FIPS Operational Environment

23 bytes removed, 17:34, 6 May 2009
===Access to Cryptographic Keys, CSPs, and Plaintext Data===
Cryptographic keys, CSPs, and plaintext data are stored in the NSS databases. The NSS cryptographic module creates its database files with the '''0600''' permission bits so that only the owner can read or modify the database files. (See the [http://mxr.mozilla.org/security/ident?i=dbsopen <code>dbsopen()</code>] or [http://mxr.mozilla.org/security/ident?i=dbopen <code>dbopen()</code>] calls in the [http://wwwmxr.mozilla.org/projects/security/pki/nss/fips/nss-source/mozilla/security/nss/lib/softoken/pcertdb.c.dep.html#ident?i=nsslowcert_OpenPermCertDB <code>nsslowcert_OpenPermCertDB</code>], [http://wwwmxr.mozilla.org/projects/security/pki/nss/fips/nss-source/mozilla/security/nss/lib/softoken/keydb.c.dep.html#ident?i=nsslowkey_OpenKeyDB <code>nsslowkey_OpenKeyDB</code>], and [http://wwwmxr.mozilla.org/projects/security/pki/nss/fips/nss-source/mozilla/security/nss/lib/softoken/pk11db.c.dep.html#ident?i=secmod_OpenDB <code>secmod_OpenDB</code>] functions.) For example,
 $ ls -l *.db
 -rw------- 1 wtchang wtchang 65536 May 15 22:16 cert8.db
 -rw------- 1 wtchang wtchang 32768 May 15 22:16 key3.db
 -rw------- 1 wtchang wtchang 32768 May 15 22:15 secmod.db
or
 -rw------- 1 gb staff 9216 May 6 10:22 cert9.db
 -rw------- 1 gb staff 11264 May 6 10:22 key4.db
Since the cryptographic keys and CSPs are stored in encrypted form, the owner needs to assume the NSS User role by authenticating with the password to decrypt the cryptographic keys and CSPs stored in the private key database.
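The following audit script is an added example, not part of the NSS documentation or source: it performs the check that the <code>ls -l *.db</code> listing above does by eye, walking every <code>*.db</code> file in a given NSS database directory and flagging any that is not mode 0600 or not owned by the invoking user. The function name <code>nss_db_perm_check</code> is this example's own choice.

```shell
#!/bin/sh
# Audit the NSS database files in one directory (legacy cert8.db/key3.db/
# secmod.db or cert9.db/key4.db).  The NSS softoken creates them with mode
# 0600, so a more permissive mode, or a different owner, is a deviation from
# the expected operational environment and worth investigating.
#
# nss_db_perm_check DIR
#   prints one OK/FAIL line per *.db file in DIR
#   returns 0 if every file passes, 1 if any file fails, 2 if no *.db found
# (the function name is this example's own choice, not an NSS utility)
nss_db_perm_check() {
    dir=$1
    me=$(id -un)
    rc=0
    found=0
    for f in "$dir"/*.db; do
        [ -f "$f" ] || continue        # glob matched nothing
        found=1
        # Same data as the "ls -l *.db" listing, read back by field:
        # characters 1-10 are the mode string, field 3 is the owner.
        line=$(ls -ld -- "$f")
        mode=$(printf '%s\n' "$line" | cut -c1-10)
        owner=$(printf '%s\n' "$line" | awk '{print $3}')
        case $mode in
            -rw-------) perm_ok=1 ;;   # exactly 0600 on a regular file
            *)          perm_ok=0 ;;
        esac
        if [ "$perm_ok" -eq 1 ] && [ "$owner" = "$me" ]; then
            printf 'OK   %s %-8s %s\n' "$mode" "$owner" "$f"
        else
            printf 'FAIL %s %-8s %s (want -rw------- owned by %s)\n' \
                "$mode" "$owner" "$f" "$me"
            rc=1
        fi
    done
    [ "$found" -eq 1 ] || return 2
    return "$rc"
}

# Run as: sh nss_db_perm_check.sh /path/to/nssdb
if [ "$#" -gt 0 ]; then
    nss_db_perm_check "$1"
fi
```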