
d93b11164acf0655d26bf90fc90fe602.ppt
- Number of slides: 17
Security Technology Lab

The CSSM PKCS #11 Adaptation Layer
Adapting the Technologies and Obtaining Module Integrity Using the CDSA Infrastructure

Matthew Wood
matthew.d.wood@intel.com
RSA PKCS Workshop, October 8th 1998
Summary
• What Is CDSA?
• The PKCS #11 Service Provider for CDSA
• The CDSA Integrity Model
• Bilateral Authentication
• Signing PKCS #11 Service Providers
• More Information
What Is CDSA?
CDSA defines a four-layer architecture for cross-platform, high-level security services:
• Applications
• Layered Security Services
• Common Security Services Manager (CSSM): defines a common API and SPI for security services, and an integrity foundation
• Security Service Add-in Modules: service providers that implement selectable security services
The CSSM Security API sits between the layered services and the CSSM; the Service Provider Interfaces sit between the CSSM and the add-in modules.
CDSA Vendors
• Apple's Security Architecture (Mac OS*)
  – CSP with ECC using the Fast Elliptic Encryption (FEE) algorithm; crypto based on discrete logs over GF(p) or GF(2^n); smartcards to follow
• Hewlett-Packard (HPUX*)
  – Software CSP for initial release
• IBM KeyWorks* (Windows* 95, Windows NT*, AIX*, others)
  – Shipped Sept-97
  – BSafe, PKCS #11 and CCA CSPs
• Motorola CipherNet* Toolkit (Windows* 95, Windows NT*)
  – 160 and 210 ECC CSP; smartcards to follow
• RSA Certificate Security Suite* (CSS) (Windows* 95, Windows NT*)
  – Support for CDSA-based products in 1998
  – BSafe and ECC CSPs (odd and even field characteristics)
* These marks are the property of their respective owners.
The PKCS #11 Service Provider for CDSA
• Built using the Intel Multiservice Addin Framework (MAF)
• The Adaptation Layer (AL) translates CSSM data types to the corresponding PKCS #11 types
• The AL performs session management as required by the requests made through the CSSM SPI
Stack: CSSM SPI -> MAF -> PKCS #11 AL -> PKCS #11 Module
PKCS #11 Service Provider Features
• Single code base for all PKCS #11 implementations (MAF/AL)
• Supports PKCS #11 v1.0 and v2.x (AL)
• Supports standard key and parameter formats (PKCS #1, PKCS #3, etc.) (MAF/AL)
• Provides integrity services to ensure that the CSSM service provider is using the real PKCS #11 module (MAF)
  – The application will not be able to use the service provider if the PKCS #11 module is changed
The CDSA Integrity Model
• Mutual suspicion
• Components must have signed credentials
  – Certificates and a signed manifest
• Components must be signed
• Components must authenticate themselves and others
  – Bilateral authentication protocol
• Applications may authenticate themselves with the CSSM
  – The application may obtain higher strength cryptography with the proper credentials
The Signed Manifest
A signed manifest contains verification information about any number of objects, signed by any number of certificates.
Signed Manifest layout:
• Signature Block
  – PKCS#7 Signature Block (Cert 1, Cert 2, Cert 3)
  – Signed Manifest Hash (hash of the Manifest)
• Manifest
  – Section: Name: executable: app.exe; MD5-Digest of Object; Capabilities; Object Reference
  – Section: Name: executable: module.dll; MD5-Digest of Object; Capabilities; Object Reference
Bilateral Authentication
Step 1: Object #1 performs a self-check
Step 2: Object #1 verifies Object #2 (trust)
Step 3: Object #2 performs a self-check
Step 4: Object #2 verifies Object #1 (trust)
Result: Mutual trust between objects
Diagram: Object #1 with Manifest #1; Object #2 with Manifest #2; "Mutual Trust" between the two objects
Signing PKCS #11 Service Providers
• The PKCS #11 Service Provider (SP) for CSSM is signed as the first object in the manifest.
  – Provides the ability for the CSSM to verify the SP before loading and permits a self-check to be performed after being loaded.
• The PKCS #11 Module is signed as an additional object in the manifest.
  – The CSSM and SP are able to verify the PKCS #11 Module as part of the SP loading process.
Trust Relationships
• Bilateral authentication for the PKCS #11 Service Provider and unilateral authentication for the PKCS #11 Module.
Diagram: CSSM <-> (bilateral) PKCS #11 Service Provider -> (unilateral) PKCS #11 Module
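The bilateral authentication steps and the SP/module signing scheme from the preceding slides, modelled in one added example (not from the slides or from Intel's MAF code): the component bytes and manifests are constructed, an HMAC stands in for the PKCS#7 signature block, and MD5 is used only because that is the digest the 1998 manifest format records.

```python
import hashlib
import hmac

# Constructed sample components, standing in for the CSSM core, the PKCS #11
# service provider (MAF + adaptation layer) and the vendor's PKCS #11 module.
CSSM_BYTES = b"cssm core (constructed sample)"
SP_BYTES = b"pkcs11 service provider (constructed sample)"
MODULE_BYTES = b"vendor pkcs11 module (constructed sample)"
SIGNER_KEY = b"stand-in for the manifest signer's private key"

def object_digest(data: bytes) -> str:
    # The manifest format on the slide records one MD5-Digest per object.
    return hashlib.md5(data).hexdigest()

def sign_manifest(objects: dict) -> dict:
    """One manifest section per object (name -> digest) plus a signature over
    the body. An HMAC stands in for the PKCS#7 signature block; the real format
    carries an RSA signature and the signer certificates instead."""
    sections = {name: object_digest(data) for name, data in objects.items()}
    body = "".join(f"Name: {n}\nMD5-Digest: {d}\n" for n, d in sections.items())
    sig = hmac.new(SIGNER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"sections": sections, "body": body, "signature": sig}

def verify_object(manifest: dict, name: str, data: bytes) -> bool:
    """Authenticate the manifest first, then compare the object's digest with
    the section that names it. A bad signature or a missing section fails closed."""
    expected = hmac.new(SIGNER_KEY, manifest["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["signature"]):
        return False
    return manifest["sections"].get(name) == object_digest(data)

def load_service_provider(cssm: bytes, sp: bytes, module: bytes,
                          cssm_manifest: dict, sp_manifest: dict) -> bool:
    """Trust chain from the slides: CSSM <-> SP is bilateral; SP -> module is
    unilateral because the module is only the second object in the SP's manifest.
    In the real stack each step runs inside the component performing it."""
    return (verify_object(cssm_manifest, "cssm", cssm)       # step 1: CSSM self-check
            and verify_object(sp_manifest, "sp", sp)         # step 2: CSSM verifies SP, then loads it
            and verify_object(sp_manifest, "sp", sp)         # step 3: SP self-check after loading
            and verify_object(cssm_manifest, "cssm", cssm)   # step 4: SP verifies CSSM
            and verify_object(sp_manifest, "module", module))  # SP verifies the PKCS #11 module

# The SP is the first object in its manifest, the PKCS #11 module the second.
CSSM_MANIFEST = sign_manifest({"cssm": CSSM_BYTES})
SP_MANIFEST = sign_manifest({"sp": SP_BYTES, "module": MODULE_BYTES})
```

Swapping the module bytes makes load_service_provider return False, which is the "service provider cannot be used if the PKCS #11 module is changed" behaviour the feature slide describes.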
Obtaining Higher Levels of Trust
• Merge the CSSM service provider and the PKCS #11 module into a single object.
• Provides a complete bilateral authentication throughout the CDSA stack.
Diagram: CSSM <-> (bilateral) [PKCS #11 Service Provider + PKCS #11 Module]
More Information
• CDSA specification adopted by The Open Group:
  – http://www.opengroup.org/pubs/catalog/c707.htm
• CDSA Product Day slides from vendors:
  – http://www.opengroup.org/security/meetings/jul98/index.htm
• Intel CDSA web site
  – Includes CDSA 1.2 specs, CDSA presentations and future CDSA-related specs.
  – http://developer.intel.com/ial/security/
• Intel Platform Security Division Marketing
  – Mike Premi
    • Phone: (503) 264-2842
    • E-mail: mike.premi@intel.com