In this document we'll give an introduction to hardware-assisted cryptography. We'll talk a bit about PKCS #11, the 'standard' API for smartcards and hardware cryptography modules. We'll also discuss the OpenSSL EVP API, which has, amongst others, a PKCS #11 backend.
We'll also give some pointers about how one would go about getting these magical machines working, with some specific examples of the hardware we've had the honour of playing with. In the main part of this document, we'll give two tutorials on programming your own applications to talk to these machines.
Some knowledge of cryptography is assumed. In particular, we won't discuss specific algorithms or best practices. These depend largely on the intended use, and there are other, more extensive documents that handle these subjects. In the examples given, we keep to a few commonly used algorithms, but this is in no way a reason to choose them over others.
Thanks go out to the gentle people at AEP Networks, for providing a Keyper HSM to test with.
This document is available in its entirety in a PDF version suitable for either viewing or printing.
The code examples can be found in this directory.
This is version 1.0 of the document, dated May 2008. If you find an error, have any comments, or would like to see this document extended, please let me know at jelte@NLnetLabs.nl