Diffstat (limited to 'security/pkcs/frm_pkcs11.tex')
| -rw-r--r-- | security/pkcs/frm_pkcs11.tex | 251 |
1 files changed, 251 insertions, 0 deletions
diff --git a/security/pkcs/frm_pkcs11.tex b/security/pkcs/frm_pkcs11.tex
new file mode 100644
index 0000000..61b6286
--- /dev/null
+++ b/security/pkcs/frm_pkcs11.tex
@@ -0,0 +1,251 @@
+% ----------------------------
+\subsection{PKCS\#11 Basics}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Problem Statement}
+\begin{itemize}
+\item decouple applications from HW-interfaces
+\item prevent vendor lock-in
+\item abstract, independent API for HW-modules
+\end{itemize}
+\bigskip
+\begin{figure}[h]
+\centering
+\includegraphics[width=8cm]{images/pkcs11_problem-statement.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{What is PKCS\#11?}
+\begin{itemize}
+\item Sub-Standard \#11
+\item Cryptographic Token Interface
+ \begin{itemize}
+ \item API Specification for Interaction SW / HW
+ \item Short-name: Cryptoki (cryptographic token interface)
+ \end{itemize}
+\item Vendor/Company independent Standard
+ \begin{itemize}
+ \item developed by RSA Security LLC.
+ \item managed by OASIS PKCS11 Technical Committee
+ \end{itemize}
+\item current Version: 2.40
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{PKCS\#11: Elements}
+\begin{figure}[h]
+\centering
+\includegraphics[width=8cm]{images/pkcs11_elements.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[containsverbatim]
+\frametitle{PKCS\#11 in Applications}
+\begin{columns}[onlytextwidth]
+ \begin{column}{0.5\textwidth}
+ \begin{itemize}
+ \item decouple application from key storage
+ \item standardized API for key management
+ \item standardized API for key usage
+ \item hardware-based solutions:
+ \begin{itemize}
+ \item secure key store
+ \item HW-based crypto operations
+ \end{itemize}
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.5\textwidth}
+ \begin{figure}[h]
+ \centering
+ \includegraphics[width=3cm]{images/pkcs11_appl-libs.png}
+ \end{figure}
+ \end{column}
+\end{columns}
+\end{frame}
+
+% ----------------------------
+\subsection{PKCS\#11 Environments}
+
+% ----------------------------
+\begin{frame}
+\frametitle{SmartCard}
+\begin{itemize}
+\item SmartCard (and Card-Reader)
+\item Interface: PKCS\#11 (Library provided by Vendor)
+\item Crypto Operations: on Device (detached, dedicated Java-CPU)
+\item Keystore: on Card (BB-RAM or Flash)
+\item PIN authorization: Callback or HW-Pin pad (in Reader)
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{HSM}
+\begin{itemize}
+\item Hardware Security Modules (HSM)
+\item Interface: PKCS\#11 (Library provided by Vendor)
+\item Crypto Operations: on Device (detached, dedicated CPU)
+\item Keystore: on Device (BB-RAM or Flash)
+\item PIN authorization: Callback (Library)
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{SoftToken}
+\begin{itemize}
+\item Implementation of Slot- and Token-Functions in SW
+\item Interface: PKCS\#11 (built-in)
+\item Crypto Operations: on CPU
+\item Keystore: DB or File-based
+\item PIN authorization: Callback (Library)
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsection{PKCS\#11 Applications}
+
+% ----------------------------
+\begin{frame}
+\frametitle{PKCS\#11 Usage}
+\begin{itemize}
+\item access token via engine (pkcs11)
+\item references to the keys (URI)
+\item features:
+ \begin{itemize}
+ \item key will not leave the token
+ \item crypto operations are performed inside the token
+ \item workload offloading
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[containsverbatim]
+\frametitle{PKCS\#11 usage II}
+\begin{itemize}
+\item specify engine as commandline parameter
+\item engine-specific keyform
+\item handle keys as PKCS\#11 URIs
+\item common processing for file-based (softhsm) and HW-based keystores (HSM)
+\end{itemize}
+\bigskip
+\begin{beamerboxesrounded}[shadow=true]{openssl: sign with private key in token}
+\begin{scriptsize}
+\begin{verbatim}
+openssl dgst \
+ -engine pkcs11 \
+ -keyform engine \
+ -sign "pkcs11:token=DevToken;object=devel;type=private" \
+ -out data.sig \
+ data
+\end{verbatim}
+\end{scriptsize}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[containsverbatim]
+\frametitle{PKCS\#11 usage III}
+\begin{itemize}
+\item openssl ENGINE API
+\item common processing for file-based (softhsm) and HW-based keystores (HSM)
+\end{itemize}
+\bigskip
+\begin{beamerboxesrounded}[shadow=true]{libssl: use private key in token}
+\begin{scriptsize}
+\begin{verbatim}
+int ssl_connect(SSL_CTX *ctx, BIO *server)
+{
+ ENGINE *e;
+ EVP_PKEY *evp_key;
+
+ char *uri = "pkcs11:token=DevToken;object=devel;type=private";
+
+ e = ENGINE_by_id("pkcs11");
+ [...]
+ evp_key = ENGINE_load_private_key(e, uri, NULL, NULL);
+ [...]
+ SSL_CTX_use_PrivateKey(ctx, evp_key);
+ [...]
+ server = BIO_new_ssl_connect(ctx);
+ [...]
+}
+\end{verbatim}
+\end{scriptsize}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsection{PKCS\#11 Token Management}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Tools}
+\begin{itemize}
+\item several projects provide tooling for the token management
+ \begin{itemize}
+ \item opensc: p11tool
+ \item gnutls: pkcs11-tool
+ \end{itemize}
+\item manage token and its content
+ \begin{itemize}
+ \item set User/SO Pin
+ \item generate/import/export keys
+ \item list keys
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[containsverbatim]
+\frametitle{List Tokens and Keys}
+\begin{beamerboxesrounded}[shadow=true]{p11tool: list token URLs}
+\begin{scriptsize}
+\begin{verbatim}
+$ p11tool --list-token-urls
+pkcs11:model=p11-kit-trust;[...];token=System%20Trust
+pkcs11:model=SoftHSM%20v2;[...];token=DevToken
+\end{verbatim}
+\end{scriptsize}
+\end{beamerboxesrounded}
+\bigskip
+\begin{beamerboxesrounded}[shadow=true]{p11tool: list URLs of all objects}
+\begin{scriptsize}
+\begin{verbatim}
+# to list also sensitive objects (like private keys), a login to the token is
+# required
+$ p11tool --login --list-all --only-url pkcs11:token=DevToken
+Token 'DevToken' with URL 'pkcs11:model=SoftHSM%20v2;[...];token=DevToken' requires user PIN
+Enter PIN:
+pkcs11:model=SoftHSM%20v2;[...];token=DevToken;[...];object=client1;type=cert
+pkcs11:model=SoftHSM%20v2;[...];token=DevToken;[...];object=client1;type=public
+pkcs11:model=SoftHSM%20v2;[...];token=DevToken;[...];object=client1;type=private
+\end{verbatim}
+\end{scriptsize}
+\end{beamerboxesrounded}
+\end{frame}
+% ----------------------------
+
+\subsection*{}
+\begin{frame}
+\frametitle{Resources}
+\begin{itemize}
+\item Standard
+ \begin{itemize}
+ \item \href{https://www.oasis-open.org/committees/tc_home.php}{OASIS PKCS 11 Technical Committee}
+ \item \href{http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html}{PKCS\#11 CRYPTOKI Base Specification Version 2.40}
+ \end{itemize}
+\item Tools
+ \begin{itemize}
+ \item \href{https://github.com/OpenSC/OpenSC/wiki}{OpenSC}
+ \item \href{https://www.openssl.org/docs/manpages.html}{OpenSSL man pages}
+ \end{itemize}
+\end{itemize}
+\end{frame} |
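Review bot: The "Tools" frame attributes the two utilities to the wrong projects: `p11tool` ships with GnuTLS and `pkcs11-tool` with OpenSC, so the sub-items should read `\item gnutls: p11tool` and `\item opensc: pkcs11-tool`. On the "PKCS#11 Usage" frame, "key will not leave the token" holds only for keys whose attributes forbid it (`CKA_SENSITIVE` true, `CKA_EXTRACTABLE` false), and the Tools frame of the same deck lists key export as a management task; I would word the bullet as `\item non-extractable keys never leave the token`. The SoftToken frame already says crypto runs on the CPU and the keystore is a DB or file, and the `p11tool` output shows `DevToken` is a SoftHSM v2 token, so a bullet there such as `\item no hardware key protection: keys are only as safe as the host` would keep readers from taking the examples as a demonstration of HSM-grade isolation.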
