diff options
| author | Holger Dengler <dengler@linutronix.de> | 2019-01-28 11:34:02 +0100 |
|---|---|---|
| committer | Holger Dengler <dengler@linutronix.de> | 2019-03-07 11:20:54 +0100 |
| commit | 1f0693a098449fcf095d1110545cfba1d4f76b1b (patch) | |
| tree | 522b8de85bb35d3224bd1c482bbb4556fb5ebc77 | |
| parent | f2ad604403ef931b6ea19ca4fee426a82fba4adb (diff) | |
security: Add PKCS#11 slides
The PKCS11 slides describe the main elements of the standard and how
the interfaces can be used in applications.
Signed-off-by: Holger Dengler <dengler@linutronix.de>
| -rw-r--r-- | images/pkcs11.odg | bin | 0 -> 15477 bytes | |||
| -rw-r--r-- | images/pkcs11_appl-libs.png | bin | 0 -> 26534 bytes | |||
| -rw-r--r-- | images/pkcs11_elements.png | bin | 0 -> 33122 bytes | |||
| -rw-r--r-- | images/pkcs11_problem-statement.png | bin | 0 -> 30412 bytes | |||
| -rw-r--r-- | security/Kconfig | 1 | ||||
| -rw-r--r-- | security/pkcs/Kconfig | 7 | ||||
| -rw-r--r-- | security/pkcs/Makefile | 1 | ||||
| -rw-r--r-- | security/pkcs/frm_pkcs11.tex | 251 | ||||
| -rw-r--r-- | security/pkcs/frm_pkcs_all.tex | 23 | ||||
| -rw-r--r-- | security/pkcs/pres_pkcs11.tex | 26 |
10 files changed, 309 insertions, 0 deletions
diff --git a/images/pkcs11.odg b/images/pkcs11.odg Binary files differnew file mode 100644 index 0000000..c8d5e0c --- /dev/null +++ b/images/pkcs11.odg diff --git a/images/pkcs11_appl-libs.png b/images/pkcs11_appl-libs.png Binary files differnew file mode 100644 index 0000000..cc79d99 --- /dev/null +++ b/images/pkcs11_appl-libs.png diff --git a/images/pkcs11_elements.png b/images/pkcs11_elements.png Binary files differnew file mode 100644 index 0000000..78e8575 --- /dev/null +++ b/images/pkcs11_elements.png diff --git a/images/pkcs11_problem-statement.png b/images/pkcs11_problem-statement.png Binary files differnew file mode 100644 index 0000000..b316f35 --- /dev/null +++ b/images/pkcs11_problem-statement.png diff --git a/security/Kconfig b/security/Kconfig index 25636f4..ae3901e 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -9,4 +9,5 @@ if SECURITY source "security/firewall/Kconfig" source "security/vpn/Kconfig" source "security/firewall_ex/Kconfig" + source "security/pkcs/Kconfig" endif diff --git a/security/pkcs/Kconfig b/security/pkcs/Kconfig new file mode 100644 index 0000000..1beae12 --- /dev/null +++ b/security/pkcs/Kconfig @@ -0,0 +1,7 @@ +config SECURITY_PKCS11 + bool "PKCS#11" + default y + help + Content: + - tbd + diff --git a/security/pkcs/Makefile b/security/pkcs/Makefile new file mode 100644 index 0000000..e212682 --- /dev/null +++ b/security/pkcs/Makefile @@ -0,0 +1 @@ +obj-$(CONFIG_SECURITY_PKCS11) += pres_pkcs11.pdf diff --git a/security/pkcs/frm_pkcs11.tex b/security/pkcs/frm_pkcs11.tex new file mode 100644 index 0000000..61b6286 --- /dev/null +++ b/security/pkcs/frm_pkcs11.tex @@ -0,0 +1,251 @@ +% ---------------------------- +\subsection{PKCS\#11 Basics} + +% ---------------------------- +\begin{frame}[fragile] +\frametitle{Problem Statement} +\begin{itemize} +\item decouple applications from HW-interfaces +\item prevent vendor lock-in +\item abstract, independent API for HW-modules +\end{itemize} +\bigskip +\begin{figure}[h] +\centering +\includegraphics[width=8cm]{images/pkcs11_problem-statement.png} +\end{figure} +\end{frame} + +% ---------------------------- +\begin{frame} +\frametitle{What is PKCS\#11?} +\begin{itemize} +\item Sub-Standard \#11 +\item Cryptographic Token Interface + \begin{itemize} + \item API Specification for Interaction SW / HW + \item Short-name: Cryptoki (cryptographic token interface) + \end{itemize} +\item Vendor/Company independent Standard + \begin{itemize} + \item developed by RSA Security LLC. + \item managed by OASIS PKCS11 Technical Committee + \end{itemize} +\item current Version: 2.40 +\end{itemize} +\end{frame} + +% ---------------------------- +\begin{frame}[fragile] +\frametitle{PKCS\#11: Elements} +\begin{figure}[h] +\centering +\includegraphics[width=8cm]{images/pkcs11_elements.png} +\end{figure} +\end{frame} + +% ---------------------------- +\begin{frame}[containsverbatim] +\frametitle{PKCS\#11 in Applications} +\begin{columns}[onlytextwidth] + \begin{column}{0.5\textwidth} + \begin{itemize} + \item decouple application from key storage + \item standardized API for key management + \item standardized API for key usage + \item hardware-based solutions: + \begin{itemize} + \item secure key store + \item HW-based crypto operations + \end{itemize} + \end{itemize} + \end{column} + \begin{column}{0.5\textwidth} + \begin{figure}[h] + \centering + \includegraphics[width=3cm]{images/pkcs11_appl-libs.png} + \end{figure} + \end{column} +\end{columns} +\end{frame} + +% ---------------------------- +\subsection{PKCS\#11 Environments} + +% ---------------------------- +\begin{frame} +\frametitle{SmartCard} +\begin{itemize} +\item SmartCard (and Card-Reader) +\item Interface: PKCS\#11 (Library provided by Vendor) +\item Crypto Operations: on Device (detached, dedicated Java-CPU) +\item Keystore: on Card (BB-RAM or Flash) +\item PIN authorization: Callback or HW-Pin pad (in Reader) +\end{itemize} +\end{frame} + +% ---------------------------- +\begin{frame} +\frametitle{HSM} +\begin{itemize} +\item Hardware Security Modules (HSM) +\item Interface: PKCS\#11 (Library provided by Vendor) +\item Crypto Operations: on Device (detached, dedicated CPU) +\item Keystore: on Device (BB-RAM or Flash) +\item PIN authorization: Callback (Library) +\end{itemize} +\end{frame} + +% ---------------------------- +\begin{frame} +\frametitle{SoftToken} +\begin{itemize} +\item Implementation of Slot- and Token-Functions in SW +\item Interface: PKCS\#11 (built-in) +\item Crypto Operations: on CPU +\item Keystore: DB or File-based +\item PIN authorization: Callback (Library) +\end{itemize} +\end{frame} + +% ---------------------------- +\subsection{PKCS\#11 Applications} + +% ---------------------------- +\begin{frame} +\frametitle{PKCS\#11 Usage} +\begin{itemize} +\item access token via engine (pkcs11) +\item references to the keys (URI) +\item features: + \begin{itemize} + \item key will not leave the token + \item crypto operations are performed inside the token + \item workload offloading + \end{itemize} +\end{itemize} +\end{frame} + +% ---------------------------- +\begin{frame}[containsverbatim] +\frametitle{PKCS\#11 usage II} +\begin{itemize} +\item specify engine as commandline parameter +\item engine-specific keyform +\item handle keys as PKCS\#11 URIs +\item common processing for file-based (softhsm) and HW-based keystores (HSM) +\end{itemize} +\bigskip +\begin{beamerboxesrounded}[shadow=true]{openssl: sign with private key in token} +\begin{scriptsize} +\begin{verbatim} +openssl dgst \ + -engine pkcs11 \ + -keyform engine \ + -sign "pkcs11:token=DevToken;object=devel;type=private" \ + -out data.sig \ + data +\end{verbatim} +\end{scriptsize} +\end{beamerboxesrounded} +\end{frame} + +% ---------------------------- +\begin{frame}[containsverbatim] +\frametitle{PKCS\#11 usage III} +\begin{itemize} +\item openssl ENGINE API +\item common processing for file-based (softhsm) and HW-based keystores (HSM) +\end{itemize} +\bigskip +\begin{beamerboxesrounded}[shadow=true]{libssl: use private key in token} +\begin{scriptsize} +\begin{verbatim} +int ssl_connect(SSL_CTX *ctx, BIO *server) +{ + ENGINE *e; + EVP_PKEY *evp_key; + + char *uri = "pkcs11:token=DevToken;object=devel;type=private"; + + e = ENGINE_by_id("pkcs11"); + [...] + evp_key = ENGINE_load_private_key(e, uri, NULL, NULL); + [...] + SSL_CTX_use_PrivateKey(ctx, evp_key); + [...] + server = BIO_new_ssl_connect(ctx); + [...] +} +\end{verbatim} +\end{scriptsize} +\end{beamerboxesrounded} +\end{frame} + +% ---------------------------- +\subsection{PKCS\#11 Token Management} + +% ---------------------------- +\begin{frame} +\frametitle{Tools} +\begin{itemize} +\item several projects provide tooling for the token management + \begin{itemize} + \item opensc: p11tool + \item gnutls: pkcs11-tool + \end{itemize} +\item manage token and its content + \begin{itemize} + \item set User/SO Pin + \item generate/import/export keys + \item list keys + \end{itemize} +\end{itemize} +\end{frame} + +% ---------------------------- +\begin{frame}[containsverbatim] +\frametitle{List Tokens and Keys} +\begin{beamerboxesrounded}[shadow=true]{p11tool: list token URLs} +\begin{scriptsize} +\begin{verbatim} +$ p11tool --list-token-urls +pkcs11:model=p11-kit-trust;[...];token=System%20Trust +pkcs11:model=SoftHSM%20v2;[...];token=DevToken +\end{verbatim} +\end{scriptsize} +\end{beamerboxesrounded} +\bigskip +\begin{beamerboxesrounded}[shadow=true]{p11tool: list URLs of all objects} +\begin{scriptsize} +\begin{verbatim} +# to list also sensitive objects (like private keys), a login to the token is +# required +$ p11tool --login --list-all --only-url pkcs11:token=DevToken +Token 'DevToken' with URL 'pkcs11:model=SoftHSM%20v2;[...];token=DevToken' requires user PIN +Enter PIN: +pkcs11:model=SoftHSM%20v2;[...];token=DevToken;[...];object=client1;type=cert +pkcs11:model=SoftHSM%20v2;[...];token=DevToken;[...];object=client1;type=public +pkcs11:model=SoftHSM%20v2;[...];token=DevToken;[...];object=client1;type=private +\end{verbatim} +\end{scriptsize} +\end{beamerboxesrounded} +\end{frame} +% ---------------------------- + +\subsection*{} +\begin{frame} +\frametitle{Resources} +\begin{itemize} +\item Standard + \begin{itemize} + \item \href{https://www.oasis-open.org/committees/tc_home.php}{OASIS PKCS 11 Technical Committee} + \item \href{http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html}{PKCS\#11 CRYPTOKI Base Specification Version 2.40} + \end{itemize} +\item Tools + \begin{itemize} + \item \href{https://github.com/OpenSC/OpenSC/wiki}{OpenSC} + \item \href{https://www.openssl.org/docs/manpages.html}{OpenSSL man pages} + \end{itemize} +\end{itemize} +\end{frame} diff --git a/security/pkcs/frm_pkcs_all.tex b/security/pkcs/frm_pkcs_all.tex new file mode 100644 index 0000000..5c7c571 --- /dev/null +++ b/security/pkcs/frm_pkcs_all.tex @@ -0,0 +1,23 @@ +% ---------------------------- +\subsection{PKCS Overview} + +% ---------------------------- +\begin{frame} +\frametitle{What is PKCS?} +\begin{itemize} +\item Public Key Cryptography Standards (PKCS) + \begin{itemize} + \item Set of Standards + \item Specification of asymmetric Cryptographic Systems + \item Standardize Aspects and Usage + \end{itemize} +\item Examples: + \begin{itemize} + \item PKCS\#1: RSA Cryptography Specifications + \item PKCS\#7: Cryptographic Message Syntax (CMS) + \item PKCS\#11: Cryptographic Token Interface (Cryptoki) + \item PKCS\#12: Personal Information Exchange Syntax Standard + \item etc. + \end{itemize} +\end{itemize} +\end{frame} diff --git a/security/pkcs/pres_pkcs11.tex b/security/pkcs/pres_pkcs11.tex new file mode 100644 index 0000000..5e60e7c --- /dev/null +++ b/security/pkcs/pres_pkcs11.tex @@ -0,0 +1,26 @@ +\input{configpres} + +\title{PKCS\#11} +\maketitle + +% ---------------------------- +\begin{frame} +\frametitle{Overview} +\tableofcontents +\end{frame} + +% ---------------------------- +\section{Public-Key Cryptography Standards} + +% ---------------------------- +\input{security/pkcs/frm_pkcs_all.tex} + +% ---------------------------- +\section{PKCS\#11} + +% ---------------------------- +\input{security/pkcs/frm_pkcs11.tex} + +% ---------------------------- +\subsection*{} +\input{tailpres} |
