Feature: Dev Crypto Userspace API
Allow the user space applications directly or indirectly through existing crypto libraries interfacing with the kernel crypto implementation.
- Targeted release: Fedora 14
- Last updated: 2010-07-13
- Percentage of completion: 5%
The /dev/crypto is a special device which is currently in development for the upstream kernel inclusion. This device allows user space applications to directly call the cryptographic routines that are part of the Linux kernel code. Similar device is available also on other kernels.
Separation of the cryptographic primitives into the kernel allows fulfilling the requirements of the new U.S. Government standards (such as FIPS-140-3) in regards to the implementation and usage of the cryptographic algorithms on general purpose operating systems.
This separation allows isolation of the private and secret keys from the user space applications so these critical security parameters (CSP) are not leaked in case the user space applications are for example exploited by malicious users. It also allows proper auditing of any administrative manipulation with these CSP.
Benefit to Fedora
Fedora will be able to declare being the leader in developing and enabling users of the cryptographic algorithms to comply with the newest government standards.
Required steps are:
- /dev/crypto interface built into the kernel
- user space library allowing easy access to the /dev/crypto interface
Optional steps (maybe a feature for Fedora 15):
- PKCS#11 module directly pluggable into the Mozilla NSS crypto library
- Configurable replacement of the crypto implementation in other system crypto libraries such as OpenSSL or libgcrypt
How To Test
The accomplishment of this feature does not require much testing. Mainly the testing will be provided by the tests included in the build of the user space API library. More testing will need to be done when the integration with the existing system crypto libraries is implemented. This testing will be necessary to ensure that by using this kernel API instead of the native crypto algorithm implementations the crypto algorithms supported still work correctly.
No visible changes.
None external dependencies.
None necessary for the required parts of the feature. We would simply not ship the library if it is not completed.
- /dev/crypto kernel cryptographic algorithms interface for user space applications is available in Fedora 14. This feature allows calling the cryptographic algorithms implementations which are included in the kernel, directly from the user space applications and libraries. By separating the cryptographic implementations from the user space higher isolation of critical security parameters (such as private and secret keys) from the potentially exploitable user space code can be reached.
Comments and Discussion