MozillaWiki

Security Policy: Difference between revisions

Page Discussion

Security Policy (view source)

Revision as of 20:52, 23 March 2007

39,876 bytes removed ,  23 March 2007
m
→‎Access Control Policy
Line 26: Line 26:




==Access Control Policy==


This section identifies the cryptographic keys and CSPs that the user has access to while performing a service, and the type of access the user has to the CSPs.
=== Security-Relevant Information ===
The NSS cryptographic module employs the following cryptographic keys and CSPs in the FIPS Approved mode of operation.
* AES secret keys: The module supports 128-bit, 192-bit, and 256-bit AES keys. The keys may be stored in memory or in the private key database (key3.db).
* Triple DES secret keys: 168-bit. The keys may be stored in memory or in the private key database (key3.db).
* HMAC secret keys: HMAC key size must be greater than or equal to half the size of the hash function output. The keys may be stored in memory or in the private key database (key3.db).
* DSA public keys and private keys: The module supports DSA key sizes of 512-1024 bits. The keys may be stored in memory or in the private key database (key3.db).
* RSA public keys and private keys (used for digital signatures and key transport): The module supports RSA key sizes of 1024-8192 bits. The keys may be stored in memory or in the private key database (key3.db).
* EC public keys and private keys (used for ECDSA digital signatures and EC Diffie-Hellman key agreement): The module supports elliptic curve key sizes of 163-571 bits. (See the section "Non-NIST-Recommended Elliptic Curves" below.) The keys may be stored in memory or in the private key database (key3.db).
* Diffie-Hellman public keys and private keys (used for key agreement): The module supports Diffie-Hellman public key sizes of 1024-2236 bits. The keys may be stored in memory or in the private key database (key3.db).
* TLS premaster secret (used in deriving the TLS master secret): 48-byte. Stored in memory.
* TLS master secret (used in the generation of symmetric cipher keys, IVs, and MAC secrets for TLS): 48-byte. Stored in memory.
* seed key of the Approved random number generator: 256-bit. Stored in memory.
* authentication data (passwords): Stored in the private key database (key3.db).
* audited events and audit data (Security Level 2 only): Stored in the system audit logs.
====Non-NIST-Recommended Elliptic Curves====
The '''basic ECC''' version of the NSS cryptographic module only implements the NIST-Recommended elliptic curves P-256, P-384, and P-521 in FIPS 186-2.
The '''extended ECC''' version of the NSS cryptographic module implements all the NIST-Recommended elliptic curves and the following non-NIST-Recommended curves:
* ANSI X9.62 prime curves
** prime192v2
** prime192v3
** prime239v1
** prime239v2
** prime239v3
* ANSI X9.62-1998 binary curves
** c2pnb163v1
** c2pnb163v2
** c2pnb163v3
** c2pnb176w1 (disallowed in ANSI X9.62-2005). Note: the NSS cryptographic module incorrectly named this curve c2pnb176'''v'''1.
** c2tnb191v1
** c2tnb191v2
** c2tnb191v3
** c2pnb208w1 (disallowed in ANSI X9.62-2005)
** c2tnb239v1
** c2tnb239v2
** c2tnb239v3
** c2pnb272w1 (disallowed in ANSI X9.62-2005)
** c2pnb304w1 (disallowed in ANSI X9.62-2005)
** c2tnb359v1
** c2pnb368w1 (disallowed in ANSI X9.62-2005)
** c2tnb431r1
* SEC 2 prime curves
** secp112r1
** secp112r2
** secp128r1
** secp128r2
** secp160k1
** secp160r1
** secp160r2
** secp192k1
** secp224k1
** secp256k1
* SEC 2 binary curves
** sect113r1
** sect113r2
** sect131r1
** sect131r2
** sect163r1
** sect193r1
** sect193r2
** sect239k1
Although FIPS 140-2 Implementation Guidance IG 1.6 allows the use of non-NIST-Recommended curves in the FIPS Approved mode of operation, we recommend that the non-NIST-Recommended curves not be used in the FIPS mode.
===Specification of Services===
The Crypto Officer role is assumed implicitly during installation or initialization of the module. The NSS User role is assumed explicitly by authenticating, or logging in, to the module. Some services require the user to assume the NSS User role. Other services do not impose any role requirement.
Each service is provided by a PKCS #11 function.  The following table lists the defined services and correlates role, service type and type of access to security-relevant information. Access type is Read/Write/Zeroize.
<table style="height: 2066px;" border="1">
    <tr valign="top">
      <td
style="text-align: center; vertical-align: middle; width: 101px;">
      <p><font face="Palatino"><font size="2"><b>Service
Category</b></font></font></p>
      </td>
      <td
style="text-align: center; font-weight: bold;">
      <p><font face="Palatino"><font size="2"><b>Role</b></font></font></p>
      </td>
      <td
style="text-align: center; vertical-align: middle; width: 155px;">
      <p style="width: 187px;"><font face="Palatino"><font
size="2"><b>Function Name</b></font></font></p>
      </td>
      <td
style="text-align: center; vertical-align: middle; width: 321px;">
      <p><font face="Palatino"><font size="2"><b>Description</b></font></font></p>
      </td>
      <td
style="width: 116px; font-weight: bold; text-align: center; vertical-align: middle;">
      <p><font face="Palatino"><font size="2"><b>CSPs<br>
Accessed</b></font></font></p>
      </td>
      <td style="text-align: center; vertical-align: middle;">
      <p><font face="Palatino"><font size="2"><b>Access
type,<br>
e.g.
RWZ</b></font></font></p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 101px;">
      <p><font face="Palatino"><font size="2">FIPS
140-2 specific</font></font></p>
      </td>
      <td></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_GetFunctionList</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">return
the list of FIPS 140-2 functions</font></font></p>
      </td>
      <td style="width: 116px;">none</td>
      <td>
      <p align="center">-</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 101px;" rowspan="3">
      <p><font face="Palatino"><font size="2">Module Initialization</font></font></p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>Crypto Officer</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_</font></font><font
face="Palatino"><font size="2">InitToken</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">initializes or re-initializes
a token</font></font></p>
      </td>
      <td style="width: 116px;">password and all keys</td>
      <td>
      <p align="center">Z</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>Crypto Officer</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_</font></font><font
face="Palatino"><font size="2">InitPIN</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">initializes
the normal user's password</font></font></p>
      </td>
      <td style="width: 116px;">password</td>
      <td>
      <p align="center">W</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 101px;" rowspan="3">
      <p><font size="2"><font face="Palatino">General</font></font><br>
      <font size="2"><font face="Palatino">purpose</font></font></p>
      </td>
      <td style="width: 91px;"></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_Initialize</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">initializes the module library for the FIPS mode of operation. This function provides the power-up self-test service</font></font></p>
      </td>
      <td style="width: 116px;">none</td>
      <td>
      <p align="center">-</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_Finalize</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">finalizes (shuts down) the
module library</font></font></p>
      </td>
      <td style="width: 116px;">all keys</td>
      <td>
      <p align="center">Z</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_GetInfo</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">obtains
general information about the module library</font></font></p>
      </td>
      <td style="width: 116px;">none</td>
      <td>
      <p align="center">-</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 101px;" rowspan="7">
      <p><font size="2"><font face="Palatino">Slot
and</font></font><br>
      <font size="2"><font face="Palatino">token</font></font><br>
      <font size="2"><font face="Palatino">management</font></font></p>
      </td>
      <td style="width: 91px;"></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_GetSlotList</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">obtains
a list of slots in the system</font></font></p>
      </td>
      <td style="width: 116px;">none</td>
      <td>
      <p align="center">-</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_GetSlotInfo</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">obtains
information about a particular slot</font></font></p>
      </td>
      <td style="width: 116px;">none</td>
      <td>
      <p align="center">-</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_GetTokenInfo</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">obtains
information about the token. This function provides the Show Status
service.</font></font></p>
      </td>
      <td style="width: 116px;">none</td>
      <td>
      <p align="center">-</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_GetMechansimList</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">obtains
a list of mechanisms supported by a token</font></font></p>
      </td>
      <td style="width: 116px;">none</td>
      <td>
      <p align="center">-</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_GetMechanismInfo</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">obtains
information about a particular mechanism</font></font></p>
      </td>
      <td style="width: 116px;">none</td>
      <td>
      <p align="center">-</p>
      </td>
    </tr>
    <tr valign="top">
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_SetPIN</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">changes
the password of the current user</font></font></p>
      </td>
      <td style="width: 116px;">password</td>
      <td>
      <p align="center">RW</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 101px;" rowspan="8">
      <p><font face="Palatino"><font size="2">Session
management</font></font></p>
      </td>
      <td style="width: 91px;"></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_OpenSession</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">opens
a connection or "session" between an application and a particular token</font></font></p>
      </td>
      <td style="width: 116px;">none</td>
      <td>
      <p align="center">-</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_CloseSession</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">closes
a session</font></font></p>
      </td>
      <td style="width: 116px;">session's keys</td>
      <td>
      <p align="center">Z</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_CloseAllSessions</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">closes
all sessions with a token</font></font></p>
      </td>
      <td style="width: 116px;">all keys</td>
      <td>
      <p align="center">Z</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_GetSessionInfo</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">obtains
information about the session</font></font></p>
      </td>
      <td style="width: 116px;">none</td>
      <td>
      <p align="center">-</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_GetOperationState</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">saves
the state of the cryptographic operation in a session. This function is only implemented for message digest operations.</font></font></p>
      </td>
      <td style="width: 116px;">none</td>
      <td>
      <p align="center">-</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_SetOperationState</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">restores
the state of the cryptographic operation in a session. This function is only implemented for message digest operations.</font></font></p>
      </td>
      <td style="width: 116px;">none</td>
      <td>
      <p align="center">-</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_Login</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">logs
into a token</font></font></p>
      </td>
      <td style="width: 116px;">password</td>
      <td>
      <p align="center">R</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_Logout</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">logs
out from a token</font></font></p>
      </td>
      <td style="width: 116px;">none</td>
      <td>
      <p align="center">-</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 101px;" rowspan="9">
      <p><font size="2"><font face="Palatino">Object</font></font><br>
      <font size="2"><font face="Palatino">management</font></font></p>
      </td>
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_CreateObject</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">creates
an object</font></font></p>
      </td>
      <td style="width: 116px;">key</td>
      <td>
      <p align="center">W</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_CopyObject</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">creates
a copy of an object</font></font></p>
      </td>
      <td style="width: 116px;">original key<br>
new key</td>
      <td style="text-align: center;"> R<br>
W</td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_DestroyObject</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">destroys
an object</font></font></p>
      </td>
      <td style="width: 116px;">key</td>
      <td>
      <p align="center">Z</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_GetObjectSize</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">obtains
the size of an object in bytes</font></font></p>
      </td>
      <td style="width: 116px;">key</td>
      <td>
      <p align="center">R</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_GetAttributeValue</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">obtains
an attribute value of an object</font></font></p>
      </td>
      <td style="width: 116px;">key</td>
      <td>
      <p align="center">R</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_SetAttributeValue</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">modifies
an attribute value of an object</font></font></p>
      </td>
      <td style="width: 116px;">key</td>
      <td>
      <p align="center">W</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_FindObjectsInit</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">initializes
an object search operation</font></font></p>
      </td>
      <td style="width: 116px;">none</td>
      <td>
      <p align="center">-</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_FindObjects</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">continues
an object search operation</font></font></p>
      </td>
      <td style="width: 116px;">keys matching the search criteria</td>
      <td>
      <p align="center">R</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_FindObjectsFinal</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">finishes
an object search operation</font></font></p>
      </td>
      <td style="width: 116px;">none</td>
      <td>
      <p align="center">-</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 101px;" rowspan="8">
      <p><font size="2"><font face="Palatino">Encryption</font></font>
      <font size="2"><font face="Palatino">and</font></font><br>
      <font size="2"><font face="Palatino">decryption</font></font></p>
      </td>
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_EncryptInit</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">initializes
an encryption operation</font></font></p>
      </td>
      <td style="width: 116px;">encryption key</td>
      <td>
      <p align="center">R</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_Encrypt</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">encrypts
single-part data</font></font></p>
      </td>
      <td style="width: 116px;">encryption key</td>
      <td>
      <p align="center">R</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_EncryptUpdate</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">continues
a multiple-part encryption operation</font></font></p>
      </td>
      <td style="width: 116px;">encryption key</td>
      <td>
      <p align="center">R</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_EncryptFinal</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">finishes
a multiple-part encryption operation</font></font></p>
      </td>
      <td style="width: 116px;">encryption key</td>
      <td>
      <p align="center">R</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_DecryptInit</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">initializes
a decryption operation</font></font></p>
      </td>
      <td style="width: 116px;">decryption key</td>
      <td>
      <p align="center">R</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_Decrypt</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">decrypts
single-part encrypted data</font></font></p>
      </td>
      <td style="width: 116px;">decryption key</td>
      <td>
      <p align="center">R</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_DecryptUpdate</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">continues
a multiple-part decryption operation</font></font></p>
      </td>
      <td style="width: 116px;">decryption key</td>
      <td>
      <p align="center">R</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_DecryptFinal</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">finishes
a multiple-part decryption operation</font></font></p>
      </td>
      <td style="width: 116px;">decryption key</td>
      <td>
      <p align="center">R</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 101px;" rowspan="5">
      <p><font size="2"><font face="Palatino">Message</font></font><br>
      <font size="2"><font face="Palatino">digesting</font></font></p>
      </td>
      <td style="width: 91px;"></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_DigestInit</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">initializes
a message-digesting operation</font></font></p>
      </td>
      <td style="width: 116px;">none</td>
      <td>
      <p align="center">-</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_Digest</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">digests
single-part data</font></font></p>
      </td>
      <td style="width: 116px;">none</td>
      <td>
      <p align="center">-</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_DigestUpdate</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">continues
a multiple-part digesting operation</font></font></p>
      </td>
      <td style="width: 116px;">none</td>
      <td>
      <p align="center">-</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_DigestKey</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">continues
a multi-part message-digesting operation by digesting the value of a
secret key as part of the data already digested</font></font></p>
      </td>
      <td style="width: 116px;"><br>
key</td>
      <td>
      <p align="center"></p>
      <p align="center">R</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_DigestFinal</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">finishes
a multiple-part digesting operation</font></font></p>
      </td>
      <td style="width: 116px;">none</td>
      <td>
      <p align="center">-</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 101px;" rowspan="12">
      <p><font size="2"><font face="Palatino">Signature</font></font>
      <font size="2"><font face="Palatino">and</font></font><br>
      <font size="2"><font face="Palatino">verification</font></font></p>
      </td>
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_SignInit</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">initializes
a signature operation</font></font></p>
      </td>
      <td style="width: 116px;">signing/HMAC key</td>
      <td>
      <p align="center">R</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_Sign</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">signs
single-part data</font></font></p>
      </td>
      <td style="width: 116px;">signing/HMAC key</td>
      <td>
      <p align="center">R</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_SignUpdate</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">continues
a multiple-part signature operation</font></font></p>
      </td>
      <td style="width: 116px;">signing/HMAC key</td>
      <td>
      <p align="center">R</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_SignFinal</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">finishes
a multiple-part signature operation</font></font></p>
      </td>
      <td style="width: 116px;">signing/HMAC key</td>
      <td>
      <p align="center">R</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_SignRecoverInit</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">initializes
a signature operation, where the data can be recovered from the
signature</font></font></p>
      </td>
      <td style="width: 116px;">RSA signing key</td>
      <td>
      <p align="center">R</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_SignRecover</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">signs
single-part data, where the data can be recovered from the signature</font></font></p>
      </td>
      <td style="width: 116px;">RSA signing key</td>
      <td>
      <p align="center">R</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_VerifyInit</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">initializes
a verification operation</font></font></p>
      </td>
      <td style="width: 116px;">verification/HMAC key</td>
      <td>
      <p align="center">R</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_Verify</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">verifies
a signature on single-part data</font></font></p>
      </td>
      <td style="width: 116px;">verification/HMAC key</td>
      <td>
      <p align="center">R</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_VerifyUpdate</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">continues
a multiple-part verification operation</font></font></p>
      </td>
      <td style="width: 116px;">verification/HMAC key</td>
      <td>
      <p align="center">R</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_VerifyFinal</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">finishes
a multiple-part verification operation</font></font></p>
      </td>
      <td style="width: 116px;">verification/HMAC key</td>
      <td>
      <p align="center">R</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_VerifyRecoverInit</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">initializes
a verification operation where the data is recovered from the signature</font></font></p>
      </td>
      <td style="width: 116px;">RSA verification
key</td>
      <td>
      <p align="center">R</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_VerifyRecover</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">verifies
a signature on single-part data, where the data is recovered from the
signature</font></font></p>
      </td>
      <td style="width: 116px;">RSA verification
key</td>
      <td>
      <p align="center">R</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 101px;" rowspan="4">
      <p><font size="2"><font face="Palatino">Dual-function</font></font><br>
      <font size="2"><font face="Palatino">cryptographic</font></font><br>
      <font size="2"><font face="Palatino">operations</font></font></p>
      </td>
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_DigestEncryptUpdate</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">continues
a multiple-part digesting and encryption operation </font></font>
      </p>
      </td>
      <td style="width: 116px;">encryption key</td>
      <td>
      <p align="center">R</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_DecryptDigestUpdate</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">continues
a multiple-part decryption and digesting operation </font></font>
      </p>
      </td>
      <td style="width: 116px;">decryption key</td>
      <td>
      <p align="center">R</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_SignEncryptUpdate</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">continues
a multiple-part signing and encryption operation </font></font>
      </p>
      </td>
      <td style="width: 116px;">signing/HMAC key<br>
encryption key</td>
      <td>
      <p align="center">R</p>
      <p align="center">R</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_DecryptVerifyUpdate</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">continues
a multiple-part decryption and verify operation </font></font>
      </p>
      </td>
      <td style="width: 116px;">decryption key<br>
verification/HMAC key</td>
      <td>
      <p align="center">R</p>
      <p align="center">R</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 101px;" rowspan="5">
      <p><font size="2"><font face="Palatino">Key</font></font><br>
      <font size="2"><font face="Palatino">management</font></font></p>
      </td>
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_GenerateKey</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">generates
a secret key</font></font></p>
      </td>
      <td style="width: 116px;">key</td>
      <td>
      <p align="center">W</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_GenerateKeyPair</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">generates
a public-key/private-key pair</font></font></p>
      </td>
      <td style="width: 116px;">key pair</td>
      <td>
      <p align="center">W</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_WrapKey</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">wraps
(encrypts) a key</font></font></p>
      </td>
      <td style="width: 116px;">wrapping key<br>
key to be wrapped</td>
      <td>
      <p align="center">R</p>
      <p align="center">R</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_UnwrapKey</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">unwraps
(decrypts) a key</font></font></p>
      </td>
      <td style="width: 116px;">unwrapping key<br>
unwrapped key</td>
      <td>
      <p align="center">R</p>
      <p align="center">W</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"><small>NSS User</small></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_DeriveKey</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">derives
a key from a base key</font></font></p>
      </td>
      <td style="width: 116px;">base key<br>
derived key</td>
      <td>
      <p align="center">R</p>
      <p align="center">W</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 101px;" rowspan="2">
      <p><font size="2"><font face="Palatino">Random
number</font></font><br>
      <font size="2"><font face="Palatino">generation</font></font></p>
      </td>
      <td style="width: 91px;"></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_SeedRandom</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">mixes
in additional seed material to the random number generator</font></font></p>
      </td>
      <td style="width: 116px;">RNG seed key</td>
      <td>
      <p align="center">RW</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_GenerateRandom</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">generates
random data. Performs continuous random number generator test</font></font></p>
      </td>
      <td style="width: 116px;">RNG seed key</td>
      <td>
      <p align="center">RW</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 101px;" rowspan="2">
      <p><font face="Palatino"><font size="2">Parallel function management</font></font></p>
      </td>
      <td style="width: 91px;"></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_GetFunctionStatus</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">a legacy function, which simply returns the value 0x00000051 (function not parallel)</font></font></p>
      </td>
      <td style="width: 116px;">none</td>
      <td>
      <p align="center">-</p>
      </td>
    </tr>
    <tr valign="top">
      <td style="width: 91px;"></td>
      <td style="width: 155px;">
      <p><font face="Palatino"><font size="2">FC_CancelFunction</font></font></p>
      </td>
      <td style="width: 321px;">
      <p><font face="Palatino"><font size="2">a legacy function, which simply returns the value 0x00000051 (function not parallel)</font></font></p>
      </td>
      <td style="width: 116px;">none</td>
      <td>
      <p align="center">-</p>
      </td>
    </tr>
</table>


== Mitigation of Other Attacks ==
== Mitigation of Other Attacks ==
Glen
219

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/52832"