Hi, How does GlobalPlatform's SCP fits into this picture? Anders
Martin Paljak wrote: > Hello, > > PKCS#11 is an API for cryptographic devices that perform cryptographic > operations. > The API itself does not mandate the use of hardware (in fact, there are > several competing software PKCS#11 modules) but in the context of OpenSC, a > smart card library, it is obvious that the interface provided by OpenSC deals > exclusively with smart cards. > It would be reasonable to expect that all of the operations exposed via > PKCS#11 take place inside the security boundaries of the cryptographic smart > card module. > > Most of the time, if smart cards are used, they are used because they can > generate keys on the card that never leave the card. Sometimes pre-generated > keys are loaded to smart cards for transportation or use. But usually smart > cards are used for security reasons and the only security smart cards provide > is the physical and logical access control to the plaintext key material. > > OpenSC has currently a very lax implementation of the actual functionality as > well as for the flags that should signal the difference. These flags are: > (from PKCS#15) native, sensitive, extractable, alwaysSensitive, > neverExtractable and local > > related PKCS#11 functions: > C_WrapKey > C_UnwrapKey > > and usage flags: wrap, unwrap > and also includes transparent key generation in software. > > To make it clear and meet the expectations of the user, I would like to > suggest to remove all code from OpenSC that would generate or reveal > plaintext key material in software, outside the smart card. If keys are to be > generated somewhere else and transfered in plaintext, then there are tools > that can do it (like openssl genrsa) and OpenSC can limit itself to > implementing only functionality that really deals with the smart card, inside > the crypto module. > > In addition to my interest in using key wrapping functionality I found the > code behind pkcs15-init --extractable and --insecure somewhat odd. > > What do you think? _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
