Latest improvements to PKCS #11 - OASIS
Latest improvements
to PKCS #11
Co-Chairs:
- Tony Cox (Cryptsoft)
- Robert Relyea (Red Hat)
1 PKCS #11 Technical Committee - 2020
Making cryptographic integrations even easier
Synopsis
• Introductions
  • Tony Cox - Cryptsoft
  • Bob Relyea - Red Hat
• Development timeline
• What’s new in PKCS #11 v3.0
• Deployment of PKCS #11 v3.0
• PKCS #11 v3.1
• PKCS #11 v3.2
• Questions
Introductions
• Tony Cox
  • VP Partners, Alliances & Standards - Cryptsoft
  • Previous work includes authentication, identity management and PKI deployments
  • OASIS PKCS #11 TC Co-Chair
  • OASIS KMIP TC Co-Chair & SAM TC Co-Chair
  • KMIP interoperability test lead
• Bob Relyea
  • Principal Software Engineer - Red Hat
  • Long-time NSS developer (since 1996)
  • Worked for IBM, Netscape, iPlanet (aka Sun/Netscape Alliance), AOL, Red Hat, and IBM
  • Currently part of the Red Hat Crypto Team responsible for NSS, OpenSSL, GnuTLS and indirectly responsible for all the crypto in Red Hat
  • OASIS PKCS #11 TC Co-Chair
PKCS #11 Development Timeline
OASIS PKCS #11 releases:
• v2.40 - Mar-2015
• v2.40 E01 - May-2015
• v3.0 - Jun-2020
• v3.1 - 2021
PKCS #11 V3.0
What’s new in PKCS #11 v3.0
• New Interface Fetching Call
• New Interfaces for
  • Message-based crypto (inc. returning IV for AEAD algorithms)
  • User Login
  • Cancelling Operations
• New Mechanisms
  • AES XTS
  • SHA3/SHAKE
  • Definition for message-based AES_GCM/AES_CCM
  • SP800-56A
  • SP800-108 (Flexible KDF)
  • HKDF
• Profile Objects
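As an added example (not from the slides or from any vendor's module), the selection step behind the new interface-fetching call: given the CK_INTERFACE array a v3.0 module returns from C_GetInterfaceList(), pick the newest "PKCS 11" interface the application was built to consume; a v2.40 module has no C_GetInterfaceList() at all, so a loader falls back to C_GetFunctionList() when the symbol is missing or nothing qualifies. The struct, flag and interface-name values are those of pkcs11.h, redeclared minimally here so the snippet compiles on its own.

```c
/* Added example (not from the OASIS slides or any PKCS #11 module): choosing
 * a "PKCS 11" interface from the array a v3.0 module returns through
 * C_GetInterfaceList().  A v2.40 module exports only C_GetFunctionList(), so
 * a loader tries C_GetInterfaceList() first and falls back if it is missing.
 * Types below are a minimal redeclaration of the pkcs11.h subset needed to
 * compile stand-alone; real code includes the OASIS pkcs11.h instead. */
#include <string.h>

typedef unsigned long CK_ULONG;
typedef unsigned long CK_FLAGS;
typedef struct { unsigned char major; unsigned char minor; } CK_VERSION;
/* CK_FUNCTION_LIST (v2.x) and CK_FUNCTION_LIST_3_0 both start with this
 * header, so the version is readable before knowing which one it is. */
typedef struct { CK_VERSION version; } CK_FUNCTION_LIST_HDR;
typedef struct {
    const char *pInterfaceName;   /* "PKCS 11" or a vendor-defined name */
    void       *pFunctionList;    /* CK_FUNCTION_LIST or CK_FUNCTION_LIST_3_0 */
    CK_FLAGS    flags;            /* e.g. CKF_INTERFACE_FORK_SAFE */
} CK_INTERFACE;
#define CKF_INTERFACE_FORK_SAFE 0x00000001UL

static CK_VERSION list_version(const CK_INTERFACE *ifc)
{
    return ((const CK_FUNCTION_LIST_HDR *)ifc->pFunctionList)->version;
}

static int newer(CK_VERSION a, CK_VERSION b)          /* a > b ? */
{
    return a.major > b.major || (a.major == b.major && a.minor > b.minor);
}

/* Select the standard interface with the highest version the caller can
 * consume (at most `want`).  Vendor interfaces are skipped.  Returns NULL if
 * none qualifies, in which case the caller uses C_GetFunctionList(). */
const CK_INTERFACE *pick_interface(const CK_INTERFACE *list, CK_ULONG count,
                                   CK_VERSION want)
{
    const CK_INTERFACE *best = NULL;
    for (CK_ULONG i = 0; i < count; i++) {
        const CK_INTERFACE *ifc = &list[i];
        if (!ifc->pInterfaceName || !ifc->pFunctionList ||
            strcmp(ifc->pInterfaceName, "PKCS 11") != 0)
            continue;
        if (newer(list_version(ifc), want))
            continue;              /* module offers more than we understand */
        if (!best || newer(list_version(ifc), list_version(best)))
            best = ifc;
    }
    return best;
}
```

Fork safety is a per-interface property (the flags field), so an application that forks checks it on the interface it actually selected rather than assuming it for the whole module.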
Deployment of PKCS #11 v3.0
• Cryptsoft KMIP Server PKCS #11 Modules
• Cryptsoft PKCS #11 SDKs
• Entrust (nCipher) 12.60
• NSS 3.53 (Mozilla, Red Hat, others)
  • RHEL 7.9.z
  • RHEL 8.2.z
• Utimaco SecurityServer 4.31
• Utimaco SecurityServer 4.40
PKCS #11 V3.1
What’s new in PKCS #11 v3.1
• New Mechanisms
  • HSS - our first post-quantum algorithm
  • IKE KDF
  • New IV Generator (TLS 1.3)
• XML Test Cases for Profiles
• Documentation Changes
XML Based Test Cases for Profiles
• Standardized XML representation of test cases for each profile
• Meaningful testing possible
• Significant step towards interoperability testing & conformance
XML Based Test Cases for Profiles - Basic Example - no variables
XML Based Test Cases for Profiles - Basic Example - with Variables
PKCS#11 Documentation Changes
PKCS #11 Base Specification V3.0
  1. Introduction
  2. Platform and compiler…
  3. General data types
  4. Objects
  5. Functions
  6. PKCS #11 Conformance
  Appendices
PKCS #11 Current Mechanisms V3.0
  1. Introduction
  2. Mechanisms
  3. PKCS #11 Conformance
  4. Appendices
PKCS #11 Specification V3.1
  1. Introduction
  2. Platform and compiler…
  3. General data types
  4. Objects
  5. Functions
  6. Mechanisms
  7. PKCS #11 Conformance
  Appendices
PKCS#11 Documentation Changes
Releases: 2.40, 3.0, 3.1
Documents:
• PKCS #11 Base Specification
• PKCS #11 Specification
• PKCS #11 Current Mechanisms
• PKCS #11 Profiles
• PKCS #11 Historical Mechanisms
PKCS #11 V3.2
What’s scoped for PKCS #11 v3.2
• Asynchronous processing for key generation
• Updates for CKM_ECDH_KEY_WRAP
• FIPS 140-3 changes
• XMSS
• Profile updates
Questions