QUICK NAVIGATOR
PRODUCTS
TECHNOLOGIES
DEVELOPMENT TOOLS
*Common Data Security Architecture
*References & Resources
*Beta Software Download
*Specs
[INTEL NAVIGATION HEADER]

Common Data Security Architecture

Overview | Specifications | Presentations | Download Implementation


Introduction to CSSM

There are several data security and encryption standards in the personal computer industry today. There are isolated standards covering cryptography, key management, and digital signatures. What is missing is a mechanism that comprehends and integrates all these standards, and presents a common interface both for application developers and security service providers. Common Data Security Architecture (CDSA) is our vision of how to address the need for a security infrastructure.

The CDSA specification, as the figure shows, is composed of four layers:

  • Applications
  • A collection of System Security Services
  • A Common Security Services Manager (CSSM)
  • Add-in modules that implement cryptographic operations and trust model-specific policies

The CSSM is, in turn, made up of four primary components:

  • Cryptographic Services Manager - Manages the selection and use of cryptographic algorithms and key management. The manager allows applications to query a Cryptographic Service Provider (CSP) and determine if it is available, what algorithms it supports, and what keys are stored within the CSP. A CSP typically performs operations like encryption, decryption, digital signature generation, key-pair generation, random-number generation and key exchange.

  • Certificate Services Manager - Responsible for creation, manipulation, and use of digital certificates and certificate revocation lists. The manager allows an application to view, find, and retrieve values from certificates.

  • Trust Policy Manager - Manages what actions can be performed by a certificate bearer. Trust policies are defined by certificate authorities, institutions that issue certificates, or applications. Multiple trust modules managed by the Trust Policy Manager implement the policies defined by these authorities.

  • Data Storage Services Manager - Stores and manages persistent digital certificates and certificate revocation lists. The Database Services Manager uses a Data Storage Library Interface (DLI) to access multiple user-defined databases.

The architecture provides complete extensibility through add-in modules that conform to the CSSM-defined interfaces: Service Provider Interface (SPI), Trust Policy Interface (TPI), Certificate Library Interface (CLI) and Data Storage Library Interface (DLI). For example, multiple Cryptographic Service Providers, implementing different cryptographic algorithms, can conform to the SPI, thus making themselves accessible through CSSM. Similarly, certificate libraries that manipulate different certificate formats can conform to the CLI, allowing applications to use multiple certificate types.

The CSSM infrastructure also includes integrity services and management of security contexts. Integrity services perform a self-check of the local CSSM installation to determine that is has not been tampered. Context management services assist applications in managing the many parameters required to control cryptographic operations.

The System Security Services layer (above CSSM) is the architectural layer that implements secure communications, electronic commerce protocols, private data storage systems, and utilities for installing and managing the security infrastructure itself.

The implementation available for download is beta software, for use within the United States only. You must download this module if you wish to use the Digital Certificate Manager (sample application) or the Java Interface Adapter available at this site. This download module consists of executable binaries for CSSM core, and default modules for trust evaluation (Intel Trust Policy Module), certificate management (Intel Certificate Library Module), and certificate storage (Intel Data Storage Module). The binaries operate only in the Windows* 95 and Windows NT* environments. The Windows 3.1 environment is not supported. A single software license covers a single download containing these four executable modules. Please read the export restrictions and licensing information carefully before downloading these modules.

The default Intel Cryptographic Services Module is provided as a separate download. The cryptographic services module is also beta software, for use only within the United States. Please read the export restrictions and licensing information carefully before downloading the cryptographic module.

This software expires, becoming non-functional, on April 30, 1997.

Specifications

Presentations

Download Implementation

Notice: This software is export controlled by the State Department of the United States of America. You will be asked to make legally binding statements in order to download it.


Please send comments and questions to cdsa@ibeam.intel.com

* Legal Stuff © 1997 Intel Corporation
Free Web Hosting