Cryptoki Library
The WWPass Cryptoki library complies with the PKCS #11 Cryptographic Token Interface Standard developed by RSA Laboratories.
The standard defines a cross-platform set of functions that provide access to cryptographic hardware devices. The library can be thought of as a cryptographic token "driver". The main purpose of this library (and of the underlying device) is to support a Public Key Infrastructure (PKI): the device can be used to store key pairs and X.509 certificates securely and to decrypt and sign messages.
Applications
- Mozilla fully supports PKCS #11: both Firefox and Thunderbird can be configured to use cryptographic tokens.
- Another important application that employs the PKCS #11 standard is OpenVPN. It allows users to reach corporate networks securely from anywhere, e.g. from a public Internet access point. This improves mobility and convenience for users without compromising security.
- PKCS #11 may also be used for Linux authentication. This is done with the pam_pkcs11 module, which is inserted into the Linux PAM authentication stack. Removing the PassKey can be used to trigger the Linux screensaver, and the screen can then be unlocked only by inserting the PassKey again.
How WWPass Key Storage works
With WWPass, no application data is kept permanently in a PassKey. All RSA key pairs and certificates are stored in WWPass Data Containers within our core network. The most important point here is that sensitive private data can never be seen by WWPass or even by the User Terminal. All cryptographic calculations requiring RSA private keys take place inside the PassKey, and RSA private keys are encrypted and decrypted only within the PassKey.
The following three features are specific to the WWPass solution:
- The key storage capacity is not limited by the smart card EEPROM size.
- If a PassKey is lost, the PKI data remains accessible through a replacement PassKey.
- PassKey authentication requires Internet access. However, OpenVPN and mail applications are useless without Internet access anyway, and even certificate-based Linux authentication should access the Internet to check whether the certificate has been revoked or is still valid.
