VE 07KeyMgmt: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
mNo edit summary
No edit summary
Line 3: Line 3:
'''Key Management'''
'''Key Management'''


# The SSL2.0 and SSL3.0 specification details how public key certificates are exchanged over the network.
# Our private key and certificate databases (for both client and server products) is a B-tree (DBM) indexed flat file (regular file).
# Our private key and certificate databases [for both client and server products] is a B-tree (DBM) indexed flat file [regular file].
# The private key is stored encrypted using DES-EDE3 (triple-DES) in all cases -- export or domestic, FIPS or non-FIPS.
# The private key is stored encrypted using DES-EDE3 [triple-DES] [in all cases -- export or domestic, FIPS or non-FIPS].
# The private keys are not stored in plaintext.
# The private keys are not stored in plain text.
# In non-internal cryptographic service providers (see PKCS #11 specification), the CSP provides its own implementation of key storage -- this document describes just the internal CSPs provided in NSS.
# In non-internal cryptographic service providers [see PKCS#11 specification], the CSP provides its own implementation of key storage -- this document describes just the internal CSPs provided in NSS.
# The X509 v3 certificates are stored DER encoded in the DBM file.
# The X509v3 certificates are stored DER encoding in the DBM file.
# The certificates are not encrypted, but are digitally signed by the Certification Authority (CA) that created them.
# The certificates are not encrypted, but are digitally signed by the Certification Authority [CA] that created them.
# PKCS #12 (or previously known as PFX) defines a protocol for wrapping (encrypting) and unwrapping (decrypting) private key material and related certificates for import/export.
# PKCS#12 (or previously known as PFX) defines a protocol for wrapping (encrypting) and unwrapping (decrypting) private key material and related certificates for import/export.
# The exported private key is encrypted with a DES-EDE3 (triple-DES) key derived from a user provided password -- see PKCS #5 below.
# The exported private key is encrypted with a DES-EDE3 [triple-DES] key derived from a user provided password -- see PKCS#5 below.
# No passwords (e.g., the export password for PKCS #12, or the private key database password) are stored on disk in plaintext.
# No passwords (e.g., the export password for PKCS#12, or the private key database password) are stored on disk in plain text.
# PKCS #5 is used to convert a user's password to a DES-EDE3 (triple-DES) key that is used to encrypt a known plaintext to determine if it matches the password stored in the database, or in the case of exported private key.
# PKCS#5 is used to convert a users password to a DES-EDE3 [triple-DES] key that is used to encrypted a known plain-text to determine if it matches the password stored in the database, or in the case of exported private key.
# Prior to exiting the Cryptographic Module, all plaintext session IDs (for SSL), passwords entered by users, and private key (stored on disk) are zeroed from memory.
# Prior to exiting the Cryptographic Module, all plain text session ids (for SSL), passwords entered by users, and private key (stored on disk) are zeroed from memory.
# PKCS #12 can be used to archive a wrapped (encrypted) private key for recovery purposes.
# PKCS#12 can be used to archive a wrapped (encrypted) private key for recovery purposes.
# Our use of DES and DES-EDE3, as called out in PKCS #12, are FIPS 46-3 validated.
# Our use of DES and DES-EDE3, as called out in PKCS#12, are FIPS 46-3 validated.
# NSS's triple-DES implementation conforms to FIPS 46-3. ( [http://csrc.nist.gov/cryptval/des/tripledesval.html TripleDES])
# NSS's triple-DES implementation conforms to FIPS 46-3. ( [http://csrc.nist.gov/cryptval/des/tripledesval.html TripleDES])
# NSS's SHA-1 implementation conforms to FIPS 180-2. See [http://csrc.nist.gov/cryptval/shs/shaval.htm SHS].
# NSS's SHA-1 implementation conforms to FIPS 180-2. See [http://csrc.nist.gov/cryptval/shs/shaval.htm SHS].
# NSS's DSA implementation conforms to FIPS 186-2. ([http://csrc.nist.gov/cryptval/dss/dsaval.htm DSA])
# NSS's DSA implementation conforms to FIPS 186-2. ([http://csrc.nist.gov/cryptval/dss/dsaval.htm DSA])
# All key/certificate management operations of the NSS cryptogrpahic service provides (CSPs) are FIPS 140-2 validated.
# All key/certificate management operations of the NSS cryptogrpahic service providers (CSPs) are FIPS 140-2 validated.


'''Key Generation'''
'''Key Generation'''


The prime numbers that are generated for both RSA and DSA are tested using FIPS 186 [2.1. A PROBABILISTIC PRIMALITY TEST] --
The prime numbers that are generated for both RSA and DSA are tested using FIPS 186-2 [APPENDIX 2.1. A PROBABILISTIC PRIMALITY TEST] --
Rabin test.
Miller-Rabin test.


'''Key Distribution Technique'''
'''Key Establishment Technique'''


Not applicable.
Not applicable.

Revision as of 23:16, 8 May 2006

This is a draft document

Key Management

  1. Our private key and certificate databases (for both client and server products) is a B-tree (DBM) indexed flat file (regular file).
  2. The private key is stored encrypted using DES-EDE3 (triple-DES) in all cases -- export or domestic, FIPS or non-FIPS.
  3. The private keys are not stored in plaintext.
  4. In non-internal cryptographic service providers (see PKCS #11 specification), the CSP provides its own implementation of key storage -- this document describes just the internal CSPs provided in NSS.
  5. The X509 v3 certificates are stored DER encoded in the DBM file.
  6. The certificates are not encrypted, but are digitally signed by the Certification Authority (CA) that created them.
  7. PKCS #12 (or previously known as PFX) defines a protocol for wrapping (encrypting) and unwrapping (decrypting) private key material and related certificates for import/export.
  8. The exported private key is encrypted with a DES-EDE3 (triple-DES) key derived from a user provided password -- see PKCS #5 below.
  9. No passwords (e.g., the export password for PKCS #12, or the private key database password) are stored on disk in plaintext.
  10. PKCS #5 is used to convert a user's password to a DES-EDE3 (triple-DES) key that is used to encrypt a known plaintext to determine if it matches the password stored in the database, or in the case of exported private key.
  11. Prior to exiting the Cryptographic Module, all plaintext session IDs (for SSL), passwords entered by users, and private key (stored on disk) are zeroed from memory.
  12. PKCS #12 can be used to archive a wrapped (encrypted) private key for recovery purposes.
  13. Our use of DES and DES-EDE3, as called out in PKCS #12, are FIPS 46-3 validated.
  14. NSS's triple-DES implementation conforms to FIPS 46-3. ( TripleDES)
  15. NSS's SHA-1 implementation conforms to FIPS 180-2. See SHS.
  16. NSS's DSA implementation conforms to FIPS 186-2. (DSA)
  17. All key/certificate management operations of the NSS cryptogrpahic service providers (CSPs) are FIPS 140-2 validated.

Key Generation

The prime numbers that are generated for both RSA and DSA are tested using FIPS 186-2 [APPENDIX 2.1. A PROBABILISTIC PRIMALITY TEST] -- Miller-Rabin test.

Key Establishment Technique

Not applicable.

Entity Association Assurance

The public and private keys are correlated based on Distinguished Name information contained in the public key certificate, or in the private key information fields. The X.500 standard describes how this correlation is accomplished.

Manually Distributed Secret Keys

Not applicable.

Manually Distributed Secret Key Procedures

Not applicable.


Random Number Generator

TBS.

Retrieved from "https://wiki.mozilla.org/index.php?title=VE_07KeyMgmt&oldid=25317"