PKCS#11 (Cryptoki) is a standard developed by RSA Laboratories for the interaction of programs with cryptographic tokens, smart cards and other similar devices using a unified programming interface that is implemented through libraries.
The PKCS#11 standard for Russian cryptography is supported by the technical committee for standardization "Cryptographic Information Protection" ().
If we talk about tokens with support for Russian cryptography, then we can talk about software tokens, software and hardware tokens and hardware tokens.
Cryptographic tokens provide both the storage of certificates and key pairs (public and private keys) and the performance of cryptographic operations in accordance with the PKCS#11 standard. The weak link here is the storage of the private key. If the public key is lost, then it can always be restored using the private key or taken from the certificate. The loss/destruction of a private key has sad consequences, for example, you will not be able to decrypt files encrypted with your public key, you will not be able to put an electronic signature (ES). To generate an ES, you will need to generate a new key pair and get a new certificate at one of the certification centers for a certain amount of money.
Above we mentioned software, software-hardware and hardware tokens. But you can consider another type of cryptographic token - a cloud one.
Today you won't surprise anyone . All cloud flash drives are almost one to one inherent in the cloud token.
The main thing here is the security of the data stored in the cloud token, primarily private keys. Can this cloud token provide? We say YES!
And so how does the cloud token work? The first step is to register the client in the token cloud. To do this, a utility should be provided that allows you to access the cloud and register your login / nickname in it:
After registering in the cloud, the user must initialize his token, namely, set the token label and, most importantly, set the SO-PIN and user PIN codes. These operations should only be carried out over a secure/encrypted channel. The pk11conf utility is used to initialize the token. To encrypt the channel, it is proposed to use an encryption algorithm Magma-CTR (GOST R 34.13-2015).
To develop an agreed key, on the basis of which the traffic between the client and the server will be protected / encrypted, it is proposed to use the protocol recommended by TC 26 β .
As a password, on the basis of which the shared key will be generated, it is proposed to use . Since we are talking about Russian cryptography, it is natural to generate one-time passwords using mechanisms CKM_GOSTR3411_12_256_HMAC, CKM_GOSTR3411_12_512_HMAC or CKM_GOSTR3411_HMAC.
The use of this mechanism ensures that access to personal token objects in the cloud via SO and USER PINs is available only to the user who installed them using the utility pk11conf.
Everything, after completing these steps, the cloud token is ready for use. To access the cloud token, it is enough to install the LS11CLOUD library on the PC. When using a cloud token in applications on Android and iOS platforms, the corresponding SDK is provided. It is this library that will be indicated when connecting the cloud token in the Redfox browser or written in the pkcs11.txt file for. The LS11CLOUD library also interacts with the token in the cloud via a secure channel based on SESPAKE, created by calling the PKCS#11 C_Initialize!
That's all, now you can order a certificate, install it in your cloud token and go to the > government services website.
Source: habr.com