This discussion is archived
3 Replies Latest reply: Sep 6, 2012 2:03 AM by 959791 RSS

Controlling access to the PKCS11 interface with an on-card applet

959791 Newbie
Currently Being Moderated
Hey everyone,

I wonder if it is possible to control the access to a smart card's PKCS11 interface with an on-card applet. I think I read somewhere, that the PKCS11 interface is independent from the JVM running on the smart card. I will use JavaCard 3.0.2 connected, just in case the answer to this issue should be version-dependent. If it is not possible I also wonder if there is any way to create an strong auth token e.g. a certificate in a smart card applet.

many thanks
  • 1. Re: Controlling access to the PKCS11 interface with an on-card applet
    816119 Journeyer
    Currently Being Moderated
    I wonder if it is possible to control the access to a smart card's PKCS11 interface with an on-card applet
    i think no. Actually your question is not clear. What does it mean "to control access to PKCS11 interface", why does anybody need it? It is possible to create applet which supports functions needed by PKCS11 such as store data, certificate, key objects and crypto operations. But applet is not enough. One needs also to create *.dll for windows or *.so for linux library which provides PKCS11 API for smart-card with the applet.
    I think I read somewhere, that the PKCS11 interface is independent from the JVM running on the smart card
    pkcs11 specification know nothing about JVM. It is API described in C language to work with tokens which are not mandatory java cards.
    If it is not possible I also wonder if there is any way to create an strong auth token e.g. a certificate in a smart card applet
    why not, i do not know what is "strong auth" though.
  • 2. Re: Controlling access to the PKCS11 interface with an on-card applet
    safarmer Expert
    Currently Being Moderated
    The cryptoki interface should already handle the authentication and access control. You still need to provide a user or SO PIN to access the P11 token so the P11 applet would already need to handle this. Using a smart card is no different to using a dedicated HSM. As mentioned, there is middleware required for the host to use a PC/SC based smartcard for a P11 token.

    - Shane
  • 3. Re: Controlling access to the PKCS11 interface with an on-card applet
    959791 Newbie
    Currently Being Moderated
    Ok , I see I should have been even more specfic in the first place. What I want to do is not simple authentication via PKCS11, but I want to control access to the PKCS11 interface. The user is supposed to ensure certain preconditions on the host he is using via remote attestation to the smart card before being able to use the PKCS11 interface to authenticate himself to another party. So what I am basically trying to do is advanced access control on the smart card's functionality. So instead/in addition to a PIN I would like to create another access control mechanism. The reason why I ask for PKCS11 is that it would be the easiest, as most widely deployed, solution. But at some point in my research I read an article mentioning, that the cryptographic functions on the card are executed outside the JVM, thus it might not be possible to control them from inside the JVM. I have considered extending the muscle applet, but I can use the JavaCard connected functionality so I might have to rewrite large parts of it and I would like to get an answer to this issue before putting a lot of work into it. I am aware, that JC connceted is fully backward compatible, but the new functionalities are very tempting, and I think that I can have more possibilities with the new API. If I cannot control access to this interface, I would have to create a token of my own on the card. I am doing this as part of my bachelor thesis just in case anyone wonders why one would even want to try that.

    Edited by: 956788 on 06.09.2012 02:02

    Edited by: 956788 on 06.09.2012 02:03

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points