I-PKCS#11 (Cryptoki) iyindinganiso eyakhiwe i-RSA Laboratories yezinhlelo ezisebenzisanayo ezinamathokheni e-cryptographic, amakhadi ahlakaniphile, namanye amadivayisi afanayo kusetshenziswa isixhumi esibonakalayo sohlelo esisetshenziswa ngamalabhulali.
Izinga le-PKCS#11 le-cryptography yesi-Russian lisekelwa ikomiti lokulinganisa lobuchwepheshe “I-Cryptographic Information Protection” ().
Uma sikhuluma ngamathokheni ngokusekelwa kwe-cryptography yesiRashiya, khona-ke singakhuluma ngamathokheni esofthiwe, amathokheni wesofthiwe kanye ne-hardware namathokheni we-hardware.
Amathokheni e-Cryptographic ahlinzeka ngakho kokubili ukugcinwa kwezitifiketi namapheya okhiye (okhiye basesidlangalaleni nabayimfihlo) kanye nokusebenza kokusebenza kwe-cryptographic ngokuhambisana nezinga le-PKCS#11. Isixhumanisi esibuthakathaka lapha ukugcinwa kokhiye oyimfihlo. Uma ukhiye osesidlangalaleni ulahlekile, ungahlala uwubuyisa usebenzisa ukhiye oyimfihlo noma uwuthathe kusitifiketi. Ukulahlekelwa/ukucekelwa phansi kokhiye oyimfihlo kunemiphumela emibi, isibonelo, ngeke ukwazi ukususa ukubethela amafayela abethelwe ngokhiye wakho osesidlangalaleni, futhi ngeke ukwazi ukubeka isiginesha ye-elekthronikhi (ES). Ukuze ukhiqize isiginesha ye-elekthronikhi, uzodinga ukukhiqiza ipheya yokhiye abasha futhi, ngemali ethile, uthole isitifiketi esisha kwesinye seziphathimandla zokunikeza izitifiketi.
Ngenhla sishilo isoftware, i-firmware namathokheni wehadiwe. Kodwa singacabangela olunye uhlobo lwethokheni ye-cryptographic - ifu.
Namuhla ngeke umangaze muntu ... Konke ama-flash drive acishe afane nalawo ethokheni yefu.
Into eyinhloko lapha ukuphepha kwedatha egcinwe kuthokheni yefu, ngokuyinhloko okhiye abayimfihlo. Ingabe ithokheni yefu inganikeza lokhu? Sithi - YEBO!
Ngakho-ke ithokheni yefu isebenza kanjani? Isinyathelo sokuqala ukubhalisa iklayenti efwini lethokheni. Ukwenza lokhu, insiza kufanele ihlinzekwe ekuvumela ukuthi ufinyelele ifu futhi ubhalise igama lakho lokungena/isidlaliso kulo:
Ngemva kokubhalisa efwini, umsebenzisi kufanele aqalise ithokheni yakhe, okungukuthi usethe ilebula yethokheni futhi, okubaluleke kakhulu, usethe i-SO-PIN kanye namakhodi we-PIN yomsebenzisi. Lokhu kuthenga kufanele kwenziwe ngesiteshi esivikelekile/ esibethelwe kuphela. Insiza ye-pk11conf isetshenziselwa ukuqalisa ithokheni. Ukuze ubethele isiteshi, kuhlongozwa ukuthi kusetshenziswe i-algorithm yokubethela I-Magma-CTR (GOST R 34.13-2015).
Ukuze kuthuthukiswe ukhiye okuvunyelwene ngawo ngesisekelo sokuthi i-traffic phakathi kweklayenti neseva izovikelwa/ibethelwe, kuhlongozwa ukuba kusetshenziswe umthetho olandelwayo we-TK 26 onconyiwe. - .
Kuhlongozwa ukuthi kusetshenziswe njengephasiwedi ngesisekelo lapho ukhiye owabiwe uzokhiqizwa khona . Njengoba sikhuluma nge-cryptography yesiRashiya, kungokwemvelo ukukhiqiza amaphasiwedi esikhathi esisodwa usebenzisa izindlela CKM_GOSTR3411_12_256_HMAC, CKM_GOSTR3411_12_512_HMAC noma CKM_GOSTR3411_HMAC.
Ukusetshenziswa kwalo mshini kuqinisekisa ukuthi ukufinyelela ezintweni zethokheni yomuntu siqu efwini ngamakhodi e-SO kanye ne-USER PIN kutholakala kuphela kumsebenzisi ozifakile esebenzisa insiza. pk11conf.
Yilokho kuphela, ngemva kokuqeda lezi zinyathelo, ithokheni yefu isilungele ukusetshenziswa. Ukuze ufinyelele ithokheni yefu, udinga nje ukufaka umtapo wezincwadi we-LS11CLOUD ku-PC yakho. Uma usebenzisa ithokheni yefu ezinhlelweni zokusebenza ezinkundleni zokuxhumana ze-Android ne-iOS, i-SDK ehambisanayo inikezwa. Yile labhulali ezocaciswa lapho uxhuma ithokheni yefu kusiphequluli se-Redfox noma ebhalwe kufayela elithi pkcs11.txt le. Ilabhulali ye-LS11CLOUD iphinde ihlanganyele nethokheni efwini ngeshaneli evikelekile esekelwe ku-SESPAKE, edalwe lapho kubizwa umsebenzi we-PKCS#11 C_Qalisa!
Yilokho kuphela, manje usungakwazi uku-oda isitifiketi, usifake kuthokheni yakho yefu futhi uye kuwebhusayithi yezinsizakalo zikahulumeni.
Source: www.habr.com