Unifying access to PKCS#11 tokens

Formal Metadata

Title: Unifying access to PKCS#11 tokens
Alternative Title: security 1600 pkcs11
Number of Parts: 64
License: CC Attribution 2.0 Belgium: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
Cryptographic services in modern operating systems today are being accessed by applications by using libraries, either high level ones that hide all details, or low level ones that force the user to deal with an amount of (un)interesting details of each cryptographic algorithm. Applications in the GNU/Linux and *BSD operating systems usually share the same libraries for cryptographic operations and protocols. Those can be one of Botan, OpenSSL, NSS, GnuTLS and maybe some more. This is quite a variety of choices, which we believe is because of the different programming style that each library enforces, the different algorithms it provides and the ease of usage, which are subjective issues that depend on the eye of the beholder. However, this diversity of cryptographic libraries has some disadvantages. For operations such as signing/encryption involving PKCS #11 hardware tokens, or software modules, objects need to be referenced. Currently there is no uniform way of referencing those objects and each of the libraries has its own conventions or delegates the burden of referencing objects to the application. This in effect makes sharing of those object references between different applications impossible and users are required to learn each application's unique interface. Moreover, the fact that there is usually more than one PKCS #11 provider in a system, but no way to globally enable them for all cryptographic applications, leaves the burden of setup to users.
Transcript: English(auto-generated)
Thank you. Hello, everyone. I'm Nikos Mavrogiannopoulos. I'm the author of GnuTLS. And I'm going to talk about unifying access to cryptographic objects. If you're wondering what is it, I will explain it here in the presentation. Now, then, the presentation is the first time I'm going to talk about, probably, you know already,
as you've seen in the previous presentations. But I will elaborate on what are the cryptographic tokens and modules are. What are cryptographic objects? What do I mean by it? And what do I mean by access to the objects? And what are the open issues that we face today?
And also about the modules. How do we access them today? And what issues do we have? So as you may know or not, the tokens are various hardware things that we use not only to store keys, and actually not to store keys, but to use operation on keys
without actually accessing the keys. So when you insert a cryptographic token on a card reader, a smart card, or a USB token, you insert it on your PC. You can perform cryptographic operations, but you are sure that after you remove the token, the PC doesn't have any access to the key.
So there can also be software tokens. GNOME Keyring is a security module that is pure in software, and all of these tokens can be accessed in a common way. Here, it says API. What do they contain? They can contain cryptographic keys,
the corresponding certificates, and probably a list of trust certificates. So they can contain stuff that you can use to authenticate yourself to some site or some other party. And they are mainly accessed through the PKCS#11 modules.
What are these modules? The PKCS#11 modules are just normal shared libraries that provide you access to a consistent API that gives you access to operations, the cryptographic operations. If you search your system, probably you have some library in this directory.
Now I'm going to talk about accessing objects and what are their issues. So in typical applications today, cryptographic applications, when you want to provide your identity,
they ask you for a key file and a certificate file. What are these? It's a file that contains your private key and your certificate. Let's say if you use the GnuTLS client, in order to connect to a site, you can specify at the command line a key and a certificate.
But when you want to specify a key that resides on a token, you have to use the very special options. Really, I don't remember how these are not going to sell. It's pretty hard almost in every program to do. And even worse, some programs require you to enter
the slot number of the smart card, let's say. If you have a smart card reader that has many slots, it might require you to type the slot number. You don't really care about that. So what are the problems? Objects are referenced in a way that is really unique
per application. We don't like that. Why should I specify different options for OpenSSL and different for GnuTLS and different for any other library? So what requirements we have for that? How can I identify an object
in a unique way? Object has an object ID. Now, the whole context is PKCS#11. Every object has an object ID. It has a type. It can be a certificate, a private key. It can be some other data. And also there is a token ID
which says this object resides on this token. So you don't copy a different object that resides on another token but might have the same ID. And also what we want is how are we going to access this object?
Via which module? So if you use OpenSC and you want to access a PKCS#11 card, you want to specify that I want to access this module via the OpenSC interface, not some other interface that is not in your system. So some examples.
Let's say in OpenSC, in order to specify a private key and a certificate that resides on a token, you have to specify an ID something like this. In OpenSSL, if you use the PKCS#11 OpenSC engine, it's some other different ID. But
a nice thing that occurred in this 11 implementation is that they created the concept of PKCS#11 URLs. This is a standardized way to specify tokens standardized via ES. It's specified on this
draft. And it can be used to uniquely describe a token and also an object you can specify both things. This is how it looks like. I think it's more readable than saying the PKCS#11 helper stream.
Although it might be a bit intimidating, it's pretty clean what this means. This object is a certificate. The same concept. That ID resides on that token made by this manufacturer and
this model. What are the advantages of using URLs to identify objects? We can describe all tokens. It doesn't care about any slots.
It can be used to share between applications. If all applications decide to standardize this URL stream, you can copy a position of your certificate URL from one application to the other.
A nice concept property is that it can be used in command line. It's purely text. You can say if you use GnuTLS you can specify instead of the key file you can put
the PKCS#11 URL and GnuTLS will just load your certificate and you probably keep it from the smart card. This is a compatible way to specify keys that are either on your file system or reside on a token.
This is the proposal what we propose as a GnuTLS product to describe objects on a token. I want to talk about a different problem that is mainly for developers to work with PKCS#11 modules.
We had these problems implementing PKCS#11 support in GnuTLS. There is no system-wide way to read to know which PKCS#11 libraries to use. In my system there are many
libraries, but I don't want to use them all. How can we system-wide specify these libraries should be there. They should be loaded by GnuTLS or by OpenSSL or by any other product. We don't have this today. Also, PKCS#11 has issues where multiple users use a module.
I'm going to talk about the first one first. There is a proposed file system here. It is standard that you put all the modules in that directory and then OpenSL will load them. It has a problem.
I found there some testing modules that as long as you use it in GnuTLS you get some errors in the standard error. This is not nice. Also, I found that OpenSC has two libraries that have the same identification as PKCS#11. When you list objects
they give you the same objects and the same URLs. So, it is impossible to use this directory and load all the libraries from that. So, for GnuTLS we use a special configuration file. Although, this is not a solution. We want something better.
So, this is another problem today. Another problem. Access to modules. In Linux, in Debian or so, it is very common to have setups like this.
You can have a layout where an application is using two subsystems. One subsystem is using GnuTLS and the other is using OpenSSL. Let's say, it is supposed that both use objects from PKCS#11. Even from different libraries from the same library. What will happen when subsystem B
is no longer used by the application. So, it is a dynamically loaded library and the application unloads it. OpenSSL will clean up and will also clean up PKCS#11. Then GnuTLS will stay
looking at nothing. It will have no backend. Either the application will crash or it will be just unused. So, this is the second problem of PKCS#11. We will need a way to make it useful by multiple uses
in the same application. In order to solve these issues, Stef Walter who will be presenting next is working on that on a solution called p11-kit.
So, what I've told you actually is what open problems we have. I proposed a solution only to the first one and the others are still open. So, today we have no common way to specify objects.
PKCS#11 URLs might be solutions that we like in GnuTLS. We have problems accessing modules in a single application and problems with the configuration is not there. Are there any questions?
Sorry, I don't hear you. Who has adopted this URL scheme? Has anybody adopted it? The Oracle PKCS#11 module uses and GnuTLS already uses it. I'm not hearing. I'm not hearing.
Maybe I can testify it's a real problem in smartcards. We do a lot of testing and it's very usual that you can log a smartcard with one application and then you cannot stop another application. So, your piece of software is really really important for the community.
I would say it's an absolute priority. Have you made experiments? So, I think what about other SSL and security libraries? About other libraries? I think you focus on GnuTLS right now? Actually, I had several problems I had during the evaluation of this thing on GnuTLS, but I think
the same problems exist in other libraries. Every library has its own way of specifying objects. NSS has its own way. It has a web interface or something. I don't think you can show them online. I don't know. The same problems are there. It's nice if they're solved in all of them.
You're saying that all the applications should be using the common configuration file. The rate should be specified which modules should be used. But that would be quite platform-specific because you would have to have a specification
for the main of the system to be used. What do you mean? For example, if you want to have a cross-platform solution that supports Mac OS level 3P Windows, you would have to find a way to do that compared to other classes. Could you close the door?
I really can't. In the case of Unix-like systems, that would be easy to accomplish because most Unix file systems comply with the FHS. In the case of Windows, it gets files all over the place. It would be a good question where such a configuration file should be placed.
You mean about solutions that also covers Windows? I suppose Windows will use something different. It will not use a configuration file. Maybe something in the registry. Still, in the end, you can't push a standard for that. In Windows, you don't really care because it has its own framework for cryptography.
Although, it also runs in Windows. Maybe it is easier to use the C-11 or the CSP thing in Windows. I don't know. How can it be cross-platform? A configuration file cross-platform in Windows and in Linux?
I don't know. That's the thing that I'm actually applying. Quite a platform-specific solution. It could be at least for all classic systems that have a classic system. I think that rather than a configuration file, if it's going to be really cross-platform, then it needs to be a configuration API
as in a library provider that uses whatever system-specific backend to store configuration as equivalent for that system. I think a plain file might be it will work
fantastically well on POSIX-ish systems, but it might not be enough to cover others as well. Another question that I thought of here. The PKCS#11 URLs, have you seen them used in a GUI anywhere? Is the Oracle thing a graphical user interface?
I only use it in a command line. Usually in a GUI you wouldn't see them. You would see only the description of your object and you could also copy the object from one application to the other. When you copy, you don't care what what do you copy. It's like we're copying files.
Except the file is just one object or just one it has one atom of identity a single field of identity. It's pretty unique. Azure is unique, but if you have
a graphical user interface the wrong way to do it is to have a text box where you paste the PKCS#11 URL. You can drag and drop. It would be a nice mechanism to drag and drop. You just transfer the URLs. So that was my question.
Have you seen it implemented anywhere in Oracle? I don't know. The only other implementation I have seen is Oracle but it's also a command line. We are implementing it in the GUI library. OK. The idea
is that we will see some kind of three widgets and then select the one you want and then internally the URL will be used without the user even seeing the URL. Is that the idea? I suppose so. So that answers his question which is in a GUI the URLs will not be seen at all.
The question in RFC or whatever the document was, it's also done by Oracle guys. So basically it's a chicken and egg thing. It's done by Oracle guys but it has a lot of feedback from me and Steph.
How is the IETF process going? It's just information in RFC. When they say they are ready it can be published in information in RFC. It's not a standard. I think there are two issues with the thing. One is that the URL emits the actual
path to the file name what the application eventually has to do. It has to deal over the shared library. The second thing is that somebody asked about cross-platform usability. The thing is that Linux or Unix the free Unix is the only platform which doesn't have any kind of
system API which the Fedora guys are trying to fix by resorting to a single platform support the triple rep library which is NSS which kind of solves it because it just has its own internal kind of a thing that for instance all the models you want to use which is of course not reusable
which causes you to use NSS which is also not a failure I think for most Linux users. It can be one solution but the first thing you said that you don't have the library there. I don't think you want to have the library there. What you can do actually is have the library name there the name of the library
so as long as the application has as I said you need a configuration file or something that you can know which library to load as long as you have them you can know which library to load the object from. You split the configuration into two you're going to have the application specific one or you're going to depend on the
file system you're at the standard and you have your own URL specification and you split the problem into more pieces you have to manage from my point of view. Yeah, actually when you have a big problem it's better to split it solve it. The idea is fake, you know, a dragon problem.
It's like, it's like, that's something that's actually missing is people say that, you know, no one wants to cut it, how can they work together, but the free desktop has a lot of standards that you know, like fragment that you know, that should work across applications with different frameworks. It's a good idea because you have small
controllers that have a proprietary middleware and you have an OpenSC implementation so if you have the URL you have the the password program you could have an application and use the same URL using the in the web. So it's not good to hard code
things that aren't necessarily relevant to the URL. It's definitely interesting. For me, the best thing is not to drag and drop, but the fact that you're going to use the old options, specify a key file and a certificate file to read the URL and then act appropriately. So you don't really need
obscure options, let's say because you have an ID or something you just use the old options and specify this URL. Another question, is there a reference implementation actually implementing using the URLs? The development release is the URL. Right, because it needs to be very easily
kind of usable again. I have one question. I'm not sure if it's really relevant to the topic but I'm just wondering if there's any access control in these URLs. Can you prevent other applications from accessing
cryptographic tokens that have to be plugged into the system? Usually tokens are protected by a pin or something. So it depends on the token, how whether the driver will allow you to access or not. I don't know, probably Martin you know better about how tokens basically
what the URL tries to do is the URL is the resource specifying just point to the resource how the token actually protects its resources it's totally up to the token implementations. It's left outside of PKCS#11 even. Thank you. If there are no more questions.
No. Thank you.
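
The PKCS#11 URL idea described in the talk, as an added example that is not part of the talk or of GnuTLS: a small parser using the attribute names of RFC 7512 (the later published form of the draft), run against a constructed inventory of two tokens. The token labels, object names, the `select` helper and the choice to reject unknown attribute names are assumptions made for illustration.

```python
from urllib.parse import unquote_to_bytes

# Attribute names as standardized in RFC 7512.
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "object", "type", "id",
              "library-manufacturer", "library-description", "library-version",
              "slot-id", "slot-description", "slot-manufacturer"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"cert", "data", "private", "public", "secret-key"}


def _attributes(part, sep, allowed):
    """Split 'a=b<sep>c=d', percent-decode values, reject unknown/repeated names."""
    out = {}
    for item in filter(None, part.split(sep)):
        name, eq, raw = item.partition("=")
        if not eq or name not in allowed:
            raise ValueError(f"unsupported attribute: {item!r}")
        if name in out:
            raise ValueError(f"attribute given twice: {name}")
        value = unquote_to_bytes(raw)
        # 'id' is an arbitrary byte string (CKA_ID); everything else is UTF-8 text.
        out[name] = value if name == "id" else value.decode("utf-8")
    return out


def parse_pkcs11_uri(uri):
    """Return (identity, location): what the object is, and how to reach it."""
    scheme, colon, rest = uri.partition(":")
    if scheme != "pkcs11" or not colon:
        raise ValueError("not a pkcs11: URI")
    path, _, query = rest.partition("?")
    identity = _attributes(path, ";", PATH_ATTRS)
    location = _attributes(query, "&", QUERY_ATTRS)
    if identity.get("type", "cert") not in OBJECT_TYPES:
        raise ValueError(f"unknown object type: {identity['type']!r}")
    return identity, location


def select(uri, inventory):
    """Objects whose attributes equal every attribute the URI names."""
    identity, _ = parse_pkcs11_uri(uri)
    return [o for o in inventory
            if all(o.get(k) == v for k, v in identity.items())]


# Constructed inventory: what enumerating two inserted tokens might yield.
# Both tokens carry an object with id 0x01, the collision the talk warns about.
_CARD_A = {"token": "Alice Card", "manufacturer": "Example Corp", "model": "M1"}
_CARD_B = {"token": "Bob Card", "manufacturer": "Example Corp", "model": "M1"}
INVENTORY = [
    {**_CARD_A, "slot": 0, "object": "alice-cert", "id": b"\x01", "type": "cert"},
    {**_CARD_A, "slot": 0, "object": "alice-key", "id": b"\x01", "type": "private"},
    {**_CARD_B, "slot": 3, "object": "bob-cert", "id": b"\x01", "type": "cert"},
]
SAMPLE_URI = ("pkcs11:token=Alice%20Card;manufacturer=Example%20Corp;model=M1;"
              "id=%01;type=cert?module-name=opensc-pkcs11")

if __name__ == "__main__":
    print(parse_pkcs11_uri(SAMPLE_URI))
    print([o["object"] for o in select(SAMPLE_URI, INVENTORY)])
    print([o["object"] for o in select("pkcs11:id=%01;type=cert", INVENTORY)])
```

The shorter URL `pkcs11:id=%01;type=cert` matches a certificate on each card, which is why the token attributes belong in the reference; the slot number never appears in it, so moving a card to another reader slot does not change the result.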