Cryptography in Solaris

The Solaris Cryptographic Framework has been my main project for the past 4 years at Sun. Solaris 10 will be the first release where we have public interfaces to cryptography APIs in userland and in the kernel. To find out more about the Solaris Cryptographic Framework, have a look at the docs.sun.com guide. The framework supports automatic failover between hardware and software and includes implementations of common cryptographic algorithms, some of them optimized for SPARCv9 and AMD64.

One of my favourite things about the Solaris Cryptographic Framework is the ability to specify a system-wide policy for which algorithms applications that use the framework are allowed to use. For example, disabling the software DES from userland and kernel is as simple as this:

# cryptoadm disable provider=des mechanism=CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC
# cryptoadm disable provider='/usr/lib/security/$ISA/pkcs11_softtoken.so' mechanism=CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC

Where "des" is the name of the kernel provider and "pkcs11_softtoken.so" is the userland provider.
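
One way to confirm the policy took effect, as an added example that is not part of the original post or of Sun's tooling: the script scans `cryptoadm list -p` output for the two providers above and reports any of the four DES mechanisms that are still enabled. The function names, the line format it parses ("<provider>: all mechanisms are enabled, except ...") and the sample text are assumptions constructed for illustration.

```shell
# Added example: audit the DES policy set by the two cryptoadm commands.
WANT="CKM_DES_ECB CKM_DES_CBC CKM_DES3_ECB CKM_DES3_CBC"
PROVIDERS='des /usr/lib/security/$ISA/pkcs11_softtoken.so'

# Reads policy text on stdin (on a Solaris host: cryptoadm list -p) and
# prints "<provider> <mechanism>" for each mechanism that is still enabled.
# Exit status: 0 = policy fully applied, 1 = at least one gap.
# Assumed line format: "<provider>: all mechanisms are enabled, except A,B."
des_policy_gaps() {
    awk -v want="$WANT" -v provs="$PROVIDERS" '
    BEGIN {
        nw = split(want, w, " "); np = split(provs, p, " ")
        for (k = 1; k <= np; k++) pending[p[k]] = 1
    }
    {
        i = index($0, ": ")
        if (i == 0) next                      # headings, rulers, blanks
        name = substr($0, 1, i - 1)
        if (!(name in pending)) next          # provider we do not audit
        delete pending[name]
        if ($0 ~ /all mechanisms are disabled/) next
        split("", off)                        # reset the disabled set
        rest = $0
        if (sub(/.*all mechanisms are enabled, except /, "", rest)) {
            sub(/\..*/, "", rest)             # drop ". random is enabled."
            n = split(rest, m, ",")
            for (j = 1; j <= n; j++) { gsub(/ /, "", m[j]); off[m[j]] = 1 }
        }
        for (j = 1; j <= nw; j++)
            if (!(w[j] in off)) { print name, w[j]; bad = 1 }
    }
    END {
        # A provider missing from the listing cannot be confirmed.
        for (q in pending) { print q, "NOT_LISTED"; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: softtoken is fully restricted, kernel "des" is not.
sample_policy() {
    cat <<'EOF'
User-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled, except CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC. random is enabled.
Kernel software providers:
==========================
des: all mechanisms are enabled, except CKM_DES_ECB,CKM_DES_CBC.
EOF
}
```

Run against the constructed sample, it flags the kernel "des" provider because only the single-DES mechanisms were disabled there.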

In addition to the cryptographic support, Solaris 10 also has support for SASL and improved GSS-API support with the introduction of an SPNEGO mechanism.

About

Darrenmoffat-Oracle