Howto Speed-Up pkcs11 initialization


Howto Speed-Up pkcs11 initialization

Dominik Fischer
Hi,
I've measured how long the initialization of pkcs11 takes:
With my sc-reader (Omnikey Cardman 4000) it takes 11 seconds with
an OpenSC-Initialized (Starcos SPK 2.3) smartcard.

I'm using the pam_pkcs11 to authenticate the user.

Since there is no feedback to the user during this time, it "feels" veeeery
long.

Is there a way to speed this up? Maybe if I make some assumptions about
the PKCS#15 structure (only one key, only one certificate, ...).

Even if this change doesn't get into the opensc upstream, I would
appreciate any hint where (and what) I have to place (a "private") patch in
the source code.

Thanks!
Dominik Fischer

--
GPG-Fingerprint: F44B 9E31 1654 BCB5 6FBA 910F 46E7 F60C EEF1 67BD

_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel


Re: Howto Speed-Up pkcs11 initialization

Stef Hoeben-2
Hi,

the init of the pkcs11 lib reads the entire card, that's indeed
something that should be improved (but it's not trivial...)

What you could do is:
- put only the keys/cert(s) on the card that you need for the login
- reduce the size of the pkcs15 files (in the profile file, you'll need
  to erase and create the card again)
- "pkcs15-tool -L" writes the certs to your user dir, so this probably
  won't work if you are not yet logged in as a user, but you could change
  the cache dir to be user-independent
- see if there's a faster driver for the card (or a faster reader)

Hope that helps,
Stef

Dominik Fischer wrote:

Hi,
I've measured how long the initialization of pkcs11 takes:
With my sc-reader (Omnikey Cardman 4000) it takes 11 seconds with
an OpenSC-Initialized (Starcos SPK 2.3) smartcard.

I'm using the pam_pkcs11 to authenticate the user.

Since there is no feedback to the user during this time, it "feels" veeeery
long.

Is there a way to speed this up? Maybe if I make some assumptions about
the PKCS#15 structure (only one key, only one certificate, ...).

Even if this change doesn't get into the opensc upstream, I would
appreciate any hint where (and what) I have to place (a "private") patch in
the source code.

Thanks!



Re: Howto Speed-Up pkcs11 initialization

Dominik Fischer
>
> I have similar experience.  pam_opensc was much faster... yeah, they're
> probably whole different beasts and pam_pkcs11 does more, but from the
> average end user point of view there's a big difference in simple tasks
> such as how long it takes to log in.

Do you mean the eid or the ldap part of pam_opensc (or both)?

I've optimized the ldap_mapper for my special needs (if you press
"enter" at the login prompt, the "CN" field of the certificate is used to obtain
information from the ldap server instead of looping over "getpwent()").
I fumble a bit with this. Maybe I will post some improvements to ldap_mapper
in the next days.

But: I've cut it down: for now the slowest part is the init_pkcs11_module()
call (11 seconds in my configuration).

This function does the following:

C_Initialize()
C_GetInfo()
C_GetSlotList()
C_GetSlotInfo() for all found Slots
C_GetTokenInfo() for all found Tokens


Hmmm... maybe I can optimize here? Do I need to call GetSlotList() if I assume
that there's only one slot containing a Token?

So far... I think I will add some debugging output in there to cut it down
even more.


--
GPG-Fingerprint: F44B 9E31 1654 BCB5 6FBA 910F 46E7 F60C EEF1 67BD


Re: Howto Speed-Up pkcs11 initialization

Ville Skyttä-2
On Mon, 2005-11-28 at 21:47 +0100, Dominik Fischer wrote:
> >
> > I have similar experience.  pam_opensc was much faster... yeah, they're
> > probably whole different beasts and pam_pkcs11 does more, but from the
> > average end user point of view there's a big difference in simple tasks
> > such as how long it takes to log in.
>
> Do you mean the eid or the ldap part of pam_opensc (or both)?

The "eid" one, I haven't tried the LDAP one.

(BTW, no need for a personal copy of mails, I'm on the list ;))


Re: Howto Speed-Up pkcs11 initialization

Andreas Jellinghaus-2
btw: I wonder if you could give pam_p11 a try?
it works fine for me, and is a lot faster than the
old pam_opensc (at least if you have many certificates
in your .eid/authorized_certificates). also fewer bugs.

but unlike pam_pkcs11 it does no checks (no signature
checks, no ca cert checks, no chain checks, no crl checks,
nothing. plain, simple, works great for me :).

Regards, Andreas

Re: Howto Speed-Up pkcs11 initialization

Andreas Jellinghaus-2
oh, it would be nice if you could benchmark your
card/reader combo. e.g. using pkcs15-crypt to
sign or decipher some data. (I think we have an example
command sequence in the wiki, if not I can dig one up
for you).

for my egate with cryptoflex a normal sign operation
with all pkcs#15 overhead is still only one second :)
older cards/tokens are a lot slower.

Regards, Andreas

Re: Howto Speed-Up pkcs11 initialization

Dominik Fischer
I need a ldap query for a whitelist check. As far as I know, pam_p11
does not support ldap?

On Monday, 28 November 2005 23:45, Andreas Jellinghaus wrote:

> btw: I wonder if you could give pam_p11 a try?
> it works fine for me, and is a lot faster than the
> old pam_opensc (at least if you have many certificates
> in your .eid/authorized_certificates). also fewer bugs.
>
> but unlike pam_pkcs11 it does no checks (no signature
> checks, no ca cert checks, no chain checks, no crl checks,
> nothing. plain, simple, works great for me :).
>
> Regards, Andreas
--
GPG-Fingerprint: F44B 9E31 1654 BCB5 6FBA 910F 46E7 F60C EEF1 67BD


Re: Howto Speed-Up pkcs11 initialization

Andreas Jellinghaus-2
On Tuesday, 29 November 2005 06:25, Dominik Fischer wrote:
> I need a ldap query for a whitelist check. As far as I know, pam_p11
> does not support ldap?

no, then you need to stick with pam_pkcs11.
pam_p11 only supports files :)

Andreas
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Howto Speed-Up pkcs11 initialization

Jonsy (teleline)
On Mon, 28-11-2005 at 21:47 +0100, Dominik Fischer wrote:
> >
> > I have similar experience.  pam_opensc was much faster...

You can use the "slot_num=xx" option in pam_pkcs11.conf if you
know the exact location of your token. This way, pam_pkcs11
does not need to search through all available tokens.

Please try it and report back.

> I've optimized the ldap_mapper for my special needs (if you press
> "enter" on login prompt, the "CN" field of the certificate is used to obtain
> information from ldap server instead of looping over "getpwent()" ).
> I fumble a bit on this. Maybe I will post some improvements on ldap_mapper
> in the next days

Please :-)

BTW: I'm restarting work on pam_pkcs11. Roadmap for 0.6 is:

1- Configurable way to retrieve CA certs, instead of the fixed hash link,
   to retrieve CAs from "any source" (eg cacert file or ldap server)
2- Use lib_p11 instead of direct pkcs11.
3- New ODBC mapper
4- Fix bugs and add improvements received to current tree
5- Add pam_session and pam_password routines (eg to change the
   PIN by means of the "passwd" command, and prepare to be pkinit aware)

Juan Antonio


Re: Howto Speed-Up pkcs11 initialization

Dominik Fischer
On 29.11.2005, "Jonsy (teleline)" <[hidden email]> wrote:

>You can use the "slot_num=xx" option in pam_pkcs11.conf if you
>know the exact location of your token. This way, pam_pkcs11
>does not need to search through all available tokens.

I will try this. Thanks.

>
>BTW: I'm restarting work on pam_pkcs11. Roadmap for 0.6 is:
>
>1- Configurable way to retrieve CA certs, instead of the fixed hash link,
>   to retrieve CAs from "any source" (eg cacert file or ldap server)
>2- Use lib_p11 instead of direct pkcs11.
>3- New ODBC mapper
>4- Fix bugs and add improvements received to current tree
>5- Add pam_session and pam_password routines (eg to change the
>   PIN by means of the "passwd" command, and prepare to be pkinit aware)

Are you considering implementing OCSP (Online Certificate Status Protocol) for
CRL checks? Since the crl could get very large, downloading it is not
a performant solution.

Have you seen my small patch for debug.c? It sends output to syslog,
which is very helpful (at least for me).

I have pam_pkcs11 in (experimental) use. What I miss are meaningful
messages to the application via the "conv" function, e.g. "There's no
smartcard in the reader". I've implemented this rudimentarily (a "fast hack").
There should be a common function for this. This function should be usable
by pam_pkcs11 and all the mappers, if they need it.

If you like, I could post my hack so you can have a look at it, but I'm
currently reimplementing it. Perhaps it is better to wait for the new function :-).

Regards,
Dominik

Re: Howto Speed-Up pkcs11 initialization

Jonsy (teleline)
On Fri, 09-12-2005 at 14:10 +0100, Dominik Fischer wrote:
> > The new code looks for certs, finds the first one that gets
> > map/find success, verifies it according to the rules and if -and only if-
> > needed, gets the private key to verify the signature.
> > This should improve speed enough to be user friendly.
> > I expect to send patches to svn in a few days
>
> That sounds interesting. Is it possible to extract data (e.g.
> Subject) out of the certificate BEFORE the user has to
> enter the PIN?

Of course. Take a look at the new pkcs11_inspect implementation
just committed to pam_pkcs11 svn. You'll find a real speedup.

> I think of the following:
> - [G|X|K]DM prompts for username
> - User presses <ENTER>
> - pam_pkcs11 do initializing and extracts Username (CN) from
>   (first) certificate
> - pam_pkcs11 prompts for PIN, e.g.: "Please enter PIN for dominik: "
> - pam_pkcs11 checks certificate, matches user, etc.

Well, my code swaps the last two items: the only real reason to ask for the
PIN _in_the_code_ is to check the signature, and the last patches make
this check optional... so, I'll do all the tests, and when a valid
username is found I ask for the pin and call C_Login() to
a) Check the signature -if needed-
b) Ensure that the card is owned by its legitimate user

Otherwise I ask for the pin (as every login program does), but drop it
in the trash without calling C_Login()

> That would be nice for my "customers". Today they get confused
> about their PIN, LDAP-Password, Web-Password and "shredder" their
> cards by entering the wrong PIN 3 times.

Yes, it's a nightmare.... please, be patient... single-sign-on
is on the way... :-)

> By the way:
> I'm working on a PAM-Module (or an extension, maybe  to pam_pkcs11?)
> which allows to mount an encrypted filesystem for user's home.
> The key for the filesystem will be encrypted / decrypted with the
> smartcard.

As soon as I finish coding these features, I'll start to manage the
pam_session and pam_password related items, to allow eg changing the
PIN by means of the password(1) command and maintaining session tickets
(mental note: what's on pkinit?)

So, of course we are interested in your patches/code :-)

Cheers
Juan Antonio Martinez
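The two speed-ups this thread converges on, the init sequence Dominik listed (C_Initialize, C_GetSlotList, C_GetTokenInfo per slot) shortcut by a configured slot_num, and Juan Antonio's flow of mapping the user from the certificate before the PIN is touched so C_Login is only called once a mapping succeeded, as an added example that is not code from the thread, from pam_pkcs11 or from OpenSC. The PKCS#11 calls go through a tiny in-process mock module constructed here (four slots, a token only in slot 2, a fixed PIN of "1234"; all of that is hypothetical), with simplified signatures instead of the real CK_FUNCTION_LIST from pkcs11.h, so it builds and runs without a card or reader:

```c
/* Added example: pam_pkcs11-style slot selection and login flow against a
 * constructed mock PKCS#11 module. Not the real pkcs11.h API. */
#include <stdio.h>
#include <string.h>

typedef unsigned long ck_rv;
typedef unsigned long ck_slot_id;
#define CKR_OK                0x00UL
#define CKR_SLOT_ID_INVALID   0x03UL
#define CKR_PIN_INCORRECT     0xA0UL
#define CKR_TOKEN_NOT_PRESENT 0xE0UL

/* Subset of the entry points named in the thread; simplified signatures. */
struct p11_api {
    ck_rv (*C_Initialize)(void);
    ck_rv (*C_GetSlotList)(int token_present, ck_slot_id *ids, unsigned long *count);
    ck_rv (*C_GetTokenInfo)(ck_slot_id slot, char *label, size_t len);
    /* stands in for C_FindObjects on the public CKO_CERTIFICATE object */
    ck_rv (*get_cert_cn)(ck_slot_id slot, char *cn, size_t len);
    ck_rv (*C_Login)(ck_slot_id slot, const char *pin);
};

/* ---- constructed mock: 4 readers, a token only in slot 2, PIN "1234" ---- */
#define MOCK_SLOTS 4
#define MOCK_TOKEN_SLOT 2
static int mock_tokeninfo_calls;   /* counts the slow per-slot probes */
static int mock_login_calls;       /* counts how often the PIN reached the card */

static ck_rv mock_init(void) { mock_tokeninfo_calls = 0; mock_login_calls = 0; return CKR_OK; }
static ck_rv mock_slotlist(int token_present, ck_slot_id *ids, unsigned long *count) {
    unsigned long n = 0, i;   /* token_present=0 lists every reader, as a full scan does */
    for (i = 0; i < MOCK_SLOTS; i++)
        if (!token_present || i == MOCK_TOKEN_SLOT) { if (ids) ids[n] = i; n++; }
    *count = n;
    return CKR_OK;
}
static ck_rv mock_tokeninfo(ck_slot_id slot, char *label, size_t len) {
    mock_tokeninfo_calls++;
    if (slot >= MOCK_SLOTS) return CKR_SLOT_ID_INVALID;
    if (slot != MOCK_TOKEN_SLOT) return CKR_TOKEN_NOT_PRESENT;
    snprintf(label, len, "%s", "mock token");
    return CKR_OK;
}
static ck_rv mock_cert_cn(ck_slot_id slot, char *cn, size_t len) {
    if (slot != MOCK_TOKEN_SLOT) return CKR_TOKEN_NOT_PRESENT;
    snprintf(cn, len, "%s", "dominik");   /* public object: readable without a PIN */
    return CKR_OK;
}
static ck_rv mock_login(ck_slot_id slot, const char *pin) {
    mock_login_calls++;
    if (slot != MOCK_TOKEN_SLOT) return CKR_TOKEN_NOT_PRESENT;
    return strcmp(pin, "1234") == 0 ? CKR_OK : CKR_PIN_INCORRECT;
}
const struct p11_api mock_module = { mock_init, mock_slotlist, mock_tokeninfo, mock_cert_cn, mock_login };

/* Slot selection. configured_slot < 0 means "no slot_num in pam_pkcs11.conf":
 * every slot is probed with C_GetTokenInfo until one answers. A configured
 * slot is probed exactly once. Returns the slot id or -1. */
long pick_slot(const struct p11_api *api, long configured_slot) {
    char label[32];
    ck_slot_id ids[16];
    unsigned long count = 16, i;
    if (configured_slot >= 0)
        return api->C_GetTokenInfo((ck_slot_id)configured_slot, label, sizeof label) == CKR_OK
               ? configured_slot : -1;
    if (api->C_GetSlotList(0, ids, &count) != CKR_OK) return -1;
    for (i = 0; i < count; i++)
        if (api->C_GetTokenInfo(ids[i], label, sizeof label) == CKR_OK) return (long)ids[i];
    return -1;
}

/* Login flow: map the user from the certificate first; only a successful
 * mapping sends the PIN to the card. Returns 1 on success, 0 when no user
 * mapped (PIN discarded, no C_Login), -1 when C_Login rejected the PIN. */
char last_user[64];
int authenticate(const struct p11_api *api, ck_slot_id slot, const char *pin, const char *allowed_user) {
    if (api->get_cert_cn(slot, last_user, sizeof last_user) != CKR_OK) return 0;
    if (strcmp(last_user, allowed_user) != 0) return 0;
    return api->C_Login(slot, pin) == CKR_OK ? 1 : -1;
}
int tokeninfo_calls(void) { return mock_tokeninfo_calls; }
int login_calls(void) { return mock_login_calls; }

int main(void) {
    mock_module.C_Initialize();
    long s = pick_slot(&mock_module, -1);
    printf("full scan: slot %ld after %d C_GetTokenInfo calls\n", s, tokeninfo_calls());
    mock_module.C_Initialize();
    s = pick_slot(&mock_module, 2);
    printf("slot_num=2: slot %ld after %d C_GetTokenInfo call\n", s, tokeninfo_calls());
    int r = authenticate(&mock_module, (ck_slot_id)s, "1234", "dominik");
    printf("auth result %d for %s, C_Login calls %d\n", r, last_user, login_calls());
    return 0;
}
```

With a real module the probe count translates directly into card I/O: the unconfigured scan costs one C_GetTokenInfo per reader, the configured slot costs one in total. The mapping-before-PIN order also means a card whose certificate does not map to any allowed user never sees a C_Login, so a wrong PIN typed at that prompt cannot count against the card's retry counter.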
