN_LEN Private keyobject New flags: CKF_AUTH_PIN_AUTHENTICATED • C_SignInit(...); • tests if secondary authentication is required • returns CKR_SECONDARY_AUTHENTICATION_REQUIRED • C_AuthenticateObject (…); • sets flag • C_SignInit(…): • tests if secondary authentication is required • resets flag • performs signing New interface parts are in blue !!!

  4. Secondary Authentication Proposal With attributes: CKA_SECONDARY_AUTH CKA_AUTH_PIN_FLAGS CKA_AUTH_PIN CKA_AUTH_PIN_{MIN,MAX}LEN CKA_AUTH_NEW_PIN Internal flags: CKF_AUTH_PIN_AUTHENTICATED Private keyobject • C_SignInit(...); • - tests if secondary authentication is required • returns CKR_SECONDARY_AUTHENTICATION_REQUIRED • C_SetAttributeValue • Enter (or change) PIN • C_SignInit(…): • tests if secondary authentication is required • performs signing New interface parts are in blue !!!

  5. Secondary Authentication Proposal With attributes: CKA_SECONDARY_AUTH CKA_CLASS = SECRET KEY CKA_ACCESS_EXEC = OBJH,never,always CKA_ACCESS_{READ,WRITE,DELETE} CKA_ENUM PIN: CKA_CLASS =CKO_AUTHENTICATION CKA_AUTH_TYPE = PIN CKA_VALUE CKA_NEW_VALUE CKA_MIN_LEN CKA_MAX_LEN CKA_BAD_TRYS CKA_MAX_TRY CKA_STATUS=1:LOCKED, 2:INIT CKA_ACCESS_UNLOCK = PUK Internal flags: CKF_AUTH_PIN_AUTHENTICATED Private keyobject • C_SignInit(...); • - tests if secondary authentication is required • returns CKR_SECONDARY_AUTHENTICATION_REQUIRED • C_SetAttributeValue • Enter (or change) PIN • C_SignInit(…): • tests if secondary authentication is required • performs signing New interface parts are in blue !!!

  6. WTLS support • WTLS is a WAP TLS derivative • Although WTLS has its limitations there is an existing infrastructure of WAP gateways that use it.

  7. WTLS support • CK_WLTS_RANDOM_DATA • CK_WTLS_PARAMS • CK_WTLS_MASTER_KEY_DERIVE_PARAMS • CK_WTLS_PRF_PARAMS • CK_WTLS_KEY_MAT_OUT • CK_WTLS_KEY_MAT_PARAMS • CKM_WTLS_PRE_MASTER_KEY_GEN • CKM_WTLS_PRF • CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE • CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE

  8. TLS amendment Currently the PKCS#11 does not support a direct use of the TLS PRF. • Some TLS (protocol) implementations need support for the TLS PRF (directly) like for WTLS (WIM has only PRF) • The TLS PRF is useful for other purposes (than handshake only)

  9. TLS • CK_TLS_PARAMS • CKM_TLS_PRF

More Related