Security Technology Lab The CSSM PKCS #11 Adaptation Layer Adapting the Technologies and Obtaining Module Integrity Using the CDSA Infrastructure Matthew.

Presentation transcript:

Security Technology Lab The CSSM PKCS #11 Adaptation Layer Adapting the Technologies and Obtaining Module Integrity Using the CDSA Infrastructure Matthew Wood RSA PKCS Workshop October 8th 1998

Summary
What Is CDSA?
The PKCS #11 Service Provider for CDSA
The CDSA Integrity Model
Bilateral Authentication
Signing PKCS #11 Service Providers
More Information

What Is CDSA?
Diagram labels: Layered Security Services; CSSM Security API; Common Security Services Manager; Security Service Add-in Modules; Service Provider Interfaces; Applications
CDSA defines a four-layer architecture for cross-platform, high-level security services
CSSM defines a common API & SPI for security services, & an integrity foundation
Service Providers implement selectable security services

CDSA Vendors
Apple's Security Architecture (MacOS*)
  – CSP with ECC using Fast Elliptic Encryption (FEE) algorithm, crypto based on discrete logs over GF(p) or GF(2^n); Smartcards to follow
Hewlett-Packard (HPUX*)
  – Software CSP for initial release
IBM KeyWorks* (Windows* 95, Windows NT*, AIX*, others)
  – Shipped Sept-97
  – Bsafe, PKCS #11 and CCA CSPs
Motorola CipherNet* Toolkit (Windows* 95, Windows NT*)
  – 160 and 210 ECC CSP; Smartcards to follow
RSA Certificate Security Suite* (CSS) (Windows* 95, Windows NT*)
  – support for CDSA-based products in 1998
  – BSafe and ECC CSPs (odd and even field characteristics)
* These marks are the property of their respective owners.

The PKCS #11 Service Provider for CDSA
Built using the Intel Multi-service Addin Framework (MAF)
Diagram labels: CSSM SPI; MAF; PKCS #11 AL; PKCS #11 Module
The Adaptation Layer (AL) translates CSSM data types to the corresponding PKCS #11 types
The AL performs session management as required by the requests made through the CSSM SPI

PKCS #11 Service Provider Features
Single code base for all PKCS #11 implementations (MAF/AL)
Supports PKCS #11 v1.0 and v2.x (AL)
Supports standard key and parameter formats (PKCS #1, PKCS #3, etc.) (MAF/AL)
Provides integrity services to ensure that the CSSM service provider is using the real PKCS #11 module (MAF)
  – The application will not be able to use the service provider if the PKCS #11 module is changed

The CDSA Integrity Model
Mutual suspicion
Components must have signed credentials
  – Certificates and a signed manifest
Components must be signed
Components must authenticate themselves and others
  – Bilateral authentication protocol
Applications may authenticate themselves with the CSSM
  – The application may obtain higher strength cryptography with the proper credentials

The Signed Manifest
Diagram labels: Manifest; executable: app.exe; executable: module.dll; Section Name; MD5-Digest of Object; Capabilities; Object Reference; Manifest Hash; Signed Manifest Hash; PKCS#7 Signature Block; Cert1, Cert2, Cert3; Signature Block
A signed manifest contains verification information about any number of objects, signed by any number of certificates.

Bilateral Authentication
Diagram labels: Object #1; Object #2; Manifest #1; Manifest #2; Mutual Trust
Step 1: Object #1 performs a self-check
Step 2: Object #1 verifies Object #2
Step 3: Object #2 performs a self-check
Step 4: Object #2 verifies Object #1
Result: Mutual trust between objects

Signing PKCS #11 Service Providers
The PKCS #11 Service Provider (SP) for CSSM is signed as the first object in the manifest.
  – Provides the ability for the CSSM to verify the SP before loading and permits a self-check to be performed after being loaded.
The PKCS #11 Module is signed as an additional object in the manifest.
  – The CSSM and SP are able to verify the PKCS #11 Module as part of the SP loading process.

Trust Relationships
Bilateral authentication for the PKCS #11 Service Provider and unilateral authentication for the PKCS #11 Module.
Diagram: CSSM <-> PKCS #11 Service Provider (bilateral); PKCS #11 Service Provider -> PKCS #11 Module (unilateral)
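
The load-time checks from the bilateral authentication, signing and trust-relationship slides, as an added Python example that is not code from the presentation or from CDSA. Assumptions: the CSSM plays Object #1, SHA-256 replaces the slide's MD5 digest, an HMAC under a constructed key stands in for the PKCS#7 signature block, and all object names and image bytes are constructed.

```python
import hashlib
import hmac

# Assumption: an HMAC under a constructed key stands in for the PKCS#7 signature block.
SIGNING_KEY = b"constructed-demo-key"

def digest(code: bytes) -> str:
    # The slide's manifest sections carry an MD5 digest; SHA-256 is used here instead.
    return hashlib.sha256(code).hexdigest()

def sign(sections: dict) -> str:
    body = "\n".join(f"{name}:{d}" for name, d in sorted(sections.items()))
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()

def make_manifest(objects: dict) -> dict:
    """One section (name -> digest) per object, plus a signature over all sections."""
    sections = {name: digest(code) for name, code in objects.items()}
    return {"sections": sections, "signature": sign(sections)}

def verify_object(manifest: dict, name: str, code: bytes) -> bool:
    """Check the manifest signature first, then the object's digest against its section."""
    if not hmac.compare_digest(manifest["signature"], sign(manifest["sections"])):
        return False
    expected = manifest["sections"].get(name)
    return expected is not None and hmac.compare_digest(expected, digest(code))

def load_service_provider(cssm, sp, module, cssm_manifest, sp_manifest):
    """Run the checks in slide order; return (ok, first_failed_step)."""
    steps = [
        ("CSSM self-check", cssm_manifest, "cssm", cssm),
        ("CSSM verifies SP", sp_manifest, "pkcs11_sp", sp),
        ("SP self-check", sp_manifest, "pkcs11_sp", sp),
        ("SP verifies CSSM", cssm_manifest, "cssm", cssm),
        # Unilateral: the module is checked but never checks its callers.
        ("PKCS #11 module verified", sp_manifest, "pkcs11_module", module),
    ]
    for label, manifest, name, code in steps:
        if not verify_object(manifest, name, code):
            return False, label
    return True, None

# Constructed sample images and manifests (hypothetical names and bytes).
CSSM = b"cssm image"
SP = b"pkcs11 service provider image"
MODULE = b"vendor pkcs11 module image"
CSSM_MANIFEST = make_manifest({"cssm": CSSM})
SP_MANIFEST = make_manifest({"pkcs11_sp": SP, "pkcs11_module": MODULE})

if __name__ == "__main__":
    print(load_service_provider(CSSM, SP, MODULE, CSSM_MANIFEST, SP_MANIFEST))
    print(load_service_provider(CSSM, SP, b"replaced module", CSSM_MANIFEST, SP_MANIFEST))
```

A replaced module fails at the last step, and editing the module's digest in the manifest without re-signing fails earlier, when the CSSM verifies the SP's manifest.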

Obtaining Higher Levels of Trust
Merge the CSSM service provider and the PKCS #11 module into a single object.
Provides a complete bilateral authentication throughout the CDSA stack.
Diagram: CSSM <-> PKCS #11 Service Provider + PKCS #11 Module (bilateral)

Security Technology Lab More Information CDSA specification adopted by The OpenGroup: – CDSA Product Day slides from vendors: – Intel CDSA web site –Includes CDSA 1.2 specs, CDSA presentations and future CDSA-related specs. – Intel Platform Security Division Marketing –Mike Premi Phone: (503)