EldoS | Feel safer!
PKCS#11 - security token, object's remains in memory?

Posted: 04/20/2009 08:53:01
by Arsen Gevorgyan (Standard support level)
Joined: 01/09/2009
Posts: 8

protected override TElMemoryCertStorage GetCertStor()
{
    TElMemoryCertStorage storage = new TElMemoryCertStorage();
    TElPKCS11CertStorage tokenStorage = new TElPKCS11CertStorage();
    tokenStorage.DLLName = DllName;   // path to the vendor's PKCS#11 module

    // slot 0 is assumed to hold the token; open a session in the slot's access mode
    bool ro = tokenStorage.Module.get_Slot(0).ReadOnly;
    TElPKCS11SessionInfo session = tokenStorage.OpenSession(0, ro);
    session.Login(1, "SOME PIN CODE");   // 1 = CKU_USER; the PIN is a placeholder

    // copy the first certificate from the token into the in-memory storage
    // (second argument: CopyPrivateKey)
    storage.Add(tokenStorage.get_Certificates(0), true);
    return storage;
}

We are using the PKCS#11 component to work with a USB security token. There is an X.509 certificate in the token. Using the code above we get the certificate from the token. Everything works fine when the token is plugged in. But the problem is that the code works even if the token is NOT plugged in to the PC (it works once, then we physically remove the token, but the certificate can still be obtained using the code above).
This is a security gap in our application. Could you please advise what is wrong in the code above and how we can make sure that "OpenSession" and "Login" do not work when the token is not physically plugged in.
Posted: 04/20/2009 09:14:09
by Eugene Mayevski (EldoS Corp.)

Are you saying that OpenSession would work the second time, if the token was removed after the first OpenSession?

If yes, then this looks like caching done by the PKCS#11 driver. Most drivers have an option to cache certificates and make them accessible (without private keys, of course) even when the token is not available.

Sincerely yours
Eugene Mayevski
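
The practical consequence of the reply above is that reading a certificate from a PKCS#11 storage proves nothing about whether the token is attached; the driver may serve a cached copy. What does prove it is a fresh private-key operation on the token, verified against the certificate's public key, combined with a check of the slot's CKF_TOKEN_PRESENT flag. The following is an added example, not EldoS/SecureBlackbox code and not part of the original thread. It uses the `cryptography` package for verification and a constructed in-memory stand-in token that reproduces the cached-certificate behaviour so it runs offline; the `Pkcs11Token` adapter shows the same interface against real hardware through PyKCS11 and assumes the module path, slot index and PIN are supplied by the caller (these are placeholders, and that class is not exercised offline).

```python
"""Proof-of-possession check for a PKCS#11 token (added example, not EldoS code)."""
import os
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


class TokenAbsent(Exception):
    """Raised when a private-key operation is attempted with no token in the slot."""


def fresh_nonce() -> bytes:
    """A new, unpredictable challenge for every check; replaying an old one is useless."""
    return os.urandom(32)


def prove_token_possession(token, cert_der: bytes, nonce: bytes) -> bool:
    """True only if the token is present AND signs the nonce with the private key
    that matches cert_der. A readable certificate alone is deliberately not enough:
    the driver may hand back a cached copy with no token attached."""
    if len(nonce) < 16:
        raise ValueError("nonce must be fresh and unpredictable (>= 16 bytes)")
    if not token.slot_token_present():            # CKF_TOKEN_PRESENT on the slot
        return False
    try:
        signature = token.sign(nonce)               # C_Sign with the token-resident key
    except TokenAbsent:
        return False
    public_key = x509.load_der_x509_certificate(cert_der).public_key()
    try:
        public_key.verify(signature, nonce, padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:                        # cached cert, but wrong or no key
        return False
    return True


class FakeToken:
    """Constructed stand-in for driver + token so the example runs offline. It models
    the thread's symptom: the certificate is still served after the token is pulled,
    but the private key leaves with the hardware."""
    def __init__(self, private_key, cert_der: bytes):
        self._key = private_key
        self._cached_cert = cert_der                # what the driver keeps in its cache
        self._present = True

    def remove(self) -> None:
        self._present = False                       # physically unplugging the token

    def slot_token_present(self) -> bool:
        return self._present

    def read_certificate(self) -> bytes:
        return self._cached_cert                    # served from the cache, token or not

    def sign(self, data: bytes) -> bytes:
        if not self._present:
            raise TokenAbsent("no token in slot")
        return self._key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def make_demo_token() -> FakeToken:
    """Build a stand-in token holding a fresh RSA key and a self-signed certificate."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "demo token")])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=1))
            .sign(key, hashes.SHA256()))
    return FakeToken(key, cert.public_bytes(serialization.Encoding.DER))


def make_impostor(cert_der: bytes) -> FakeToken:
    """A present token that has the cached certificate but a different private key."""
    return FakeToken(rsa.generate_private_key(public_exponent=65537, key_size=2048), cert_der)


class Pkcs11Token:
    """Same interface against real hardware via PyKCS11 (assumed installed; module
    path, slot and PIN are placeholders supplied by the caller). Not run offline."""
    def __init__(self, module_path: str, slot: int, pin: str):
        import PyKCS11                              # imported lazily on purpose
        self._p = PyKCS11
        self._lib = PyKCS11.PyKCS11Lib()
        self._lib.load(module_path)
        self._slot = slot
        self._session = self._lib.openSession(slot, PyKCS11.CKF_SERIAL_SESSION)
        self._session.login(pin)                    # CKU_USER

    def slot_token_present(self) -> bool:
        return bool(self._lib.getSlotInfo(self._slot).flags & self._p.CKF_TOKEN_PRESENT)

    def read_certificate(self) -> bytes:
        obj = self._session.findObjects([(self._p.CKA_CLASS, self._p.CKO_CERTIFICATE)])[0]
        return bytes(self._session.getAttributeValue(obj, [self._p.CKA_VALUE])[0])

    def sign(self, data: bytes) -> bytes:
        try:
            key = self._session.findObjects([(self._p.CKA_CLASS, self._p.CKO_PRIVATE_KEY)])[0]
            mech = self._p.Mechanism(self._p.CKM_SHA256_RSA_PKCS)
            return bytes(self._session.sign(key, data, mech))
        except self._p.PyKCS11Error as err:         # e.g. CKR_DEVICE_REMOVED
            raise TokenAbsent(str(err)) from err
```

Run the check every time the application needs the token (for instance right before signing), not once at startup: the thread's failure mode is precisely that a check done while the token was present stays "valid" after it is pulled. Against real hardware, `Pkcs11Token(...)` is passed where `FakeToken` is used here; the possession logic does not change.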


