OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

pkcs11-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Suggestion of two new functions in pkcs11-Version 3

Currently, I am working with ATOS-Cards V5.3 developing ECDH-code to
exchange encrypted data between the smartcard and the host via a
USB-connected class3-reader from Reiner-SCT.

Since the cards now have "plenty" of memory (about 90kByte), it would be
interesting, to store not only keys, certificates etc. on the card, but
also store somewhat larger data (e.g. 10 to 50 kByte) on the card. But
to transfer the data between the card and the host, it would be good to
use the Diffie-Hellman key exchange, so as to encrypt the data on an
application level.

The current PKCS#11-standard does not allow to encrypt a data object
(CKA_VALUE) on the card directely by using a *handle* to this data. I
would suggest for the new standard a call "C_Encrypt_By_Handle()" which
would use
	1) a handle to a symmetric key derived from ECDH
	2) a handle to the CKA_VALUE-Object to encrypt

the outcome of the call could be a CKA_VALUE in the session, containing
the encrypted result. Then, by using the DH-Key on the host, the host
side can decrypt the data and use them as whished.

The new thing in this call is the second parameter, which is just a
handle to the data on the card.

Corresponding to this call, a second call "C_Decrypt_To_Handle()", which
receives encrypted data from the host, should decrypt the message and
place the result in a CKA_VALUE, returning the handle of the CKA_VALUE.

It would be advisable to add a new data object with attribute
CKA_PROTECTED_VALUE, so as to avoid transfer of these data from the card
without using an encryption with a key e.g. defined by a ECDH-Derivation.

These two functions would work similarly to the C_WrapKey() and
C_UnwrapKey(), but can use CKA_PROTECTED_VALUE-data of large sizes
instead of keys.



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]