Security Policy: Difference between revisions

Jump to navigation Jump to search

Security Policy (view source)

Revision as of 22:02, 21 August 2006

134 bytes removed ,  21 August 2006
no edit summary
No edit summary
No edit summary
Line 202: Line 202:
'''Step 2:''' Use the <code>chmod</code> utility to set the file mode bits of the shared libraries/DLLs to '''0755''' so that all users can execute the library files, but only the files' owner can modify (i.e., write, replace, and delete) the files. For example, on most Unix and Linux platforms,
'''Step 2:''' Use the <code>chmod</code> utility to set the file mode bits of the shared libraries/DLLs to '''0755''' so that all users can execute the library files, but only the files' owner can modify (i.e., write, replace, and delete) the files. For example, on most Unix and Linux platforms,
   $ chmod 0755 libsoftokn3.so libfreebl*3.so libplc4.so libplds4.so libnspr4.so
   $ chmod 0755 libsoftokn3.so libfreebl*3.so libplc4.so libplds4.so libnspr4.so
The discretionary access control protects the binaries stored on disk from being tampered with.


'''Step 3:''' Use the <code>chmod</code> utility to set the file mode bits of the associated <code>.chk</code> files to '''0644'''. For example, on most Unix and Linux platforms,
'''Step 3:''' Use the <code>chmod</code> utility to set the file mode bits of the associated <code>.chk</code> files to '''0644'''. For example, on most Unix and Linux platforms,
Line 340: Line 341:


==Authentication Policy==
==Authentication Policy==
===Role-based Authentication===
The NSS cryptographic module uses role-based authentication.  It uses a single-role mechanism referred to above as a NSS User. Authentication shall always be required upon initializing the NSS cryptographic module in the FIPS mode. If a PKCS #11 function that requires authentication is called before the NSS User is authenticated, it returns the <code>CKR_USER_NOT_LOGGED_IN</code> error code. Call the PKCS #11 function <code>FC_Login</code> to provide the required authentication.


The NSS cryptographic module uses '''Role-Based Authentication''' to control access to the module. To perform sensitive services using the cryptographic module, an operator must explicitly request to assume the NSS User role by logging into the module, and perform an authentication procedure using information unique to that operator (individual password). Role-based authentication is used to safeguard a user's '''private key''' information. However, Discretionary Access Control (DAC) is used to safeguard all other NSS User information (e.g., the public key certificate database).
The NSS cryptographic module uses '''Role-Based Authentication''' to control access to the module. To perform sensitive services using the cryptographic module, an operator must explicitly request to assume the NSS User role by logging into the module, and perform an authentication procedure using information unique to that operator (individual password). Role-based authentication is used to safeguard a user's '''private key''' information. However, Discretionary Access Control (DAC) is used to safeguard all other NSS User information (e.g., the public key certificate database).


==Strength of Authentication Mechanism==
===Strength of Authentication Mechanism===


In FIPS mode, the NSS cryptographic module imposes the following requirements on the password.
In FIPS mode, the NSS cryptographic module imposes the following requirements on the password.
Line 1,361: Line 1,365:
* authentication data (passwords)
* authentication data (passwords)
* audited events and audit data
* audited events and audit data
== Means of Access ==
Prior to execution of the Client or Server products, the Security Libraries are stored on disk in compiled binary form. The NSS cryptographic module relies on Discretionary Access Controls (DAC) to protect the binary image from being tampered with.
== Role-based Authentication ==
The NSS cryptographic module uses role-based authentication.  It uses a single-role mechanism referred to above as a NSS User. Authentication shall always be required upon initializing the NSS cryptographic module in the FIPS mode. If a PKCS #11 function that requires authentication is called before the NSS User is authenticated, it returns the <code>CKR_USER_NOT_LOGGED_IN</code> error code. Call the PKCS #11 function <code>FC_Login</code> to provide the required authentication.


== Mitigation of Other Attacks ==
== Mitigation of Other Attacks ==
Line 1,525: Line 1,523:
== Platform List ==
== Platform List ==
* Level 1
* Level 1
** RHEL 4 x86
** Red Hat Enterprise Linux 4 x86
** Windows XP Service Pack 2
** Windows XP Service Pack 2
** 64-bit Solaris 10 AMD64
** 64-bit Solaris 10 AMD64
Line 1,532: Line 1,530:


* Level 2
* Level 2
** RHEL 4 x86_86
** Red Hat Enterprise Linux 4 x86_86
** 64-bit Trusted Solaris 8 SPARC
** 64-bit Trusted Solaris 8 SPARC


Wtchang
canmove, Confirmed users
937

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/32090"

Navigation menu