Introduction to the Cryptographic Framework

Language:

The Cryptographic Framework provides a common store of algorithms and PKCS #11 libraries to handle cryptographic requirements. The PKCS #11 libraries are implemented according to the RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki) standard.

Figure 1-1 Cryptographic Framework Levels

image:Graphic shows the Application and Kernel levels of the Cryptographic Framework and the plugins at those two levels.

At the kernel level, the framework currently handles cryptographic requirements for ZFS, Kerberos and IPsec, as well as hardware. User-level consumers include the OpenSSL engine, Java Cryptographic Extensions (JCE), libsasl, and IKE (Internet Key Protocol). The kernel SSL (kssl) proxy uses the Cryptographic Framework. For more information, see SSL Kernel Proxy Encrypts Web Server Communications in Securing the Network in Oracle Solaris 11.2 and the ksslcfg (1M) man page.

Export law in the United States requires that the use of open cryptographic interfaces be licensed. The Cryptographic Framework satisfies the current law by requiring that kernel cryptographic providers and PKCS #11 cryptographic providers be signed. For further discussion, see the information about the elfsign command in User-Level Commands in the Cryptographic Framework.

The framework enables providers of cryptographic services to have their services used by many consumers in Oracle Solaris. Another name for providers is plugins. The framework supports three types of plugins:

User-level plugins – Shared objects that provide services by using PKCS #11 libraries, such as /var/user/$USER/pkcs11_softtoken.so.1.
Kernel-level plugins – Kernel modules that provide implementations of cryptographic algorithms in software, such as AES.

Many of the algorithms in the framework are optimized for x86 with the SSE2 instruction set and for SPARC hardware. For T-Series optimizations, see Cryptographic Framework and SPARC T-Series Servers.
Hardware plugins – Device drivers and their associated hardware accelerators. The Niagara chips and Oracle's ncp and n2cp device drivers are one example. A hardware accelerator offloads expensive cryptographic functions from the operating system. Sun Crypto Accelerator 6000 board is one example.

The framework implements a standard interface, the PKCS #11, v2.20 amendment 3 library, for user-level providers. The library can be used by third-party applications to reach providers. Third parties can also add signed libraries, signed kernel algorithm modules, and signed device drivers to the framework. These plugins are added when the Image Packaging System (IPS) installs the third-party software. For a diagram of the major components of the framework, see Figure 1–1.