HSM for Dummies

3 The Interface: The Key to the Application PKCS#11 Cryptographic Token Interface Standard This standard (also called Cryptoki) is an API for HSMs (in a broad sense) that store cryptographic information and run cryptographic operations. PKCS are essentially Public Key Cryptography Standards developed from 1991 onwards by the RSA Laboratories. PKCS#11 was developed up to Version 2.30 by RSA Labs. The Organization for Advancement of Structured Information Standards (OASIS) took over the development in 2013. This interface is currently the most widely used generic interface for accessing security modules. Benefits One of the key benefits of the PKCS#11 interface is interoperability between application and security module. PKCS#11 also offers a universal approach for symmetric as well as asymmetric cryptographic methods. Downsides However great the aforementioned interoperability may be, many manufacturers have installed enhancements, or vendor defined mechanisms, in their PKCS#11 implementation, and so have reduced the benefit of manufacturer neutrality to absurdity. The standard has also developed such a high level of complexity that attacks on the interface in particular have very high success rates with sequences of commands. Take a look at this article, http://www.dsi.unive.it/ ~focardi/Articoli/bmfs-ASA09.pdf, which describes the problem very well. JCE: Java Cryptography Extension The Java Cryptography Extension (JCE) is an interface of the Java programming language, and at the same time a framework for cryptographic tasks such as encryption, signature generation and key management. It’s been part of the Java platform since JDK 1.4. The JCE is part of the Java Cryptography Architecture (JCA). The split into JCE and JCA meant that in the past the API could comply with US restrictions for cryptography. Because the JCA contains only hash functions, key generators and so on, they could be freely exported. The JCE is based on a provider model that enables programmers to link in different cryptographic models. The JCE is independent of the implementation of the 23 /bmfs-ASA09.pdf