Slide 2: The CSSM PKCS #11 Adaptation Layer
Security Technology Lab
Adapting the Technologies and Obtaining Module Integrity Using the CDSA Infrastructure
Matthew Wood, matthew.d.wood@intel.com
RSA PKCS Workshop, October 8th 1998
Slide 3: Summary
What Is CDSA?
The PKCS #11 Service Provider for CDSA
The CDSA Integrity Model
Bilateral Authentication
Signing PKCS #11 Service Providers
More Information
Slide 4: What Is CDSA?
[Diagram: Layered Security Services. From top to bottom: Applications; CSSM Security API; Common Security Services Manager; Service Provider Interfaces; Security Service Add-in Modules]
CDSA defines a four-layer architecture for cross-platform, high-level security services
CSSM defines a common API and SPI for security services, and an integrity foundation
Service Providers implement selectable security services
Slide 5: CDSA Vendors
Apple's Security Architecture (MacOS*)
  –CSP with ECC using the Fast Elliptic Encryption (FEE) algorithm, crypto based on discrete logs over GF(p) or GF(2^n); Smartcards to follow
Hewlett-Packard (HP-UX*)
  –Software CSP for initial release
IBM KeyWorks* (Windows* 95, Windows NT*, AIX*, others)
  –Shipped Sept-97
  –BSAFE, PKCS #11 and CCA CSPs
Motorola CipherNet* Toolkit (Windows* 95, Windows NT*)
  –160 and 210 ECC CSP; Smartcards to follow
RSA Certificate Security Suite* (CSS) (Windows* 95, Windows NT*)
  –support for CDSA-based products in 1998
  –BSAFE and ECC CSPs (odd and even field characteristics)
* These marks are the property of their respective owners.
Slide 6: The PKCS #11 Service Provider for CDSA
Built using the Intel Multi-service Addin Framework (MAF)
[Diagram: the service provider stack, top to bottom: CSSM SPI; MAF; PKCS #11 AL; PKCS #11 Module]
The Adaptation Layer (AL) translates CSSM data types to the corresponding PKCS #11 types
The AL performs session management as required by the requests made through the CSSM SPI
Slide 7: PKCS #11 Service Provider Features
Single code base for all PKCS #11 implementations (MAF/AL)
Supports PKCS #11 v1.0 and v2.x (AL)
Supports standard key and parameter formats (PKCS #1, PKCS #3, etc.) (MAF/AL)
Provides integrity services to ensure that the CSSM service provider is using the real PKCS #11 module (MAF)
  –The application will not be able to use the service provider if the PKCS #11 module is changed
Slide 8: The CDSA Integrity Model
Mutual suspicion
Components must have signed credentials
  –Certificates and a signed manifest
Components must be signed
Components must authenticate themselves and others
  –Bilateral authentication protocol
Applications may authenticate themselves with the CSSM
  –The application may obtain higher strength cryptography with the proper credentials
Slide 9: The Signed Manifest
[Diagram: a Signed Manifest made of a Manifest plus a Signature Block. The Manifest lists objects such as "executable: app.exe" and "executable: module.dll", each with a Section Name, an MD5-Digest of the Object, Capabilities and an Object Reference. The Signature Block is a PKCS#7 block over the Manifest Hash, carrying the Signed Manifest Hash and certificates Cert1, Cert2, Cert3.]
A signed manifest contains verification information about any number of objects, signed by any number of certificates.
Slides 10-14: Bilateral Authentication
[Diagram, built up over five slides: Object #1 with Manifest #1 and Object #2 with Manifest #2; a trust arrow is added after each step]
Step 1: Object #1 performs a self-check
Step 2: Object #1 verifies Object #2
Step 3: Object #2 performs a self-check
Step 4: Object #2 verifies Object #1
Result: Mutual trust between objects
Slide 15: Signing PKCS #11 Service Providers
The PKCS #11 Service Provider (SP) for CSSM is signed as the first object in the manifest.
  –Provides the ability for the CSSM to verify the SP before loading and permits a self-check to be performed after being loaded.
The PKCS #11 Module is signed as an additional object in the manifest.
  –The CSSM and SP are able to verify the PKCS #11 Module as part of the SP loading process.
Slide 16: Trust Relationships
Bilateral authentication for the PKCS #11 Service Provider and unilateral authentication for the PKCS #11 Module.
[Diagram: CSSM <-> PKCS #11 Service Provider (bilateral); PKCS #11 Service Provider -> PKCS #11 Module (unilateral)]
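The manifest check, the four bilateral authentication steps and the SP-plus-module loading sequence from the slides above, as an added model in Python (not Intel's CSSM or MAF code). It assumes constructed object names (cssm.dll, pkcs11sp.dll, pkcs11module.dll), substitutes SHA-256 for the manifest's MD5-Digest sections, and stands in an HMAC for the PKCS#7 signature block so it runs offline.

```python
import hashlib
import hmac

# Stand-in for the signer's private key; the real manifest carries a PKCS#7 block.
SIGNING_KEY = b"constructed-signer-key"

def digest(data):
    # The 1998 manifest used MD5-Digest per section; SHA-256 is substituted.
    return hashlib.sha256(data).hexdigest()

def make_manifest(objects):
    """One section per object (Name + digest), then a signature over the manifest hash."""
    sections = {name: digest(data) for name, data in objects.items()}
    body = "\n".join(f"Name: {n}\nSHA-256-Digest: {d}" for n, d in sections.items()).encode()
    sig = hmac.new(SIGNING_KEY, digest(body).encode(), "sha256").hexdigest()
    return {"sections": sections, "body": body, "signature": sig}

def manifest_is_authentic(manifest):
    """Signature block check (HMAC stand-in for PKCS#7 verification)."""
    expected = hmac.new(SIGNING_KEY, digest(manifest["body"]).encode(), "sha256").hexdigest()
    return hmac.compare_digest(expected, manifest["signature"])

def verify_object(manifest, name, loaded_bytes):
    """The bytes actually loaded must match the section of an authentic manifest."""
    if not manifest_is_authentic(manifest):
        return False
    recorded = manifest["sections"].get(name)
    return recorded is not None and hmac.compare_digest(recorded, digest(loaded_bytes))

def bilateral_auth(m1, name1, bytes1, m2, name2, bytes2):
    """Steps 1-4 from the slides; stops at the first step that fails."""
    steps = [("self-check #1", m1, name1, bytes1), ("#1 verifies #2", m2, name2, bytes2),
             ("self-check #2", m2, name2, bytes2), ("#2 verifies #1", m1, name1, bytes1)]
    passed = []
    for label, m, n, b in steps:
        if not verify_object(m, n, b):
            return passed + ["FAILED: " + label]
        passed.append(label)
    return passed + ["mutual trust"]

def load_pkcs11_sp(cssm_manifest, cssm_bytes, sp_manifest, sp_bytes, module_bytes):
    """CSSM <-> SP is bilateral; the PKCS #11 module (second manifest object) is unilateral."""
    result = bilateral_auth(cssm_manifest, "cssm.dll", cssm_bytes,
                            sp_manifest, "pkcs11sp.dll", sp_bytes)
    if result[-1] != "mutual trust":
        return result
    if not verify_object(sp_manifest, "pkcs11module.dll", module_bytes):
        return result + ["FAILED: PKCS #11 module does not match manifest"]
    return result + ["PKCS #11 module verified (unilateral)"]
```

A replaced PKCS #11 module, a modified SP, or a manifest whose signature no longer verifies each stop the load at a different step, which is the behaviour slide 7 promises.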
Slide 17: Obtaining Higher Levels of Trust
Merge the CSSM service provider and the PKCS #11 module into a single object.
Provides a complete bilateral authentication throughout the CDSA stack.
[Diagram: CSSM <-> merged PKCS #11 Service Provider + PKCS #11 Module (bilateral)]
Slide 18: More Information
CDSA specification adopted by The Open Group:
  –http://www.opengroup.org/pubs/catalog/c707.htm
CDSA Product Day slides from vendors:
  –http://www.opengroup.org/security/meetings/jul98/index.htm
Intel CDSA web site
  –Includes CDSA 1.2 specs, CDSA presentations and future CDSA-related specs.
  –http://developer.intel.com/ial/security/
Intel Platform Security Division Marketing
  –Mike Premi, Phone: (503) 264-2842, E-mail: mike.premi@intel.com