Cryptoki到CryptoAPI安全生产协议与标准管理.pptx
- 文档编号:18681655
- 上传时间:2023-09-07
- 格式:PPTX
- 页数:92
- 大小:1.10MB
Cryptoki到CryptoAPI安全生产协议与标准管理.pptx
《Cryptoki到CryptoAPI安全生产协议与标准管理.pptx》由会员分享,可在线阅读,更多相关《Cryptoki到CryptoAPI安全生产协议与标准管理.pptx(92页珍藏版)》请在冰点文库上搜索。
安全协议与标准2009,10PKCS#11andmoreOverviewAPIUsage:
SessionFunctionsSummaryFunctionsDetail/ExampleMechanisms:
Algorithm,ProtocolComparisonImplementationGSS-APIGCS-APICDSAMS-CAPIDEPOverviewIncryptography,PKCS#11isoneofthefamilyofstandardscalledPublic-KeyCryptographyStandards(PKCS),publishedbyRSALaboratories.Itdefinesaplatform-independentAPItocryptographictokens,suchasHardwareSecurityModulesandsmartcards.(ThePKCS#11standardnamestheAPICryptoki,butisoftenusedtorefertotheAPIaswellasthestandardthatdefinesit.)Sincethereisntarealstandardforcryptographictokens,thisAPIhasbeendevelopedtobeanabstractionlayerforthegenericcryptographictoken.ThePKCS#11APIdefinesmostcommonlyusedcryptographicobjecttypes(RSAkeys,X.509Certificates,DES/TripleDESkeys,etc.)andallthefunctionsneededtouse,create/generate,modifyanddeletethoseobjects.-PKCS#11islargelyadoptedtoaccesssmartcardsandHSMs.MostcommercialCertificationAuthoritysoftwareusesPKCS#11toaccesstheCAsigningkeyortoenrollusercertificates.Cross-platformsoftwarethatneedstousesmartcardsusesPKCS#11,suchasMozillaFirefoxandOpenSSL(usinganextension).NSS(inFirefox)“pkcs-11v2-20.doc”BackgroundPortablecomputingdevicessuchassmartcards,PCMCIAcards,andsmartdiskettesareidealtoolsforimplementingpublic-keycryptography,astheyprovideawaytostoretheprivate-keycomponentofapublic-key/private-keypairsecurely,underthecontrolofasingleuser.Withsuchadevice,acryptographicapplication,ratherthanperformingcryptographicoperationsitself,utilizesthedevicetoperformtheoperations,withsensitiveinformationsuchasprivatekeysneverbeingrevealed.Asmoreapplicationsaredevelopedforpublic-keycryptography,astandardprogramminginterfaceforthesedevicesbecomesincreasinglyvaluable.Thisstandardaddressesthisneed.kaMemorycardSmartcardPCMCIA/CardBusUSBflashdriveUSBKeyExpressCardPCIExpress口令之外口令登录指纹登录智能卡登录登录次数的限制PIN和lock功能SSO其他生物识别认证技术抽象:
TokenTheprimarygoalofCryptokiwasalower-levelprogramminginterfacethatabstractsthedetailsofthedevices,andpresentstotheapplicationacommonmodelofthecryptographicdevice,calleda“cryptographictoken”(orsimply“token”).Atokenisadevicethatstoresobjectsandcanperformcryptographicfunctions.(cryptoki是token的接口)GeneralCryptokiModelOtherSecurityLayersApplication1CryptokiOtherSecurityLayersApplicationkCryptokiDeviceContention/SynchronizationSlot1Token1(Device1)SlotnTokenn(Devicen)ObjectHierarchyCryptokidefinesthreeclassesofobjectObjectCertificateKeyDataSecretKeyPrivateKeyPublicKeyUsersThisversionofCryptokirecognizestwotokenusertypes.OnetypeisaSecurityOfficer(SO).Theothertypeisthenormaluser.TheroleoftheSOistoinitializeatokenandtosetthenormalusersPIN,andpossiblytomanipulatesomepublicobjects.Onlythenormaluserisallowedaccesstoprivateobjectsonthetoken,andthataccessisgrantedonlyafterthenormaluserhasbeenauthenticated.SessionCryptokirequiresthatanapplicationopenoneormoresessionswithatokentogainaccesstothetokensobjectsandfunctions.Asessionprovidesalogicalconnectionbetweentheapplicationandthetoken.Cryptokisupportsmultiplesessionsonmultipletokens.Asessioncanbearead/write(R/W)sessionoraread-only(R/O)session.SessioneventsSessioneventscausethesessionstatetochange.Thefollowingtabledescribestheevents:
EventOccurswhen.LogInSOtheSOisauthenticatedtothetoken.LogInUserthenormaluserisauthenticatedtothetoken.LogOuttheapplicationlogsoutthecurrentuser(SOornormaluser).CloseSessiontheapplicationclosesthesessionorclosesallsessions.DeviceRemovedthedeviceunderlyingthetokenhasbeenremovedfromitsslot.Read-OnlySessionStatesR/OPublicSessionR/OUserFunctionsLoginUserLogoutOpenSessionOpenSessionCloseSession/DeviceRemovedCloseSession/DeviceRemovedRead/WriteSessionStatesR/WSOFunctionsR/WPublicSessionLoginSOLogoutOpenSessionOpenSessionCloseSession/DeviceRemovedCloseSession/DeviceRemovedR/WUserFunctionsLoginUserLogoutOpenSessionCloseSession/DeviceRemovedAccesstoDifferentTypesObjectsbyDifferentTypesofSessionsTypeofsessionTypeofobjectR/OPublicR/WPublicR/OUserR/WUserR/WSOPublicsessionobjectR/WR/WR/WR/WR/WPrivatesessionobjectR/WR/WPublictokenobjectR/OR/WR/OR/WR/WPrivatetokenobjectR/OR/Wwithfork()ConsideraUNIXprocessPwhichbecomesaCryptokiapplicationbycallingC_Initialize,andthenusesthefork()systemcalltocreateachildprocessC.ifCneedstouseCryptoki,itneedstoperformitsownC_Initializecall.(andthenC_Finalizeaftersomeotheroperations)ifithasnoneedtouseCryptoki,itshouldimmediatelycallC_InitializeandthencallC_Finalize.withmulti-threadCryptokienablesapplicationstoprovideinformationtolibrariessothattheycangiveappropriatesupportformulti-threading.Inparticular,whenanapplicationinitializesaCryptokilibrarywithacalltoC_Initialize,itcanspecifyoneoffourpossiblemulti-threadingbehaviorsforthelibrary:
SummaryofCryptokiFunctionsCategoryFunctionDescriptionGeneralpurposeFunctionsC_InitializeinitializesCryptokiC_FinalizecleanupmiscellaneousCryptoki-associatedresourcesC_GetInfoobtainsgeneralinformationaboutCryptokiC_GetFunctionListobtainsentrypointsofCryptokilibraryfunctionsSlotandtokenanagementfunctionsSlotandtokenmanagementfunctionsC_GetSlotListobtainsalistofslotsinthesystemC_GetSlotInfoobtainsinformationaboutaparticularslotC_GetTokenInfoobtainsinformationaboutaparticulartokenC_WaitForSlotEventwaitsforaslotevent(tokeninsertion,removal,etc.)tooccurC_GetMechanismListobtainsalistofmechanismssupportedbyatokenC_GetMechanismInfoobtainsinformationaboutaparticularmechanismC_InitTokeninitializesatokenC_InitPINinitializesthenormalusersPINC_SetPINmodifiesthePINofthecurrentuserSessionManagementFunctionsSessionmanagementFunctionsC_OpenSessionopensaconnectionbetweenanapplicationandaparticulartokenorsetsupanapplicationcallbackfortokeninsertionC_CloseSessionclosesasessionC_CloseAllSessionsclosesallsessionswithatokenC_GetSessionInfoobtainsinformationaboutthesessionC_GetOperationStateobtainsthecryptographicoperationsstateofasessionC_SetOperationStatesetsthecryptographicoperationsstateofasessionC_LoginlogsintoatokenC_LogoutlogsoutfromatokenObjectmanagementfunctionsObjectmanagementfunctionsC_CreateObjectcreatesanobjectC_CopyObjectcreatesacopyofanobjectC_DestroyObjectdestroysanobjectC_GetObjectSizeobtainsthesizeofanobjectinbytesC_GetAttributeValueobtainsanattributevalueofanobjectC_SetAttributeValuemodifiesanattributevalueofanobjectC_FindObjectsInitinitializesanobjectsearchoperationC_FindObjectscontinuesanobjectsearchoperationC_FindObjectsFinalfinishesanobjectsearchoperationEncryption/DecryptionfunctionsEncryptionfunctionsC_EncryptInitinitializesanencryptionoperationC_Encryptencryptssingle-partdataC_EncryptUpdatecontinuesamultiple-partencryptionoperationC_EncryptFinalfinishesamultiple-partencryptionoperationDecryptionfunctionsC_DecryptInitinitializesadecryptionoperationC_Decryptdecryptssingle-partencrypteddataC_DecryptUpdatecontinuesamultiple-partdecryptionoperationC_DecryptFinalfinishesamultiple-partdecryptionoperationMessagedigestingfunctionsMessagedigestingfunctionsC_DigestInitinitializesamessage-digestingoperationC_Digestdigestssingle-partdataC_DigestUpdatecontinuesamultiple-partdigestingoperationC_DigestKeydigestsakeyC_DigestFinalfinishesamultiple-partdigestingoperationSigningandMACingfunctionsSigningandMACingfunctionsC_SignInitinitializesasignatureoperationC_Signsignssingle-partdataC_SignUpdatecontinuesamultiple-partsignatureoperationC_SignFinalfinishesamultiple-partsignatureoperationC_SignRecoverInitinitializesasignatureoperation,wherethedatacanberecoveredfromthesignatureC_SignRecoversignssingle-partdata,wherethedatacanberecoveredfromthesignatureFunctionsforverifyingsignaturesandMACsFunctionsforverifyingsignaturesandMACsC_VerifyInitinitializesaverificationoperationC_Verifyverifiesasignatureonsingle-partdataC_VerifyUpdatecontinuesamultiple-partverificationoperationC_VerifyFinalfinishesamultiple-partverificationoperationC_VerifyRecoverInitinitializesaverificationoperationwherethedataisrecoveredfromthesignatureC_VerifyRecoververifiesasignatureonsingle-partdata,wherethedataisrecoveredfromthesignatureDual-purposecryptographicfunctionsDual-purposecryptographicfunctionsC_DigestEncryptUpdatecontinuessimultaneousmultiple-partdigestingandencryptionoperationsC_DecryptDigestUpdatecontinuessimultaneousmultiple-partdecryptionanddigestingoperationsC_SignEncryptUpdatecontinuessimultaneousmultiple-partsignatureandencryptionoperationsC_DecryptVerifyUpdatecontinuessimultaneousmultiple-partdecryptionandverificationoperationsKeymanagementfunctionsKeymanagementfunctionsC_GenerateKeygeneratesasecretkeyC_GenerateKeyPairgeneratesapublic-key/private-keypairC_WrapKeywraps(encrypts)akeyC_UnwrapKeyunwraps(decrypts)akeyC_DeriveKeyderivesakeyfromabasekeyRandomnumbergenerationfunctionsRandomnumbergenerationfunctionsC_SeedRandommixesinadditionalseedmaterialtotherandomnumbergeneratorC_GenerateRandomgeneratesrandomdataParallelfunctionmanagementFunctionsParallelfunctionmanagementFunctionsC_GetFunctionStatuslegacyfunctionwhichalwaysreturnsCKR_FUNCTION_NOT_PARALLELC_CancelFunctionlegacyfunctionwhichalwaysreturnsCKR_FUNCTION_NOT_PARALLELCallbackfunctionCallbackfunctionapplication-suppliedfunctiontoprocessnotificationsfromCryptokiF
- 配套讲稿:
如PPT文件的首页显示word图标,表示该PPT已包含配套word讲稿。双击word图标可打开word文档。
- 特殊限制:
部分文档作品中含有的国旗、国徽等图片,仅作为作品整体效果示例展示,禁止商用。设计者仅对作品中独创性部分享有著作权。
- 关 键 词:
- Cryptoki CryptoAPI 安全生产 协议 标准 管理
![提示](https://static.bingdoc.com/images/bang_tan.gif)