The CSSM PKCS #11 Adaptation Layer. Adapting the Technologies and Obtaining Module Integrity Using the CDSA Infrastructure. Matthew Wood matthew.d.wood@intel.com RSA PKCS Workshop October 8th 1998. Summary. What Is CDSA? The PKCS #11 Service Provider for CDSA The CDSA Integrity Model
The CSSM PKCS #11 Adaptation Layer Adapting the Technologies and Obtaining Module Integrity Using the CDSA Infrastructure Matthew Wood matthew.d.wood@intel.com RSA PKCS Workshop October 8th 1998
Summary • What Is CDSA? • The PKCS #11 Service Provider for CDSA • The CDSA Integrity Model • Bilateral Authentication • Signing PKCS #11 Service Providers • More Information
What Is CDSA? • CDSA defines a four-layer architecture for cross-platform, high-level security services: Applications; Layered Security Services; Common Security Services Manager (CSSM); Security Service Add-in Modules • CSSM defines a common API & SPI for security services, & an integrity foundation (the CSSM Security API above it, the Service Provider Interfaces below it) • Service Providers implement selectable security services
CDSA Vendors • Apple’s Security Architecture (MacOS*) • CSP with ECC using Fast Elliptic Encryption (FEE) algorithm, crypto based on discrete logs over GF(p) or GF(2^n); Smartcards to follow • Hewlett-Packard (HPUX*) • Software CSP for initial release • IBM KeyWorks* (Windows* 95, Windows NT*, AIX*, others) • Shipped Sept-97 • Bsafe, PKCS #11 and CCA CSPs • Motorola CipherNet* Toolkit (Windows* 95, Windows NT*) • 160 and 210 ECC CSP; Smartcards to follow • RSA Certificate Security Suite* (CSS) (Windows* 95, Windows NT*) • support for CDSA-based products in 1998 • BSafe and ECC CSPs (odd and even field characteristics) * These marks are the property of their respective owners.
The PKCS #11 Service Provider for CDSA • Built using the Intel Multi-service Addin Framework (MAF) • The Adaptation Layer (AL) translates CSSM data types to the corresponding PKCS #11 types • The AL performs session management as required by the requests made through the CSSM SPI • Stack (top to bottom): CSSM SPI, MAF, PKCS #11 AL, PKCS #11 Module
PKCS #11 Service Provider Features • Single code base for all PKCS #11 implementations (MAF/AL) • Supports PKCS #11 v1.0 and v2.x (AL) • Supports standard key and parameter formats (PKCS #1, PKCS #3, etc.) (MAF/AL) • Provides integrity services to ensure that the CSSM service provider is using the real PKCS #11 module (MAF) • The application will not be able to use the service provider if the PKCS #11 module is changed
The CDSA Integrity Model • Mutual suspicion • Components must have signed credentials • Certificates and a signed manifest • Components must be signed • Components must authenticate themselves and others • Bilateral authentication protocol • Applications may authenticate themselves with the CSSM • The application may obtain higher strength cryptography with the proper credentials
The Signed Manifest • A signed manifest contains verification information about any number of objects, signed by any number of certificates. • Manifest: one section per object (in the diagram, executable: app.exe and executable: module.dll), each carrying a Section Name, the MD5-Digest of Object, Capabilities, and an Object Reference • Signature Block: a PKCS#7 signature block with the signing certificates (Cert1, Cert2, Cert3); the diagram shows the ManifestHash and the SignedManifestHash tying the manifest to the signature block
Bilateral Authentication • Step 1: Object #1 performs a self-check (against Manifest #1) • Step 2: Object #1 verifies Object #2 (against Manifest #2); trust in one direction • Step 3: Object #2 performs a self-check (against Manifest #2) • Step 4: Object #2 verifies Object #1 (against Manifest #1) • Result: Mutual trust between objects
Signing PKCS #11 Service Providers • The PKCS #11 Service Provider (SP) for CSSM is signed as the first object in the manifest. • Provides the ability for the CSSM to verify the SP before loading and permits a self-check to be performed after being loaded. • The PKCS #11 Module is signed as an additional object in the manifest. • The CSSM and SP are able to verify the PKCS #11 Module as part of the SP loading process.
Trust Relationships • Bilateral authentication for the PKCS #11 Service Provider and unilateral authentication for the PKCS #11 Module. • CSSM and PKCS #11 Service Provider: bilateral • CSSM to PKCS #11 Module: unilateral • PKCS #11 Service Provider to PKCS #11 Module: unilateral
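As an added illustration (not code from the slides or from Intel's CSSM), the Python below models the signed manifest slide, the four-step bilateral authentication, and the load sequence of the trust-relationship slide: CSSM and the PKCS #11 Service Provider authenticate each other, and the PKCS #11 module is checked unilaterally from the SP's own manifest. The PKCS#7 signature block is stood in for by a keyed HMAC per certificate, and every object image, file name and key is constructed.

```python
import hashlib
import hmac

# Constructed stand-in for the PKCS#7 signature block: an HMAC keyed per "certificate" (no RSA in
# the standard library). Manifest layout follows the slide: one section per object with its digest.
SIGNER_KEYS = {"Cert1": b"constructed-key-1", "Cert2": b"constructed-key-2"}

def make_manifest(objects: dict, capabilities: dict) -> list:
    """One section per object; the first object is the one that owns the manifest."""
    return [{"Section Name": n, "MD5-Digest": hashlib.md5(d).hexdigest(),
             "Capabilities": capabilities[n], "Object Reference": n}
            for n, d in objects.items()]

def signature(cert: str, manifest: list) -> str:
    """Signature over ManifestHash (digest of the whole manifest), one per certificate."""
    return hmac.new(SIGNER_KEYS[cert], hashlib.md5(repr(manifest).encode()).digest(),
                    "sha256").hexdigest()

def sign_manifest(manifest: list, signers: list) -> dict:
    return {"manifest": manifest, "signatures": {c: signature(c, manifest) for c in signers}}

def verify_object(signed: dict, name: str, loaded: bytes) -> bool:
    """Check the signature block first, then the loaded bytes against the object's section."""
    sigs = signed["signatures"]
    if not sigs or not all(hmac.compare_digest(s, signature(c, signed["manifest"]))
                           for c, s in sigs.items()):
        return False
    sec = next((s for s in signed["manifest"] if s["Object Reference"] == name), None)
    return sec is not None and sec["MD5-Digest"] == hashlib.md5(loaded).hexdigest()

def bilateral_auth(m1: dict, n1: str, b1: bytes, m2: dict, n2: str, b2: bytes) -> bool:
    """Steps 1-4 from the slides: self-check, verify peer; peer self-check, peer verifies us."""
    return (verify_object(m1, n1, b1) and verify_object(m2, n2, b2)      # Object #1's steps
            and verify_object(m2, n2, b2) and verify_object(m1, n1, b1))  # Object #2's steps

def load_pkcs11_sp(cssm_m: dict, sp_m: dict, loaded: dict) -> bool:
    """Bilateral CSSM<->SP, then unilateral SP->module using the SP's own manifest."""
    return (bilateral_auth(cssm_m, "cssm.dll", loaded["cssm.dll"], sp_m, "sp.dll", loaded["sp.dll"])
            and verify_object(sp_m, "pkcs11.dll", loaded["pkcs11.dll"]))

def demo() -> tuple:
    """(load with the intact module, load after the PKCS #11 module was swapped out)."""
    cssm = {"cssm.dll": b"constructed CSSM image"}
    sp = {"sp.dll": b"constructed PKCS #11 SP image", "pkcs11.dll": b"constructed vendor module"}
    cssm_m = sign_manifest(make_manifest(cssm, {"cssm.dll": "framework"}), ["Cert1"])
    sp_m = sign_manifest(make_manifest(sp, {"sp.dll": "csp", "pkcs11.dll": "csp"}), ["Cert1", "Cert2"])
    loaded = {**cssm, **sp}
    swapped = dict(loaded, **{"pkcs11.dll": b"replaced vendor module"})
    return load_pkcs11_sp(cssm_m, sp_m, loaded), load_pkcs11_sp(cssm_m, sp_m, swapped)
```

Replacing the module's bytes after signing makes the load fail, which is the behaviour the features slide describes; editing any manifest section after signing fails the same way because the signature covers the whole manifest.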
Obtaining Higher Levels of Trust • Merge the CSSM service provider and the PKCS #11 module into a single object. • Provides a complete bilateral authentication throughout the CDSA stack. • CSSM and the merged PKCS #11 Service Provider / PKCS #11 Module object: bilateral
More Information • CDSA specification adopted by The OpenGroup: • http://www.opengroup.org/pubs/catalog/c707.htm • CDSA Product Day slides from vendors: • http://www.opengroup.org/security/meetings/jul98/index.htm • Intel CDSA web site • Includes CDSA 1.2 specs, CDSA presentations and future CDSA-related specs. • http://developer.intel.com/ial/security/ • Intel Platform Security Division Marketing • Mike Premi • Phone: (503) 264-2842 • E-mail: mike.premi@intel.com