Common Security: CDSA and CSSM
Copyright © 1997 The Open Group
Screening Requests Based on Complex Policies
Not all policies can be served by the simple CSSM screening mechanisms
described in the previous section. Complex policy definitions represent
a challenge to clever systems designers. In response, these designers
are building more complex protocols and mechanisms to provide
applications with a broader range of security services while still
complying with stated policies.
Complex Policies
A policy is deemed complex if conformance to it, and evaluation of it,
requires either of the following:
- Evaluation of a sequence of state transitions to determine whether the
security service request is permitted
- Additional, explicit API calls by the application to establish the
pre-conditions required before a policy-controlled operation may be performed
Elective service modules, together with CSSM support for communication
between module managers, can be used to evaluate this type of policy
statement.
Evaluation of a Sequence of Events
When a policy definition requires checking a sequence of application
operations, state must be maintained in or by the module managers of
CSSM. Using information sharing, as described in
the Common Data Security Architecture (CDSA) Specification,
module managers can work together
to maintain information on an application's sequence of requests. These
same information-sharing mechanisms are used by elective module
managers and basic module managers alike. This design approach allows a
module manager to screen application requests by accumulating the
required state information and evaluating compliance when the request
is made, as if all of the required status information were simply
available now, rather than having been collected over a period of
time.
Services that Establish Pre-Conditions
Using the elective module manager features of CDSA, it is possible to
define a new category of security service for mechanisms whose service
it is to establish all pre-conditions required to use some other
security service. This type of service is called a Service Enabler. Key
Recovery is an example of a service enabler.
Some governmental entities are considering requiring the implementation
and use of certain key recovery schemes as a pre-condition for granting
an export, import, or use permit for certain encryption-based
products. Private business entities may also use key-recovery schemes
to ensure that their enterprise can recover confidential information
important to the enterprise's operation. Key encapsulation and key
escrow are two mechanisms that implement this new category of service.
As an elective module manager within CSSM, the Key Recovery Module
Manager (KRMM) defines an API for use by applications. Applications
must make explicit calls to the key recovery API to establish the
pre-conditions required to perform strong encryption within the
constraints of the policy. The CSSM Key Recovery APIs are specified in
the CSSM Key Recovery API Specification.
Users requiring these services should consult that
specification.
Applications establish the conditions required for policy compliance by
making explicit calls to the service-enabling APIs. To verify that the
required state has been achieved (that is, to determine that the
appropriate service-enabling functions have been invoked in the proper
order), appropriate module managers must share state information about
the sequence of operations requested by the application. In the example
of key recovery, the KRMM and the Cryptographic module manager must
share state information about whether the application has enabled key
recovery for a key that will be used to encrypt a communication
message.
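As an added example, not code from the CDSA specification or from any CSSM implementation, the following sketches the state sharing just described: a hypothetical KRMM entry point records that key recovery has been enabled for a key handle, and a hypothetical cryptographic module manager screen consults that accumulated state before permitting a strong-encryption request. The function names, the 64-bit strength threshold and the state table are assumptions, not CSSM APIs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed policy threshold (not from the specification): key sizes above
 * this many bits count as "strong" and require the key recovery pre-condition. */
#define STRONG_KEY_BITS 64
#define MAX_TRACKED_KEYS 16

/* Hypothetical shared-state record that the KRMM and the cryptographic module
 * manager would exchange through CSSM information sharing; not a CSSM type. */
typedef struct {
    uint32_t key_handle;
    bool     kr_enabled;   /* true once the application enabled recovery for this key */
} KeyPolicyState;

static KeyPolicyState g_key_state[MAX_TRACKED_KEYS];
static size_t g_key_count = 0;

static KeyPolicyState *find_key_state(uint32_t key_handle) {
    for (size_t i = 0; i < g_key_count; i++)
        if (g_key_state[i].key_handle == key_handle)
            return &g_key_state[i];
    return NULL;
}
/* Clears accumulated state, e.g. when the application detaches. */
void policy_state_reset(void) { g_key_count = 0; }

/* Service-enabler side (hypothetical KRMM entry point): the application's
 * explicit call records that the pre-condition now holds for this key.
 * Returns false if the state table is full. */
bool krmm_enable_recovery(uint32_t key_handle) {
    KeyPolicyState *s = find_key_state(key_handle);
    if (s == NULL) {
        if (g_key_count >= MAX_TRACKED_KEYS) return false;
        s = &g_key_state[g_key_count++];
        s->key_handle = key_handle;
    }
    s->kr_enabled = true;
    return true;
}

/* Cryptographic module manager side: screen an encrypt request against the
 * accumulated state. Weak keys need no pre-condition; strong keys are
 * permitted only if recovery was enabled earlier in the request sequence. */
bool csp_screen_encrypt(uint32_t key_handle, unsigned key_bits) {
    if (key_bits <= STRONG_KEY_BITS) return true;
    const KeyPolicyState *s = find_key_state(key_handle);
    return s != NULL && s->kr_enabled;
}
```

The screen answers at request time using state collected across earlier calls, which is the "as if all status information were available now" evaluation the text describes.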
In summary, the enhanced services provided by CSSM to support
system-wide policy compliance include:
- An enhanced manifest that includes capability descriptions for security
service modules
- Integrity checks on the capability descriptions in a manifest
- Capability screening at module installation and module attach time
- Elective module managers whose category of service is service enablement