A PKCS #11 Signing Provider for OpenSSL - Reinhard Buendgen, IBM
- Published: 3 Oct 2023
In this presentation, the authors describe how a hardware security module (HSM) can be used to strengthen the security of a TLS connection implemented with OpenSSL 3.x. The presentation points out that the OpenSSL and PKCS #11 APIs are not really compatible. This is due to the differing OpenSSL and PKCS #11 data structures for keys, to the OpenSSL 3.0 provider architecture, and to how physical HSMs implement the PKCS #11 standard. One conclusion from this analysis is that implementing a generic PKCS #11 provider for today's OpenSSL provider scheme leads to complications in many ways. However, it is possible to separate the keys used in the TLS protocol into two key subspaces: the non-ephemeral keys used in the handshake, and all other keys. It is possible to implement a provider for the first key subspace, which comprises the signing keys used by TLS. The pkcs11-sign provider described in this presentation uses a PKCS #11 interface to call signing functions in an HSM. We hope this presentation triggers a fruitful discussion on how to better combine the two most popular cryptographic APIs.