Sorry, I mis-read your note. The comments are about having a card
do the hash then use it with an RSA key, rather then do a HMAC
with a secret key.
But see below too.
Damiano ALBANI wrote:
--- "Douglas E. Engert" <[EMAIL PROTECTED]> wrote :
Are you trying force the card to do the HMAC, because you don't trust
the software to do it? Like trying to enforce some policy that hashs
must be done on the card? Or are you willing to let the PKCS#11
software
to the hash?
I'd like the hash to be fully calculated on the hardware token.
In PKCS#11 terms use a mech like CKM_SHA1_RSA_PKCS or
CHM_MD5_RSA_PKCS?
If you don't trust the software and are trying to make sure the card
did
the hash too, then your card should not expose CKM_RSA_PKCS or
CKM_RSA_X_509 otherwise the software could bypass your policy and
do the hash in software and send the hash to the card with
CKM_RSA_PKCS
to be signed.
The PKCS#11 API contains CKM_MD5_HMAC / CKM_SHA_1_HMAC mecanisms : what
are their use then, vs. the ones you mentionned ?
No. Sorry about that.
Since sending large amounts of data to the card to hash can be very
time consuming, it is usually done in software, and the hash sent
to the card to be signed.
What I need to hash is quite small so that shouldn't be a problem.
I'll tell you what I'm trying to do : I'd like to store my Internet
passwords in a PKCS#11 token. And use it to authenticate to services,
using a mechanism like
<http://franklinmint.fm/2006/04/07/draft-sayre-http-hmac-digest-01.html>.
For example, I use a Web browser on several computers, so I'd like to
carry my credentials inside a token.
Does it sound reasonable ?
Yes if the browsers support calling a smart card to do the HMAC.
Are there any? If not this might be the biggest challenge.
Regards,
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
