The Public Key Infrastructure (PKI) in PKCS #11

Infineon Security Platform

Infineon Security Platform Solution

The Public Key Infrastructure (PKI) in PKCS #11

The PKCS #11 standard defines a common interface for creating, using, and administrating certificates and cryptographic keys. Each implementation of this interface provides a specific approach to the underlying technology, as PKCS #11 makes no statement about the cryptographic token that realizes the core functionality. Solutions on market exist, which are based on software as well as on smart cards or specialized hardware cryptographic modules. Each PKCS #11 compliant library implements its own way how to include such special devices and how to utilize them to generate and handle cryptographic relevant data.

As PKCS #11 defines a platform independent interface, different solutions from a wide range of manufacturers exist and the standard is supported on a lot of platforms and operating systems.

PKCS #11 compliant libraries provide their functionality through a well defined interface. Depending on the primary target of an implementation, a PKCS #11 library may support only a subset of the defined interface.

To build up a PKI, the applications utilizing a PKCS #11 module require access to a persistent storage that provides a secure and reliable data storage for user certificates and private keys. PKCS #11 makes no statement about this storage mechanism. As a common used mechanism, directory services have proven to be a usable way to provide the requested functionality. Access to such directory services is very often realized using the lightweight directory access protocol (LDAP).

Windows 2000 / XP does not contain a native PKCS #11 library, so this feature has to be added by third party products. The Infineon Security Platform Solution Software comprises a library implementing the PKCS #11 interface, which utilizes the Trusted Platform Module to perform the most sensitive cryptographic operations like key generation.

Several independent implementations of the standard can be located on the same system. It is a common feature that applications using these libraries have to be configured in an extra step to  correctly access the respective modules.

Applications based on PKCS #11 have nevertheless to implement all the administrative work needed to provide the data required to handle the PKCS #11 functionality.

Application developers can take advantage of the complete functionality of public key-based security mechanisms by using different PKCS #11 implementation modules without need to make any changes to the platform or the software system they are operating on. Furthermore, enterprises will also be able to administrate their environment and applications with tools and policies that are consistent all over the organization.

To enable other users to read encrypted messages or to verify signed e-mails the user certificates have to be stored in a public directory. This directory is normally located on a server that is reachable from within the concerned organization unit.

 

The basic components of a public key infrastructure include digital certificates, certificate revocation lists, and certification authorities. Enterprise administrators must ensure that a public key infrastructure is in place before they actually start using public key cryptography in their networks.

Setting up a PKI within an organization involves the following steps:

  • Installing a certificate server
  • Defining a third party certificate service provider
  • Configuring Mozilla Firefox to utilize the Infineon Security Platform PKCS #11 library
  • Obtaining certificates from a certification authority for client authentication

This guide gives you an overview of some of the items listed above and points you to links that provide more information on these topics.

After an upgrade of Security Platform Solution Software, applications that use Security Platform Solution through the PKCS#11 interface may not work as expected, because the PKCS#11 DLL (ifxtpmck.dll) is now located in the Security Platform Solution Software installation directory. In former product versions, it was located in the system32 directory. Applications have to be reconfigured to load ifxtpmck.dll from the new location.

©Infineon Technologies AG