ModuleInterfaces

From MozillaWiki

Revision as of 17:39, 20 May 2006

This is a draft

Physical Ports

The NSS module is a software-only implementation. All keys, encrypted data, and control information are exchanged through calls to library functions (the logical interfaces described below). The physical ports, physical covers, doors or openings, manual controls, and physical status indicators of the NSS module are those of the general-purpose computer on which it runs.

Logical Interfaces

The following four logical interfaces have been designed within the NSS module.

  • Data input interface: function input arguments that specify plaintext data; ciphertext or signed data; cryptographic keys (plaintext or encrypted) and initialization vectors; and passwords that are to be input to and processed by the NSS module.
  • Data output interface: function output arguments that receive plaintext data; ciphertext data and digital signatures; and cryptographic keys (plaintext or encrypted) and initialization vectors from the NSS module.
  • Control input interface: function input arguments that specify commands or that select algorithms, modes of operation, and other control data (for example, the mechanism passed to an operation's init call).
  • Status output interface: function return codes or output arguments that report the outcome of an operation (success, or the error that stopped it) to the caller.

The logical interfaces of the NSS module consist of the following APIs.

PKCS #11

This defines NSS's PKCS #11 (Cryptoki) implementation. The API itself is considered to define the top edge of the cryptographic boundary, i.e., all application and upper-level library access to the FIPS module is through this API. Also included in this module are the FIPS PKCS #11 token and the cryptographic algorithm support library called freebl. The FIPS PKCS #11 token is a Cryptoki token designed specifically for FIPS, and allows applications using NSS to operate in a strictly FIPS mode.

The functions in the PKCS #11 API are listed in Table II of the Security Policy.
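The following is an added example, not code from the NSS project or from this security policy. It shows what the four logical interfaces listed above look like in practice at the top edge of the boundary: one SHA-256 digest driven through the PKCS #11 API, with the mechanism as control input, the message as data input, the digest buffer as data output, and the CK_RV checked as status output after every call. The module is loaded with dlopen(), so it builds with just `cc -o p11sha256 p11sha256.c -ldl` and needs no PKCS #11 header. Everything not stated on this page is an assumption: the default softoken path, that softoken exports FC_GetFunctionList for the FIPS token and C_GetFunctionList for the non-FIPS token, the NSS configuration-string syntax placed in pReserved, and the hand-copied subset of the standard PKCS #11 type definitions.

```c
/* Added example, not NSS project code: one SHA-256 through the NSS FIPS
 * PKCS #11 token, exercising the data input, data output, control input and
 * status output interfaces. Build: cc -o p11sha256 p11sha256.c -ldl */
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

/* Hand-copied subset of the standard PKCS #11 types, in pkcs11f.h order; a
 * real program should include the official pkcs11.h instead. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV, CK_FLAGS, CK_SLOT_ID, CK_SESSION_HANDLE, CK_MECHANISM_TYPE;
typedef unsigned char CK_BYTE, CK_BBOOL;
typedef void *CK_VOID_PTR;
typedef struct { CK_BYTE major, minor; } CK_VERSION;
typedef struct { CK_MECHANISM_TYPE mechanism; CK_VOID_PTR pParameter; CK_ULONG ulParameterLen; } CK_MECHANISM;
typedef struct { CK_VOID_PTR CreateMutex, DestroyMutex, LockMutex, UnlockMutex;
                 CK_FLAGS flags; CK_VOID_PTR pReserved; } CK_C_INITIALIZE_ARGS;
typedef struct {
    CK_VERSION version;
    CK_RV (*C_Initialize)(CK_VOID_PTR);
    CK_RV (*C_Finalize)(CK_VOID_PTR);
    CK_VOID_PTR C_GetInfo, C_GetFunctionList;
    CK_RV (*C_GetSlotList)(CK_BBOOL, CK_SLOT_ID *, CK_ULONG *);
    CK_VOID_PTR C_GetSlotInfo, C_GetTokenInfo, C_GetMechanismList, C_GetMechanismInfo,
                C_InitToken, C_InitPIN, C_SetPIN;
    CK_RV (*C_OpenSession)(CK_SLOT_ID, CK_FLAGS, CK_VOID_PTR, CK_VOID_PTR, CK_SESSION_HANDLE *);
    CK_RV (*C_CloseSession)(CK_SESSION_HANDLE);
    CK_VOID_PTR C_CloseAllSessions, C_GetSessionInfo, C_GetOperationState, C_SetOperationState,
                C_Login, C_Logout, C_CreateObject, C_CopyObject, C_DestroyObject, C_GetObjectSize,
                C_GetAttributeValue, C_SetAttributeValue, C_FindObjectsInit, C_FindObjects,
                C_FindObjectsFinal, C_EncryptInit, C_Encrypt, C_EncryptUpdate, C_EncryptFinal,
                C_DecryptInit, C_Decrypt, C_DecryptUpdate, C_DecryptFinal;
    CK_RV (*C_DigestInit)(CK_SESSION_HANDLE, CK_MECHANISM *);
    CK_RV (*C_Digest)(CK_SESSION_HANDLE, CK_BYTE *, CK_ULONG, CK_BYTE *, CK_ULONG *);
    /* the real struct continues; nothing past C_Digest is touched here */
} CK_FUNCTION_LIST;
typedef CK_RV (*CK_C_GetFunctionList)(CK_FUNCTION_LIST **);

#define CKR_OK             0x000UL
#define CKR_GENERAL_ERROR  0x005UL
#define CKF_OS_LOCKING_OK  0x002UL
#define CKF_SERIAL_SESSION 0x004UL
#define CKM_SHA256         0x250UL
#define CK_TRUE            1
/* Our own codes for failures that happen before the module can report a CK_RV. */
#define ERR_DLOPEN ((CK_RV)-1)
#define ERR_SYMBOL ((CK_RV)-2)
#define ERR_NOSLOT ((CK_RV)-3)

/* Assumed default module path; adjust for your distribution. */
#define DEFAULT_MODULE "/usr/lib/x86_64-linux-gnu/libsoftokn3.so"
/* NSS extension (assumed syntax): softoken reads its configuration string from
 * pReserved; these flags ask for a token without cert/key databases. */
static char nss_params[] =
    "configdir='' certPrefix='' keyPrefix='' secmod='' flags=noCertDB,noModDB,forceOpen";

/* Hash msg with SHA-256 through the token in `module`, entered via `entry`.
 * Returns CKR_OK and fills out[32], otherwise the first failing status. */
CK_RV sha256_via_pkcs11(const char *module, const char *entry,
                        const CK_BYTE *msg, CK_ULONG msg_len, CK_BYTE out[32])
{
    CK_FUNCTION_LIST *p11 = NULL;
    CK_C_INITIALIZE_ARGS args = {0};
    CK_SLOT_ID slots[8];
    CK_ULONG nslots = 8, out_len = 32;
    CK_SESSION_HANDLE session;
    CK_MECHANISM mech = { CKM_SHA256, NULL, 0 };   /* control input: algorithm */
    CK_RV rv;
    void *lib = dlopen(module, RTLD_NOW);
    if (!lib) return ERR_DLOPEN;
    CK_C_GetFunctionList getlist = (CK_C_GetFunctionList)dlsym(lib, entry);
    if (!getlist) { dlclose(lib); return ERR_SYMBOL; }

    if ((rv = getlist(&p11)) != CKR_OK) goto out_close;
    args.flags = CKF_OS_LOCKING_OK;
    args.pReserved = nss_params;                    /* control input: configuration */
    if ((rv = p11->C_Initialize(&args)) != CKR_OK) goto out_close; /* FIPS self-tests run here */
    if ((rv = p11->C_GetSlotList(CK_TRUE, slots, &nslots)) != CKR_OK) goto out_fin;
    if (nslots == 0) { rv = ERR_NOSLOT; goto out_fin; }
    if ((rv = p11->C_OpenSession(slots[0], CKF_SERIAL_SESSION, NULL, NULL, &session)) != CKR_OK)
        goto out_fin;
    if ((rv = p11->C_DigestInit(session, &mech)) == CKR_OK) {
        /* data input: msg; data output: out; status output: rv */
        rv = p11->C_Digest(session, (CK_BYTE *)msg, msg_len, out, &out_len);
        if (rv == CKR_OK && out_len != 32) rv = CKR_GENERAL_ERROR;
    }
    p11->C_CloseSession(session);
out_fin:
    p11->C_Finalize(NULL);
out_close:
    dlclose(lib);
    return rv;
}

/* Known-answer test on "abc" (FIPS 180-2 vector). 1 = match, 0 = token answered
 * but value differs, -1 = module/entry not loadable, -2 = module reported an error. */
int known_answer_test(const char *module, const char *entry)
{
    static const CK_BYTE want[32] = {
        0xba,0x78,0x16,0xbf,0x8f,0x01,0xcf,0xea,0x41,0x41,0x40,0xde,0x5d,0xae,0x22,0x23,
        0xb0,0x03,0x61,0xa3,0x96,0x17,0x7a,0x9c,0xb4,0x10,0xff,0x61,0xf2,0x00,0x15,0xad };
    CK_BYTE got[32];
    CK_RV rv = sha256_via_pkcs11(module, entry, (const CK_BYTE *)"abc", 3, got);
    if (rv == ERR_DLOPEN || rv == ERR_SYMBOL) return -1;
    if (rv != CKR_OK) { fprintf(stderr, "PKCS #11 status 0x%lx\n", rv); return -2; }
    return memcmp(got, want, 32) == 0;
}

int main(int argc, char **argv)
{
    const char *module = argc > 1 ? argv[1] : DEFAULT_MODULE;
    const char *entry  = argc > 2 ? argv[2] : "FC_GetFunctionList"; /* FIPS token entry */
    int r = known_answer_test(module, entry);
    printf("%s via %s: %s\n", module, entry,
           r == 1 ? "SHA-256 KAT passed" : r == 0 ? "KAT MISMATCH" :
           r == -1 ? "module or entry point not found" : "module returned an error");
    return r == 1 ? 0 : 1;
}
```

Run it as `./p11sha256 /path/to/libsoftokn3.so FC_GetFunctionList` for the FIPS token, or with `C_GetFunctionList` for the ordinary token. Two caveats from experience with NSS in FIPS mode, both stated here as the writer's understanding rather than anything this page says: C_Initialize on the FIPS token runs the power-up self-tests, including the software integrity check against the module's .chk files, and returns CKR_DEVICE_ERROR if they are missing or do not match; and any operation that touches a key on the FIPS token fails with CKR_USER_NOT_LOGGED_IN until the application has called C_Login, whereas a bare digest does not require a login. Declaring only a prefix of CK_FUNCTION_LIST is safe because the standard fixes the order of the entries, but it is exactly the kind of shortcut to drop in production code in favour of the real header.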

S/MIME

Interfaces for S/MIME version 3 and PKCS #7 secure mail. Not part of the cryptographic boundary.

SSL/TLS

Interfaces for Secure Sockets Layer and Transport Layer Security. Not part of the cryptographic boundary.

Certificate

Used for high-level certificate calls, for example processing the parts of a certificate, and CRL management. Not part of the cryptographic boundary.

Key

High-level private/public key calls. Includes retrieving information about a key, such as its strength. Not part of the cryptographic boundary.

Crypto

Provides high-level access to hashing, signature, and verification operations; the cryptographic work itself is performed by the PKCS #11 module. Not part of the cryptographic boundary.

PKCS #12

Interface for PKCS #12 (Personal Information Exchange Syntax). Used to import and export certificates and private keys in a password-protected container. Not part of the cryptographic boundary.

CRMF

Interfaces for CRMF (Certificate Request Message Format) and CMMF (Certificate Management Message Formats). Not part of the cryptographic boundary.

JAR

Signed object interface (signed JAR archives). Not part of the cryptographic boundary.