1. CPK Cryptosystem
Combined Public Key Cryptosystem
Theory and Practice
May 14, 2008 Network and Information Security Lab, Peking University
2. Timeline
• 1976: Public Key Cryptography, Public file (Diffie, Hellman)
• 1978: Certificate idea (Kohnfelder)
• 1984: Identity Based Cryptography, the first idea (Shamir)
• 1986: first IBS scheme (Shamir)
• 1988: X.509 Certificate v1, X.500, CA (ITU-T)
3. Timeline
• 1991: PGP, Web of Trust (Zimmerman)
• 1995: X.509 Certificate v3, PKIX
• 1996: SPKI, SDSI
• 2000: No practical IBE scheme had been found since 1984
4. Timeline
• 2001: First practical IBE scheme, from Weil pairing (Boneh, Franklin)
• 2001: Cocks IBE, not bandwidth efficient
• 2004: CPK: key management, IBE, IBS (Nan, Chen)
5. Public File
• Public File (1976)
• Public File (trusted directory) is a key
directory that users could consult to find other
users’ public keys
6. Certificate
• Loren Kohnfelder, “Toward a Practical Public-
Key Cryptosystem”
• Separate trust and look-up
8. PEM (Privacy Enhanced Mail)
• PEM uses ITU’s X.509 Certificate
• X.509 in PEM VS X.509 in X.500
• Bind name and public key
• Access control
• DN can’t be accepted
• Failed :(
9. PGP
• Global distinguished name, by email address
• Need no global TTP or CA
• Web of trust
10. PKIX
Architecture Certificate
11. SPKI
• Simple Public Key Infrastructure, by C. Ellison
• Emphasizes authorization rather than
authentication
• SPKI Certificates bind attributes to the Public Key
directly
13. PKI Challenges
89 PKI in federal agencies of US from 1998 to 2005
14. Identity Based Cryptography
• Idea from Shamir 1984: the public key can be
an arbitrary string.
• The private key is generated by a trusted
authority named PKG (private key generator)
and distributed to users.
• Shamir’s original motivation was to simplify
the certificate management in email systems.
• Identity based encryption (IBE), identity based
signature scheme (IBS).
15. IBC Schemes
• 1986 first IBS scheme
• 2001 first practical IBE scheme
❖ Boneh-Franklin IBE from pairing
❖ Cocks IBE
• 2004 CPK (Combined Public Key)
❖ Support IBE and IBS
16. y Certificates
Certificate vs Identity
Certificate:
  Serial Number: 206
  Certificate for: Bob Smith
  Company: Fox Consulting
  Issued By: Awfully Big Certificate Co.
  Email Address: bsmith@home.net
  Activation: Jan. 10, 2000
  Expiration: Jan. 10, 2002
  Public Key: 24219743597430832a2187b6219a75430d843e432f21e09bc080da43509843
  ABC’s digital signature: 0a213fe67de49ac8e9602046fa7de2239316ab233dec70095762121aef4fg66854392ab02c4
Identity:
  bsmith@home.net
17. Encryption in PKI
[Diagram: Encryption from Sender to Recipient; Certificate Request to the Online Certificate Database; Recipient’s Certificate]
At least 3 steps
18. Encryption in CPK
Identity Based Encryption
[Diagram: Encryption from Sender to Recipient]
Public Key is Recipient’s identity, i.e. the phone number
Only 1 step!
20. Definition
• Setup: run by the PKG, with the security
parameter t as input; the public system
params, and the secret master-key, which will
be kept inside the PKG, as output.
• Extract: run by the PKG, with the params,
master-key and the user’s identity string ID as
input; the user’s private key $d_{ID}$ as output. The
output private key will be sent back to the user
through a secure channel.
21. Definition (cont.)
• Encrypt: run by the user, with params, the recipient’s
ID and message M as input; the encrypted ciphertext
C as output. The sender should get a trusted
copy of params before encrypting.
• Decrypt: run by the receiver, with params, his
private key $d_{ID}$ and the ciphertext C as input;
the decrypted plaintext M as output. The receiver
should authenticate himself to the PKG and
retrieve his private key $d_{ID}$ before decrypting.
22. Definition of IBS
• Also includes four algorithms:
❖ Setup, Extract, Sign and Verify
• The signer’s private key is generated by the
PKG, so the PKG can forge a signature.
• So IBS cannot be used in “non-repudiation”
applications.
23. Applications
• Alternative to PKI, without key and certificate
management.
• Expiration of public keys
• Delegations of decryption keys
24. Key Revocation in PKI
• Check the validity of the certificate/public key
before applying it.
❖ CRL (Certificate Revocation List)
❖ OCSP (Online Certificate Status Protocol)
25. Revocation in IBC
• Identities that can be revoked, such as a hardware
serial number.
• Identities that cannot be revoked, such as an email
address or phone number: Identity’ = Identity ||
time. The private key for the identity appended
with time is valid only for a limited period.
❖ Example: alice@gmail.com || MAY2008
• Mechanisms similar to PKI.
26. CPK (Combined Public Key)
• One of the identity based cryptography schemes
• CPK (Combined Public Key)
❖ First, it is a key management scheme
❖ Second, it provides identity based
encryption and signature schemes.
27. Elliptic Curve Cryptography
G is a point on the elliptic curve
$y^2 = x^3 + ax + b \pmod{p}$,
n is the order of the cyclic group <G>.
Private key d is a randomly selected integer in [1, n-1].
Corresponding public key Q = dG.
28. Private Matrix Generation
In PKG, an RNG produces random integers $s_{ij} \in_R [1, n-1]$ that fill the private matrix:

$$
\begin{pmatrix}
s_{11} & s_{12} & \cdots & s_{1n} \\
s_{21} & s_{22} & \cdots & s_{2n} \\
\vdots & \vdots & \ddots & \vdots \\
s_{m1} & s_{m2} & \cdots & s_{mn}
\end{pmatrix}
$$

The trusted authority PKG (Private Key Generator) generates an
m×n matrix whose elements are randomly generated ECC
private keys (integers in [1, n-1]). The private matrix must be kept
secret inside the PKG.
29. Public Matrix Generation
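In PKG, each element of the private matrix and the corresponding element of the public matrix form a key pair:

$$
\text{private matrix: }
\begin{pmatrix}
s_{11} & s_{12} & \cdots & s_{1n} \\
s_{21} & s_{22} & \cdots & s_{2n} \\
\vdots & \vdots & \ddots & \vdots \\
s_{m1} & s_{m2} & \cdots & s_{mn}
\end{pmatrix}
\qquad
\text{public matrix: }
\begin{pmatrix}
s_{11}G & s_{12}G & \cdots & s_{1n}G \\
s_{21}G & s_{22}G & \cdots & s_{2n}G \\
\vdots & \vdots & \ddots & \vdots \\
s_{m1}G & s_{m2}G & \cdots & s_{mn}G
\end{pmatrix}
$$

The Public Matrix is generated by the PKG from the Private Matrix;
each element of the Public Matrix is the public key of the corresponding
private key in the Private Matrix. The public matrix is publicly available
to all users.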
30. Map Algorithm
$$h_1, h_2, \ldots, h_n \leftarrow H(ID)$$
The map algorithm H(ID) is a cryptographic hash algorithm that maps
an arbitrary string ID to column indexes of the private matrix and
public matrix.
$h_i$ is the index for the $i$-th column of the public/private matrix.
31. Private Key Extraction
In PKG
Input the user’s identity ID.
Map the identity to indexes of the matrix:
$$h_1, h_2, \ldots, h_n \leftarrow H(ID)$$
Select one element from each column of the private matrix by the index:

$$
\begin{pmatrix}
s_{11} & s_{12} & \cdots & s_{1n} \\
s_{21} & s_{22} & \cdots & s_{2n} \\
\vdots & \vdots & \ddots & \vdots \\
s_{m1} & s_{m2} & \cdots & s_{mn}
\end{pmatrix}
$$

Add the selected private keys; the result is the user’s private key
corresponding to his identity ID:
$$d_{ID} = \sum_{i=0}^{n-1} s_{h_i,i} \pmod{p}$$
32. Public Key Extraction
In User
Input the user’s identity ID.
Map the identity to indexes of the matrix:
$$h_1, h_2, \ldots, h_n \leftarrow H(ID)$$
Select one element from each column of the public matrix by the index:

$$
\begin{pmatrix}
s_{11}G & s_{12}G & \cdots & s_{1n}G \\
s_{21}G & s_{22}G & \cdots & s_{2n}G \\
\vdots & \vdots & \ddots & \vdots \\
s_{m1}G & s_{m2}G & \cdots & s_{mn}G
\end{pmatrix}
$$

Add (elliptic curve point add) the selected public keys; the
result is the user’s public key corresponding to his identity ID:
$$Q_{ID} = \sum_{i=0}^{n-1} s_{h_i,i} G$$
33. Identity Based Encryption
CPK-Encrypt (Message, ID, PublicMatrix) {
    CPK-ExtractPublicKey (ID, PublicMatrix) -> PublicKey
    ECIES-Encrypt (Message, PublicKey) -> Ciphertext
}
CPK-Decrypt (Ciphertext, PrivateKey) {
    ECIES-Decrypt (Ciphertext, PrivateKey) -> Plaintext
}
ECIES: Elliptic Curve Integrated Encryption Scheme
34. Identity Based Signature
CPK-Sign (Message, PrivateKey) {
    ECDSA-Sign (Message, PrivateKey) -> Signature
}
CPK-Verify (Message, PublicMatrix, SignerID, Signature) {
    CPK-ExtractPublicKey (SignerID, PublicMatrix) -> PublicKey
    ECDSA-Verify (Message, Signature, PublicKey)
}
ECDSA: Elliptic Curve Digital Signature Algorithm
35. Big Picture
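$$h_1, h_2, \ldots, h_n \leftarrow H(ID)$$
Private matrix, indexed by H(ID):

$$
\begin{pmatrix}
s_{11} & s_{12} & \cdots & s_{1n} \\
s_{21} & s_{22} & \cdots & s_{2n} \\
\vdots & \vdots & \ddots & \vdots \\
s_{m1} & s_{m2} & \cdots & s_{mn}
\end{pmatrix}
\quad\longrightarrow\quad
d_{ID} = \sum_{i=0}^{n-1} s_{h_i,i} \pmod{p}
$$

Public matrix, indexed by H(ID):

$$
\begin{pmatrix}
s_{11}G & s_{12}G & \cdots & s_{1n}G \\
s_{21}G & s_{22}G & \cdots & s_{2n}G \\
\vdots & \vdots & \ddots & \vdots \\
s_{m1}G & s_{m2}G & \cdots & s_{mn}G
\end{pmatrix}
\quad\longrightarrow\quad
Q_{ID} = \sum_{i=0}^{n-1} s_{h_i,i} G
$$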
36. Security
• Collisions
❖ A 32×32 matrix requires the map algorithm to provide
32×5 = 160 bits
❖ Birthday collision after $2^{80}$ accounts
• Collusion
❖ A 32×32 matrix requires 1024 non-linearly related
colluding private keys.
37. Collusion Resistance
• Verification only applications, small matrix
• Without the threat of large scale collusion:
matrix size compatible to collusion scale.
• With the threat of large scale collusion:
❖ extend matrix size
❖ protect private key by hardware
❖ revoke the matrix periodically
38. CPK USB Token
CPK USB Token
[Block diagram: USB Interface; 32-Bit Secure CPU; PubKey Crypto Engine; AES, SHA1; CPK ECC; Tamper Resistant Key Storage]
0.6s per ECDSA signature generation or ECDH computation
39. Collision Resistance
• Expand matrix size.
❖ matrix size larger than MAX collusion
amount.
• Tamper resistant module for the protection of
private keys.
❖ Smart Card,
❖ USB Secure Token,
❖ TPM, etc.
40. Original Scheme
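$$h_1, h_2, \ldots, h_n \leftarrow H(ID)$$
Private matrix, indexed by H(ID):

$$
\begin{pmatrix}
s_{11} & s_{12} & \cdots & s_{1n} \\
s_{21} & s_{22} & \cdots & s_{2n} \\
\vdots & \vdots & \ddots & \vdots \\
s_{m1} & s_{m2} & \cdots & s_{mn}
\end{pmatrix}
\quad\longrightarrow\quad
d_{ID} = \sum_{i=0}^{n-1} s_{h_i,i} \pmod{p}
$$

Public matrix, indexed by H(ID):

$$
\begin{pmatrix}
s_{11}G & s_{12}G & \cdots & s_{1n}G \\
s_{21}G & s_{22}G & \cdots & s_{2n}G \\
\vdots & \vdots & \ddots & \vdots \\
s_{m1}G & s_{m2}G & \cdots & s_{mn}G
\end{pmatrix}
\quad\longrightarrow\quad
Q_{ID} = \sum_{i=0}^{n-1} s_{h_i,i} G
$$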
41. Generalized Scheme
General DH group <g>, private key is s, public key is $g^s$.
Map Algorithm:
$$H(ID) \rightarrow a_1, a_2, \ldots, a_n, \quad a_i \in \mathbb{Z}_p^*$$
Extract Private Key: from the Private Key Set $\{s_1, s_2, \ldots, s_n\}$ and H(ID), the User’s Private Key is
$$d_{ID} = \sum_{i=1}^{n} a_i s_i$$
Extract Public Key: from the Public Key Set $\{g^{s_1}, g^{s_2}, \ldots, g^{s_n}\}$ and H(ID), the User’s Public Key is
$$Q_{ID} = \prod_{i=1}^{n} (g^{s_i})^{a_i}$$
42. Extensions
• CPK can be established on any cryptosystem
with the property that the combination of key
pairs is still a valid key pair.
• For example:
❖ Cryptosystems based on a Diffie-Hellman
group, in which the private key is an integer d and the
corresponding public key is $g^d$
❖ Cryptosystems based on elliptic curve
cryptography.
43. Extensions
• The CPK scheme can convert any
cryptosystem with key combination property
into identity based cryptosystem, not only IBE
and IBS, but also:
❖ Identity based Signcryption by converting
signcryption schemes based on DH group.
❖ Identity based short signature: convert the BLS
short signature to an identity based short
signature (160-bit signature compared to a
320-bit DSA or ECDSA signature).
44. Advantage of CPK
• Simple
• Efficient, especially for resource constrained
environment, such as embedded device.
• Support different cryptosystems, ElGamal
(ElGamal Encryption, DSA, ...), Elliptic Curve
Cryptography, Pairing Based Cryptography
and others.
45. Key Length
Bits of Security   ECC (CPK)   Pairing (BF-IBE)   RSA
80                 160         512                1024
112                224         1024               2048
128                256         1536               3072
192                384         3840               7680
256                512         7680               15360
46. Performance
• CPK (on Core 2 1.83GHz CPU)
❖ ~ 400 times/s CPK-ECIES encryption,
decryption, CPK-ECDSA signature
verification. ~1900 times/s CPK-ECDSA
signature generation
• Pairing (P3 1GHz CPU)
❖ ~ 30 to 90 times of pairing computation
• CPK is faster and requires less code.
47. Real-world Applications
Secure Email
48. CPK Secure Mail
Original mail:
  To: alice@pku.edu.cn
  From: bob@pku.edu.cn
  Title: hello
  Contents: this is the plaintext message to be signed and encrypted by CPK.
Enveloped mail:
  To: alice@pku.edu.cn
  From: bob@pku.edu.cn
  Title: xxxxxx
  Contents: xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxx xxx
  Signature: xxxxxxxxxxxxxxxxx
[Diagram labels: Encryption key ID; To be encrypted Data; CPK]
49. Real-world Applications
WebIBC:
Identity Based Cryptography
for Client Side Security
in Web Applications
50. Target
• Web based applications like Gmail or Google
Doc can do harm to user security and privacy.
• Our solution: bring public key cryptography to
Web browsers, including public key encryption
and signature generation.
• All the cryptographic operations and key usage
are inside the browser and implemented in
JavaScript and HTML only, require no plug-ins
and provide an “open source” guarantee.
51. Challenges
• Private key: JavaScript can not read keys in
the local file system.
• Public key: acquiring others’ public keys or
certificates is not easy for JavaScript programs
in a Web browser.
52. Solution
• Private key: utilize the fragment identifier in a
bookmark URL as the private key storage. The
fragment identifier in a URL will never be
transferred through the Internet.
http://www.domain.com/#skey=sdfBksLdfljksDjfls=
(the fragment identifier starts from #)
• Public key: in CPK, i.e. an identity based
cryptosystem, the email address or another
meaningful string is the public key.
53. Workflow
[Diagram: PKG, Browser and WebApp, connected by a Secure Channel and a Public Channel; labelled steps: setup, ID, skey, mpk.js, save, URL, webibc.js, mpk.js, message, forward]
54. Workflow
1. The authority trusted by Alice and Bob
establishes a PKG, which will generate the
system parameters including the public matrix.
2. Web application embeds WebIBC into these
systems together with the public system
parameters released by the PKG.
3. Alice registers to the PKG with her ID.
4. PKG returns Alice’s private key.
55. Workflow
5. Alice can append the private key as a
fragment identifier to the Web application’s
URL, then save it as a bookmark into the
browser.
6. Now Alice can use this bookmark to log into
the web application. It should be noted that
the browser will send the URL without the
fragment identifier, so the private key is
secure.
56. Workflow
7. The WebIBC JavaScript files will also be
downloaded from the server, including the
public matrix of system.
8. Alice uses this web application as normal,
entering Bob’s email address and message
content into the form. When Alice presses the
send button, WebIBC JavaScript programs will
get the email address from the form as public
key and get private key from URL, encrypt and
sign the message.
57. Workflow
9. Then the message will be sent to the server.
10. Because the message has been protected, the
Web application can do no evil to the message
but only forward it to Bob. Bob can also log in
to his web application, decrypt the
message with his private key in the fragment
identifier, and verify the message through the
public matrix, similar to Alice.
58. Performance
          0.5KB    2KB      10KB
Safari    1383.7   1,492    2,071
Firefox   1,523    1,661    2,401
IE        1,459    1,698    2,791
Opera     2,110    2,349    3,628
[Bar chart: time in ms (0 to 4000 ms) for 0.5 KB, 2 KB and 10 KB in Safari, Firefox, IE and Opera]
59. Real-world Applications
Code Signing
60. CPK Code Signing
• Code signing is the process of digitally signing
executables and scripts to confirm the
software author and guarantee that the code
has not been altered.
• All sorts of code should be signed, including
tools, applications, scripts, libraries, plug-ins,
and other “code-like” data.
61. Code Signing Overview
• A unique identifier, used to identify the code or
to determine to which groups or categories
the code belongs.
• A collection of checksums of the various parts
of the program, such as the identifier, the main
executable, the resource files.
• A digital signature, which signs the seal to
guarantee its integrity.
62. What it can do
• Content Source: End users can confirm that
the software really comes from the publisher
who signed it.
• Content Integrity: End users can verify that the
software has not been altered or corrupted
since it was signed.
63. What it can NOT do
• It can’t guarantee that the code is free of
security vulnerabilities.
• It can’t guarantee that a program will not load
unsafe or altered code—such as untrusted
plug-ins—during execution.
• It can’t determine how much to “trust” the
code.
• Attacks from administrator.
64. Other Disadvantages
• The user is likely to be bothered with
additional dialog boxes and prompts for
unsigned code that they don’t see with signed
code, and unsigned code might not work as
expected with some system components.
• Computation and storage overhead.
65. Code Signing Applications
• Anti-virus, anti-rootkit
• Parent control
• Trusted computing.
66. Code Signing on Linux
[Diagram: exec(), sys_execve(), mmap(), LSM Hook, Codesign Kernel Module, Netlink Socket, Codesign User-space Daemon, True/False]
67. Code Signing on Linux
• Codesign Tool: used to create, check, and
display code signatures.
• Kernel Module: Implement LSM (Linux
Security Module) hook to check the signature
in ELF.
• User-space Daemon: Do the checking, called
by kernel module through Netlink socket.
68. Code Signing Extension
[Diagram: Check Engine, Policy DB, enterprise admin; Intranet; three Hosts, each with a Daemon, a Kernel Module and a host root]
69. CPK Code Signing in Solaris
• Support signing on ELF binary, Java byte code
and shell scripts.
• Based on Solaris kernel level cryptographic
framework
❖ MPI (multi-precision integer library)
❖ ECC (elliptic curve cryptography library)
❖ Block cipher, Digest algorithms ...
70. User Space
execl( ) execle() execv()
execve ( )
execve()
_syscall( SYS_execve )
Kernel Space
71. Kernel Space
uts/common/os/exec.c
exece()
exec_common()
gexec()
switch (exectype)
elf a.out script java
elfexec() aoutexec() intpexec() javaexec()
functions in kernel modules: uts/common/exec/*
72. Kernel Space (with CPK)
uts/common/os/exec.c
exece()
exec_common()
gexec()
switch (exectype)
elf a.out script java
elfexec() (with CPK signature checking)   intpexec() (with CPK signature checking)   javaexec()
73. CPK Kernel Modules
uts/common/exec/elf (with CPK checking)
uts/common/exec/intp (with CPK checking)
common/crypto/cpk (Policy, Pub Matrix)
common/mpi
common/crypto/ecc
common/crypto/sha1,sha2
74. Real-world Applications
CPK in Solaris
75. CPK Crypto Library
• A module of libcrypto
• Support error stack
• Support Id based cryptography
• Support ASN.1 encoding
• Support PKCS #7 cryptography message
syntax
76. Compatible to Standards
• SECG (Standards for Efficient Cryptography
Group) SEC 1: Elliptic Curve Cryptography,
version 1.7 (current working draft).
• IBCS (Identity Based Cryptography Standard),
the identity syntax (draft).
• PKCS #7: Cryptography Message Syntax
• PKCS #11: Cryptographic Token Interface
• ASN.1/DER encoding
77. Supported Platforms
• Solaris, loadable module
• POSIX, CPK library
• Win32, CPK library, require pthread Win32
• Java, on Solaris with Cryptographic
Framework supported.
78. CPK Soft Token
CPK Software Stack
79. CPK Hard Token
CPK Hard Token (current)
80. OpenSolaris cryptoadm
# cryptoadm list -vm
Provider: /SunStudioProjects/p11/dist/Debug/Sun12-Solaris-x86/libcpkp11.so
Number of slots: 1
Slot #1
Description: CPK Crypto Softtoken
Manufacturer: Guan Zhi
PKCS#11 Version: 2.20
Hardware Version: 0.0
Firmware Version: 0.0
Token Present: True
Slot Flags: CKF_TOKEN_PRESENT
Token Label: CPK PKCS#11 Software token
Manufacturer ID: Guan Zhi
Model: 1.0
Serial Number:
Hardware Version: 0.0
Firmware Version: 0.0
UTC Time:
PIN Length: 0-0
Flags: