Ron Ramsay wrote:
>
> Having a crypto API (pkcs11?) within the product would be very welcome.
>
I think you mean cryptoki. Crypto API is an MS thingy which we probably
don't want...
> Personally, I think only asymmetric private key operations should be
> performed in hardware and symmetric key operation would be performed as
> they are now. This is because some applications would use smart cards
> which normally are CPU impaired. If the hardware 'accelerates' symmetric
> key operations then perhaps this could be enabled at compile time or run
> time.
>
There are some cases where hardware symmetric key handling would be
useful. Some crypto hardware includes symmetric encryption acceleration
and symmetric key protection. For example you could decrypt a block
using a hardware private key and obtain a symmetric key and decrypt some
data with it. Under PKCS#11 it can make sure the symmetric key is never
revealed outside the library (or hardware). This is generally more
secure than having the key visible in memory.
Currently symmetric key protection is a bit problematical because the EVP
interface largely assumes the key is "visible" and it can do horrible
things to it like change the IV or clone the context.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
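
The unwrap-then-decrypt flow described in the message above, as an added example that is not part of the original message and is neither OpenSSL nor PKCS#11 code. It is a software model only: ToyToken, toy_stream_xor, get_key_value and the sample key and message are hypothetical, the RSA is unpadded textbook RSA with a constructed small key, and the class boundary stands in for the hardware boundary.

```python
import hashlib
import secrets

class SensitiveKeyError(Exception):
    """Raised when a caller asks for the bytes of a token-resident key."""

def toy_stream_xor(key, iv, data):
    # Stand-in cipher (SHA-256 keystream XOR); not a real algorithm choice.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + iv + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

class ToyToken:
    """Hypothetical token model: keys stay in _objects, callers see handles."""

    def __init__(self):
        # Constructed textbook-RSA key from two Mersenne primes; far too small
        # and unpadded, used only to make the unwrap step concrete.
        p, q, self.e = 2**61 - 1, 2**89 - 1, 65537
        self.n = p * q
        self._objects = {1: pow(self.e, -1, (p - 1) * (q - 1))}  # handle 1
        self._next = 2

    def unwrap_key(self, priv_handle, wrapped):
        # Counterpart of C_UnwrapKey: the recovered key is stored inside the
        # token and only its handle is returned.
        d = self._objects[priv_handle]
        self._objects[self._next] = pow(wrapped, d, self.n).to_bytes(16, "big")
        self._next += 1
        return self._next - 1

    def decrypt(self, key_handle, iv, ciphertext):
        return toy_stream_xor(self._objects[key_handle], iv, ciphertext)

    def get_key_value(self, handle):
        # Counterpart of reading CKA_VALUE from a sensitive key: refused.
        raise SensitiveKeyError("object %d is not extractable" % handle)

def demo():
    token = ToyToken()
    key, iv = secrets.token_bytes(16), secrets.token_bytes(16)  # sender side
    ciphertext = toy_stream_xor(key, iv, b"constructed sample message")
    wrapped = pow(int.from_bytes(key, "big"), token.e, token.n)
    handle = token.unwrap_key(1, wrapped)  # receiver only ever holds this
    try:
        token.get_key_value(handle)
    except SensitiveKeyError:
        return handle, token.decrypt(handle, iv, ciphertext)
    raise AssertionError("key bytes were exposed")
```

The receiving side never touches the session key bytes: it passes a handle and an IV to the token for each operation, which is the calling pattern an interface that assumes a visible key cannot express.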