Latest improvements to PKCS #11 - OASIS


Post on 12-May-2021


Page 1: Latest improvements to PKCS #11 - OASISJun-2020 v3.1 2021 PKCS #11 Technical Committee - 2020 4 PKCS #11 V3.0 PKCS #11 Technical Committee - 2020 5 What’s new in PKCS #11 v3.0 •

Latest improvements to PKCS #11

Co-Chairs:

- Tony Cox (Cryptsoft)

- Robert Relyea (Red Hat)

1 PKCS #11 Technical Committee - 2020

Making cryptographic integrations even easier


Synopsis

• Introductions

  • Tony Cox - Cryptsoft

  • Bob Relyea – Red Hat

• Development timeline

• What’s new in PKCS #11 v3.0

• Deployment of PKCS #11 v3.0

• PKCS #11 v3.1

• PKCS #11 v3.2

• Questions


Introductions

• Tony Cox

  • VP Partners, Alliances & Standards - Cryptsoft

  • Previous work includes authentication, identity management and PKI deployments

  • OASIS PKCS #11 TC Co-Chair

  • OASIS KMIP TC Co-Chair & SAM TC Co-Chair

  • KMIP interoperability test lead

• Bob Relyea

  • Principal Software Engineer - Red Hat

  • Long-time NSS developer (since 1996)

  • Worked for IBM, Netscape, iPlanet (aka Sun/Netscape Alliance), AOL, Red Hat, and IBM

  • Currently part of the Red Hat Crypto Team responsible for NSS, OpenSSL, GnuTLS and indirectly responsible for all the crypto in Red Hat.

  • OASIS PKCS #11 TC Co-Chair


PKCS #11 Development Timeline

OASIS PKCS #11

• v2.40: Mar-2015

• v2.40 E01: May-2015

• v3.0: Jun-2020

• v3.1: 2021


PKCS #11 V3.0


What’s new in PKCS #11 v3.0

• New Interface Fetching Call

• New Interfaces for

  • Message-based crypto (inc. returning IV for AEAD algorithms)

  • User Login

  • Cancelling Operations

• New Mechanisms

  • AES XTS

  • SHA3/SHAKE

  • Definition for message-based AES_GCM/AES_CCM

  • SP800-56A

  • SP800-108 (Flexible KDF)

  • HKDF

• Profile Objects


Deployment of PKCS #11 v3.0

• Cryptsoft KMIP Server PKCS #11 Modules

• Cryptsoft PKCS #11 SDKs

• Entrust (nCipher) 12.60

• NSS 3.53 (Mozilla, Red Hat, others)

• RHEL 7.9.z

• RHEL 8.2.z

• Utimaco SecurityServer 4.31

• Utimaco SecurityServer 4.40


PKCS #11 V3.1


What’s new in PKCS #11 v3.1

• New Mechanisms

• HSS – our first post-quantum algorithm

• IKE KDF

• New IV Generator (TLS 1.3)

• XML Test Cases for Profiles

• Documentation Changes


XML Based Test Cases for Profiles

• Standardized XML representation of test cases for each profile

• Meaningful testing possible

• Significant step towards interoperability testing & conformance


XML Based Test Cases for Profiles


Basic Example – no variables


XML Based Test Cases for Profiles


Basic Example – with Variables


PKCS#11 Documentation Changes

PKCS #11 Base Specification V3.0

1. Introduction

2. Platform and compiler…

3. General data types

4. Objects

5. Functions

6. PKCS #11 Conformance

Appendices

PKCS #11 Current Mechanisms V3.0

1. Introduction

2. Mechanisms

3. PKCS #11 Conformance

4. Appendices

PKCS #11 Specification V3.1

1. Introduction

2. Platform and compiler…

3. General data types

4. Objects

5. Functions

6. Mechanisms

7. PKCS #11 Conformance

Appendices


PKCS#11 Documentation Changes

Releases: 2.40, 3.0, 3.1

Documents:

• PKCS #11 Base Specification

• PKCS #11 Specification

• PKCS #11 Current Mechanisms

• PKCS #11 Profiles

• PKCS #11 Historical Mechanisms


PKCS #11 V3.2


What’s scoped for PKCS #11 v3.2

• Asynchronous processing for key generation

• Updates for CKM_ECDH_KEY_WRAP

• FIPS 140-3 changes

• XMSS

• Profile updates


Questions
