Based on openssl-engine-0.9.6c, we have developed a new engine which allows
openssl applications and Apache mod_ssl servers to use, through a PKCS#11
interface, the security functions provided by the Bull cc2000 cryptographic
card, taking advantage of key storage in secure memory and acceleration of
RSA and random functions.

This development is tested on a Linux machine with a cc2000 crypto
accelerator which increases raw server throughput to 400 requests per
second.

We added these methods to the openssl engine because openssl-engine doesn't
allow creating the RSA keys, and RSA keys must be introduced in the crypto
card independently of openssl. With the cc2000 card, RSA keys are introduced
using the PKCS#11 C_GenerateKeyPair standard function.

To be able to use the openssl commands that generate and handle RSA
keys, the trustway engine introduces 4 additional entries in the RSA method:
    -  rsa_generate_key
    -  i2d_RSAPrivateKey
    -  d2i_RSAPrivateKey
    -  d2i_RSAPublicKey

Other RSA methods (rsa_pub_enc, rsa_pub_dec, rsa_priv_enc, rsa_pub_enc,
rsa_sign, rsa, rsa_verify) are also available.

The Trustway (PKCS#11) engine identifier is "trustway".

The server certificate must be created using the trustway engine, in
order to generate the corresponding RSA key pair directly in the cc2000
crypto card. These keys are CKA_TOKEN (permanent). A modified version of
openssl CA.sh, "CA-trustway.sh", does that.

Temporary RSA keys are created through the application (e.g. mod_ssl) by
calling the trustway engine. Obviously, these keys are CKA_SESSION
(temporary). As they are session objects, they are destroyed when the
PKCS#11 session is closed when the process terminates.

The functions which initialize and terminate the engine library take charge
of loading and unloading the PKCS#11 shared library. Ours is based on
"gpkcs11".

The PKCS#11 C_Initialize function is called just once.
For a given process, each RSA cryptographic operation carried out by the
engine uses the same PKCS#11 session.

Two patch files, openssl-engine-0.9.6c-tw.patch and
mod_ssl-2.8.8-1.3.24-tw.patch, are provided to be applied to openssl-engine
and mod_ssl. The new engine code is in the file "hw_trustway.c". Some
installation and configuration procedures are also provided in our release.

These patches will be available soon on our Web server. Until then you can
ask for them by email.

Afchine
______________________________________
[EMAIL PROTECTED]
Bull Trustway R&D - Networking & Security
http://www.servers.bull.com/trustway
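As an added illustration (not code from the Trustway engine or its patches), the block below shows how the CKA_TOKEN attribute in a C_GenerateKeyPair private-key template separates the permanent server key from the temporary session keys the message describes, together with a small audit that the private key is marked sensitive and non-extractable so it cannot leave the card. The PKCS#11 types and constants are redefined inline so it compiles without a vendor pkcs11.h, and the function names are my own.

```c
#include <stddef.h>
#include <string.h>

/* Minimal stand-ins for the pkcs11.h definitions a real build would include;
 * the numeric values match the PKCS#11 v2 header. */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
enum { CK_FALSE = 0, CK_TRUE = 1 };
enum { CKA_CLASS = 0x000, CKA_TOKEN = 0x001, CKA_PRIVATE = 0x002,
       CKA_SENSITIVE = 0x103, CKA_EXTRACTABLE = 0x162, CKO_PRIVATE_KEY = 0x003 };

/* Attribute values are passed by pointer, so keep them in static storage. */
static CK_ULONG cls_priv = CKO_PRIVATE_KEY;
static CK_BBOOL bools[2] = { CK_FALSE, CK_TRUE };

/* Private-key template for C_GenerateKeyPair. permanent=1 sets CKA_TOKEN, so
 * the key survives the session (server certificate key); permanent=0 makes a
 * session object that the card destroys when the PKCS#11 session closes. */
size_t build_private_template(CK_ATTRIBUTE *t, int permanent) {
    CK_ATTRIBUTE a[] = {
        { CKA_CLASS,       &cls_priv,           sizeof cls_priv },
        { CKA_TOKEN,       &bools[!!permanent], sizeof bools[0] },
        { CKA_PRIVATE,     &bools[1], sizeof bools[0] }, /* usable only after login */
        { CKA_SENSITIVE,   &bools[1], sizeof bools[0] }, /* value never readable  */
        { CKA_EXTRACTABLE, &bools[0], sizeof bools[0] }, /* never wrapped out     */
    };
    memcpy(t, a, sizeof a);
    return sizeof a / sizeof a[0];
}

/* Look up a boolean attribute; dflt is what the audit assumes when absent. */
static CK_BBOOL attr_bool(const CK_ATTRIBUTE *t, size_t n, CK_ULONG type, CK_BBOOL dflt) {
    for (size_t i = 0; i < n; i++)
        if (t[i].type == type) return *(const CK_BBOOL *)t[i].pValue;
    return dflt;
}

/* Build the template and audit it: bit 0 = token (permanent) object,
 * bit 1 = private key confined to the card (sensitive and not extractable).
 * Expect 3 for the server key and 2 for a temporary session key. */
int audit_private_key_template(int permanent) {
    CK_ATTRIBUTE t[8];
    size_t n = build_private_template(t, permanent);
    int token = attr_bool(t, n, CKA_TOKEN, CK_FALSE) == CK_TRUE;
    int confined = attr_bool(t, n, CKA_SENSITIVE, CK_FALSE) == CK_TRUE &&
                   attr_bool(t, n, CKA_EXTRACTABLE, CK_TRUE) == CK_FALSE;
    return token | (confined << 1);
}
```

The audit treats a missing CKA_SENSITIVE as false and a missing CKA_EXTRACTABLE as true, so a template that forgets either attribute is reported as not confined.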




______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]