2010/10/19 Martin Paljak <mar...@paljak.pri.ee>: > Hello, > > On Tue, Oct 19, 2010 at 13:38, Martin Boßlet > <martin.boss...@googlemail.com> wrote: >> I noticed that libp11 (and enginePkcs11, too) only allows to create >> signatures where the hash was computed in software. The PKCS#11 device >> will simply apply the signature algorithm, and the PKCS#1.5 padding is >> created manually. But many devices actually provide support for >> performing the whole procedure on the device (i.e. hashing, signature >> and padding). Some people even consider it a security risk if not the >> entire procedure takes place on the device (tbd). Regardless of that, >> wouldn't it be a nice addition to add support for this in both >> libraries? >> I'd be glad to help out myself, is it possible to contribute? > > Of course [1] ! > > The reason why hashing is usually done on the host side is speed. > Documents I usually sign are around 100K or even bigger and the smart > card reader interface is not the fastest on earth.
Note: I have not checked the OpenSC or libp11 implementation. A good compromise is to compute the hash value on the host (for speed) except the last round. The last hash round is computed inside the card just before the padding and signature. With that scheme you have both speed and security. Bye > [1] http://www.opensc-project.org/opensc/wiki/GetInvolved -- Dr. Ludovic Rousseau _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
