If you have specific questions, let me know
My application is the Replicator, a program that maintains a mirror of
a set of files on subscriber client machines using only ordinary HTTP
protocol.
I would like to extend it to serve the original requestors, a group of
internationals drug researchers sharing confidential data. They want
to be able segregate the database into groups and allow individuals
access to some subset of those files.
I thought I might handle it this way.
I issue thumbdrives to each user, each with an embedded private key,
that is not changeable or discoverable.
I encrypt the various sections of the database with a different
symmetric key. I then send a copy of the keys to the sections of the
database they are permitted to access to the various subscribers
encrypted with their public keys.
The private key cannot be duplicated, though of course I have no
control of a subscriber sharing decrypted information inappropriately.
I can cut off access to updates to data, by changing the symmetric key
of a section of the database and resending the encrypted keys to the
subscribers via an automated, transparent process. I can also
re-encrypt and resend data. This blocks further access, though of
course does not block access to any thing previously decrypted.
In the world of drug research, participants are very cautious about
what data they share with whom. Currently, everyone sees everything.
This inhibits sharing.
I can't seem to get any information that would let me know how to CODE
this. All is glowing warm fuzzy sales literature telling me how
wonderfully secure all will be.
I presume there must be some sort of PKCS11 driver. I presume there
is some way I can get it at, much the way I can get at a
private-public key in a keystore, but some algorithms I request are
actually computed by the thumbdrive itself. Presumably then the set
is very limited.
At the minimum I need a way to decrypt a symmetric key with a fob's
private key and get the fob to disclose it public key.
Failing that, I need some one-way mechanism to load the fob with some
private keys, in a way that is not reproducible or discoverable, and
have it do some sort of hash/decrypt with them on chip for me later.
What I would hope to find is COMPLETE sample code for various
applications, and install instructions for the drivers, or perhaps
software simulators for the fobs so you experiment with the software
and the fob's abilities without having to buy a great basket of them
just to find out what they can do.