Thanks for the comments.
I used the phrase 'a crypto API' as a generic reference, CryptoAPI would
have been a direct reference to a proprietary product. But, yes,
cryptoki is what I meant.
Regarding symmetric keys: in SSL, symmetric keys are generated anew per
session (leaving aside reconnection) so it doesn't seem appropriate to
store them in hardware. Therefore, I wouldn't be surprised if OpenSSL
expects them to be visible - I don't see this as a BAD thing.
> -----Original Message-----
> From: Dr Stephen Henson [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, August 17, 1999 4:11 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Revised OpenSSL hardware support
>
> Ron Ramsay wrote:
> >
> > Having a crypto API (pkcs11?) within the product would be very welcome.
> >
>
> I think you mean cryptoki. Crypto API is an MS thingy which we probably
> don't want...
>
> > Personally, I think only asymmetric private key operations should be
> > performed in hardware and symmetric key operation would be performed as
> > they are now. This is because some applications would use smart cards
> > which normally are CPU impaired. If the hardware 'accelerates' symmetric
> > key operations then perhaps this could be enabled at compile time or run
> > time.
> >
>
> There are some cases where hardware symmetric key handling would be
> useful. Some crypto hardware include symmetric encryption acceleration
> and symmetric key protection. For example you could decrypt a block
> using a hardware private key and obtain a symmetric key and decrypt some
> data with it. Under PKCS#11 it can make sure the symmetric key is never
> revealed outside the library (or hardware). This is generally more
> secure than having the key visible in memory.
>
> Currently symmetric key protection is a bit problematical because the EVP
> interface largely assumes the key is "visible" and it can do horrible
> things to it like change the IV or clone the context.
>
> Steve.
> --
> Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
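The flow Steve describes above (unwrap a session key under a hardware private key, then decrypt data with it while the key value never leaves the token) as an added illustration. This is not code from this thread, from OpenSSL or from any PKCS#11 module: it is a small software model of the handle discipline. The token, its "private key" and the XOR cipher are toy stand-ins for an HSM, RSA and DES, and `token_unwrap_key`, `token_get_key_value`, `token_decrypt` and `CK_HANDLE` are hypothetical names chosen to mirror C_UnwrapKey, C_GetAttributeValue and C_Decrypt.

```c
/* Added illustration, not OpenSSL or PKCS#11 code: a minimal software model of
 * a token that unwraps a session key internally and hands the caller only an
 * opaque handle. The "private key" and the cipher are toy XOR stand-ins; the
 * point is that the key value is never visible to the caller. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_KEYS 8
#define KEY_LEN  8

typedef unsigned long CK_HANDLE;   /* hypothetical stand-in for CK_OBJECT_HANDLE */
enum { CKR_OK = 0, CKR_ATTRIBUTE_SENSITIVE = 1, CKR_KEY_HANDLE_INVALID = 2, CKR_HOST_MEMORY = 3 };

/* Token-private state: on real hardware this never leaves the device. */
struct token {
    uint8_t private_key;  /* toy "private key": a single XOR byte */
    struct { uint8_t value[KEY_LEN]; int used; int extractable; } keys[MAX_KEYS];
};

/* Toy symmetric cipher (XOR keystream); self-inverse, so it both encrypts and decrypts. */
static void toy_cipher(const uint8_t *key, const uint8_t *in, uint8_t *out, size_t len) {
    for (size_t i = 0; i < len; i++) out[i] = in[i] ^ key[i % KEY_LEN];
}

/* Analogue of C_UnwrapKey: decrypt the wrapped session key inside the token,
 * store it in the token's object table and return only a handle. */
int token_unwrap_key(struct token *t, const uint8_t wrapped[KEY_LEN], int extractable, CK_HANDLE *h) {
    for (int i = 0; i < MAX_KEYS; i++) {
        if (t->keys[i].used) continue;
        for (int j = 0; j < KEY_LEN; j++) t->keys[i].value[j] = wrapped[j] ^ t->private_key;
        t->keys[i].used = 1;
        t->keys[i].extractable = extractable;
        *h = (CK_HANDLE)(i + 1);
        return CKR_OK;
    }
    return CKR_HOST_MEMORY;
}

/* Analogue of C_GetAttributeValue on CKA_VALUE: refused for non-extractable keys. */
int token_get_key_value(const struct token *t, CK_HANDLE h, uint8_t out[KEY_LEN]) {
    if (h == 0 || h > MAX_KEYS || !t->keys[h - 1].used) return CKR_KEY_HANDLE_INVALID;
    if (!t->keys[h - 1].extractable) return CKR_ATTRIBUTE_SENSITIVE;
    memcpy(out, t->keys[h - 1].value, KEY_LEN);
    return CKR_OK;
}

/* Analogue of C_Decrypt: the caller names the key by handle only. */
int token_decrypt(const struct token *t, CK_HANDLE h, const uint8_t *in, uint8_t *out, size_t len) {
    if (h == 0 || h > MAX_KEYS || !t->keys[h - 1].used) return CKR_KEY_HANDLE_INVALID;
    toy_cipher(t->keys[h - 1].value, in, out, len);
    return CKR_OK;
}

/* Worked flow on constructed data. Returns 1 when the ciphertext decrypts to
 * the expected text and the token refused to export the session key. */
int demo_protected_session_key(void) {
    static const uint8_t session_key[KEY_LEN] = {0x10,0x22,0x33,0x44,0x55,0x66,0x77,0x88}; /* constructed */
    const char *plaintext = "hello world";
    size_t len = strlen(plaintext);
    uint8_t wrapped[KEY_LEN], ct[32], pt[32], leaked[KEY_LEN];
    struct token t;
    memset(&t, 0, sizeof t);
    t.private_key = 0x5a;  /* constructed toy private key */

    /* Peer side: wrap the session key for the token (XOR is self-inverse, so the
     * toy "public" wrap is the same operation the token undoes) and encrypt data. */
    for (int j = 0; j < KEY_LEN; j++) wrapped[j] = session_key[j] ^ t.private_key;
    toy_cipher(session_key, (const uint8_t *)plaintext, ct, len);

    CK_HANDLE h = 0;
    if (token_unwrap_key(&t, wrapped, /*extractable=*/0, &h) != CKR_OK) return 0;
    /* Asking for the raw key value fails: the key stays inside the token. */
    if (token_get_key_value(&t, h, leaked) != CKR_ATTRIBUTE_SENSITIVE) return 0;
    if (token_decrypt(&t, h, ct, pt, len) != CKR_OK) return 0;
    return memcmp(pt, plaintext, len) == 0;
}

int main(void) {
    printf("protected session key flow: %s\n", demo_protected_session_key() ? "ok" : "FAILED");
    return 0;
}
```

The contrast with the EVP layer Steve mentions is the shape of the context: an EVP-style context carries the key bytes, so copying the context or altering it copies or exposes the key, whereas here a copied context would carry only the handle and the token still decides whether the value can be read.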