--- "Douglas E. Engert" <[EMAIL PROTECTED]> wrote : > > Are you trying force the card to do the HMAC, because you don't trust > the software to do it? Like trying to enforce some policy that hashs > must be done on the card? Or are you willing to let the PKCS#11 > software > to the hash?
I'd like the hash to be fully calculated on the hardware token. > In PKCS#11 terms use a mech like CKM_SHA1_RSA_PKCS or > CHM_MD5_RSA_PKCS? > > If you don't trust the software and are trying to make sure the card > did > the hash too, then your card should not expose CKM_RSA_PKCS or > CKM_RSA_X_509 otherwise the software could bypass your policy and > do the hash in software and send the hash to the card with > CKM_RSA_PKCS > to be signed. The PKCS#11 API contains CKM_MD5_HMAC / CKM_SHA_1_HMAC mecanisms : what are their use then, vs. the ones you mentionned ? > Since sending large amounts of data to the card to hash can be very > time consuming, it is usually done in software, and the hash sent > to the card to be signed. What I need to hash is quite small so that shouldn't be a problem. I'll tell you what I'm trying to do : I'd like to store my Internet passwords in a PKCS#11 token. And use it to authenticate to services, using a mechanism like <http://franklinmint.fm/2006/04/07/draft-sayre-http-hmac-digest-01.html>. For example, I use a Web browser on several computers, so I'd like to carry my credentials inside a token. Does it sound reasonable ? Regards, -- Damiano ALBANI ___________________________________________________________________________ Nouveau : téléphonez moins cher avec Yahoo! Messenger ! Découvez les tarifs exceptionnels pour appeler la France et l'international. Téléchargez sur http://fr.messenger.yahoo.com _______________________________________________ opensc-devel mailing list [email protected] http://www.opensc-project.org/mailman/listinfo/opensc-devel
