Line 11: | Line 11: | ||
#* At Security Level 1, the operating system is restricted to a single operator mode of operation, which protects against unauthorized modification and substitution of the public keys and certificates stored in the private key and certificate databases. At Security Level 2, we use the discretionary access control mechanism of the operating system on the private key and certificate databases to protect against unauthorized modification and substitution of the public keys and certificates stored in the private key and certificate databases. | #* At Security Level 1, the operating system is restricted to a single operator mode of operation, which protects against unauthorized modification and substitution of the public keys and certificates stored in the private key and certificate databases. At Security Level 2, we use the discretionary access control mechanism of the operating system on the private key and certificate databases to protect against unauthorized modification and substitution of the public keys and certificates stored in the private key and certificate databases. | ||
# When the public keys reside in memory, they are protected by the OS from unauthorized modification and substitution. | # When the public keys reside in memory, they are protected by the OS from unauthorized modification and substitution. | ||
# The NSS cryptographic module uses the following cryptographic keys, cryptographic key components, and CSPs: | # The NSS cryptographic module uses the following cryptographic keys, cryptographic key components, and CSPs in the FIPS Approved mode of operation: | ||
#* secret keys (for | #* AES secret keys | ||
#* public keys and private keys (for | #* Triple DES secret keys | ||
#* seed keys (for the Approved RNG), and | #* HMAC secret keys | ||
#* DSA public keys and private keys | |||
#* RSA public keys and private keys (used for key transport and digital signatures) | |||
#* ECDSA public keys and private keys | |||
#* Diffie-Hellman public keys and private keys (used for key agreement) | |||
#* EC Diffie-Hellman public keys and private keys (used for key agreement) | |||
#* seed keys (for the Approved RNG) | |||
#* TLS premaster secret (used in deriving the TLS master secret) | |||
#* TLS master secret (used in the generation of symmetric cipher keys, IVs, and MAC keys for TLS) | |||
#* authentication data (passwords). | #* authentication data (passwords). | ||
# The 1024-bit DSA public keys for the software/firmware integrity test are stored along with the DSA signatures in the .chk files for the softoken (PKCS #11) and freebl shared libraries/DLLs. The DSA domain parameters (prime p, subprime q, base g) and public key (y) are stored in a straight binary format (i.e., not DER encoded). | # The 1024-bit DSA public keys for the software/firmware integrity test are stored along with the DSA signatures in the .chk files for the softoken (PKCS #11) and freebl shared libraries/DLLs. The DSA domain parameters (prime p, subprime q, base g) and public key (y) are stored in a straight binary format (i.e., not DER encoded). |
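Review bot: The new key list states a purpose for only some entries: the RSA, Diffie-Hellman, EC Diffie-Hellman and TLS secret items say what they are used for, while the AES, Triple DES, HMAC, DSA and ECDSA items do not, even though the old "secret keys (for" and "public keys and private keys (for" items each carried a parenthetical. Consider giving every entry its use (for example "(used for digital signatures)" on the DSA and ECDSA lines) so the list reads uniformly. The last item, "authentication data (passwords).", also keeps its full stop although no other item has terminal punctuation now that ", and" was dropped from the seed-keys line; drop it or punctuate every item the same way.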