Java Forum / Security / November 2003
SSL accelerator cards and PKCS#7 hardware token

noone - 13 Nov 2003 06:00 GMT
Does anyone in this ng have experience with:

1) Interfacing with an SSL accelerator card, with Java being an HTTP
client making a remote HTTPS connection ?

2) Interfacing with a PKCS#7 hardware token / HSM for non-SSL
related tasks ? ( e.g.: S/MIME )

Which cards do you recommend that are affordable enough?
( I know the HSM ones are very expensive )

Do you have to use a different / non-standard API provided by the
hardware vendor instead of using the JCE / JSSE implementation of the
hardware vendor ?

Isn't there a standard API for accessing PKCS#7 via Java, with the API
hiding the native code interface ?
Karl Scheibelhofer - 13 Nov 2003 08:38 GMT
> Can anyone in this ng with experience on:
>
[quoted text clipped - 3 lines]
> 2) Interfacing with a or a PKCS#7 hardware token / HSM for non-SSL
> related tasks ? ( e.g.: S/MIME )

i guess you mean PKCS#11, because PKCS#7 is about cryptographic message
syntax and not directly related to crypto hardware. or do you mean
signing/decrypting PKCS#7 messages using a hardware token?
however, both are possible.

> Which cards do you recommend that is affordable enough?
> ( I know the HSM ones are very expensive )

that depends on what you want to use it for. an HSM (PCI-card or external
device) is useful on a server, whereas tokens like smart cards or USB tokens
are personal devices for carrying around.

> Do you have to use a different / non-standard API provided by the
> hardware vendor instead of using the JCE / JSSE implementation of the
> hardware vendor ?

to access crypto hardware, no matter whether it is an HSM or a smart card or
USB token, i would recommend the PKCS#11 API. you may also consider MS Crypto
API, but then you may not be able to support other platforms than Windows.
nearly every smart card and USB token, and all HSMs, come with a PKCS#11
module. for instance Netscape/Mozilla uses PKCS#11 to access smart cards.
thus, if a hardware vendor supports Netscape/Mozilla the device usually comes
with a PKCS#11 module.

to access a PKCS#11 module from Java, you need a wrapper library with a
native bridge, because a PKCS#11 module is always a native code library (a
DLL or shared library). there is a PKCS#11 wrapper from IBM, and we (IAIK)
also provide a PKCS#11 wrapper which is available under an apache-style
license. you can read about it at
http://jce.iaik.tugraz.at/products/14_PKCS11_Wrapper/index.php and download
it from
http://jce.iaik.tugraz.at/download/evaluation/index.php#PKCS11Wrapper (free
registration required, link on top of page). this wrapper makes the crypto
functionality of the hardware accessible from Java. our wrapper comes with
documentation and a lot of sample code showing how to use it.
(by the way, a slightly modified version of this wrapper will be integrated
in Java 1.5 from SUN).

to integrate this crypto functionality into existing Java libraries like SSL
(JSSE), PKCS#7, or S/MIME, you often need a JCA/JCE provider for PKCS#11. we
also offer such a PKCS#11 Provider, but it is only free for
non-commercial use; for commercial use, you need to buy a license. see
http://jce.iaik.tugraz.at/products/15_PKCS11_Provider/index.php and download
a fully functional evaluation version from
http://jce.iaik.tugraz.at/download/evaluation/index.php#PKCS11Provider (free
registration required, link on top of page). in addition to the
documentation, our PKCS#11 provider comes with a lot of demo code. it shows
how to use it for signing/verification of certificates, CRLs, OCSP messages,
PKCS#7 messages, how to integrate it in IAIK-SSL and JSSE, and how to use it
in applets. integration into our XML Signature and CMS-S/MIMEv3 library has
also been tested.

> Isn't there a standard API for accessing PKCS#7 via Java, with the API
> hiding the native code interface ?

no, there is no standard API for PKCS#7 in Java. the IAIK-JCE includes a
proprietary API for PKCS#7 (IAIK-JCE is part of the IAIK PKCS#11 Provider).

i hope this information is useful for you.

regards

 Karl

--

Karl Scheibelhofer, IAIK - Graz University of Technology
Inffeldgasse 16a, 8010 Graz, Austria
Fax: +43 316 873 5520
http://jce.iaik.tugraz.at/
noone - 14 Nov 2003 05:44 GMT
>>Can anyone in this ng with experience on:
>>
[quoted text clipped - 8 lines]
> signing/decrypting PKCS#7 messages using a hardware token?
> however, both is possible.

Yes, you are right. I meant PKCS#11, not PKCS#7.

>>Which cards do you recommend that is affordable enough?
>>( I know the HSM ones are very expensive )
>
> that depends on what you want to use it for. a HSM (PCI-card or external
> device) is useful on a server, whereas tokens like smart cards or USB tokens
> are personal devices for carrying around.

Let's say I want one:

1) Where you can "offload" encryption / decryption to the hardware
token, which would include, but not be limited to,
accelerating SSL and S/MIME.

2) ... and another one that does the above [1] __and__ can be used as a
hardware keystore.

For starters, I would like to have one at home, so cost is important.

> to access a PKCS#11 module from Java, you need a wrapper library with a
> native bridge, because a PKCS#11 module is always a native code library (a
[quoted text clipped - 6 lines]
> registration required, link on top of page). this wrapper makes the crypto
> functionality of the hardware accessible from Java.

Cool! So is it fair to say that all crypto hardware is accessible via
the PKCS#11 API? Meaning, a single shared library can access any crypto
hardware, as long as the hardware conforms to the PKCS#11 API /
interface / standard ?

> to integrate this crypto functionality into existing Java libraries like SSL
> (JSSE), PKCS#7, or S/MIME, you often need a JCA/JCE provider for PKCS#11. we
[quoted text clipped - 15 lines]
> no, there is no standard API for PKCS#7 in Java. the IAIK-JCE includes a
> proprietary API for PKCS#7 (IAIK-JCE is part of the IAIK PKCS#11 Provider).

I actually meant PKCS#11 here, but you answered the question already
anyway above ( JCA / JCE provider for PKCS#11 ).

> i hope this information is useful for you.
>
> regards
>
>   Karl

Thanks,

John
Karl Scheibelhofer - 14 Nov 2003 09:47 GMT
> >>Can anyone in this ng with experience on:
> >>
[quoted text clipped - 26 lines]
> 2) ... and another one that does the above [1] __and__ can be used as a
> hardware keystore.

the PKCS#11 Provider has a Java KeyStore to access the crypto token's
contents.

> For starters, I would like to have one at home, so cost is important.

you may have a look at GNU PKCS#11. it is a pure software implementation of
a PKCS#11 module and saves keys, certificates, ... to disk. for windows, it
is a little work to get it running, but it costs nothing.
if you want real crypto hardware, i guess a USB crypto token like Rainbow
iKey 3000 would be an option. at
http://jce.iaik.tugraz.at/products/14_PKCS11_Wrapper/tested_products/index.php
you can see the products we already tested ourselves. our customers used
even some more, which are not listed here, with our libraries.

> > to access a PKCS#11 module from Java, you need a wrapper library with a
> > native bridge, because a PKCS#11 module is always a native code library (a
[quoted text clipped - 11 lines]
> hardware, as long as the hardware conforms to the PKCS#11 API /
> interface / standard ?

the shared library of the PKCS#11 Wrapper remains the same. the shared
library which contains the actual PKCS#11 module of the hardware changes
with different hardware products. the manufacturer usually supplies this
shared library.

regards

 Karl

> > to integrate this crypto functionality into existing Java libraries like SSL
> > (JSSE), PKCS#7, or S/MIME, you often need a JCA/JCE provider for PKCS#11. we
[quoted text clipped - 28 lines]
>
> John
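As an added example (not code from this thread, nor IAIK's wrapper or provider), here is the flow Karl describes across both replies: a JCA/JCE provider sitting on top of a vendor's PKCS#11 module, and a Java KeyStore view of the token's contents used to sign with a key that never leaves the device. It uses the SunPKCS11 provider that ships with the JDK (the Java 1.5 integration he mentions, in its Java 9+ `configure` form); the module path, key alias and PIN prompt are placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Arrays;

public class TokenSignDemo {
    // Hypothetical SunPKCS11 configuration. "library" names the vendor's own
    // PKCS#11 module (the .so/.dll shipped with the token or HSM); this is the
    // only line that changes when the hardware changes, as the thread describes.
    static final String PKCS11_CONFIG = String.join("\n",
            "name = DemoToken",
            "library = /path/to/vendor/pkcs11-module.so",  // placeholder path
            "slotListIndex = 0");

    public static void main(String[] args) throws Exception {
        String alias = args.length > 0 ? args[0] : "signing-key";  // placeholder alias
        // Read the PIN interactively rather than embedding it in the source.
        char[] pin = System.console() != null
                ? System.console().readPassword("Token PIN: ") : new char[0];

        // Java 9+: configure the built-in SunPKCS11 provider with inline config.
        Provider p11 = Security.getProvider("SunPKCS11").configure("--" + PKCS11_CONFIG);
        Security.addProvider(p11);

        // The PKCS11 KeyStore is a view of the token; the PIN is its "password".
        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, pin);
        PrivateKey key = (PrivateKey) ks.getKey(alias, null);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (key == null || cert == null) {
            throw new IllegalStateException("no key pair under alias " + alias);
        }
        // The PrivateKey object is only a handle; the key material stays on the token.
        System.out.println("Key bits visible to Java: " + (key.getEncoded() != null));

        byte[] data = "message to sign".getBytes(StandardCharsets.UTF_8);
        // Sign inside the token: the provider routes this call to the PKCS#11 module.
        Signature signer = Signature.getInstance("SHA256withRSA", p11);
        signer.initSign(key);
        signer.update(data);
        byte[] sig = signer.sign();
        // Verify in software with the public key from the token's certificate.
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(cert.getPublicKey());
        verifier.update(data);
        System.out.println("Signature valid: " + verifier.verify(sig));
        Arrays.fill(pin, '\0');  // clear the PIN from memory when done
    }
}
```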
