[Security-devroom] Talk submission: unifying access to PKCS #11 tokens

[Nikos Mavrogiannopoulos]

Affiliation:
GnuTLS, Katholieke Universiteit Leuven & IBBT

Bio: Original author of the GnuTLS cryptographic library. Has worked
on several security
related projects and products. Currently works as a researcher in K.U.Leuven.

Talk Duration: 30 minutes
Cryptographic services in modern operating systems today are being
accessed by applications by using libraries, either high level ones
that hide all details, or low level ones that force the user to deal
with an amount of (un)interesting details of each cryptographic
algorithm.
Applications in the GNU/Linux and *BSD operating systems usually share
the same libraries for cryptographic operations and protocols. Those
can be one of Botan, OpenSSL, NSS, GnuTLS and maybe some more. This is
quite a variety of choices which we believe is because of the
different programming style that each library enforces, the different
algorithms it provides and the ease of usage, which are subjective
issues that depend on the eye of the beholder.

However this diversity of cryptographic libraries has some
disadvantages. For operations such as signing/encryption involving
PKCS #11 hardware tokens, or software modules, objects need to be
referenced. Currently there is no uniform way of referencing those
objects and each of the libraries has its own conventions or delegate
the burden of referencing objects to the application. This in effect
makes sharing of those object references between different
applications impossible and users are required to learn each
application's unique interface. Moreover the fact that usually there
are more than one PKCS #11 providers in a system, but no way to
globally enable them for all cryptographic applications, leaves the
burden of setup to users.

We will discuss the challenges posed and and propose a solution.