Re: [opensc-devel] Secure Messaging - How?

2010-04-06 Thread Andreas Jellinghaus 
Am Dienstag 06 April 2010 10:04:00 schrieb Anders Rundgren:
> OpenSC will get Secure Messaging some day it seems based on the Wiki.
> 
> What I don't understand is how you are supposed to use Secure Messaging
> since it works on the APDU-level which is invisible from PKCS #11.

I'm no expert, but I guess you need a card driver and profile that
is designed to work with secure messaging from ground up.

No idea how well PKCS#15 helps here. With some other cards you
only read a chip serial number or number given to the card 
(e.g. issuer serial number), and then start secure messaging
based on a key issued to the card. not sure if PKCS#15 has any
way to implement something like that.

Regards, Andreas
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: [opensc-devel] Secure Messaging - How?

2010-04-06 Thread Viktor TARASOV 
Anders Rundgren wrote:
> OpenSC will get Secure Messaging some day it seems based on the Wiki.
>
> What I don't understand is how you are supposed to use Secure Messaging
> since it works on the APDU-level which is invisible from PKCS #11.
>   

It'll be implemented at the libopensc level.

In ideal case, the PKCS#11 level is not conscious of the secure 
transport layer (STL) presence.
(For a while, in my 'concept proof' implementation, I use a few PKCS#11 
API extensions.)

STL is used when it's imposed to use by operation's ACL.
For a while I consider the ACLs that require the SM, External 
Authentication, PINs and its combinations .

(Another possible, more simple implementation, is to secure the all 
APDUs at the 'send_apdu' level, just before reader->transmit. )

When ACL demands STL, the appropriate callbacks from the dynamically 
loadable SM module is used
to initialize and execute secure transaction. This deviation from the 
normal processing takes place at the libopensc level .

There two types of this SM loadable module:
'local' -- has direct access to the keysets, mostly used for the tests;
'distant'  -- communicates with some distant entity that is capable to 
securize an APDU or to generate secured one.

> Anders
>   

Kind wishes,
Viktor.

> ___
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>
>   


-- 
Viktor Tarasov  

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

[opensc-devel] Secure Messaging - How?

2010-04-06 Thread Anders Rundgren 
OpenSC will get Secure Messaging some day it seems based on the Wiki.

What I don't understand is how you are supposed to use Secure Messaging
since it works on the APDU-level which is invisible from PKCS #11.

Anders
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel