安全协议与标准03-从Cryptoki到CryptoAPI

ΓВ安全协议与标准linfb@sdu.edu.cn2009,10ΓВPKCS#11andmore•Overview↓•APIUsage:Session↓•FunctionsSummary↓•FunctionsDetail/Example↓•Mechanisms:Algorithm,Protocol↓•Comparison↓•Implementation↓•GSS-API↓•GCS-API↓•CDSA↓•MS-CAPI↓•DEPΓВOverview•Incryptography,PKCS#11isoneofthefamilyofstandardscalledPublic-KeyCryptographyStandards(PKCS),publishedbyRSALaboratories.•Itdefinesaplatform-independentAPItocryptographictokens,suchasHardwareSecurityModulesandsmartcards.(ThePKCS#11standardnamestheAPICryptoki,butisoftenusedtorefertotheAPIaswellasthestandardthatdefinesit.)•Sincethereisn'tarealstandardforcryptographictokens,thisAPIhasbeendevelopedtobeanabstractionlayerforthegenericcryptographictoken.–ThePKCS#11APIdefinesmostcommonlyusedcryptographicobjecttypes(RSAkeys,X.509Certificates,DES/TripleDESkeys,etc.)andallthefunctionsneededtouse,create/generate,modifyanddeletethoseobjects.ΓВ-•PKCS#11islargelyadoptedtoaccesssmartcardsandHSMs.–MostcommercialCertificationAuthoritysoftwareusesPKCS#11toaccesstheCAsigningkeyortoenrollusercertificates.–Cross-platformsoftwarethatneedstousesmartcardsusesPKCS#11,suchasMozillaFirefoxandOpenSSL(usinganextension).•NSS(inFirefox)•“pkcs-11v2-20.doc”ΓВBackground•Portablecomputingdevicessuchassmartcards,PCMCIAcards,andsmartdiskettesareidealtoolsforimplementingpublic-keycryptography,astheyprovideawaytostoretheprivate-keycomponentofapublic-key/private-keypairsecurely,underthecontrolofasingleuser.•Withsuchadevice,acryptographicapplication,ratherthanperformingcryptographicoperationsitself,utilizesthedevicetoperformtheoperations,withsensitiveinformationsuchasprivatekeysneverbeingrevealed.•Asmoreapplicationsaredevelopedforpublic-keycryptography,astandardprogramminginterfaceforthesedevicesbecomesincreasinglyvaluable.•Thisstandardaddressesthisneed.ΓВka•Memorycard•Smartcard•PCMCIA/CardBus•USBflashdrive•USBKey•ExpressCard•PCIExpressΓВ口令之外•口令登录•指纹登录•智能卡登录•登录次数的限制•PIN和lock功能•SSOΓВ其他生物识别认证技术•ΓВ抽象：Token•TheprimarygoalofCryptokiwasalower-levelprogramminginterfacethatabstractsthedetailsofthedevices,andpresentstotheapplicationacommonmodelofthecryptographicdevice,calleda“cryptographictoken”(orsimply“token”).•Atokenisadevicethatstoresobjectsandcanperformcryptographicfunctions.•（cryptoki是token的接口）ΓВGeneralCryptokiModel•OtherSecurityLayersApplication1CryptokiOtherSecurityLayersApplicationkCryptokiDeviceContention/SynchronizationSlot1Token1(Device1)SlotnTokenn(Devicen)ΓВObjectHierarchy•CryptokidefinesthreeclassesofobjectObjectCertificateKeyDataSecretKeyPrivateKeyPublicKeyΓВUsers•ThisversionofCryptokirecognizestwotokenusertypes.–OnetypeisaSecurityOfficer(SO).–Theothertypeisthenormaluser.•TheroleoftheSOistoinitializeatokenandtosetthenormaluser’sPIN,andpossiblytomanipulatesomepublicobjects.•Onlythenormaluserisallowedaccesstoprivateobjectsonthetoken,andthataccessisgrantedonlyafterthenormaluserhasbeenauthenticated.ΓВSession•Cryptokirequiresthatanapplicationopenoneormoresessionswithatokentogainaccesstothetoken’sobjectsandfunctions.•Asessionprovidesalogicalconnectionbetweentheapplicationandthetoken.•Cryptokisupportsmultiplesessionsonmultipletokens.•Asessioncanbearead/write(R/W)sessionoraread-only(R/O)session.ΓВSessionevents•Sessioneventscausethesessionstatetochange.•Thefollowingtabledescribestheevents:EventOccurswhen...LogInSOtheSOisauthenticatedtothetoken.LogInUserthenormaluserisauthenticatedtothetoken.LogOuttheapplicationlogsoutthecurrentuser(SOornormaluser).CloseSessiontheapplicationclosesthesessionorclosesallsessions.DeviceRemovedthedeviceunderlyingthetokenhasbeenremovedfromitsslot.ΓВRead-OnlySessionStates•R/OPublicSessionR/OUserFunctionsLoginUserLogoutOpenSessionOpenSessionCloseSession/DeviceRemovedCloseSession/DeviceRemovedΓВRead/WriteSessionStates•R/WSOFunctionsR/WPublicSessionLoginSOLogoutOpenSessionOpenSessionCloseSession/DeviceRemovedCloseSession/DeviceRemovedR/WUserFunctionsLoginUserLogoutOpenSessionCloseSession/DeviceRemovedΓВAccesstoDifferentTypesObjectsbyDifferentTypesofSessionsTypeofsessionTypeofobjectR/OPublicR/WPublicR/OUserR/WUserR/WSOPublicsessionobjectR/WR/WR/WR/WR/WPrivatesessionobjectR/WR/WPublictokenobjectR/OR/WR/OR/WR/WPrivatetokenobjectR/OR/WΓВwithfork()•ConsideraUNIXprocessPwhichbecomesaCryptokiapplicationbycallingC_Initialize,andthenusesthefork()systemcalltocreateachildprocessC.•ifCneedstouseCryptoki,itneedstoperformitsownC_Initializecall.(andthenC_Finalizeaftersomeotheroperations)•ifithasnoneedtouseCryptoki,itshouldimmediatelycallC_InitializeandthencallC_Finalize.ΓВwithmulti-thread•Cryptokienablesapplicationstoprovideinformationtolibrariessothattheycangiveappropriatesupportformulti-threading.•Inparticular,whenanapplicationinitializesaCryptokilibrarywithacalltoC_Initialize,itcanspecifyoneoffourpossiblemulti-threadingbehaviorsforthelibrary:ΓВSummaryofCryptokiFunctionsCategoryFunctionDescriptionGeneralpurposeFunctionsC_InitializeinitializesCryptokiC_FinalizecleanupmiscellaneousCryptoki-associatedresourcesC_GetInfoobtainsgeneralinformationaboutCryptokiC_GetFunctionListobtainsentrypointsofCryptokilibraryfunctionsΓВSlota