Section C Table II: Difference between revisions

Revision as of 21:42, 12 April 2006

</tbody>

Table II. Services

Name of Service

Description of Service in Terms of Routines

Certificate
Storage and
Retrieval

This private service consists of six routines used to perform certificate storage and retrieval including SEC_OpenPermCertDB(), AddCertToPermDB(), SEC_TraversePermCerts(), SEC_FindPermCertByKey(), SEC_DeletePermCertificate(), and CERT_ClosePermCertDB().

Digital
Signatures

This private service consists of the one routine used to perform DSA signature generation, DSA_SignDigest(), and the one routine used to perform DSA signature verification, DSA_VerifyDigest(). This service also consists of the three routines used for RSA signature generation, verification, and entity association: RSA_Sign(), RSA_CheckSign(), and RSA_CheckSignRecover(), and the three raw routines used for RSA signature generation, verification, and entity association: RSA_SignRaw(), RSA_CheckSignRaw(), and RSA_CheckSignRecoverRaw(). In general, the key generation service must be invoked prior to invoking this service.

Encryption/
Decryption

This private service consists of the four routines used to perform DES Encryption/Decryption including DES_CreateContext(), DES_Encrypt(), DES_Decrypt(), and DES_DestroyContext(). Single-key DES service is provided by using the NSS_DES and NSS_DES_CBC modes with DES_CreateContext(). Triple-DES service is provided by using the NSS_DES_EDE3 and NSS_DES_EDE3_CBC modes with DES_CreateContext().

Hashing

This public service consists of the eight routines used to perform SHA-1 hashing including SHA1_NewContext(), SHA1_CloneContext(), SHA1_Begin(), SHA1_Update(), SHA1_End(), SHA1_HashBuf(), SHA1_Hash(), and SHA1_DestroyContext().

Key
Generation

This private service is utilized to perform key generation and consists of the six routines used to perform DSA key generation including PQGParamGen(), PQG_ParamGenSeedLen(), PQG_VerifyParams(), DSA_CreateKeyGenContext(), DSA_NewKey(), and DSA_NewKeyFromSeed(), and the b>one routine used for RSA private key generation called RSA_NewKey() (only used for entity association in public key exchange). When RSA_NewKey() is used in public key exchange between two parties, the Pairwise Consistency Test requires routines to check this symmetric algorithm. These consist of two routines used for entity association which include RSA_EncryptBlock(), and RSA_DecryptBlock(), and two raw routines used for entity association which include RSA_EncryptRaw(), and RSA_DecryptRaw().

PKCS #5
Password-Based
Encryption

The PKCS #5 API specifies a standard interface based upon the PKCS #5 standard which allows this private service to be used to perform password-based encryption and consists of the five routines including SEC_PKCS5GetSalt(), SEC_PKCS5GetIV(), SEC_PKCS5GetKey(), SEC_PKCS5CipherData(), and SEC_PKCS5CreateAlgorithmID().

PKCS #11

The PKCS #11 API specifies a standard interface based upon the PKCS #11 standard which allows for the selection of a FIPS PUB 140-1 mode of operation that provides both public and private services as well as a means of authentication into all private services, creates and maintains entry points for all FIPS PUB 140-1 specific routines including pk11_fipsPowerUpSelfTest() at initialization as well as on demand for subsequent logins, and enforces a pairwise consistency check on all key generation algorithms. NSS's FIPS PUB 140-1 PKCS #11 implementation defines the following standard crypto API: <tbody> </tbody>

Category	Function	Description
FIPS PUB 140-2 specific	FC_GetFunctionList	Return the list of FIPS PUB 140-1 functions
General purpose	FC_Initialize	initializes Cryptoki
	FC_Finalize	finalizes Cryptoki (1.1)
	FC_GetInfo	obtains general information about Cryptoki
Slot and token management	FC_GetSlotList	obtains a list of slots in the system
	FC_GetSlotInfo	obtains information about a particular slot
	FC_GetTokenInfo	obtains information about a particular token
	FC_GetMechansimList	obtains a list of mechanisms supported by a token
	FC_GetMechanismInfo	obtains information about a particular mechanism
	FC_InitToken	initializes a token
	FC_InitPIN	initializes the normal user?s PIN
	FC_SetPIN	modifies the PIN of the current user
Session management	FC_OpenSession	opens a connection or "session" between an application and a particular token
	FC_CloseSession	closes a session
	FC_CloseAllSessions	closes all sessions with a token
	FC_GetSessionInfo	obtains information about the session
	FC_GetOperationState	saves the state of the cryptographic operation in a session (1.1)
	FC_SetOperationState	restores the state of the cryptographic operation in a session (1.1)
	FC_Login	logs into a token
	FC_Logout	logs out from a token
Object management	FC_CreateObject	creates an object
	FC_CopyObject	creates a copy of an object
	FC_DestroyObject	destroys an object
	FC_GetObjectSize	obtains the size of an object in bytes
	FC_GetAttributeValue	obtains an attribute value of an object
	FC_SetAttributeValue	modifies an attribute value of an object
	FC_FindObjectsInit	initializes an object search operation
	FC_FindObjects	continues an object search operation
	FC_FindObjectsFinal	finishes an object search operation (1.1)
Encryption and decryption	FC_EncryptInit	initializes an encryption operation
	FC_Encrypt	encrypts single-part data
	FC_EncryptUpdate	continues a multiple-part encryption operation
	FC_EncryptFinal	finishes a multiple-part encryption operation
	FC_DecryptInit	initializes a decryption operation
	FC_Decrypt	decrypts single-part encrypted data
	FC_DecryptUpdate	continues a multiple-part decryption operation
	FC_DecryptFinal	finishes a multiple-part decryption operation
Message digesting	FC_DigestInit	initializes a message-digesting operation
	FC_Digest	digests single-part data
	FC_DigestUpdate	continues a multiple-part digesting operation
	FC_DigestKey	continues a multi-part message-digesting operation by digesting the value of a secret key as part of the data already digested (1.1)
	FC_DigestFinal	finishes a multiple-part digesting operation
Signature and verification	FC_SignInit	initializes a signature operation
	FC_Sign	signs single-part data
	FC_SignUpdate	continues a multiple-part signature operation
	FC_SignFinal	finishes a multiple-part signature operation
	FC_SignRecoverInit	initializes a signature operation, where the data can be recovered from the signature
	FC_SignRecover	signs single-part data, where the data can be recovered from the signature
	FC_VerifyInit	initializes a verification operation
	FC_Verify	verifies a signature on single-part data
	FC_VerifyUpdate	continues a multiple-part verification operation
	FC_VerifyFinal	finishes a multiple-part verification operation
	FC_VerifyRecoverInit	initializes a verification operation where the data is recovered from the signature
	FC_VerifyRecover	verifies a signature on single-part data, where the data is recovered from the signature
Dual-function cryptographic operations	FC_DigestEncryptUpdate	continues a multiple-part digesting and encryption operation (1.1)
	FC_DecryptDigestUpdate	continues a multiple-part decryption and digesting operation (1.1)
	FC_SignEncryptUpdate	continues a multiple-part signing and encryption operation (1.1)
	FC_DecryptVerifyUpdate	continues a multiple-part decryption and verify operation (1.1)
Key management	FC_GenerateKey	generates a secret key
	FC_GenerateKeyPair	generates a public-key/private-key pair
	FC_WrapKey	wraps (encrypts) a key
	FC_UnwrapKey	unwraps (decrypts) a key
	FC_DeriveKey	derives a key from a base key
Random number generation	FC_SeedRandom	mixes in additional seed material to the random number generator
Random number generation	FC_GenerateRandom	generates random data
Function management	FC_GetFunctionStatus	obtains updated status of a function running in parallel with the application
Function management	FC_CancelFunction	cancels a function running in parallel with the application
Callbacks	Notify	processes notifications from Cryptoki

PKCS #12
Personal
Information
Exchange

The PKCS #12 API will specify a standard interface based upon

the forthcoming PKCS #12 standard which allows this private service to be used to exchange data such as private keys and certificates between

two parties and consists of the eight routines including SEC_PKCS12CreateExportContext, SEC_PKCS12CreatePasswordPrivSafe(), SEC_PKCS12AddCertAndKey(), SEC_PKCS12Encode(), SEC_PKCS12DestroyExportContext(), SEC_PKCS12DecoderStart(), SEC_PKCS12DecoderUpdate(), and SEC_PKCS12DecoderFinish().

Prime
Number
Generation

This public service consists of the two routines used for generating a prime number including mpp_make_prime() and mpp_pprime().

Private Key
Storage and
Retrieval

This private service is utilized to perform private key storage and retrieval and consists of the seven routines including SECKEY_OpenKeyDB(), SECKEY_TraverseKeys(), SECKEY_UpdateKeyDBPass1() SECKEY_UpdateKeyDBPass2(), SECKEY_FindKeyByPublicKey(), SECKEY_DeleteKey(), and SECKEY_CloseKeyDB().

Pseudorandom
Number
Generation

This public service consists of the four routines used for global pseudorandom number generation including RNG_RNGInit(), RNG_GenerateGlobalRandomBytes(), RNG_RandomUpdate(), and RNG_RNGShutdown(), and the three routines used for seeding pseudorandom number generation including RNG_GetNoise(), RNG_SystemInfoForRNG(), and RNG_FileForRNG(). A continuous pseudorandom number generator test is performed whenever a new pseudorandom number is generated.

SSL Session ID
Cache
(Secret
Management)

This public service consists of the five routines used to perform session ID cache management including SSL_ConfigServerSessionIDCache(), ssl_FreeSID(), ssl_LookupSID(), ssl_ChooseSessionIDProcs(), and SSL_ClearSessionCache().

TLS pseudorandom function (PRF)

TLS pseudorandom function (PRF) is utilized by SSL 3.0 protocol to produce FIPS 140-1 compliant hashes of security relevant data items [pre-master secret]. See <a href="../sslchanges/index.html">SSL changes in Security Module 1.01</a> for full details.

Section C Table II: Difference between revisions

Revision as of 21:42, 12 April 2006

Navigation menu

Search