
Architecture for Public-Key Infrastructure (APKI)
Copyright © 1998 The Open Group

Hardware Security Devices in the PKI Architecture

It is expected that this section will be revised in a future version of the PKI Architecture to reflect current work within The Open Group on biometric and other authentication devices in conjunction with PKI and SSO architectures.

The PKI Architecture is intended to support at least two kinds of hardware security device: security tokens and cryptographic modules.

Security Tokens

This class of device includes Smartcards, memory cards, time-synchronized tokens, and challenge-response tokens. These devices may provide cryptographic primitives and services, Virtual Smartcard services, and authentication functions.

Smartcards are assumed by the PKI Architecture to provide Virtual Smartcard services. They will also frequently provide at least the key activation and signing components of cryptographic services; they may also provide other cryptographic services.

Memory cards provide only storage; Virtual Smartcard services involving state maintenance (for example, key activation) or cryptography will have to be provided by the memory card's software drivers.
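The following added example (not part of the Open Group document) makes the split described in the two paragraphs above concrete. Both back-ends implement the same Virtual Smartcard interface (key activation followed by signing), but in the simulated Smartcard the PIN check, retry counter and signing all happen behind the card boundary, whereas for the memory card the host-side driver has to keep that state itself and must copy the key into host memory to sign. The signing primitive is stood in for by HMAC-SHA256, and every PIN, key and class name here is a constructed assumption, not an interface defined by the architecture.

```python
"""Virtual Smartcard services backed by a Smartcard versus a memory card.

Added illustration; HMAC-SHA256 stands in for a real signature algorithm,
and all PINs, keys and storage layouts are constructed for this example.
"""
import hashlib
import hmac

MAX_PIN_RETRIES = 3


class VirtualSmartcard:
    """Interface seen by callers: activate_key(pin), then sign(message)."""

    def activate_key(self, pin: str) -> bool:
        raise NotImplementedError

    def sign(self, message: bytes) -> bytes:
        raise NotImplementedError

    def is_locked(self) -> bool:
        raise NotImplementedError

    def key_exposed_to_host(self) -> bool:
        raise NotImplementedError


class SmartcardBackend(VirtualSmartcard):
    """Simulated Smartcard: activation state, retry counter and the key itself
    live inside the card object, and the host driver has no accessor for the key."""

    def __init__(self, pin: str, private_key: bytes):
        self._pin = pin
        self._key = private_key          # never handed back to the host
        self._activated = False
        self._retries_left = MAX_PIN_RETRIES

    def is_locked(self) -> bool:
        return self._retries_left == 0

    def activate_key(self, pin: str) -> bool:
        if self.is_locked():
            return False
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._activated = True
            self._retries_left = MAX_PIN_RETRIES   # successful PIN resets the counter
            return True
        self._retries_left -= 1
        return False

    def sign(self, message: bytes) -> bytes:
        if not self._activated:
            raise PermissionError("key not activated")
        return hmac.new(self._key, message, hashlib.sha256).digest()

    def key_exposed_to_host(self) -> bool:
        return False    # the card performs the signing; the key stays on-card


class MemoryCardBackend(VirtualSmartcard):
    """Memory card: the card is only a byte store (a dict here), so the driver
    has to do PIN checking, retry counting and signing on the host."""

    def __init__(self, card_storage: dict):
        self._card = card_storage           # {"pin_hash": bytes, "key": bytes}
        self._retries_left = MAX_PIN_RETRIES  # state held by the driver, not the card
        self._host_key = None               # key copied into host memory on activation

    def is_locked(self) -> bool:
        return self._retries_left == 0

    def activate_key(self, pin: str) -> bool:
        if self.is_locked():
            return False
        if hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._card["pin_hash"]):
            self._host_key = bytes(self._card["key"])   # key now present on the host
            self._retries_left = MAX_PIN_RETRIES
            return True
        self._retries_left -= 1
        return False

    def sign(self, message: bytes) -> bytes:
        if self._host_key is None:
            raise PermissionError("key not activated")
        return hmac.new(self._host_key, message, hashlib.sha256).digest()

    def key_exposed_to_host(self) -> bool:
        return self._host_key is not None


def sign_before_activation_fails(device: VirtualSmartcard) -> bool:
    """True if the device refuses to sign until the key has been activated."""
    try:
        device.sign(b"document")
    except PermissionError:
        return True
    return False


def demo() -> dict:
    """Drive both back-ends through the same Virtual Smartcard calls."""
    key = bytes(range(32))                                   # constructed key
    smart = SmartcardBackend(pin="1234", private_key=key)
    mem = MemoryCardBackend({"pin_hash": hashlib.sha256(b"1234").digest(), "key": key})
    results = {}
    for name, dev in (("smartcard", smart), ("memory_card", mem)):
        results[name] = {
            "refuses_before_activation": sign_before_activation_fails(dev),
            "wrong_pin": dev.activate_key("0000"),
            "activated": dev.activate_key("1234"),
        }
        results[name]["signature"] = dev.sign(b"document").hex()
        results[name]["key_in_host_memory"] = dev.key_exposed_to_host()
    lockout = SmartcardBackend(pin="1234", private_key=key)
    for _ in range(MAX_PIN_RETRIES):
        lockout.activate_key("9999")
    results["smartcard_locks_after_retries"] = lockout.is_locked()
    return results
```

Both back-ends give callers the same service, which is the point of the Virtual Smartcard abstraction; the difference that matters for a threat model is visible in `key_in_host_memory` and in where the retry counter lives, since for the memory card both the key and the counter are only as well protected as the host driver.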

The figure Hardware Security Devices illustrates how Smartcards and memory cards can be used to support the Virtual Smartcard services.

Figure: Hardware Security Devices

Time-synchronized and challenge-response tokens provide only authentication functionality, and will typically be integrated into the PKI Architecture through modifications to the system security-enabling services (particularly the logon and obtain credentials components of those services).
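As an added example of the integration point just described (this code is not from the Open Group document and its `LogonService` API is an assumption), the logon component below accepts either token type. For a challenge-response token it issues a random single-use challenge and checks the token's HMAC response; for a time-synchronized token it recomputes the code for the current time step, tolerates one step of clock drift, and refuses any code for a step it has already accepted. Secrets and user names are constructed; the HMAC-over-counter scheme stands in for whatever algorithm a real token uses.

```python
"""Logon-service integration of challenge-response and time-synchronized tokens.

Added illustration; the token algorithm (HMAC-SHA256 over the challenge or the
time-step counter) and all secrets are constructed for this example.
"""
import hashlib
import hmac
import os
import struct


def token_response(secret: bytes, challenge: bytes) -> bytes:
    """What a challenge-response token computes from the logon challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def time_code(secret: bytes, step: int) -> str:
    """What a time-synchronized token displays for a given time step."""
    return hmac.new(secret, struct.pack(">Q", step), hashlib.sha256).hexdigest()[:8]


class LogonService:
    """The 'logon / obtain credentials' component, extended for hardware tokens."""

    def __init__(self, token_secrets: dict, step_seconds: int = 60):
        self._secrets = token_secrets        # user -> token seed (constructed)
        self._step = step_seconds
        self._outstanding = {}               # user -> challenge awaiting a response
        self._last_accepted_step = {}        # user -> highest time step already used

    # --- challenge-response tokens ---------------------------------------
    def issue_challenge(self, user: str) -> bytes:
        challenge = os.urandom(16)
        self._outstanding[user] = challenge  # one outstanding challenge per user
        return challenge

    def verify_response(self, user: str, response: bytes) -> bool:
        challenge = self._outstanding.pop(user, None)   # single use: gone after one try
        secret = self._secrets.get(user)
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(token_response(secret, challenge), response)

    # --- time-synchronized tokens ----------------------------------------
    def verify_time_code(self, user: str, code: str, now: float) -> bool:
        secret = self._secrets.get(user)
        if secret is None:
            return False
        step = int(now) // self._step
        for candidate in (step - 1, step, step + 1):          # allow one step of drift
            if candidate <= self._last_accepted_step.get(user, -1):
                continue                                       # already used: reject reuse
            if hmac.compare_digest(time_code(secret, candidate), code):
                self._last_accepted_step[user] = candidate
                return True
        return False
```

Keeping the drift window small and recording the last accepted step are the two checks that turn a code-matching routine into something safe to put in the logon path; the rest of the PKI Architecture sees only a success or failure from this component, exactly as with a password logon.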

Cryptographic Modules

This class of device includes chipsets, bus-connected cryptographic adaptors, and remote cryptographic servers providing cryptographic primitives and services, but not providing user authentication functions.

Cryptographic modules are assumed by the PKI Architecture to provide the full range of cryptographic services (and they may provide direct access to some cryptographic primitives for the convenience of designers of new cryptographic services).

