EldoS | Feel safer!

Software components for data protection, secure storage and transfer

PKCS#11 - security token, objects remain in memory?

Posted: 04/20/2009 08:53:01
by Arsen Gevorgyan (Standard support level)
Joined: 01/09/2009
Posts: 8

protected override TElMemoryCertStorage GetCertStor()
{
    // Copy the token's certificates into an in-memory storage
    TElMemoryCertStorage storage = new TElMemoryCertStorage();
    TElPKCS11CertStorage tokenStorage = new TElPKCS11CertStorage();
    tokenStorage.DLLName = DllName;

    // Open a session on slot 0, read-only if the slot itself is read-only
    bool ro = tokenStorage.Module.get_Slot(0).ReadOnly;
    TElPKCS11SessionInfo session = tokenStorage.OpenSession(0, ro);
    session.Login(1, "SOME PIN CODE"); // 1 = CKU_USER
    storage.Add(tokenStorage.get_Certificates(0), true);
    return storage;
}

We are using the PKCS#11 component to work with a USB security token. There is an X.509 certificate on the token. Using the code above we get the certificate from the token. Everything works fine when the token is plugged in. But the problem is that the code works even if the token is NOT plugged in to the PC (it works once, then we physically remove the token, but the certificate can still be retrieved using the code above).
This is a security gap in our application. Could you please advise what is wrong in the code above and how we can make sure that "OpenSession" and "Login" do not work when the token is not physically plugged in.
Posted: 04/20/2009 09:14:09
by Eugene Mayevski (Team)

Are you saying that OpenSession would work for the second time, if the token has been removed after first OpenSession?

If yes, then this looks like caching done by PKCS#11 driver. Most drivers have an option to cache certificates and make them accessible (without private keys of course) even when the token is not available.

Sincerely yours
Eugene Mayevski
