This project is not only used for key management. I am looking into how to 
combine the key management part of it into KMF (thanks for your advice!). 
Below I list more details on how it works:
--------------------------------------------------
People may ask, why another cryptosystem? After all, we already have so many 
cryptosystems.

The disadvantage of current systems and applications is not that they are 
insecure, but that they are too hard to use, especially for non-security 
experts. An example: in a team where all members use GPG to protect 
transferred secret documents, every member must first generate his own key 
pair, and then collect all the public keys of the team members, then import 
every public key into a local keyring file stored on the hard disk. Only when 
all this hard work is done can GPG be used to encrypt a file to be sent.

The trouble has just begun: somebody may find his hard disk has gone bad, or 
just lose the keyring file because of a reinstall of the OS, so the private key 
will be lost. Then all the previously encrypted documents cannot be read any 
more, and he must regenerate a key pair and inform all team members.

From the above story we can find two limitations of current cryptosystems. The 
first is from the public key. We must get the recipient's public key before 
communicating with him. If we can get the recipient's public key, we can not 
send an encrypted message to him. The second problem is from the private key. 
The private key is very important, and must be saved securely and 
persistently. A hard disk is not a good choice.

In this project we solve these questions in two ways. We use CPK, an 
identity-based cryptography scheme, for signing and encryption, instead of 
certificate-based cryptography. The e-mail address of the user is the public 
key of the user, so the need to get the recipient's public key is eliminated. 
And we use a USB token to save the private key. A USB token is like a USB 
memory stick with a smaller size. People can attach it to their keyring (the 
physical one). The private key can survive even if the computer is destroyed.

Look at the sample:

Step 1: Alice gets the USB token from the security administrator. The public 
key is the user's e-mail address; the private key is initialized and stored in 
the token. The system parameters are also stored in the token.

Step 2: Alice sends a signed and encrypted file to others. The command is 
listed below:
$ cpk --recipient [EMAIL PROTECTED] --sign --encrypt secret-letter.txt | mail [EMAIL PROTECTED]
The USB token should be plugged into the computer at that time.

Step 3: Bob uses his token to decrypt and verify the letter.
$ cpk --decrypt secret-letter.txt.cpk

It is an attractive system; it can make applications and key management 
easier. What we want to do is to implement this on Solaris and make current 
security applications easier to use. I am new to Solaris; I have built a simple 
command line tool on Solaris (based on OpenSSL) and am working on a Solaris USB 
token driver. I look forward to advice on how to build this system into the 
crypto architecture and key management architecture, so that this system can be 
used as a service by any application.
 
 
This message posted from opensolaris.org
_______________________________________________
opensolaris-discuss mailing list
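An added illustration (not part of the original message and not the project's code) of why an identity-based scheme like the one described removes the public-key collection step: anyone holding the public system parameters can compute a user's public key from the e-mail address alone, while only the administrator can compute the matching private key for the token. The toy multiplicative group, the matrix shape, the hash-to-index mapping and all names are assumptions that stand in for the scheme's real arithmetic.

```python
# Added illustration, not the project's code: a toy model of identity-based
# key derivation from a key matrix. All parameters below are assumptions.
import hashlib
import secrets

P = 2**127 - 1        # toy prime modulus, demo-sized only
G = 3                 # toy base
ROWS, COLS = 16, 8    # assumed matrix shape; one row index is picked per column

def make_matrices():
    """Administrator: secret matrix of exponents and the public matrix G^s."""
    secret = [[secrets.randbelow(P - 2) + 1 for _ in range(COLS)]
              for _ in range(ROWS)]
    public = [[pow(G, s, P) for s in row] for row in secret]
    return secret, public

def indices(identity):
    """Map an identity string to one row index per column via SHA-256."""
    digest = hashlib.sha256(identity.lower().encode()).digest()
    return [digest[c] % ROWS for c in range(COLS)]

def private_key(secret, identity):
    """Administrator only: sum the selected secret exponents (stored on the token)."""
    return sum(secret[r][c] for c, r in enumerate(indices(identity))) % (P - 1)

def public_key(public, identity):
    """Anyone: multiply the selected public entries; nothing is fetched from the user."""
    key = 1
    for c, r in enumerate(indices(identity)):
        key = key * public[r][c] % P
    return key

def demo():
    secret, public = make_matrices()
    bob = "bob@example.org"                      # constructed identity
    sk = private_key(secret, bob)                # what the token would hold
    pk = public_key(public, bob)                 # what a sender computes
    matches = pow(G, sk, P) == pk                # key pair is consistent
    distinct = public_key(public, "alice@example.org") != pk
    return matches, distinct

if __name__ == "__main__":
    print(demo())
```

The secret matrix is the single point of trust in this model: whoever holds it can derive every user's private key.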