
Page 26

Common Data Security Architecture (CDSA) White Paper

Cryptography Service Provider (CSP) API

Interaction between CSP and Applications

The application selects a CSP and asks the CSSM to attach to it. The CSSM returns a CSP handle that uniquely identifies the pairing of the application thread with that CSP module instance; the application uses this handle to refer to the CSP in all later calls.

The application establishes a "session," the framework within which the CSP performs cryptographic operations.

The application creates an operation "context," which must exist before a CSP operation starts and should be deleted as soon as the operation completes.

The attributes available for a cryptographic context depend on the class of cryptographic operation.

When creating the context, the application specifies an algorithm and may also supply a session key, an initialization vector and/or padding information to complete the description of the context.

A successful return value from the create function indicates that the desired CSP is available. Functions are also provided to manage the created context.

All cryptographic services requested by applications are channeled to the CSP through the CSSM. The CSP discloses detailed information about its cryptographic services to applications through the CSSM module information files and query mechanism. For example, a CSP may register with the CSSM that:

Encryption is supported. The algorithm present is RC2 in cipher block chaining mode with key sizes of 40 and 56 bits.

Key sizes of that length date from export-control restrictions and offer no real resistance to brute force today, so an application should compare the key sizes a CSP advertises against its own policy rather than accept whatever the CSP registers.

During the session, the CSP may perform cryptographic operations such as encryption, decryption, digital signing, key and key-pair generation, random number generation, message digesting, key wrapping, key unwrapping, and key exchange. Cryptographic services can be implemented by an add-in module combining hardware and software, or by software alone.

Cryptographic operations might take place:

as a single call that performs the operation and returns the result; or

as a sequence of calls, starting with an initialization call, followed by one or more update calls, and ending with a completion (final) call. Usually the result is available only after the final call completes. Staged encryption and decryption are the exception: each update call produces a portion of the result.

The CSP is responsible for the secure storage of private keys created during a CSP session. Context information is not persistent; it is never saved to a file or database.

When a context is no longer required, the application calls CSSM_DeleteContext to delete the context information, after which the resources allocated for that context can be reclaimed. Deleting the context promptly also limits the time that session keys and related state remain in process memory.
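The lifecycle described above (create a context, run the operation either as one call or as an init/update/final sequence, delete the context), modelled as an added example in plain C. This is not CDSA or HP code and does not call the CSSM API; the module attach step is left out. The context type, the function names (ctx_create, ctx_update, ctx_final, ctx_delete, csp_single, csp_self_test, csp_staged_matches_single), the stand-in algorithms (RC4 for the cipher, because every update call can return output, and 32-bit FNV-1a for the digest, whose result appears only at final) and the sample message and 56-bit key are all assumptions made for illustration; RC4 and 40/56-bit keys are broken and appear here only to mirror the paper's examples.

```c
/* Added example, not CDSA or HP code: a minimal model of the CSP context
 * lifecycle.  Stand-in algorithms (assumptions, not the HP-UX CSP's): RC4 for
 * the cipher, 32-bit FNV-1a for the digest.  Both are for illustration only. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef enum { CTX_CIPHER, CTX_DIGEST } ctx_class;
typedef struct {
    ctx_class cls;
    uint8_t s[256], i, j;   /* RC4 state (CTX_CIPHER) */
    uint32_t h;             /* FNV-1a running state (CTX_DIGEST) */
} csp_ctx;

csp_ctx *ctx_create(ctx_class cls, const uint8_t *key, size_t klen)
{   /* the key is consumed here, as with the CDSA create-context calls */
    csp_ctx *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->cls = cls;
    if (cls == CTX_DIGEST) { c->h = 0x811c9dc5u; return c; }  /* FNV offset basis */
    if (klen == 0) { free(c); return NULL; }
    for (int k = 0; k < 256; k++) c->s[k] = (uint8_t)k;
    for (int k = 0, j = 0; k < 256; k++) {              /* RC4 key schedule */
        j = (j + c->s[k] + key[k % klen]) & 0xff;
        uint8_t t = c->s[k]; c->s[k] = c->s[j]; c->s[j] = t;
    }
    return c;
}

size_t ctx_update(csp_ctx *c, const uint8_t *in, size_t n, uint8_t *out)
{
    if (c->cls == CTX_DIGEST) {                         /* digest: nothing returned yet */
        for (size_t k = 0; k < n; k++) { c->h ^= in[k]; c->h *= 0x01000193u; }
        return 0;
    }
    for (size_t k = 0; k < n; k++) {                    /* cipher: n bytes out per call */
        c->i = (uint8_t)(c->i + 1);
        c->j = (uint8_t)(c->j + c->s[c->i]);
        uint8_t t = c->s[c->i]; c->s[c->i] = c->s[c->j]; c->s[c->j] = t;
        out[k] = in[k] ^ c->s[(uint8_t)(c->s[c->i] + c->s[c->j])];
    }
    return n;
}

size_t ctx_final(csp_ctx *c, uint8_t *out)
{
    if (c->cls != CTX_DIGEST) return 0;                 /* cipher: nothing left to emit */
    for (int k = 0; k < 4; k++) out[k] = (uint8_t)(c->h >> (24 - 8 * k));
    return 4;                                           /* digest: 4-byte result */
}

void ctx_delete(csp_ctx *c)
{   /* wipe key-derived state before freeing so it does not linger on the heap */
    if (!c) return;
    for (volatile uint8_t *p = (volatile uint8_t *)c, *e = p + sizeof *c; p < e; p++) *p = 0;
    free(c);
}

size_t csp_single(ctx_class cls, const uint8_t *key, size_t klen,
                  const uint8_t *in, size_t n, uint8_t *out)
{   /* single-call form: create, one update, final, delete; returns bytes written */
    csp_ctx *c = ctx_create(cls, key, klen);
    if (!c) return 0;
    size_t w = ctx_update(c, in, n, out);
    w += ctx_final(c, out + w);
    ctx_delete(c);
    return w;
}

/* Known-answer self check (cf. the add-in self-check this paper describes):
 * RC4("Key","Plaintext") = BBF316E8D940AF0AD3 and FNV-1a("a") = e40c292c. */
int csp_self_test(void)
{
    static const uint8_t kat[9] = {0xBB,0xF3,0x16,0xE8,0xD9,0x40,0xAF,0x0A,0xD3};
    uint8_t ct[9], d[4];
    if (csp_single(CTX_CIPHER, (const uint8_t *)"Key", 3, (const uint8_t *)"Plaintext", 9, ct) != 9 ||
        csp_single(CTX_DIGEST, NULL, 0, (const uint8_t *)"a", 1, d) != 4) return 0;
    return memcmp(ct, kat, 9) == 0 && d[0] == 0xe4 && d[1] == 0x0c && d[2] == 0x29 && d[3] == 0x2c;
}

/* Staged calls must agree with the single call, the cipher must round-trip and
 * a digest update must yield nothing; constructed message, constructed 56-bit key. */
int csp_staged_matches_single(void)
{
    const uint8_t *key = (const uint8_t *)"session";    /* 7 bytes = 56 bits */
    const uint8_t msg[] = "The quick brown fox jumps over the lazy dog";
    size_t n = sizeof msg - 1, w = 0;
    uint8_t one[64], staged[64], back[64], d1[4], d2[4];
    if (csp_single(CTX_CIPHER, key, 7, msg, n, one) != n) return 0;
    csp_ctx *c = ctx_create(CTX_CIPHER, key, 7);
    if (!c) return 0;
    w += ctx_update(c, msg, 10, staged + w);            /* three update calls */
    w += ctx_update(c, msg + 10, 20, staged + w);
    w += ctx_update(c, msg + 30, n - 30, staged + w);
    w += ctx_final(c, staged + w);
    ctx_delete(c);
    if (w != n || memcmp(one, staged, n) != 0) return 0;
    if (csp_single(CTX_CIPHER, key, 7, one, n, back) != n || memcmp(back, msg, n)) return 0;
    if (csp_single(CTX_DIGEST, NULL, 0, msg, n, d1) != 4) return 0;
    if (!(c = ctx_create(CTX_DIGEST, NULL, 0))) return 0;
    if (ctx_update(c, msg, 10, d2) != 0) return 0;      /* no partial digest */
    ctx_update(c, msg + 10, n - 10, d2);
    if (ctx_final(c, d2) != 4) return 0;
    ctx_delete(c);
    return memcmp(d1, d2, 4) == 0;
}
```

To run it stand-alone, call csp_self_test() and csp_staged_matches_single() from a main and treat anything other than 1 as a failure. The two points worth carrying back to real CSP code are the return-value discipline (an update call's output length must be read, not assumed, because a cipher and a digest behave differently at the same step) and the wipe in ctx_delete, which is the in-process counterpart of the paper's advice to delete a context as soon as the operation completes.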

Chapter 1
