% ---------------------------- \subsection{PKCS\#11 Basics} % ---------------------------- \begin{frame}[fragile] \frametitle{Problem Statement} \begin{itemize} \item decouple applications from HW-interfaces \item prevent vendor lock-in \item abstract, independent API for HW-modules \end{itemize} \bigskip \begin{figure}[h] \centering \includegraphics[width=8cm]{images/pkcs11_problem-statement.png} \end{figure} \end{frame} % ---------------------------- \begin{frame} \frametitle{What is PKCS\#11?} \begin{itemize} \item Sub-Standard \#11 \item Cryptographic Token Interface \begin{itemize} \item API Specification for Interaction SW / HW \item Short-name: Cryptoki (cryptographic token interface) \end{itemize} \item Vendor/Company independent Standard \begin{itemize} \item developed by RSA Security LLC. \item managed by OASIS PKCS11 Technical Committee \end{itemize} \item current Version: 2.40 \end{itemize} \end{frame} % ---------------------------- \begin{frame}[fragile] \frametitle{PKCS\#11: Elements} \begin{figure}[h] \centering \includegraphics[width=8cm]{images/pkcs11_elements.png} \end{figure} \end{frame} % ---------------------------- \begin{frame}[containsverbatim] \frametitle{PKCS\#11 in Applications} \begin{columns}[onlytextwidth] \begin{column}{0.5\textwidth} \begin{itemize} \item decouple application from key storage \item standardized API for key management \item standardized API for key usage \item hardware-based solutions: \begin{itemize} \item secure key store \item HW-based crypto operations \end{itemize} \end{itemize} \end{column} \begin{column}{0.5\textwidth} \begin{figure}[h] \centering \includegraphics[width=3cm]{images/pkcs11_appl-libs.png} \end{figure} \end{column} \end{columns} \end{frame} % ---------------------------- \subsection{PKCS\#11 Environments} % ---------------------------- \begin{frame} \frametitle{SmartCard} \begin{itemize} \item SmartCard (and Card-Reader) \item Interface: PKCS\#11 (Library provided by Vendor) \item Crypto Operations: on Device (detached, dedicated Java-CPU) \item Keystore: on Card (BB-RAM or Flash) \item PIN authorization: Callback or HW-Pin pad (in Reader) \end{itemize} \end{frame} % ---------------------------- \begin{frame} \frametitle{HSM} \begin{itemize} \item Hardware Security Modules (HSM) \item Interface: PKCS\#11 (Library provided by Vendor) \item Crypto Operations: on Device (detached, dedicated CPU) \item Keystore: on Device (BB-RAM or Flash) \item PIN authorization: Callback (Library) \end{itemize} \end{frame} % ---------------------------- \begin{frame} \frametitle{SoftToken} \begin{itemize} \item Implementation of Slot- and Token-Functions in SW \item Interface: PKCS\#11 (built-in) \item Crypto Operations: on CPU \item Keystore: DB or File-based \item PIN authorization: Callback (Library) \end{itemize} \end{frame} % ---------------------------- \subsection{PKCS\#11 Applications} % ---------------------------- \begin{frame} \frametitle{PKCS\#11 Usage} \begin{itemize} \item access token via engine (pkcs11) \item references to the keys (URI) \item features: \begin{itemize} \item key will not leave the token \item crypto operations are performed inside the token \item workload offloading \end{itemize} \end{itemize} \end{frame} % ---------------------------- \begin{frame}[containsverbatim] \frametitle{PKCS\#11 usage II} \begin{itemize} \item specify engine as commandline parameter \item engine-specific keyform \item handle keys as PKCS\#11 URIs \item common processing for file-based (softhsm) and HW-based keystores (HSM) \end{itemize} \bigskip \begin{beamerboxesrounded}[shadow=true]{openssl: sign with private key in token} \begin{scriptsize} \begin{verbatim} openssl dgst \ -engine pkcs11 \ -keyform engine \ -sign "pkcs11:token=DevToken;object=devel;type=private" \ -out data.sig \ data \end{verbatim} \end{scriptsize} \end{beamerboxesrounded} \end{frame} % ---------------------------- \begin{frame}[containsverbatim] \frametitle{PKCS\#11 usage III} \begin{itemize} \item openssl ENGINE API \item common processing for file-based (softhsm) and HW-based keystores (HSM) \end{itemize} \bigskip \begin{beamerboxesrounded}[shadow=true]{libssl: use private key in token} \begin{scriptsize} \begin{verbatim} int ssl_connect(SSL_CTX *ctx, BIO *server) { ENGINE *e; EVP_PKEY *evp_key; char *uri = "pkcs11:token=DevToken;object=devel;type=private"; e = ENGINE_by_id("pkcs11"); [...] evp_key = ENGINE_load_private_key(e, uri, NULL, NULL); [...] SSL_CTX_use_PrivateKey(ctx, evp_key); [...] server = BIO_new_ssl_connect(ctx); [...] } \end{verbatim} \end{scriptsize} \end{beamerboxesrounded} \end{frame} % ---------------------------- \subsection{PKCS\#11 Token Management} % ---------------------------- \begin{frame} \frametitle{Tools} \begin{itemize} \item several projects provide tooling for the token management \begin{itemize} \item opensc: p11tool \item gnutls: pkcs11-tool \end{itemize} \item manage token and its content \begin{itemize} \item set User/SO Pin \item generate/import/export keys \item list keys \end{itemize} \end{itemize} \end{frame} % ---------------------------- \begin{frame}[containsverbatim] \frametitle{List Tokens and Keys} \begin{beamerboxesrounded}[shadow=true]{p11tool: list token URLs} \begin{scriptsize} \begin{verbatim} $ p11tool --list-token-urls pkcs11:model=p11-kit-trust;[...];token=System%20Trust pkcs11:model=SoftHSM%20v2;[...];token=DevToken \end{verbatim} \end{scriptsize} \end{beamerboxesrounded} \bigskip \begin{beamerboxesrounded}[shadow=true]{p11tool: list URLs of all objects} \begin{scriptsize} \begin{verbatim} # to list also sensitive objects (like private keys), a login to the token is # required $ p11tool --login --list-all --only-url pkcs11:token=DevToken Token 'DevToken' with URL 'pkcs11:model=SoftHSM%20v2;[...];token=DevToken' requires user PIN Enter PIN: pkcs11:model=SoftHSM%20v2;[...];token=DevToken;[...];object=client1;type=cert pkcs11:model=SoftHSM%20v2;[...];token=DevToken;[...];object=client1;type=public pkcs11:model=SoftHSM%20v2;[...];token=DevToken;[...];object=client1;type=private \end{verbatim} \end{scriptsize} \end{beamerboxesrounded} \end{frame} % ---------------------------- \subsection*{} \begin{frame} \frametitle{Resources} \begin{itemize} \item Standard \begin{itemize} \item \href{https://www.oasis-open.org/committees/tc_home.php}{OASIS PKCS 11 Technical Committee} \item \href{http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html}{PKCS\#11 CRYPTOKI Base Specification Version 2.40} \end{itemize} \item Tools \begin{itemize} \item \href{https://github.com/OpenSC/OpenSC/wiki}{OpenSC} \item \href{https://www.openssl.org/docs/manpages.html}{OpenSSL man pages} \end{itemize} \end{itemize} \end{frame}