How to find standard applets needed for UICC? - applet

Is there any repository where one can find standard applets introduced in Global Platform or ETSI or other standards (e.g. Security Domain, Contactless Registry Service, etc.)?

Unfortunately not. Usually these applets (Security Domains, USIM, RAM/RFM OTA, ...) require some native integration in the operating system because the standard JavaCard API is not sufficient here, e.g. think of the necessary Milenage or TUAK algorithm needed for the network authentication of a USIM - there is no JavaCard cryptographic support for this (OK, Milenage could leverage the AES as primitive).
Hence all the implementations are custom implementations by the vendors. Because SIMs/eUICCs are also in control of a mobile network operator, there is also no use case why this could be useful to an individual developer, which can be another reason why nothing is available as OS here.

Related

pkcs11-tool: why do I need to specify a module to load?

When I run pkcs11-tool I always need to specify a module:
pkcs11-tool --module=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -L
What is this module for and how does pkcs11-tool use it? Which are the other possible modules I can use? What is the difference between them?
I tried to use another one ("/usr/lib/x86_64-linux-gnu/nss/libnssckbi.so"), but I always get an empty slot, so I suppose there is a difference in the purpose of the modules?
The modules are used as middleware to the actual device like smart cards, USB tokens and hardware security modules (HSMs) or even software emulations for PKCS#11.
You can think of it as a hardware driver mapping PKCS#11 to the concrete device, with some modules offering vendor-specific algorithms, login mechanisms etc.
Some known modules are listed here:
http://wiki.ncryptoki.com/Known-PKCS-11-modules.ashx
Using OpenSC, you already have support for a lot of different devices:
https://github.com/OpenSC/OpenSC/wiki/Supported-hardware-(smart-cards-and-USB-tokens)
So given you stick to those devices listed there and don't use any special function not supported by OpenSC, you should use OpenSC.
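What "loading a module" amounts to, shown as an added example (not part of the original answers and not OpenSC code): the module is a shared library exporting the Cryptoki entry point `C_GetFunctionList`, and every slot a tool reports comes from that library, so two modules on the same machine can report different slots. The function name `list_slots` and its status strings are made up for this example, and the structure layout assumes a Unix-like system where Cryptoki structures are not packed.

```python
import ctypes

CK_ULONG = ctypes.c_ulong  # also used for CK_RV and CK_SLOT_ID
CKR_OK = 0

class CK_VERSION(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]

VOIDP_FN = ctypes.CFUNCTYPE(CK_ULONG, ctypes.c_void_p)
SLOTLIST_FN = ctypes.CFUNCTYPE(CK_ULONG, ctypes.c_ubyte,
                               ctypes.POINTER(CK_ULONG), ctypes.POINTER(CK_ULONG))

class CK_FUNCTION_LIST(ctypes.Structure):
    # Only the leading members of the function table are declared here.
    _fields_ = [("version", CK_VERSION),
                ("C_Initialize", VOIDP_FN),
                ("C_Finalize", VOIDP_FN),
                ("C_GetInfo", ctypes.c_void_p),
                ("C_GetFunctionList", ctypes.c_void_p),
                ("C_GetSlotList", SLOTLIST_FN)]

def list_slots(module_path, token_present=False):
    """Return (status, slot_ids) as reported by the module at module_path."""
    try:
        lib = ctypes.CDLL(module_path)
    except OSError:
        return ("load-failed", [])
    try:
        get_function_list = lib.C_GetFunctionList
    except AttributeError:
        return ("not-a-pkcs11-module", [])  # a library without the entry point
    get_function_list.restype = CK_ULONG
    get_function_list.argtypes = [ctypes.POINTER(ctypes.POINTER(CK_FUNCTION_LIST))]
    table = ctypes.POINTER(CK_FUNCTION_LIST)()
    if get_function_list(ctypes.byref(table)) != CKR_OK or not table:
        return ("no-function-list", [])
    fns = table.contents
    if fns.C_Initialize(None) != CKR_OK:
        return ("init-failed", [])
    try:
        count = CK_ULONG(0)
        # First call with a NULL list asks only for the number of slots.
        if fns.C_GetSlotList(int(token_present), None, ctypes.byref(count)) != CKR_OK:
            return ("slot-list-failed", [])
        slots = (CK_ULONG * count.value)()
        if fns.C_GetSlotList(int(token_present), slots, ctypes.byref(count)) != CKR_OK:
            return ("slot-list-failed", [])
        return ("ok", list(slots[:count.value]))
    finally:
        fns.C_Finalize(None)
```

Calling `list_slots` with the two module paths from the question shows each library answering for its own devices only.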

How to use CKO_VENDOR_DEFINED in pkcs#11

Has anyone used CKO_VENDOR_DEFINED to create a key or a data object?
There is hardly any documentation (including the mother lode from Oasis) about how to do it, or which attributes are applicable/not-applicable.
Unfortunately, but hopefully understandably, I cannot describe exactly what I am trying to do.
But the gist of it is that I need to be able to have a bit more attribute<=>mechanism flexibility with our kind of keys and the ability to modify a key on the token.
I'd really appreciate any pointers or help.
You can take a look at OpenPGP extension to PKCS #11 where CKC_OPENPGP is defined as:
#define CKC_OPENPGP (CKC_VENDOR_DEFINED|0x00504750)
I've seen also commercial implementations introducing CK*_VENDOR_DEFINED extensions this way.
(AFAIK) vendor defined object types must be implemented inside the HSM unit firmware (in theory, the host-side cryptoki library could introduce some additional "virtual" object types, but this probably would not make any sense as the overall security model would stay the same -- because the host-side cryptoki code runs in an untrusted execution environment).
If you need more control than provided by the vanilla PKCS#11 you have some choices:
Use existing vendor extensions -- some vendors add their own extensions designed to solve common use-cases. Read your documentation or contact your vendor directly.
Implement a custom firmware -- some products allow the end-user to run a custom code inside the HSM device. You can implement your model this way.
SafeNet ProtectServer:
SafeNet ProtectServer HSMs offer a unique level of flexibility for
application developers to create their own firmware and execute it
within the secure confines of the HSM. Known as functionality modules,
the toolkits provide a comprehensive facility to develop and deploy
custom firmware.
Thales nShield:
Most nShield HSMs also support the unique ability to host critical
applications within the hardened security boundary, so you can
establish tamper-resistant business processes in addition to
protecting cryptographic operations.
Utimaco CryptoServer:
The CryptoServer Software Development Kit (SDK) is the professional
development environment for all Utimaco Hardware Security Modules. It
enables integrators and end-users to create specific applications,
e.g. proprietary algorithms, custom key derivation procedures or
complex protocols that run in the tamper-proof environment of the
CryptoServer Hardware Security Module. As the SDK provides full access
to the Utimaco base firmware, custom firmware modules can be developed
in a very short time frame.
Use some other technology -- do not use HSMs at all and leverage some other secure device. Specifically smartcards might be a viable alternative as some of them can be programmed (at least Java Card or MULTOS ones). On the other hand the performance and range of supported algorithms is quite limited here (depends on your use-case).

Software framework for internet-wide peer-to-peer applications

Is there any known effort to build a generic software framework/library for building distributed/P2P systems on the wider internet[1]? Something that ideally should provide basic services such as peer autodiscovery, autoconfiguration (wrt NAT/firewall issues, bootstrapping), fault-tolerance (churn-resistance, adaptivity, replication), differentiated transports (reliable, unreliable, unicast, anycast, multicast, broadcast), basic storage (DHT-like) and events notification (pubsub).
So, basically something like Hazelcast but not limited to walled-garden server-to-server applications. This would be tremendously useful to easily build distributed applications.
[1] with "wider internet" I mean the public internet, including mobile, residential, eventually connected and possibly byzantine endpoints
You will find different options and technologies depending on the framework you want to use.
For instance for Java based applications you might want to have a look at the JXTA technology.

Question related to API

What is an API?
What is the importance of it?
Give me an example of it.
How can a developer use an API?
For a broad answer to your question you can check wikipedia:
http://en.wikipedia.org/wiki/Application_programming_interface
An API is an abstraction that describes an interface for the interaction with a set of functions used by components of a software system. The software providing the functions described by an API is said to be an implementation of the API.
An application programming interface (API) is an interface implemented by a software program which enables it to interact with other software. It facilitates interaction between different software programs similar to the way the user interface facilitates interaction between humans and computers. An API is implemented by applications, libraries, and operating systems to determine their vocabularies and calling conventions, and is used to access their services. It may include specifications for routines, data structures, object classes, and protocols used to communicate between the consumer and the implementer of the API.
What Good Are They?
APIs allow us to tie functionality into websites that would otherwise take an enormous amount of time and effort to build from scratch. APIs are a sanctioned way of reusing someone else’s functionality without having to build it all yourself.
http://en.wikipedia.org/wiki/Application_programming_interface

Is it possible to create a FIPS 140-2 compliant server in Perl?

The question is pretty simple, is it possible to create a FIPS 140-2 compliant server in Perl? Especially, is it possible without modifying any of the C code for the modules? If it's not possible in straight Perl, what would be the easiest way to go about it from a C perspective?
I'm basically creating a mini-httpd that only serves up a single file, but due to security restrictions it needs to be served up on SSL under FIPS compliance.
I don't know all of the rules when it comes to FIPS 140-2. However, unlike HIPAA and PCI-DSS, it's a standard that governs the strength of cryptography and doesn't take the system as a whole into consideration. Parts of OpenSSL can be FIPS 140-2 compliant and this library is exposed to Perl via the Crypt::OpenSSL module. You just have to make sure your key size is large enough for the level of FIPS certification you need and that you don't violate one of the many Cryptographic Issues.
Take a look at Mozilla's FIPS strategy. Triple DES is most likely to be Open Source. I am unaware of any certified FIPS 140-2 solutions in Perl.
Most implementation approvals are very restrictive, such as being on a certain hardware platform, CPU, and OS version. If you are on one of those platforms, you can often piggyback on the OS approval, such as Windows 7, Redhat, etc.