Background Information
There are several data security and encryption standards in the personal computer industry that cover areas like cryptography, key management, and digital signatures. However, what is missing is a mechanism that comprehends and integrates all these various standards and presents a common interface both for application developers and cryptographic service providers. Common Data Security Architecture (CDSA) is our vision of how to address the need for such a security manager, and is being presented here in an experimental fashion to invite review and comment.

The CDSA specification, as the figure shows, is composed of three parts:

  • A collection of System Security Services
  • A Common Security Services Manager (CSSM)
  • Add-in modules that implement cryptographic operations and trust-model-specific policies

The CSSM is, in turn, made up of four components:

  • Cryptographic Services Manager - Manages the selection and use of cryptographic algorithms and key management. The manager allows applications to query a Cryptographic Service Provider (CSP) and determine if it is available, what algorithms are supported, and the identification of keys stored within the CSP. A CSP typically performs operations like encryption, decryption, digital signatures, key pair generation, random number generation and key exchange.

  • Certificate Services Manager - Responsible for creation, storage, and use of digital certificates. The manager allows an application to view, find, and retrieve a particular certificate as well.

  • Trust Policy Manager - Manages what actions can be performed by a certificate. Trust policies are determined by certificate authorities, institutions that issue certificates, or applications. Multiple trust modules, managed by the Trust Policy Manager, are developed to specify what actions can be performed by a certificate.

  • Database Services Manager - Stores and manages digital certificates. The Database Services Manager uses a Database Library Interface (DLI) to access a user-defined database. All records are protected from undetected tampering by computing an associated digital signature when a record is written to the database. Signatures are verified when records are read from the database.
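
The sign-on-write, verify-on-read behaviour described for the Database Services Manager, as an added sketch that is not CDSA or CSSM code. It assumes HMAC-SHA256 from the Python standard library as a stand-in for the digital signature; the class, method and key names are hypothetical and the records are constructed.

```python
import hashlib
import hmac

class TamperError(Exception):
    """A stored record failed verification on read."""

class SignedStore:
    # Assumption: HMAC-SHA256 stands in for the digital signature the page
    # describes, so the sketch needs only the standard library.
    def __init__(self, key: bytes):
        self._key = key
        self._rows = {}  # record id -> (data, tag); stands in for the database

    def _tag(self, record_id: str, data: bytes) -> bytes:
        # Bind the length-prefixed record id into the tag so a valid
        # (data, tag) pair cannot be moved under another id undetected.
        rid = record_id.encode("utf-8")
        msg = len(rid).to_bytes(4, "big") + rid + data
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def write(self, record_id: str, data: bytes) -> None:
        self._rows[record_id] = (data, self._tag(record_id, data))

    def read(self, record_id: str) -> bytes:
        data, tag = self._rows[record_id]
        # Constant-time comparison of stored and recomputed tags.
        if not hmac.compare_digest(tag, self._tag(record_id, data)):
            raise TamperError(f"record {record_id!r} failed verification")
        return data

def demo() -> dict:
    """Three cases on constructed data: clean read, edited data, moved record."""
    store = SignedStore(key=b"constructed-demo-key")
    store.write("cert-1", b"subject=alice")
    store.write("cert-2", b"subject=bob")
    results = {"clean": store.read("cert-1")}
    # Simulate edits made directly to the backing database.
    data, tag = store._rows["cert-1"]
    store._rows["cert-2"] = (data, tag)                # valid pair, wrong id
    store._rows["cert-1"] = (b"subject=mallory", tag)  # data changed, old tag
    for rid in ("cert-1", "cert-2"):
        try:
            store.read(rid)
            results[rid] = "accepted"
        except TamperError:
            results[rid] = "rejected"
    return results
```

Both direct edits are rejected on read: the changed data no longer matches its tag, and the copied record fails because the tag covers the record id as well as the data.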

In addition, integrity services provide a way to check that the CSSM installation on the machine has not changed.

The lowest layer provides complete extensibility to the architecture through add-in modules that conform to the various interfaces like the Service Provider Interface (SPI), Trust Policy Interface (TPI), Certificate Library Interface (CLI) and Database Library Interface (DLI). For example, SPI allows the addition of CSPs and the TPI implements model-specific and application-specific policies applied to certificates.

System Security Services (which can be built above CSSM) include protocols to implement secure communications, electronic commerce, private data storage, and utilities for installing and managing the security infrastructure itself.

Please send comments to cdsa@ibeam.intel.com

