Published by Lynne Brown. Modified over 9 years ago.
1 DMP: A proposal for Security Manager Interface
Sergio Sagliocco, Victoria Alvaro
SecureLab, Technology Department
2 SAV and Security Manager
The Security Manager is the component of the SAV that permits interaction with the cryptographic key material. It exports an application interface for executing high-level operations.
The implementation of the Security Manager is strongly tied to how the private key and certificate are stored. For this reason it is necessary to split the Security Manager into two layers: an application frontend and one or more cryptographic engines.
For example, a user could keep a certificate in a PKCS12 file, in a Java Key Store or on a smart card, so the user has to be able to choose the key management system that can manage their own keys.
3 Architecture
[Diagram; labels: SAV Manager, Security Manager, Engine, PKCS12Engine, CNSEngine, CIE]
4 Security Manager Engine Requirements
Each engine exports a well-known interface to the Security Manager. The interface permits calling the following services:
– Initialization / Finalization (e.g. integrity check of the key store, initialization of the smart card reader, …)
– Login / Logout (e.g. request of the PIN and unblocking of the private key)
– Decryption
– Configuration (e.g. path of the PKCS12 file or Java Key Store)
– Generation of a new key pair (enrollment)
– Installation of a certificate
– Enumeration of installed certificates
– Elimination of an installed certificate
5 Engine Interface

| Method Name | Input Parameter | Output Parameter |
|---|---|---|
| INIT | - | - |
| LOGIN | - | - |
| DECRYPT | Encrypted buffer (e.g. PKCS7 format) | Clear text buffer |
| LOGOUT | - | - |
| FINALIZE | - | - |
| ENROLL | Key Size, Distinguished Name, flag | Certificate Request (e.g. PKCS10 format) |
| INSTALL | (X509) Certificate | - |
| ENUMCERT | idtype | Array of certificate IDs |
| GETCERT | id, idtype | Certificate |
| GETKEY | id, idtype | Private Key (if possible) |
| CONFIG | - | - |
| GETINFO | - | Hash Table Attribute=Value |
6 Notes
– Depending on the implementation language, each method has to handle error conditions.
– The CONFIG method has to manage the GUI required to configure the engine.
– In the ENROLL method, the flag parameter is a bit mask indicating particular attributes (e.g. the ability to export the private key).
– idtype is the key used to search for and select a certificate (e.g. Issuer plus Serial Number, public key hash, …). id is the value.
7 Security Manager Interface
The Security Manager exports an interface for the SAV Manager. This interface has to export the engines' services, adding some methods to manage the engines:
– Enumeration of installed engines
– Installation of new engines
– Elimination of an installed engine
– Engine configuration
– Enabling / Disabling an installed engine
In addition to the above methods, the Security Manager can export some utility functions such as the following:
– Hash calculation
– Format conversion (PEM, DER, TXT, …)
– Symmetric encryption functions (DES, AES, …)
– …
8 Security Manager Interface

| Method Name | Input Parameter | Output Parameter |
|---|---|---|
| DECRYPT | Encrypted buffer (e.g. PKCS7 format) | Clear text buffer |
| ENROLL | Key Size, Distinguished Name, flag | Certificate Request (e.g. PKCS10 format) |
| INSTALL | Engine Name, (X509) Certificate | - |
| ENUMCERT | idtype | Array of certificate IDs |
| GETCERT | id, idtype | Certificate |
| ENUMENGINE | - | Array of engine names |
| ADDENGINE | Name, PATH of the engine library | - |
| ENABLE | Engine Name | - |
| DISABLE | Engine Name | - |
| REMOVEENGINE | Engine Name | - |
| CONFIG | Engine Name | - |
| GETEINFO | Engine Name | Hash Table Attribute=Value |
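An added sketch in Python (not part of the original presentation) of the frontend/engine split from slides 5 and 8: the Security Manager registers engines and routes DECRYPT only to an enabled engine, and the engine refuses DECRYPT until LOGIN has unblocked the key. The class names, the sample PIN, the XOR stand-in for PKCS7 decryption, the rule that new engines start disabled, and passing the engine name to DECRYPT are assumptions made for illustration.

```python
from abc import ABC, abstractmethod
class EngineError(Exception):
    """A call violated the engine lifecycle or the registry state."""

class Engine(ABC):                              # subset: INIT, LOGIN, DECRYPT, LOGOUT
    state = "new"                               # new -> ready -> logged_in
    def init(self):
        self.state = "ready"
    def login(self, pin):
        if self.state != "ready" or not self._check_pin(pin):
            raise EngineError("LOGIN needs INIT and a valid PIN")
        self.state = "logged_in"                # private key is now unblocked
    def decrypt(self, buf):
        if self.state != "logged_in":
            raise EngineError("DECRYPT requires LOGIN")
        return self._decrypt(buf)
    def logout(self):
        if self.state == "logged_in":
            self.state = "ready"                # private key is blocked again
    @abstractmethod
    def _check_pin(self, pin): ...
    @abstractmethod
    def _decrypt(self, buf): ...

class ToyEngine(Engine):                        # constructed stand-in, NOT real PKCS7
    def _check_pin(self, pin):
        return pin == "1234"                    # constructed sample PIN
    def _decrypt(self, buf):
        return bytes(b ^ 0x5A for b in buf)     # XOR placeholder for decryption

class SecurityManager:
    """Frontend: ADDENGINE, ENABLE, DISABLE, ENUMENGINE and DECRYPT routing."""
    def __init__(self):
        self._engines = {}                      # name -> [engine, enabled]
    def add_engine(self, name, engine):
        engine.init()
        self._engines[name] = [engine, False]   # assumption: engines start disabled
    def enable(self, name):
        self._engines[name][1] = True
    def disable(self, name):
        self._engines[name][0].logout()         # assumption: disabling locks the key
        self._engines[name][1] = False
    def enum_engine(self):
        return sorted(self._engines)
    def decrypt(self, name, buf):
        engine, enabled = self._engines[name]
        if not enabled:
            raise EngineError("engine is disabled")
        return engine.decrypt(buf)
```

Re-enabling an engine after DISABLE does not restore access to the key in this sketch: a fresh LOGIN is required.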
9 Contacts
Sergio Sagliocco
SecureLab – Technology Department
e-mail: sergio.sagliocco@csp.it
mobile: +39 3486024078
tel.: +39 011 4815140
CSP innovazione nelle ICT
Headquarters: via Livorno 60 - 10144 Torino, Laboratories Building A1
Tel +39 011 4815111, Fax +39 011 4815001
E-mail: info@csp.it
Second operational office: Villa Gualino - Viale Settimio Severo 65, 10133 Torino
www.csp.it