-
Notifications
You must be signed in to change notification settings - Fork 5
/
Copy pathReadMe.txt
231 lines (172 loc) · 10.2 KB
/
ReadMe.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
------------------------------------------------------------------------------------
PKCS#11 Load Test Tool
------------------------------------------------------------------------------------
---------------------------
OVERVIEW
---------------------------
Many Government agencies and commercial organizations use PKI security tokens or
smartcards that utilize various proprietary token or smartcard PKI implementations and/or
openly accredited standards such as FIPS-201 (PIV).
For US Government agencies FIPS-201 is normally mandatory. Both FIPS-201 and virtually
all proprietary and standards based PKI implementations implement PKCS#11 at the operating
system or middleware API level. This is essential for interoperability. This API is more
commonly called Cryptoki, pronounced crypto-key and short for cryptographic token interface
There has been little work done on tools to load test the entire PKI channel, which seems
to be a missing test tool given the complexity of the channel, which typically looks like;
Calling Application > Middleware or Windows Cryptoki > OS > PC/SC > USB > Reader > Token
Interface > JavaCard VM > FIPS-201 JC Applet > Hardware Crypto Engine and memory > Applet
> JCVM > Token Interface > Reader > USB > PC/SC > OS > Cryptoki > Calling Application
There are clearly many areas for issues in the channel above, and historically it has been
difficult to find problems such as memory leaks at the various software and hardware
levels. There is also the potential that some smartcards or tokens may have issues that
may reduce the useful life of the tokens well below the stated MTBF. It is also possible
that the security tokens may fail due to ‘false positives’ in their tamper prevention
mechanisms. Finally, it is useful to be able to test PKCS#11 implementations under
simulated load for performance purposes (i.e. against a HSM or Remote Desktop instance
via a LAN/WAN network).
This simple test tool has therefore been developed to perform a common PKI cryptographic
use-case using the Cryptoki PKCS#11 API many times in quick succession, providing a
‘load test’ environment that will validate or assist in identifying both integrity and
performance issues by inducing failures quickly.
The test sits at the application level and as such exercises the entire channel other
than the "Calling Application" in conjunction with PKCS#11 middleware. It exercises
authentication, encryption and digital signature functionality. Other testing would be
necessary to exercise the various possible applications (email, acrobat, word) that would
call Cryptoki.
The test tool can support multiple USB connected smartcard readers and cards/tokens in a
"round robin". With a round robin of two (2), 20,000 transactions can be reached with
most cards in 3 days of continuous testing. The tool is tested with up to 8 cards/readers
in the round robin.
?
---------------------------
SCOPE
---------------------------
The scope of this test tool is as follows:
1) Performs load testing against a PKCS#11 token to provide support in validating
reliability and integrity problems with existing implementations. The PKCS#11 commands
are a simple subset of the total PKCS#11 functionality.
a. Initialise a PKCS#11 library (using a configurable module path)
b. Detect the presence of all PKCS#11 slots and list the available tokens.
c. Read the GlobalPlatform CPLC IC Serial Number for each token using PC/SC
d. Perform a series of typical transactions against all available tokens, [n] number
of times.
One transaction consists of the following PKCS#11 operations:
i. Open Session (Read-only session)
ii. Login (Normal User)
iii. Query Objects (Find Private Key)
iv. Query Objects (Find Public Key)
v. Generate Random Data
vi. Encrypt Block (RSA PKCS)
vii. Digest (SHA-1)
viii. Generate Signature (RSA PKCS)
ix. Verify Signature (RSA PKCS)
x. Decrypt (RSA PKCS)
xi. Logout
xii. Close Session
2) Generate a simple set of reporting outputs in CSV format that record the IC Serial
Number, the output status and data of the above operations. Failures will be logged and
the operator prompted to proceed.
---------------------------
SCOPE EXCLUSIONS
---------------------------
a. The initialisation and personalization of PKCS11/PIV tokens
b. Broad testing of all PKCS11 functionality on a token
c. Broad testing of support for compatibility with commercially available PKCS11
tokens or library modules (Currently, the Charismatics Middleware 1.1 and several
FIPS-201 compliant cards have been provided).
---------------------------
INSTALLATION
---------------------------
This test tool is a self-contained Windows executable, and as such does not need
installation as such. However, it requires the following dependent components to be
installed and working:
a. Microsoft Windows 7 or above (64-bit)
http://www.microsoft.com/windows
b. Microsoft Visual C++ 2010 SP1 Redistributable Package (X64)
http://www.microsoft.com/en-au/download/details.aspx?id=13523
c. A PC-SC compliant smart-card reader
d. A suitable PKCS#11 Library
---------------------------
OPERATION
---------------------------
The test tool operates as a command-line executable, so familiarity with the DOS-style
command-prompt is recommended. By default, the test tool is named ‘PKCS11LoadTest.exe’.
The application has several command-line arguments that configure the behaviour of its
operation. To see a listing of these command-line parameters from within the application, including a description of each, run the executable with the ‘-H’ parameter (for help).
The command-line parameters are as follow:
PKCS11LoadTest [-D] -L <Library> -P <Pin> [-C Count] [-I Interval] [-H]
PARAMETER DESCRIPTION
-L REQUIRED - The full or relative path to the PKCS#11 Library Module
(See the PKCS#11 standard for more information).
Example: ‘-L C:\Windows\System32\cmp11.dll’
-P REQUIRED - The ASCII/Numeric PIN number for the active tokens.
Example: ‘-P 11111111’
-C The number of simulated transactions to perform in this session.
Example: ‘-C 10’
Default: 10
-I The amount of time to wait between transactions in milliseconds’
Example: ‘-I 1000’.
Default: 1000 (1 second)
-D If specified, the application will produce verbose debug information
to assist in diagnosing issues.
NOTE: If you want to use this flag, it is recommended that you pass
it first so that it takes effect immediately, even before further
options processing.
-H Displays the help message and exits.
At a minimum, the PKCS11 module path, User PIN and Key identifier must be supplied, for
example: X:\PKCS11LoadTest.EXE –L cmp11.dll –P 11111111 –K 9C07
NOTES:
a. When running multiple cards in a "round robin" the PIN for all cards must be the same.
b. A separate ‘.log’ file will be created for each card, using the CPLC IC Serial Number
as the name. These will always be appended to so you will need to delete previous
files manually if you wish to start from a clean file.
c. The log file format is an ASCII Comma-Separated Value (CSV) file and has the following
format:
TIMESTAMP,SERIAL,ITERATION,OPERATION,OUTCOME[,DATA]<CRLF>
WARNING! Because this test tool cycles transactions very fast, if an incorrect PIN is
used it is likely that the token will be locked before the operator has time
to respond. In some scenarios this may make the token un-recoverable due to
excess failed PIN attempts or if the System Operator (SO) PIN cannot be
obtained.
?
---------------------------
DEVELOPMENT
---------------------------
The test tool is written in C++, using Microsoft Visual Studio 2010 Professional Edition
- SP1 as the development environment. Aside from the runtime requirements above, there are
no special installation steps necessary.
To open the project, simply click on the PKCS11LoadTest.vcxproj file or PKCS11LoadTest
solution.
This project is hosted using Google Code at the following repository location:
https://code.google.com/p/pkcs11-load-test/
This project can be checked out anonymously, using the following subversion command:
svn checkout http://pkcs11-load-test.googlecode.com/svn/ pkcs11-load-test-read-only
---------------------------
LICENSE
---------------------------
This application is licensed under the MIT License, a copy of which is provided below:
The MIT License (MIT)
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
---------------------------
REFERENCES / STANDARDS
---------------------------
PKCS#11 http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/pkcs-11-cryptograph
ic-token-interface-standard.htm
NOTE: This has been tested against library modules implementing PKCS#11 v2.11
and v2.20 only.
PCSC http://pcscworkgroup.com/
Hide details
Change log
r5 by [email protected] on Today (6 hours ago) Diff
[No log message]
Go to:
Double click a line to add a comment
Older revisions
r2 by [email protected] on Yesterday (36 hours ago) Diff
All revisions of this file
File info
Size: 9902 bytes, 219 lines
View raw file