LSM-PKCS11 is a project intended to support the implementation of Lite Security Modules. The targets of such implementations are PKIs (Public Key Infrastructures) for intra-company and network applications that require a non-trivial security level but lack the budget to acquire true (certified) HSMs, whose cost starts at several thousand dollars.
The basic component of LSM-PKCS11 is a multi-threaded daemon that can be hosted on a small dedicated system running Linux (or, if you prefer, Windows NT/2000/XP). It performs a set of cryptographic operations, provided by the OpenSSL library, on well-protected files (Security Boxes) that hold cryptographic items such as public and private keys, secret keys, data objects, certificates and so on.
The daemon's services are accessed over a TCP/IP connection through a shared library (a DLL in the Windows environment) conforming to the PKCS#11 standard developed by RSA Laboratories, also known as Cryptoki. PKCS#11 is part of the Public-Key Cryptography Standards (PKCS).
In developing LSM-PKCS11 I tried to adhere as closely as possible to the PKCS#11 specification, so as to allow full integration with applications that use the PKCS#11 interface to access security tokens for digital signature, verification and other cryptographic facilities.
The first version of the package supports only a minimal set of cryptographic mechanisms:
RSA, DSA, DES and DES3 encryption and decryption,
RSA and DSA digital signature and verification,
MD2, MD5 and SHA1 digesting.
Once the initial round of testing is complete, the package can easily be extended to support further cryptographic mechanisms.
The initial development didn't cost too much (just a month of evenings and holidays, thanks to the patience of my wife Laura). Beyond this first step, though, any help is welcome to consolidate the package. The remaining activities are:
the deployment of a serious test environment,
the extension of cryptographic capabilities,
the deployment of configuration utilities.
What's New in This Release:
· The project was resumed and integrated with a client digital signature package, namely S3.
· More extensive tests were performed using the Mozilla NSS library.
· Many bugs were fixed. This is the first release candidate.