VE 07KeyMgmt: Difference between revisions

Jump to navigation Jump to search

VE 07KeyMgmt (view source)

Revision as of 23:59, 9 August 2006

653 bytes removed ,  9 August 2006
→‎Key Management
Line 27: Line 27:
#* The Triple DES key derived from the user's password, used to encrypt the secret keys and private keys stored in the private key database.
#* The Triple DES key derived from the user's password, used to encrypt the secret keys and private keys stored in the private key database.
#* The 1024-bit DSA public keys for the software/firmware integrity test are stored along with the DSA signatures in the .chk files for the softoken (PKCS #11) and freebl shared libraries/DLLs. The DSA domain parameters (prime p, subprime q, base g) and public key (y) are stored in a straight binary format (i.e., not DER encoded).
#* The 1024-bit DSA public keys for the software/firmware integrity test are stored along with the DSA signatures in the .chk files for the softoken (PKCS #11) and freebl shared libraries/DLLs. The DSA domain parameters (prime p, subprime q, base g) and public key (y) are stored in a straight binary format (i.e., not DER encoded).
# PKCS #12 (or previously known as PFX) defines a protocol for wrapping (encrypting) and unwrapping (decrypting) private key material and related certificates for import/export.
# No passwords (e.g., the password for password-based encryption, or the private key database password) are stored on disk in plaintext.
# The exported private key is encrypted with a DES-EDE3 (Triple DES) key derived from a user provided password -- see PKCS #5 below.
# An extension of the PKCS #5 PBKDF1 key derivation function (see the <code>[http://www.mozilla.org/projects/security/pki/nss/fips/nss-source/mozilla/security/nss/lib/softoken/lowpbe.c.dep.html#nsspkcs5_PBKDF1Extended nsspkcs5_PBKDF1Extended]</code> function) is used to convert a user's password to a DES-EDE3 (three-key Triple DES) key that is used to encrypt a known plaintext to determine if it matches the password verifier stored in the database.
# No passwords (e.g., the export password for PKCS #12, or the private key database password) are stored on disk in plaintext.
# Prior to exiting the NSS cryptographic module, all passwords entered by users and private keys (stored on disk) are zeroized from memory.
# PKCS #5 is used to convert a user's password to a DES-EDE3 (Triple DES) key that is used to encrypt a known plaintext to determine if it matches the password stored in the database, or in the case of exported private key.
# Prior to exiting the Cryptographic Module, all passwords entered by users and private key (stored on disk) are zeroized from memory.
# PKCS #12 can be used to archive a wrapped (encrypted) private key for recovery purposes.
# Our use of DES and DES-EDE3, as called out in PKCS #12, are FIPS 46-3 validated.
# The NSS cryptographic module's Triple DES implementation conforms to FIPS 46-3. ( [http://csrc.nist.gov/cryptval/des/tripledesval.html TripleDES])
# The NSS cryptographic module's SHA-1 implementation conforms to FIPS 180-2. See [http://csrc.nist.gov/cryptval/shs/shaval.htm SHS].
# The NSS cryptographic module's DSA implementation conforms to FIPS 186-2. ([http://csrc.nist.gov/cryptval/dss/dsaval.htm DSA])


=Key Generation=
=Key Generation=
Wtchang
canmove, Confirmed users
937

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/31208"

Navigation menu