PrivateKey as Input parameter in JCA engine classes, specify

Peter Bendel (peter_bendel@de.ibm.com)
Wed, 5 Aug 1998 06:51:53 +0000

From: Peter Bendel <peter_bendel@de.ibm.com>
To: <java-security@java.sun.com>
Subject: PrivateKey as Input parameter in JCA engine classes, specify
Date: Wed, 5 Aug 1998 06:51:53 +0000

=0AHello,

here are some comments regarding the interfaces of JCA service provider=
s.

1)
JCA intends to be a framework for different provider packages which may=

implement their algorithms in software or hardware.
The concept of a security access module is to be a black box where the =
outside
world can request security related services
but cannot access private information within the SAM.

A smart card is an example of a hardware token where the private keys c=
annot be
accessed from the outside world.

The problem now is:

If you intend to use software that exploits signing on a smart card as =
a
service provider (e.g. for SignatureSPI) you have no access to the
private key used for signing (they are stored safely on card).

The private key can thus not be an input parameter of the initSign met=
hod of
this provider.
The input can only be an identifier or a reference to a key on the card=
.

By hardwiring the java.security.PrivateKey input parameter into the
Signature.initSign() method JCA makes it extremely difficult
if not impossible to keep a private key secret if the system running th=
e
virtual machine can be accessed by an intruder.

2)
A caller of the getInstance() methods can request a specific algorithm =
and
(optionally) a specific provider.
What is missing from my perspectivie is the ability to request a specif=
ic key
strength, which would result in only returing
a provider that supports the requested key strength

e.g. Signature.getInstance("SHA1withRSA", 512, "PROVIDER_2") for 512-bi=
t RSA.

Peter Bendel, Smartcard Solutions, Tel.: +49-7031-16-4650, Fax
-4888
Dept. 4969, Bldg. 7103-02, Room 02-025 Lotus Notes: bed@ibmde
IBM Deutschland Entwicklung GmbH Internet: peter_bendel@de.ibm.com

Please visit the OpenCard Framework's homepage at http://www.opencard.o=
rg=