Subject: Suggestion of two new functions in pkcs11-Version 3
Currently, I am working with ATOS-Cards V5.3 developing ECDH-code to exchange encrypted data between the smartcard and the host via a USB-connected class3-reader from Reiner-SCT.

Since the cards now have "plenty" of memory (about 90 kByte), it would be interesting to store not only keys, certificates etc. on the card, but also somewhat larger data (e.g. 10 to 50 kByte). But to transfer the data between the card and the host, it would be good to use the Diffie-Hellman key exchange, so as to encrypt the data on an application level.

The current PKCS#11-standard does not allow encrypting a data object (CKA_VALUE) on the card directly by using a *handle* to this data. I would suggest for the new standard a call "C_Encrypt_By_Handle()" which would use

1) a handle to a symmetric key derived from ECDH
2) a handle to the CKA_VALUE-Object to encrypt

The outcome of the call could be a CKA_VALUE in the session, containing the encrypted result. Then, by using the DH-Key on the host, the host side can decrypt the data and use them as wished. The new thing in this call is the second parameter, which is just a handle to the data on the card.

Corresponding to this call, a second call "C_Decrypt_To_Handle()", which receives encrypted data from the host, should decrypt the message and place the result in a CKA_VALUE, returning the handle of the CKA_VALUE.

It would be advisable to add a new data object with attribute CKA_PROTECTED_VALUE, so as to avoid transfer of these data from the card without using an encryption with a key e.g. defined by an ECDH-Derivation.

These two functions would work similarly to the C_WrapKey() and C_UnwrapKey(), but can use CKA_PROTECTED_VALUE-data of large sizes instead of keys.

yours wully
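
The semantics proposed in the message above, modelled as an added example that is not part of the original post or of any PKCS#11 specification: a mock card object store where protected data can only leave as ciphertext and decrypted data only comes back as a handle. All function, type and constant names are hypothetical, and the repeating-key XOR is a labelled stand-in for a real cipher keyed by the ECDH-derived secret.

```c
#include <stddef.h>
#include <string.h>
/* Toy model of the proposed semantics; every name here is hypothetical, not PKCS#11 API. */
enum { RV_OK, RV_BAD_HANDLE, RV_SENSITIVE, RV_NO_SPACE };
enum kind { FREE, SECRET_KEY, VALUE, PROTECTED_VALUE };
static struct obj { enum kind kind; unsigned char data[64]; size_t len; } card[8]; /* handle 0 invalid */

static int valid(unsigned h, enum kind k) { return h > 0 && h < 8 && card[h].kind == k; }

static unsigned card_create(enum kind k, const unsigned char *d, size_t n) {
    for (unsigned h = 1; n > 0 && n <= 64 && h < 8; h++)
        if (card[h].kind == FREE) {
            card[h].kind = k; card[h].len = n; memcpy(card[h].data, d, n);
            return h;
        }
    return 0;                                   /* bad length or card full */
}

/* Plain read (the C_GetAttributeValue path): only unprotected VALUE objects leave in the clear. */
static int card_read(unsigned h, unsigned char *out, size_t *n) {
    if (h == 0 || h >= 8 || card[h].kind == FREE) return RV_BAD_HANDLE;
    if (card[h].kind != VALUE) return RV_SENSITIVE;
    memcpy(out, card[h].data, card[h].len); *n = card[h].len;
    return RV_OK;
}

/* Stand-in cipher (repeating-key XOR, NOT secure): marks where a real cipher keyed by the ECDH secret runs. */
static void toy_xor(const unsigned char *k, size_t kn, const unsigned char *in, size_t n, unsigned char *out) {
    for (size_t i = 0; i < n; i++) out[i] = in[i] ^ k[i % kn];
}

/* Model of the proposed C_Encrypt_By_Handle: the ciphertext lands in a readable VALUE object. */
static int encrypt_by_handle(unsigned key, unsigned data, unsigned *result) {
    unsigned char ct[64];
    if (!valid(key, SECRET_KEY) || !valid(data, PROTECTED_VALUE)) return RV_BAD_HANDLE;
    toy_xor(card[key].data, card[key].len, card[data].data, card[data].len, ct);
    *result = card_create(VALUE, ct, card[data].len);
    return *result ? RV_OK : RV_NO_SPACE;
}

/* Model of the proposed C_Decrypt_To_Handle: plaintext is stored protected; only a handle comes back. */
static int decrypt_to_handle(unsigned key, const unsigned char *ct, size_t n, unsigned *result) {
    unsigned char pt[64];
    if (!valid(key, SECRET_KEY)) return RV_BAD_HANDLE;
    if (n > sizeof pt) return RV_NO_SPACE;
    toy_xor(card[key].data, card[key].len, ct, n, pt);
    *result = card_create(PROTECTED_VALUE, pt, n);
    return *result ? RV_OK : RV_NO_SPACE;
}
```

In this model the host holds the same derived key and decrypts the object returned by `encrypt_by_handle` itself, while a direct read of the protected object or the key is refused.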