Contents
NB, should move this to Roots/HSM or similar ...
Mission
The PKCS#11 Taskforce is set up to provide the missing standardisation, testing, development and lobbying for the PKCS#11 environment, to make it a useful environment. PKCS#11 is a standard from RSA Security: http://www.rsasecurity.com/rsalabs/node.asp?id=2133
Registry
PKCS#11 is a standard from RSA Security, which defines a C API for Crypto Hardware drivers (SmartCards, Tokens, High-Security Modules, TPM´s, ...)
The big usability problem with PKCS#11 is the registration of PKCS#11 drivers in the system, so that applications can automatically find all available PKCS#11 drivers on a system. The standard just covers the C-API and is completely missing a driver registry guideline, or something similar.
The result of this situation is that the driver vendors install the drivers anywhere on the filesystem (some put it in /usr/lib, some somewhere completely else). So the users have to manually find the drivers (how?) and configure every application that wants to use them with the exact pathes of all the drivers they want to use (which doesn´t work in practice).
Our proposal is to use directories as registry for PKCS#11 drivers. Those directories only contain the drivers (lib*.so, *.DLL), put additional material somewhere else.
Current directories:
- Unix: /usr/lib/pkcs11/
- Unix: /usr/lib64/pkcs11/
- Solaris: /usr/lib/pkcs11/$ISA/ ($ISA is the architecture: /usr/lib/pkcs11/64/ , ... )
- Windows: WINDOWS\SYSTEM32\pkcs11\*.dll
If you are a vendor, developer or distributor, please adopt those directories, and make your driver install itself there.
Currently supporting Vendors/Distributors (please add yourself): |
|
Promised to support with the next version (please add yourself): |
Novell(SuSE), Sun(Solaris), QCA http://delta.affinix.com/qca/ , OpenSC |
PKCS11 in FHS Proposal
Now I would suggest the following addition to FHS:
/usr/lib/pkcs11 : PKCS#11 drivers Purpose PKCS#11 is a standard for an interface to Cryptography hardware (SmartCards, USB Tokens, High Security Modules, Trusted Platform Modules, ... all together referred as "Hardware Tokens") /usr/lib/pkcs11 includes libraries (shared objects) which conform to the PKCS#11 standard of RSA Security, and can be used by any user applications. They are not intended to be executed directly by users or shell scripts. [22] Only the libraries/drivers themselves are supposed to be in the /usr/lib/pkcs11 directory, other driver specific files should reside in a single driver-specific subdirectory under /usr/lib. If a driver uses a subdirectory, all architecture-dependent data exclusively used by the application must be placed within that subdirectory, except the driver itself. [23] ---------------- Specific Options For historical reasons, drivers can by symlinked from other directories. For the future, everyone is asked to migrate to the new structure. [24]
Feedback
- Ludovic Rousseau said that it should be in /lib instead of /usr/lib, since PAM modules could need the libraries for root to be able to login, before /usr is mounted. Any opinions?
AndreasJellinghaus (one of the OpenSC developers)
Other TODOs
- localisation/internationalisation
- security model administrator vs. user
- usability study
- quality assurance of the drivers and the applications
- automatic regression testing of the driver by the application/framework
- upgrade of the software-tokens (GPKCS11 and soft-pkcs11) to fully usable tokens
- API and free reference implementation for the registry service (?)
- better distribution of drivers
Quality Assurance
We are currently thinking about building up a testing lab to intensively test and improve the available PKCS#11 drivers. Unless somebody comes up with better ideas, it is planned to create a "CAcert certified PKCS#11 driver" program.
Distribution
We believe that it is necessary that all Linux distributions contain the necessary drivers for all the SmartCards out there. So we will try to collect the PKCS#11 drivers, and push them to the distributors for inclusion, to make them publically available.
Drivers
Please add/correct your listing yourself. http://janus.liebregts.nl/pkcs11/smartc.html
Name |
URL |
Vendor |
Status |
GPKCS |
TC Trustcenter |
does not link correctly on newer distributions |
|
soft-pkcs11 |
Love Hörnquist Åstrand |
not enough features yet |
|
Athena |
Athena-SCS |
not tried |
|
Arx |
Arx |
not tried |
|
Aladdin |
Aladdin |
not tried |
|
Litronic Netsign |
Litronic |
not tried |
|
NCipher HSM |
NCipher |
not tried |
|
SafeNet HSM |
not tried |
||
IButton |
Dallas Semiconductor/Maxim |
lot of stability issues |
|
OpenSC |
OpenSC |
not tried |
|
openCryptoki |
IBM |
|
Found Drivers
AET |
c:/winnt/system32/aetpkss1.dll |
Aladdin eToken |
c:/winnt/system32/etpkcs11.dll |
Chrysalis |
c:/winnt/system32/cryst32.dll |
Chrysalis |
c:/program files/luna/cryst201.dll |
Datakey |
c:/winnt/system32/pkcs201n.dll |
Datakey (for Entrust) |
c:/winnt/system32/dkck201.dll |
Datakey/iKey (NB: buggy, use 201) |
c:/winnt/system32/dkck232.dll |
Eracom (old, OK) |
c:/program files/eracom/cprov sw/cryptoki.dll |
Eracom (new, buggy) |
c:/program files/eracom/cprov runtime/cryptoki.dll |
Eutron |
c:/winnt/system32/sadaptor.dll |
Gemplus |
c:/winnt/system32/pk2priv.dll |
Gemplus |
c:/program files/gemplus/gclib.dll |
IBM |
c:/winnt/system32/cryptoki.dll |
nCipher |
c:/winnt/system32/cknfast.dll |
Nexus |
c:/winnt/system32/nxpkcs11.dll |
Orga Micardo |
c:/winnt/system32/micardoPKCS11.dll |
Rainbow HSM (for USB use Datakey dvr) |
c:/winnt/system32/cryptoki22.dll |
Safelayer HSM (for USB use Datakey dvr) |
c:/winnt/system32/p11card.dll |
Schlumberger |
c:/winnt/system32/slbck.dll |
Spyrus |
c:/winnt/system32/SpyPK11.dll |
Applications
Name |
URL |
Information |
pkcs11-tool |
Commandline tool |
|
OpenSSL |
Crypto library with PKCS#11 support |
|
cryptlib |
Crypto library with PKCS#11 support |
|
Mozilla( Firefox, Thunderbird) |
Browser, Email Client with NSS-based PKCS#11 support. |
|
XMLSec |
XML Encryption and Signature |
|
Psi |
XMPP/Jabber Client |