VE 07KeyMgmt: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
| Line 1: | Line 1: | ||
''This is a draft document'' | ''This is a draft document'' | ||
''(*s indicate points needing reviewers' attention.)'' | |||
'''Key Management''' | '''Key Management''' | ||
# The SSL2.0 and SSL3.0 specification details how public key certificates are exchanged over the network. | # The SSL2.0 and SSL3.0 specification details how public key certificates are exchanged over the network. | ||
# The Certificate Download [Communicator 4.0] specification details how X509 v3 CA , user, and S/MIME certificates can be downloaded and installed over the network. | # The Certificate Download [Communicator 4.0] specification details how X509 v3 CA , user, and S/MIME certificates can be downloaded and installed over the network. * | ||
# The Netscape Extensions for User Key Generation Communicator 4.0 Version specification details the extensions that cause RSA and DSA keys to be generated. | # The Netscape* Extensions for User Key Generation Communicator 4.0 Version specification details the extensions that cause RSA and DSA keys to be generated. | ||
# Our private key and certificate databases [for both client and server products] is a B-tree (DBM) indexed flat file [regular file]. | # Our private key and certificate databases [for both client and server products] is a B-tree (DBM) indexed flat file [regular file]. | ||
# The private key is stored encrypted using DES-EDE3 [triple-DES] [in all cases -- export or domestic, FIPS or non-FIPS]. | # The private key is stored encrypted using DES-EDE3 [triple-DES] [in all cases -- export or domestic, FIPS or non-FIPS]. | ||
# The private keys | # The private keys are not stored in plain text. | ||
# In non-internal cryptographic service providers [see PKCS#11 specification], the CSP provides its own implementation of key storage -- this document describes just the internal CSPs provided in Netscape products. | # In non-internal cryptographic service providers [see PKCS#11 specification], the CSP provides its own implementation of key storage -- this document describes just the internal CSPs provided in Netscape products. | ||
# The X509v3 certificates are stored DER encoding in the DBM file. | # The X509v3 certificates are stored DER encoding in the DBM file. | ||
| Line 15: | Line 16: | ||
# PKCS#12 (or previously known as PFX) defines a protocol for wrapping (encrypting) and unwrapping (decrypting) private key material and related certificates for import/export. | # PKCS#12 (or previously known as PFX) defines a protocol for wrapping (encrypting) and unwrapping (decrypting) private key material and related certificates for import/export. | ||
# The exported private key is encrypted with a DES-EDE3 [triple-DES] key derived from a user provided password -- see PKCS#5 below. | # The exported private key is encrypted with a DES-EDE3 [triple-DES] key derived from a user provided password -- see PKCS#5 below. | ||
# | # No passwords (e.g., the export password for PKCS#12, or the private key database password) are stored on disk in plain text. | ||
# PKCS#5 is used to convert a users password to a DES-EDE3 [triple-DES] key that is used to encrypted a known plain-text to determine if it matches the password stored in the database, or in the case of exported private key. | # PKCS#5 is used to convert a users password to a DES-EDE3 [triple-DES] key that is used to encrypted a known plain-text to determine if it matches the password stored in the database, or in the case of exported private key. | ||
# Prior to exiting the Cryptographic Module, all plain text session ids (for SSL), passwords entered by users, and private key (stored on disk) are | # Prior to exiting the Cryptographic Module, all plain text session ids (for SSL), passwords entered by users, and private key (stored on disk) are zeroed from memory. | ||
# PKCS#12 can be used to archive a wrapped (encrypted) private key for recovery purposes. | # PKCS#12 can be used to archive a wrapped (encrypted) private key for recovery purposes. | ||
# Our use of DES and DES-EDE3, as called out in PKCS#12, are FIPS 46-2 validated. | # Our use of DES and DES-EDE3, as called out in PKCS#12, are FIPS 46-2 validated. | ||
# See DES Certificate Number 6, indicates that Netscape's DES implementation conforms to FIPS 46-2. | # See DES Certificate Number 6, indicates that Netscape's DES implementation conforms to FIPS 46-2. | ||
# See DES-EDE3 Certificate Number 10, indicates that Netscape's triple-DES implementation also conforms to FIPS 46-2. | # See DES-EDE3 Certificate Number 10, indicates that Netscape's triple-DES implementation also conforms to FIPS 46-2. | ||
# See SHA-1 Certificate Number 3, indicates that Netscape's SHA-1 implementation conforms to FIPS 180-1. | # See SHA-1 Certificate Number 3, indicates that Netscape's SHA-1 implementation conforms to FIPS 180-1. * | ||
# See DSA Certificate Number 3, indicates that Netscape's DSA implementation conforms to FIPS 186. | # See DSA Certificate Number 3, indicates that Netscape's DSA implementation conforms to FIPS 186. * | ||
# All key/certificate management operations of the Netscape software cryptogrpahic service provides (CSPs) are FIPS 140-1 validated. | # All key/certificate management operations of the Netscape software cryptogrpahic service provides (CSPs) are FIPS 140-1 validated. | ||
Revision as of 00:03, 23 February 2006
This is a draft document
(*s indicate points needing reviewers' attention.)
Key Management
- The SSL2.0 and SSL3.0 specification details how public key certificates are exchanged over the network.
- The Certificate Download [Communicator 4.0] specification details how X509 v3 CA , user, and S/MIME certificates can be downloaded and installed over the network. *
- The Netscape* Extensions for User Key Generation Communicator 4.0 Version specification details the extensions that cause RSA and DSA keys to be generated.
- Our private key and certificate databases [for both client and server products] is a B-tree (DBM) indexed flat file [regular file].
- The private key is stored encrypted using DES-EDE3 [triple-DES] [in all cases -- export or domestic, FIPS or non-FIPS].
- The private keys are not stored in plain text.
- In non-internal cryptographic service providers [see PKCS#11 specification], the CSP provides its own implementation of key storage -- this document describes just the internal CSPs provided in Netscape products.
- The X509v3 certificates are stored DER encoding in the DBM file.
- The certificates are not encrypted, but are digitally signed by the Certification Authority [CA] that created them.
- PKCS#12 (or previously known as PFX) defines a protocol for wrapping (encrypting) and unwrapping (decrypting) private key material and related certificates for import/export.
- The exported private key is encrypted with a DES-EDE3 [triple-DES] key derived from a user provided password -- see PKCS#5 below.
- No passwords (e.g., the export password for PKCS#12, or the private key database password) are stored on disk in plain text.
- PKCS#5 is used to convert a users password to a DES-EDE3 [triple-DES] key that is used to encrypted a known plain-text to determine if it matches the password stored in the database, or in the case of exported private key.
- Prior to exiting the Cryptographic Module, all plain text session ids (for SSL), passwords entered by users, and private key (stored on disk) are zeroed from memory.
- PKCS#12 can be used to archive a wrapped (encrypted) private key for recovery purposes.
- Our use of DES and DES-EDE3, as called out in PKCS#12, are FIPS 46-2 validated.
- See DES Certificate Number 6, indicates that Netscape's DES implementation conforms to FIPS 46-2.
- See DES-EDE3 Certificate Number 10, indicates that Netscape's triple-DES implementation also conforms to FIPS 46-2.
- See SHA-1 Certificate Number 3, indicates that Netscape's SHA-1 implementation conforms to FIPS 180-1. *
- See DSA Certificate Number 3, indicates that Netscape's DSA implementation conforms to FIPS 186. *
- All key/certificate management operations of the Netscape software cryptogrpahic service provides (CSPs) are FIPS 140-1 validated.