
From: Christian F. <pu...@fe...> - 2014-07-15 11:56:22

Hello,

while trying to create a CVC CA in EJBCA Community I got the following message:

CVC CA type is not available in this version of EJBCA

Does that mean community edition does not support CVC?

best regards
Christian

From: Tomas G. <to...@pr...> - 2014-07-15 13:29:52

On 2014-07-15 13:38, Christian Felsing wrote:
> Hello,
>
> while trying to create a CVC CA in EJBCA Community I got the following message:
>
> CVC CA type is not available in this version of EJBCA
>
> Does that mean community edition does not support CVC?

That is correct. Since it's so specific for country/government usage there is no possibility to maintain it for free, and the community is pretty small.

Cheers,
Tomas

> best regards
> Christian
>
> ------------------------------------------------------------------------------
> Want fast and easy access to all the code in your enterprise? Index and
> search up to 200,000 lines of code with a free copy of Black Duck
> Code Sight - the same software that powers the world's largest code
> search on Ohloh, the Black Duck Open Hub! Try it now.
> http://p.sf.net/sfu/bds
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop

From: Christian F. <pu...@fe...> - 2014-07-16 06:50:21

On 15.07.14 15:29, Tomas Gustavsson wrote:
> That is correct. Since it's so specific for country/government usage
> there is no possibility to maintain it for free, and the community is
> pretty small.
>
> Cheers,
> Tomas

CVC is not only for government related applications, there is an open source project sc-hsm which also supports CVC, because that card will claim to be suitable for CVC applications. With this card ejbca may become a solution for CVC based applications besides government applications.

At demo.openscdp.org is a demo for EAC-PKI applications.

cheers
Christian

From: Tomas G. <to...@pr...> - 2014-07-16 09:11:03

On 2014-07-16 08:50, Christian Felsing wrote:
> CVC is not only for government related applications, there is an open source project sc-hsm which also supports CVC, because that
> card will claim to be suitable for CVC applications. With this card ejbca may become a solution for CVC based applications besides
> government applications.
>
> At demo.openscdp.org is a demo for EAC-PKI applications.

Cool. I have seen discussions about using CVC also for other things. Would be cool if the website mentioned those use cases a little?

Unfortunately ePassport and eID have for the last years been the main financing for the developers of EJBCA and SignServer. Unfortunately some (only a few) large corporations find that it is nice to have others developing software for them, so they can participate in the same tenders with a low price (since they don't do the development). These are the main drivers for all Enterprise versions of Open Source software today I would say, the need to finance the development balanced with wealthy corporations (only some) over-using the community.

Cheers,
Tomas

> cheers
> Christian

From: Andreas S. <and...@ca...> - 2014-07-16 20:11:18

I guess I have to clarify how the SmartCard-HSM relates to CVCs:

In its core, the SmartCard-HSM is a secure key store for RSA and ECC keys, that unlike other PKI tokens has key management functions that you normally find in large (and expensive) HSMs (Key Backup, Cluster Operation, Key Offloading).

One of these functions is the ability to have a trusted channel between the device and the RA/CA. This trusted channel is established using Chip Authentication known from ePassports and eID cards. But while in Passports the authenticity of the chip authentication public key is based on passive authentication and the docsigner / CSCA certificate, the authenticity in the SC-HSM is proved using a CVC based PKI.

Just like in EAC, where you have a CVCA, DVCA and terminal certificate, in a SmartCard-HSM you have a Scheme Root CA (CRCA), Device Issuer CA (DICA) and a device certificate. The ECC public key for chip authentication is certified in the device certificate and linked to the unique id of the SmartCard-HSM.

In addition, newly generated public keys are exported in the authenticated CVC request format as per TR-03110. The inner signature is provided by the private key, the outer signature by the device authentication key or any other key on the device. The latter is used in an EAC PKI to renew certificates.

The SmartCard-HSM can of course be used with EJBCA, either via OpenSC or using the multithreading-enabled PKCS#11 Module from the sc-hsm-embedded project.

Andreas

On 07/16/2014 08:50 AM, Christian Felsing wrote:
> CVC is not only for government related applications, there is an open source project sc-hsm which also supports CVC, because that
> card will claim to be suitable for CVC applications. With this card ejbca may become a solution for CVC based applications besides
> government applications.
>
> At demo.openscdp.org is a demo for EAC-PKI applications.
>
> cheers
> Christian

--
--------- CardContact Software & System Consulting
|.##> <##.| Andreas Schwier
|# #| Schülerweg 38
|# #| 32429 Minden, Germany
|'##> <##'| Phone +49 571 56149
--------- http://www.cardcontact.de
http://www.tscons.de
http://www.openscdp.org
http://www.smartcard-hsm.com

From: Tomas G. <to...@pr...> - 2014-07-16 20:19:27

Yeah, I read on the demo page about CA as a service, where you keep the CA keys on the smart card, in your control. This is a very interesting and innovative concept I think. Very cool, and well done.

/Tomas

On July 16, 2014 10:11:09 PM CEST, Andreas Schwier <and...@ca...> wrote:
> I guess I have to clarify how the SmartCard-HSM relates to CVCs:
>
> In its core, the SmartCard-HSM is a secure key store for RSA and ECC keys, that unlike other PKI tokens has key management functions that you normally find in large (and expensive) HSMs (Key Backup, Cluster Operation, Key Offloading).
>
> One of these functions is the ability to have a trusted channel between the device and the RA/CA. This trusted channel is established using Chip Authentication known from ePassports and eID cards. But while in Passports the authenticity of the chip authentication public key is based on passive authentication and the docsigner / CSCA certificate, the authenticity in the SC-HSM is proved using a CVC based PKI.
>
> Just like in EAC, where you have a CVCA, DVCA and terminal certificate, in a SmartCard-HSM you have a Scheme Root CA (CRCA), Device Issuer CA (DICA) and a device certificate. The ECC public key for chip authentication is certified in the device certificate and linked to the unique id of the SmartCard-HSM.
>
> In addition, newly generated public keys are exported in the authenticated CVC request format as per TR-03110. The inner signature is provided by the private key, the outer signature by the device authentication key or any other key on the device. The latter is used in an EAC PKI to renew certificates.
>
> The SmartCard-HSM can of course be used with EJBCA, either via OpenSC or using the multithreading-enabled PKCS#11 Module from the sc-hsm-embedded project.
>
> Andreas

[Ejbca-develop] SmartCard-HSM as remote key store / Was: Re: Problem Creating a CVC CA in ejbca 6.2.0

From: Andreas S. <and...@ca...> - 2014-07-21 09:57:08

Would be interesting to get something like this integrated with EJBCA.

That shouldn't be too complicated: The server side is just a small servlet that provides the APDU channel via HTTP to the device on the client side. The servlet talks to OCF on the server and a JCE Provider on top of it.

The CA would just need to access the private key operation via JCE.

Andreas

On 07/16/2014 10:17 PM, Tomas Gustavsson wrote:
> Yeah, I read on the demo page about CA as a service, where you keep the CA keys on the smart card, in your control.
> This is a very interesting and innovative concept I think. Very cool, and well done.
>
> /Tomas

--
--------- CardContact Software & System Consulting
|.##> <##.| Andreas Schwier
|# #| Schülerweg 38
|# #| 32429 Minden, Germany
|'##> <##'| Phone +49 571 56149
--------- http://www.cardcontact.de
http://www.tscons.de
http://www.openscdp.org
http://www.smartcard-hsm.com

From: Andreas K. <ku...@tr...> - 2014-07-21 12:00:24

Hi Andreas,

> Would be interesting to get something like this integrated with EJBCA.
>
> That shouldn't be too complicated: The server side is just a small
> servlet that provides the APDU channel via HTTP to the device on the
> client side. The servlet talks to OCF on the server and a JCE Provider
> on top of it.
>
> The CA would just need to access the private key operation via JCE.

I would go with any security enhancement ... but dtmo the cv-certificates do make sense when two cards interact. If one end is a server with 'usual' security level it does not provide any benefit, does it? Just a strong link to chain but leave the other links weak as they are ...

Greetings,

Andreas Kuehne

--
Andreas Kühne
phone: +49 177 293 24 97
mailto: ku...@tr...
Trustable Ltd.
Niederlassung Deutschland
Ströverstr. 18 - 59427 Unna
Amtsgericht Hamm HRB 5868
Directors Andreas Kühne, Heiko Veit
Company UK Company No: 5218868
Registered in England and Wales

From: Andreas S. <and...@ca...> - 2014-07-21 12:43:11

After the client connects to the server, the server reads the device and
device issuer CV-certificates from the SmartCard-HSM and verifies the
integrity and authenticity of the device authentication public key. This
public key is then used to establish symmetric session keys using ECDH
and an ephemeral key pair at the server. The session keys are
subsequently used to protect all APDU exchange between the server and
the remote device. This happens in the OCF layer and is transparent at
the JCE layer.
Using this mechanism, the CA server knows that it talks to an identified
and authentic remote device. Encryption and MACing in the secure channel
protects all data exchanged, in particular data to be signed by the
private key in the remote device.
CV certificates are used because they are considerably smaller than
X.509 certificates.
The mechanics are similar to TLS server authentication, with the smart
card as the server and X.509 certificates replaced by CV-certificates.
The protection is actually on the APDU layer, HTTP is just used as
transport channel to carry APDU exchange.
Andreas
On 07/21/2014 01:45 PM, Andreas Kuehne wrote:
> Hi Andreas,
>> Would be interesting to get something like this integrated with EJBCA.
>>
>> That shouldn't be too complicated: The server side is just a small
>> servlet that provides the APDU channel via HTTP to the device on the
>> client side. The servlet talks to OCF on the server and a JCE Provider
>> on top of it.
>>
>> The CA would just need to access the private key operation via JCE.
> I would go with any security enhancement ... but dtmo the
> cv-certificates do make sense when two cards interact. If one end is a
> server with 'usual' security level it does not provide any benefit, does
> it? Just a strong link to chain but leave the other links weak as
> they are ...
>
> Greetings,
>
> Andreas Kuehne
>
>
--
--------- CardContact Software & System Consulting
|.##> <##.| Andreas Schwier
|# #| Schülerweg 38
|# #| 32429 Minden, Germany
|'##> <##'| Phone +49 571 56149
--------- http://www.cardcontact.de
http://www.tscons.de
http://www.openscdp.org
http://www.smartcard-hsm.com
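The two mechanics described in this thread, the CRCA / DICA / device certificate chain with the authenticated request (Andreas Schwier's 2014-07-16 message) and the trusted channel above (chain check, ECDH against the device authentication key with an ephemeral server key, session keys, MAC over every APDU), are put into one runnable model here. This is an added example written for this page; it is not code from the thread, from CardContact's SmartCard-HSM products or from EJBCA. It assumes NIST P-256 (implemented in pure Python so it runs with the standard library alone; the real device may use another TR-03110 curve), a simplified certificate body of holder name plus public key instead of the TR-03110 TLV encoding, HMAC-SHA256 in place of the channel CMAC, constructed holder names and APDU bytes, and it shows only the MAC leg of the secure channel since the standard library has no AES.

```python
# Added example, not code from this thread, CardContact or EJBCA. It models, with
# stdlib-only pure-Python P-256 arithmetic, what the thread describes: a CRCA ->
# DICA -> device certificate chain, an authenticated request (inner signature by
# the new key, outer by the device key) and ECDH-derived session keys that MAC the
# APDU traffic. Assumed: simplified holder||x||y certificate bodies (not TR-03110
# TLV), HMAC-SHA256 instead of CMAC, constructed names, MAC leg only (no AES).
import hashlib, hmac, secrets

P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff  # NIST P-256
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def on_curve(pt):
    x, y = pt
    return (y * y - x * x * x - A * x - B) % P == 0

def ec_add(p1, p2):                           # affine addition, None = point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):                            # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = ec_add(r, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return r

def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, ec_mul(d, G)

def h(msg): return int.from_bytes(hashlib.sha256(msg).digest(), 'big')
def i2b(i): return i.to_bytes(32, 'big')

def ecdsa_sign(d, msg):
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (h(msg) + r * d) % N
        if r and s: return (r, s)

def ecdsa_verify(Q, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N): return False
    w = pow(s, -1, N)
    R = ec_add(ec_mul(h(msg) * w % N, G), ec_mul(r * w % N, Q))
    return R is not None and R[0] % N == r

def tbs(holder, pub): return holder + i2b(pub[0]) + i2b(pub[1])   # simplified cert body
def issue(issuer_d, holder, pub):
    return {'holder': holder, 'pub': pub, 'sig': ecdsa_sign(issuer_d, tbs(holder, pub))}

def verify_chain(crca_pub, dica, dev):
    # Server side: DICA cert must verify under the CRCA key, device cert under the DICA key
    return (ecdsa_verify(crca_pub, tbs(dica['holder'], dica['pub']), dica['sig'])
            and ecdsa_verify(dica['pub'], tbs(dev['holder'], dev['pub']), dev['sig']))

def authenticated_request(holder, new_d, new_pub, dev_d):
    # Inner signature proves possession of the new key; the outer one, made with the
    # already-certified device key, tells the CA which device the request came from
    inner = ecdsa_sign(new_d, tbs(holder, new_pub))
    outer = ecdsa_sign(dev_d, tbs(holder, new_pub) + i2b(inner[0]) + i2b(inner[1]))
    return {'holder': holder, 'pub': new_pub, 'inner': inner, 'outer': outer}

def verify_request(req, dev_pub):
    body = tbs(req['holder'], req['pub'])
    return (ecdsa_verify(req['pub'], body, req['inner']) and
            ecdsa_verify(dev_pub, body + i2b(req['inner'][0]) + i2b(req['inner'][1]), req['outer']))

def session_keys(my_d, their_pub):
    # TR-03110 style KDF: SHA-256(shared x-coordinate || 32-bit counter); 1 = K_enc, 2 = K_mac
    x = i2b(ec_mul(my_d, their_pub)[0])
    return tuple(hashlib.sha256(x + c.to_bytes(4, 'big')).digest() for c in (1, 2))

def protect_apdu(k_mac, apdu):
    return apdu + hmac.new(k_mac, apdu, 'sha256').digest()[:8]
def unprotect_apdu(k_mac, msg):              # returns the APDU, or None on MAC failure
    apdu, tag = msg[:-8], msg[-8:]
    return apdu if hmac.compare_digest(tag, hmac.new(k_mac, apdu, 'sha256').digest()[:8]) else None

def demo():
    crca_d, crca_Q = keygen(); dica_d, dica_Q = keygen(); dev_d, dev_Q = keygen()
    dica = issue(crca_d, b'DEDICA00001', dica_Q)           # constructed holder references
    dev = issue(dica_d, b'DEHSM0000000001', dev_Q)
    if not verify_chain(crca_Q, dica, dev): return False    # 1. authenticate the device key
    eph_d, eph_Q = keygen()                                 # 2. ephemeral server key + ECDH
    k_enc, k_mac = session_keys(eph_d, dev['pub'])
    if (k_enc, k_mac) != session_keys(dev_d, eph_Q): return False   # device derives the same keys
    apdu = bytes.fromhex('002a9e9a20') + b'\x00' * 32       # constructed PSO:COMPUTE DS command
    if unprotect_apdu(k_mac, protect_apdu(k_mac, apdu)) != apdu: return False   # 3. MAC leg
    new_d, new_Q = keygen()                                 # 4. export a new key to the CA
    return verify_request(authenticated_request(dev['holder'], new_d, new_Q, dev_d), dev_Q)
```

`demo()` walks the four steps in the order the thread gives them: the server only runs ECDH once the device key has been tied to the CRCA through the DICA, both ends derive identical K_enc/K_mac from the shared x-coordinate, a bit flipped in a protected APDU makes `unprotect_apdu` return `None`, and a request for a freshly generated key carries both the inner proof-of-possession signature and the outer device signature that the CA checks against the device certificate.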

From: Tomas G. <to...@pr...> - 2014-07-22 10:48:12

So for EJBCA a new CryptoToken is probably needed, in order to use your provider (since it is not generic PKCS#11).

That's very isolated code though, and can be done in an almost pluggable way I think.

Cheers,
Tomas

On 2014-07-21 14:43, Andreas Schwier wrote:
> After the client connects to the server, the server reads the device and
> device issuer CV-certificates from the SmartCard-HSM and verifies the
> integrity and authenticity of the device authentication public key. This
> public key is then used to establish symmetric session keys using ECDH
> and an ephemeral key pair at the server. The session keys are
> subsequently used to protect all APDU exchange between the server and
> the remote device. This happens in the OCF layer and is transparent at
> the JCE layer.
>
> Using this mechanism, the CA server knows that it talks to an identified
> and authentic remote device. Encryption and MACing in the secure channel
> protects all data exchanged, in particular data to be signed by the
> private key in the remote device.
>
> CV certificates are used because they are considerably smaller than
> X.509 certificates.
>
> The mechanics are similar to TLS server authentication, with the smart
> card as the server and X.509 certificates replaced by CV-certificates.
> The protection is actually on the APDU layer, HTTP is just used as
> transport channel to carry APDU exchange.
>
> Andreas

From: Andreas S. <and...@ca...> - 2014-07-28 08:11:36

Hi Tomas,

let me know if you would like to get some SmartCard-HSM samples.

I'm not really a J2EE expert, so I'm probably not in a position to code that.

Andreas

On 07/22/2014 12:48 PM, Tomas Gustavsson wrote:
> So for EJBCA a new CryptoToken is probably needed, in order to use your
> provider (since it is not generic PKCS#11).
>
> That's very isolated code though, and can be done in an almost
> pluggable way I think.
>
> Cheers,
> Tomas

--
--------- CardContact Software & System Consulting
|.##> <##.| Andreas Schwier
|# #| Schülerweg 38
|# #| 32429 Minden, Germany
|'##> <##'| Phone +49 571 56149
--------- http://www.cardcontact.de
http://www.tscons.de
http://www.openscdp.org
http://www.smartcard-hsm.com

From: Tomas G. <to...@pr...> - 2014-08-04 11:47:34

Thanks Andreas,

It would be great fun to test. Honestly though, it will be hard to get the time to do it without a business driver at this time unfortunately. There's just too much to do just to have business running.

Cheers,
Tomas

On 2014-07-28 10:11, Andreas Schwier wrote:
> Hi Tomas,
>
> let me know if you would like to get some SmartCard-HSM samples.
>
> I'm not really a J2EE expert, so I'm probably not in a position to code that.
>
> Andreas

From: Anders R. <and...@gm...> - 2014-08-04 14:42:12

I have built a plugin to EJBCA that does secure messaging so it is possible at least. You can test it here: https://mobilepki.org/scc

Yes, it is my take on secure messaging :-)

Anders

On 2014-08-04 13:47, Tomas Gustavsson wrote:
> Thanks Andreas,
>
> It would be great fun to test. Honestly though, it will be hard to get
> the time to do it without a business driver at this time unfortunately.
> There's just too much to do just to have business running.
>
> Cheers,
> Tomas