IBM Public Key Cryptography Standard (PKCS)

README

This README file provides information about the IBM Public Key Cryptography Standard (PKCS).


Contents


Overview

As public-key cryptography begins to see wide application and acceptance one thing is increasingly clear: If it is going to be as effective as the underlying technology allows it to be, there must be interoperability standards. Even though vendors may agree on the basic public-key techniques, compatibility between implementations is by no means guaranteed. Interoperability requires strict adherence to an agreed-upon standard format for transferred data. The standards described here provide such a basis for interoperability.

RSA calls the standards described here "Public-Key Cryptography Standards," or "PKCS" for short. The standards consist of a number of components, including PKCS #1, #3, #5, #6, #7, #8, #9, #10 and #12. (PKCS #2 and #4 are no longer active; both have been incorporated into the current PKCS #1). For more information on the PKCS standards,consult the RSA Public-Key Cryptography Standards.

The standards presented here evolved from the following broad design goals:

  1. To maintain compatibility with PEM (the Internet Privacy-Enhanced Mail protocols, described in RFCs 1421-1424) wherever possible, at least to the extent of being able to share certificates and to translate encrypted and/or signed messages back and forth between PEM and PKCS.
  2. To extend beyond PEM in being able to handle arbitrary binary data (not just ASCII data), to handle a richer set of attributes in (extended) certificates, to handle Diffie-Hellman key agreement [DH76], and to handle a richer set of features in digitally signed and enveloped data.
  3. To describe a standard suitable for incorporation in future Open Systems Interconnection (OSI, described in X.200) standards. The standards here are based on the use of OSI standard ASN.1 (Abstract Syntax Notation One, described in X.208) and BER (Basic Encoding Rules, described in X.209) to describe and represent data.

PKCS describes the syntax for messages in an abstract manner, and gives complete details about algorithms. However, it does not specify how messages are to be represented, although BER is the logical choice. Thus PKCS implementations are free to exchange messages in any manner, depending on character set, record size constraints, and the like, as long as the abstract meaning of the messages can be preserved from sender to recipient.

The following is a description of the PKCS packages supplied with the IBM Security Software Development Kit, Java Technology Edition. Note that the IBM PKCS packages require Java 2 and a cryptographic provider to run. The PKCS packages were tested with the IBM JCE provider.

PKCS #1

The pkcs1 package is an implementation of the RSA Encryption Standard as described in PKCS #1 Version 1.5.

PKCS #5

The pkcs5 package is an implementation of the PBKDF1 and PBES1 algorithms described in PKCS#5 Version 2.0. PKCS #5 describes a method for encrypting an octet string with a secret key derived from a password (i.e. password-based encryption standard).

PKCS #7

The pkcs7 package is an implementation of PKCS #7 Version 1.5. PKCS #7 describes a general syntax for data that may have cryptography applied to it, such as digital signatures and digital envelopes. The IBM PKCS implementation supports all the content types defined in this standard, such as Data, SignedData, and EnvelopedData.

PKCS #8

The pkcs8 package is an implementation of PKCS #8 Version 1.2. PKCS #8 describes a syntax for private-key information. Private-key information includes a private key for some public-key algorithm and a set of attributes.

PKCS #9

The pkcs9 package is an implementation of PKCS #9 Version 1.1 (with a number of version 2.0 enhancements). This package includes object representations for the attributes described in the PKCS #9 specifications. PKCS #9 attributes are used in PKCS #7, #8, and #10.

PKCS #10

The pkcs10 package is an implementation of PKCS #10 Version 1.0. PKCS #10 describes a syntax for certification requests. A certification request consists of a distinguished name, a public key, and optionally a set of attributes, collectively signed by the entity requesting certification.

PKCS #12

The pkcs12 package is an implementation of PKCS #12 Version 1.0. PKCS #12 describes a transfer syntax for personal identity information, including private keys, certificates, miscellaneous secrets, and extensions.

pkcsutil

The pkcsutil package provides supporting classes for the various PKCS classes.

S/MIME

The S/MIME package provides supporting classes for the encoding and decoding of S/MIME messages. For more information see S/MIME Home.


Using PKCS

The PKCS packages run with Java 2. After installation, the PKCS classes are located in the javadir\jre\lib\ext\ibmpkcs.jar file. (javadir is the directory where you installed the Runtime Environment.)

To use encryption and other JCE functions, you need the IBM JCE package as part of your Java extensions directory. With the IBM JCE provider, remember to modify your java.security file to specify IBM JCE as your provider after the default Sun provider. The following is an example:

security.provider.1=sun.security.provider.Sun security.provider.2=com.ibm.crypto.provider.IBMJCE

Documentation

For information about the PKCS classes and methods, consult the Javadoc documentation. This documentation is in the javadir\docs\pkcs\pkcsdocs.jar file and on Unix in the javadir/docs/pkcs/pkcsdocs.jar file (javadir is the directory where you installed the Runtime Environment.)

For information about how to use the PKCS classes and methods, consult the PKCS and S/MIME Programming Guide in javadir\docs\pkcs\pguide\index.html and on a Unix system in javadir/docs/pkcs/pguide/index.html (javadir is the directory where you installed the Runtime Environment.)


Additional Cryptography Support

Windows Support: INSTALLATION

If you have configured PKCS to support Windows cryptographic providers and certificate stores then you have to install a DLL that maps Java calls to the Windows operating system. Put the DLL win32/mscapi.dll into your Windows system directory which is on the path (c:/windows, c:/winnt, etc.).

The installation files can be found within docs\native-support.zip

PKCS#11 Token Support: INSTALLATION

PKCS will try to load the DLL "jpkcs11". This name is mangled into a platform dependent library name (jpkcs11.dll on Windows and libjpkcs11.so on most other Unix platforms). This mangled filename is searched in an OS dependent way. You can either put the DLLs into a standard directory or customize the lookup of DLLs. Details depend on your operating system and your JVM.

On Windows put the DLLs (jpkcs11.dll, pkcslog.dll, and pseudotoken.dll) into the Windows system directory which is on the path (c:/windows, c:/winnt, ...).

On most of the other platforms set the environment variable LD_LIBRARY_PATH to include the directory where you installed the shared libraries. The installation files can be found within docs\native-support.zip (on Unix systems they are in docs/native-support.zip).

PKCS#11 Token Support: DEBUGGING

The DLL pkcslog will log all communication between a PKCS#11 DLL and PKCS to a file. Set the environment variable "PKCSLOG" to the token DLL and use "pkcslog" instead of the token DLL name in the constructor of a SSLPKCS11Token. A file pkcslog.txt is written in the current directory of the process.

The "pseudotoken" DLL is a very simple PKCS#11 module that allows to perform some very basic tests in case you do not have a hardware token with a PKCS#11 DLL at hand.


Notices

This edition applies to IBM PKCS and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright International Business Machines Corporation 2000. All rights reserved.

Note to U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the users responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to: The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the information. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this information at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.


Trademarks

IBM is a trademark of International Business Machines Corporation in the U.S., or other countries, or both.

Java is a trademark of Sun Microsystems, Inc. in the U.S. and other countries. The Java technology is owned and exclusively licensed by Sun Microsystems, Inc.

Other company, product, and service names may be trademarks or service marks of others.

THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IBM DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE AND MERCHANTABILITY WITH RESPECT TO THE INFORMATION IN THIS DOCUMENT. BY FURNISHING THIS DOCUMENT, IBM GRANTS NO LICENSES TO ANY PATENTS OR COPYRIGHTS.

(c) Copyright IBM Corporation, 2000. All rights reserved.

(c) Copyright 1997, 1999 Sun Microsystems, Inc.
901 San Antonio Rd., Palo Alto, CA 94303 USA.
All rights reserved.