HP UX Security Products and Features Software manual Self Check

Page 69

Common Data Security Architecture (CDSA) White Paper

Validating the CSP Credentials

Figure 1-11 Verifying the validity of the CSP library

.MF file, containing hash of

shared library and library name

CSP file

	SHA-1	Are	.CSP shared
		SHA-1	No library has been
	HASH
		hashes	tampered with.
	function
		equal?	STOP!

Yes

CSP shared library is valid

5.If the values match, the shared library is loaded. If the hashes do not match, CDSA execution will terminate.

The Self Check

Once an HP-UX shared library is loaded, it is initialized. Then control is returned to the function that initiated loading of the shared library.

In the self check, the CSP add-in module that has just been loaded checks itself, to make sure it has not been tampered with.

1.The signer’s public key is extracted from the CSP shared library and used to directly verify the signature on .SF ﬁle. No chaining validation is necessary.

2.After the signature is validated, the SHA-1 hash of the section in the .MF ﬁle referring to the shared library just loaded is calculated and compared with the hash in the .SF ﬁle.

3.If these hashes match, a hash of the CSP shared library is calculated and compared to the hash in the .MF ﬁle.

4.If the hash matches (indicating the .MF ﬁle has not been tampered with), control is returned back to the function which initiated loading of the shared library.

Chapter 1

69

Image 69

Contents Contents Migrating to Cdsa ZIP format Private Key File Sample Install Program Generating the Credential FileChapter Common Data Security Architecture Cdsa White PaperGlossary of Cdsa Terms and Acronyms Glossary of Cdsa Terms and AcronymsGlossary of Cdsa Terms and Acronyms RC2 Glossary of Cdsa Terms and Acronyms Glossary of Cdsa Terms and Acronyms Glossary of Cdsa Terms and Acronyms Glossary of Cdsa Terms and Acronyms What Is CDSA? What Is CDSA?HP’s Implementation of Cdsa HP-UX Cdsa Product OverviewWhat Is CDSA? Cdsa Components on HP-UX Cdsa Components in HP-UXWhat Is CDSA? Cdsa in the Context of Other Security Applications Example of Cdsa APIs Used for Applications vs. SharedLibraries Applications CDSA, shown relative to higher-level protocols and userHP’s Paradigm Shift Common Security Services Manager Cssm API Common Security Services Manager CssmCssm Module Information Files Cssmnotlongfilenamesys Cryptography Service Provider CSP API Cryptography Service Provider CSP APIPublic/Private Key Algorithms Dual Asymmetric Key AlgorithmSymmetric Key Algorithm RC2 or RC4 Authenticating a Digital SignatureCryptography Service Provider CSP API Hash Interaction between CSP and Applications CSP Operations Cryptography Service Provider CSP API Cryptography Service Provider CSP API Supported Functions and Algorithms Extensibility FunctionsCssmalgidcdmf Cssmalgiddsa Cssmalgiddh Purpose Pass-Through ID What is a Certiﬁcate? Certiﬁcate Library Services CL APICertiﬁcate Library Services CL API Outline of a Generic CertiﬁcateCertiﬁcate Revocation List CRL and Operations Interaction between Certiﬁcate Library and Application Operations on Certiﬁcates Interaction between Cssm and Certiﬁcate Library InterfaceCertiﬁcate Library Interface Certiﬁcate Library Services CL API Certiﬁcate Library Services CL API Certiﬁcate Library Services CL API INTELX509V3PASSTHROUGHCREATEENCODEDNAME INTELX509V3PASSTHROUGHENCODENAME INTELX509V3PASSTHROUGHENCODEALGID INTELX509V3PASSTHROUGHREADCERTFROMFILE INTELX509V3PASSTHROUGHENCODEREVOKEDCERTLIST INTELX509V3PASSTHROUGHFINDSUPPORTINGCSP INTELX509V3PASSTHROUGHCSSMKEYTOSPKI Introduction to Add-in Modules Role of Add-In Modules in the Cdsa FrameworkIntroduction to Add-in Modules Global Unique Identiﬁer Guid Design Criteria for Add-In ModulesInitializer Add-In Module Install Program Code to Register Services with CssmTo Install an Add-In Library How to Create a Cdsa Add-In Module for HP-UX How to Create a Cdsa Add-In Module forLd -b -o libmylib.1 +I MyAddInInit Implementing Integrity Checking in Add-In Modules Programming Self-Check Functions into the Initializer How to Create a Cdsa Add-In Module for HP-UX How to Create a Cdsa Add-In Module for HP-UX How to Create a Cdsa Add-In Module for HP-UX How to Create a Cdsa Add-In Module for HP-UX Typeprocedure How to Create a Cdsa Add-In Module for HP-UX Or specify the following for CL/TP/DL add-ins With a Cssm capable of integrity checking Credential File Validating the CSP CredentialsCertiﬁcate Chain Validating the CSP CredentialsVerifying a Certiﬁcate Chain Validation SequenceVerifying the signature on the .SF ﬁle Integrity Check prior to LoadingSHA-1 11 Verifying the validity of the CSP library Self CheckIn-Memory vs. Static Checking Bilateral AuthenticationConcluding Remarks Further ReferencesConcluding Remarks Concluding Remarks Appendix a Sample Install ProgramAppendix a Appendix a Cssmapimemoryfuncs Appendix a Else if argc != Destpath Sample Install Program Appendix a Sample Install Program Appendix B Generating the Credential FileHP Signing Policy for CSP Add-In Vendors for Cdsa Version HP Signing Policy for CSP Add-In Vendors for Cdsa VersionAppendix C Sample Add-in Module CodeAppendix C Appendix C Sample Add-in Module Code Appendix C Cssmreturn = Null Sample Add-in Module Code == Cssmfail Cssmmodulefuncs Appendix C Sample Add-in Module Code Appendix C Sample Add-in Module Code Data 100 Appendix C 101 102 Appendix C 103 104 Appendix D 105 Functions Needed for Add-in Module Integrity106 Appendix E 107 Trouble Shooting HP CdsaCdsa API Errors Cdsa API Errors108 Appendix E 109 110 Appendix E 111 112 Appendix E 113 114 Appendix E 115 116 Appendix E 117 Cdsa Start Up Errors when calling CSSMModuleAttach Cdsa Start Up Errors when calling CSSMModuleAttach118 Appendix E 119 Using DDE to Debug Cdsa Applications Debugging Core Dumps120 Appendix F 121 Migrating to Cdsa122 Appendix F 123 124 DL data structuresAppendix G 125 ZIP format126 Appendix G 127 128 Appendix H 129 Private Key File130 Private Key File Contention

Related manuals

Manual 62 pages 27.73 Kb