SKF cryptographic device research

Overview

SKF is the C-language application programming interface standard for smart cards and smart keys under China's national commercial cryptography (GM) standards, and many domestic cryptographic device vendors ship an SKF development kit for their products. Through the unified SKF interface, developers can write cryptographic applications that access USB-Keys, TF cards of various form factors, smart cards and other cryptographic devices from different vendors without being bound to any one vendor's proprietary device or proprietary interface. Two problems remain. First, SKF is a low-level cryptographic device interface: it offers no digital certificate or SSL communication functions, so application developers who need high-level cryptographic functions and code directly against the SKF interface face a large workload. Second, the draft and the officially published SKF standard differ in some of their content, so the SKF implementations of different device vendors differ in important details; these differences make it difficult for an application developer to move from one vendor's device to another's, and harder still to support devices from two vendors in the same application, which typical application scenarios require. To address these problems, the GmSSL project added engine support for SKF devices starting from version 2.0. GmSSL introduces an SKF framework into the libcrypto library that supports SKF devices from different vendors: the vendor's SKF library is loaded dynamically, and the SKF engine wraps the SKF interface behind the EVP interfaces, so upper-layer applications and the SSL library can use the device directly. The GmSSL project also modified the gmssl command-line tool so that all relevant functions, such as the enc, dgst, pkeyutl and sm2utl commands, support the SKF engine, and added a new skf command that provides SKF device management functions.
Once an application developer has initialized the SKF device with the command-line tool, an existing cryptographic application only needs an SKF engine configuration file to use the SKF device through the engine, with almost no code development, which greatly reduces the workload of developing against cryptographic devices. Besides the SKF engine, the GmSSL project also provides an SDF engine for PCI-E cryptographic cards and cryptographic server machines, so an application can choose between low-cost SKF devices and high-performance, high-security-level SDF cryptographic devices.

Logical Devices

GmSSL supports cryptographic hardware through the ENGINE mechanism. Because the published standard "Smart IC Card and Smart Key Cryptographic Application Interface Specification" defines a C-language API for accessing national cryptographic hardware (referred to below as the SKF API), GmSSL supports domestic national cryptographic hardware through the SKF API by way of the ENGINE mechanism. In the SKF API, a device may contain one or more applications (Application), each application may contain multiple containers (Container), and each container can store two key pairs, one for encryption and one for signing, together with the two corresponding certificates or certificate chains. Each container holds only one key type, ECC or RSA; ECC keys and RSA keys cannot be mixed in one container. Public key operations in the SKF API therefore reference the key through the container handle (Container Handle) rather than through the key itself, so the application does not need to distinguish between the signing key and the encryption key: the SKF implementation automatically selects the key of the corresponding type from the container. Using the keys and accessing the container require two stages of authentication: device authentication in the first stage and application authentication in the second. Device authentication requires the device authentication key unique to that device, which is a fixed-length symmetric key. Access to a specific application requires that application's password, which is a variable-length string.
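The device, application and container walk described above, as an added example that is not GmSSL's or any vendor's code: it loads a vendor libskf.so at run time (as the GmSSL engine does), enumerates devices, opens an application, verifies the application PIN and opens a container to ask its key type. Function names and signatures follow the SKF API standard; the library path, application and container names and the PIN are assumptions, and the first authentication stage (device authentication with the device key) is not shown.

```c
/* Added example, not GmSSL's or any vendor's code: walk the SKF model
 * device -> application -> container through a vendor libskf.so loaded at
 * run time. SKF names follow the standard; path, names, PIN are assumptions. */
#include <dlfcn.h>
#include <stdio.h>
typedef unsigned int ULONG;
typedef void *DEVHANDLE, *HAPPLICATION, *HCONTAINER;
#define SAR_OK    0       /* SKF success code */
#define USER_TYPE 1       /* SKF_VerifyPIN: 1 = user PIN, 0 = admin PIN */
typedef ULONG (*EnumDev_t)(int present, char *names, ULONG *size);
typedef ULONG (*ConnectDev_t)(char *name, DEVHANDLE *dev);
typedef ULONG (*OpenApp_t)(DEVHANDLE dev, char *app, HAPPLICATION *happ);
typedef ULONG (*VerifyPIN_t)(HAPPLICATION happ, ULONG type, char *pin, ULONG *retries);
typedef ULONG (*OpenContainer_t)(HAPPLICATION happ, char *name, HCONTAINER *hc);
typedef ULONG (*ContainerType_t)(HCONTAINER hc, ULONG *type);

/* Returns 0 and stores the container type (1 = RSA, 2 = ECC) on success,
 * -1 if the library or a symbol cannot be loaded, -2 on an SKF error. */
int skf_open_container(const char *lib, char *app, char *pin,
                       char *container, ULONG *type)
{
    void *h = dlopen(lib, RTLD_NOW);
    if (!h) return -1;
    EnumDev_t       enum_dev    = (EnumDev_t)dlsym(h, "SKF_EnumDev");
    ConnectDev_t    connect_dev = (ConnectDev_t)dlsym(h, "SKF_ConnectDev");
    OpenApp_t       open_app    = (OpenApp_t)dlsym(h, "SKF_OpenApplication");
    VerifyPIN_t     verify_pin  = (VerifyPIN_t)dlsym(h, "SKF_VerifyPIN");
    OpenContainer_t open_cont   = (OpenContainer_t)dlsym(h, "SKF_OpenContainer");
    ContainerType_t cont_type   = (ContainerType_t)dlsym(h, "SKF_GetContainerType");
    if (!enum_dev || !connect_dev || !open_app || !verify_pin || !open_cont || !cont_type)
        return -1;
    char names[1024];   /* NUL-separated list of present device names */
    ULONG len = sizeof names, retries = 0, rv;
    DEVHANDLE dev; HAPPLICATION happ; HCONTAINER hc;
    if ((rv = enum_dev(1, names, &len)) != SAR_OK) goto err;
    if (len == 0) { fputs("no SKF device present\n", stderr); return -2; }
    if ((rv = connect_dev(names, &dev)) != SAR_OK) goto err;   /* first device */
    /* Second authentication stage: the application's own PIN. The first
     * stage, device authentication with the device key, is not shown. */
    if ((rv = open_app(dev, app, &happ)) != SAR_OK) goto err;
    if ((rv = verify_pin(happ, USER_TYPE, pin, &retries)) != SAR_OK) goto err;
    /* One handle stands for both key pairs: the SKF library picks the
     * signing or encryption key by operation, so the caller never does. */
    if ((rv = open_cont(happ, container, &hc)) != SAR_OK) goto err;
    if ((rv = cont_type(hc, type)) != SAR_OK) goto err;
    return 0;
err:
    fprintf(stderr, "SKF error 0x%08X (PIN retries left: %u)\n", rv, retries);
    return -2;
}
```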

Management Tools

  • After obtaining a cryptographic device, the developer first needs to initialize it: set the passwords, generate key containers, and import keys and certificates.
  • The SKF device can be accessed and managed through the skf command of the gmssl command-line tool, and cryptographic computation, public key export, certificate generation and other functions can be performed through the gmssl pkey, pkeyutl and req commands together with the SKF engine. This section describes the skf command and its usage.
  • The SKF interface covers device management, application management, key container management, data object management and other functions. The skf command wraps these SKF interface functions and can enumerate devices, create applications and key containers, create signing private keys, import decryption private keys, import certificates and more.

Device Management

  • Device management includes enumerating devices, printing device information, setting the device label, changing the device authentication key, sending test messages and other functions.

Enumerating Devices

$ ln -s /path/to/vendors/skf/libSKF.so ./libskf.so
$ gmssl skf -lib ./libskf.so -vendor wisec -listdevs
  Device 0 : /media/guanzhi/99E1-9854

Origin www.cnblogs.com/20189223cjt/p/10964020.html