DMP: A proposal for Security Manager Interface


Sergio Sagliocco Victoria Alvaro SecureLab, Technology Department


SAV and Security Manager

• The Security Manager is the SAV component that permits interaction with the cryptographic key material. It exports an application interface for executing high-level operations.
• The implementation of the Security Manager is strongly tied to how the private key and certificate are stored. For this reason it is necessary to split the Security Manager into two layers: an application frontend and one or more cryptographic engines.
• For example, a user could keep a certificate in a PKCS12 file, in a Java Key Store or on a smart card.
• So the user has to be able to choose the key management system that can manage their own keys.


Architecture

[Diagram: the SAV Manager sits on top of the Security Manager, which sits on top of three engines: Engine PKCS12, Engine CNS and Engine CIE.]


Security Manager Engine Requirements

• Each engine exports a well-known interface to the Security Manager. The interface permits calling the following services:
• Initialization / Finalization (e.g. integrity check of the key store, initialization of the smart card reader, …)
• Login / Logout (e.g. request of the PIN and unblocking of the private key)
• Decryption
• Configuration (e.g. path of the PKCS12 file or Java Key Store)
• Generation of a new key pair (enrollment)
• Installation of a certificate
• Enumeration of installed certificates
• Elimination of an installed certificate


Engine Interface

| Method Name | Input Parameter | Output Parameter |
|---|---|---|
| INIT | | |
| LOGIN | | |
| DECRYPT | Encrypted buffer (e.g. PKCS7 format) | Clear text buffer |
| LOGOUT | | |
| FINALIZE | | |
| ENROLL | Key Size, Distinguished Name, flag | Certificate Request (e.g. PKCS10 format) |
| INSTALL | (X509) Certificate | |
| ENUMCERT | idtype | Array of certificate IDs |
| GETCERT | id, idtype | Certificate |
| GETKEY | id, idtype | Private Key (if possible) |
| CONFIG | - | |
| GETINFO | | Hash Table Attribute=Value |


Notes

• Depending on the implementation language, each method has to manage error conditions.
• The CONFIG method has to manage the GUI required to configure the engine.
• In the ENROLL method the flag parameter is a bit mask indicating particular attributes (e.g. ability to export the private key).
• Idtype represents the key used to search for and select a certificate (e.g. Issuer plus Serial Number, public key hash, …). Id represents the value.


Security Manager Interface

• The Security Manager exports an interface for the SAV Manager.
• This interface has to export the engines' services, adding some methods in order to manage the engines:
  – Enumeration of installed engines
  – Installation of new engines
  – Elimination of an installed engine
  – Engine configuration
  – Enabling / Disabling an installed engine
• In addition to the above methods, the Security Manager can export some utility functions like the following:
  – Hash calculation
  – Format conversion (PEM, DER, TXT, …)
  – Symmetric Encryption Functions (DES, AES, …)
  – …


Security Manager Interface
| Method Name | Input Parameter | Output Parameter |
|---|---|---|
| DECRYPT | Encrypted buffer (e.g. PKCS7 format) | Clear text buffer |
| ENROLL | Key Size, Distinguished Name, flag | Certificate Request (e.g. PKCS10 format) |
| INSTALL | Engine Name, (X509) Certificate | |
| ENUMCERT | idtype | Array of certificate IDs |
| GETCERT | id, idtype | Certificate |
| ENUMENGINE | | Array of engine names |
| ADDENGINE | Name, PATH of the engine library | |
| ENABLE | Engine Name | |
| DISABLE | Engine Name | |
| REMOVEENGINE | Engine Name | |
| CONFIG | Engine Name | |
| GETEINFO | Engine Name | Hash Table Attribute=Value |
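
The frontend/engine split and the engine-management methods tabulated above, as an added Python sketch (not code from the proposal): the frontend dispatches only to enabled engines, and the engine gates key operations on LOGIN and on the ENROLL flag. Assumptions: MemoryEngine, the FLAG_EXPORTABLE bit value, the engine() helper, engines starting disabled, and ENROLL returning a key id instead of a PKCS10 request are all hypothetical simplifications.

```python
import hmac, secrets

FLAG_EXPORTABLE = 0x01  # assumed bit of the ENROLL flag mask (value not given in the slides)

class EngineError(Exception):
    """Error condition raised by an engine or by the Security Manager."""

class MemoryEngine:
    """Constructed stand-in for a PKCS12/CNS/CIE engine; keys are random bytes."""
    def __init__(self, pin):
        self._pin, self._keys, self._unlocked = pin.encode(), {}, False
    def login(self, pin):   # a real engine lets the key store or card verify the PIN
        self._unlocked = hmac.compare_digest(pin.encode(), self._pin)
        if not self._unlocked:
            raise EngineError("LOGIN failed")
    def logout(self):
        self._unlocked = False
    def enroll(self, key_size, flag):   # simplified: returns a key id, not a PKCS10 request
        self._check_unlocked()
        key_id = secrets.token_hex(8)
        self._keys[key_id] = (secrets.token_bytes(key_size // 8), flag)
        return key_id
    def getkey(self, key_id):   # "Private Key (if possible)": only if enrolled exportable
        self._check_unlocked()
        key, flag = self._keys[key_id]
        if not flag & FLAG_EXPORTABLE:
            raise EngineError("private key is not exportable")
        return key
    def _check_unlocked(self):
        if not self._unlocked:
            raise EngineError("LOGIN required")

class SecurityManager:
    """Frontend: keeps the engine registry and routes calls only to enabled engines."""
    def __init__(self):
        self._engines = {}   # engine name -> [engine, enabled]
    def addengine(self, name, engine):   # assumption: new engines start disabled
        self._engines[name] = [engine, False]
    def enable(self, name):
        self._engines[name][1] = True
    def disable(self, name):
        self._engines[name][1] = False
    def enumengine(self):
        return sorted(self._engines)
    def engine(self, name):   # hypothetical helper: resolve an engine for dispatch
        engine, enabled = self._engines[name]
        if not enabled:
            raise EngineError(f"engine {name!r} is disabled")
        return engine
```
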


Contacts

Sergio Sagliocco
SecureLab – Technology Department
mail: sergio.sagliocco@csp.it
mobile: +39 3486024078
tel. +39 011 4815140

CSP innovazione nelle ICT
Headquarters: via Livorno 60 - 10144 Torino, Edificio Laboratori A1
Tel +39 011 4815111
Fax +39 011 4815001
E-mail: info@csp.it
Second operating site: Villa Gualino - Viale Settimio Severo 65, 10133 Torino

www.csp.it
posted:2/12/2009