1 / 17

The CSSM PKCS #11 Adaptation Layer

Learn about adapting technologies using the CDSA infrastructure and maintaining module integrity. This resource explores the CSSM API, PKCS #11 service providers, CDSA integrity model, bilateral authentication, and more for robust security services.

tseaton
Download Presentation

The CSSM PKCS #11 Adaptation Layer

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The CSSM PKCS #11 Adaptation Layer Adapting the Technologies and Obtaining Module Integrity Using the CDSA Infrastructure Matthew Wood matthew.d.wood@intel.com RSA PKCS Workshop October 8th 1998

  2. Summary • What Is CDSA? • The PKCS #11 Service Provider for CDSA • The CDSA Integrity Model • Bilateral Authentication • Signing PKCS #11 Service Providers • More Information

  3. Security Service Add-in Modules What Is CDSA? CDSA defines afour-layer architecturefor cross-platform, high-level security services Applications Layered Security Services CSSM definesa common API & SPIfor security services,& an integrity foundation CSSM Security API Common Security Services Manager Service Provider Interfaces Service Providersimplement selectable security services

  4. CDSA Vendors • Apple’s Security Architecture (MacOS*) • CSP with ECC using Fast Elliptic Encryption (FEE) algorithm, crypto based on discrete logs over GF(p) or GF(2n); Smartcards to follow • Hewlett-Packard (HPUX*) • Software CSP for initial release • IBM KeyWorks*(Windows* 95, Windows NT*, AIX*, others ) • Shipped Sept-97 • Bsafe, PKCS #11 and CCA CSPs • Motorola CipherNet* Toolkit (Windows* 95, Windows NT*) • 160 and 210 ECC CSP; Smartcards to follow • RSA Certificate Security Suite* (CSS) (Windows* 95, Windows NT*) • support for CDSA-based products in 1998 • BSafe and ECC CSPs (odd and even field characteristics) * These marks are the property of their respective owners.

  5. Built using the Intel Multi-service Addin Framework (MAF) The Adaptation Layer (AL) translates CSSM data types to the corresponding PKCS #11 types The AL performs session management as required by the requests made through the CSSM SPI The PKCS #11 Service Provider for CDSA CSSM SPI MAF PKCS #11 AL PKCS #11 Module

  6. PKCS #11 Service Provider Features • Single code base for all PKCS #11 implementations (MAF/AL) • Supports PKCS #11 v1.0 and v2.x (AL) • Supports standard key and parameter formats (PKCS #1, PKCS #3, etc.) (MAF/AL) • Provides integrity services to insure that the CSSM service provider is using the real PKCS #11 module (MAF) • The application will not be able to use the service provider if the PKCS #11 module is changed

  7. The CDSA Integrity Model • Mutual suspicion • Components must have signed credentials • Certificates and a signed manifest • Components must be signed • Components must authenticate themselves and others • Bilateral authentication protocol • Applications may authenticate themselves with the CSSM • The application may obtain higher strength cryptography with the proper credentials

  8. Section Name: Section Name: MD5-Digest of Object MD5-Digest of Object Capabilities Capabilities Object Reference Object Reference The Signed Manifest Signature Block Manifest PKCS#7 Signature Block Cert1 Cert2 Cert3 executable: app.exe ManifestHash SignedManifestHash executable: module.dll A signed manifest contains verification information about any number of objects, signed by any number of certificates.

  9. Bilateral Authentication Step 1: Object #1 performs a self-check Object #1 Manifest #1 Object #2 Manifest #2

  10. Bilateral Authentication Step 1: Object #1 performs a self-check Object #1 Manifest #1 Step 2: Object #1 verifies Object #2 Trust Object #2 Manifest #2

  11. Bilateral Authentication Step 1: Object #1 performs a self-check Object #1 Manifest #1 Step 2: Object #1 verifies Object #2 Trust Step 3: Object #2 performs a self-check Object #2 Manifest #2

  12. Bilateral Authentication Step 1: Object #1 performs a self-check Object #1 Manifest #1 Step 2: Object #1 verifies Object #2 Trust Trust Step 3: Object #2 performs a self-check Object #2 Manifest #2 Step 4: Object #2 verifies Object #1

  13. Bilateral Authentication Step 1: Object #1 performs a self-check Object #1 Manifest #1 Step 2: Object #1 verifies Object #2 Mutual Trust Step 3: Object #2 performs a self-check Object #2 Manifest #2 Step 4: Object #2 verifies Object #1 Result: Mutual trust between objects

  14. Signing PKCS #11 Service Providers • The PKCS #11 Service Provider (SP) for CSSM is signed as the first object in the manifest. • Provides the ability for the CSSM to verify the SP before loading and permits a self-check to be performed after being loaded. • The PKCS #11 Module is signed as an additional object in the manifest. • The CSSM and SP are able to verify the PKCS #11 Module as part of the SP loading process.

  15. Trust Relationships • Bilateral authentication for the PKCS #11 Service Provider and unilateral authentication for the PKCS #11 Module. CSSM bilateral unilateral PKCS #11 Service Provider unilateral PKCS #11 Module

  16. Obtaining Higher Levels of Trust • Merge the CSSM service provider and the PKCS #11 module into a single object. • Provides a complete bilateral authentication throughout the CDSA stack. CSSM bilateral PKCS #11 Service Provider PKCS #11 Module

  17. More Information • CDSA specification adopted by The OpenGroup: • http://www.opengroup.org/pubs/catalog/c707.htm • CDSA Product Day slides from vendors: • http://www.opengroup.org/security/meetings/jul98/index.htm • Intel CDSA web site • Includes CDSA 1.2 specs, CDSA presentations and future CDSA-related specs. • http://developer.intel.com/ial/security/ • Intel Platform Security Division Marketing • Mike Premi • Phone: (503) 264-2842 • E-mail: mike.premi@intel.com

More Related