Manualshelf

Reference Guide

ManualsBrandsDell ManualsBSAFEBSAFE Micro Edition Suite
11121314151617181920
Crypto-C ME Cryptographic Toolkit 17
RSA BSAFE Crypto-C Micro Edition 4.1.4 Security Policy Level 1
with Level 2 Roles, Services and Authentication
To set the initial authentication data in the roles database, the call to
R_PROV_FIPS140_init_roles() must supply an authentication callback
function. The authentication callback function is called once for each type of role to
allow the application to set the initial authentication data.
PIN Data
PIN data supplied by the application is hashed using the SHA-512 algorithm to
generate 64 bytes of authentication data, which is stored in the roles database.
The application must set random PIN data of sufficient security strength to make a
brute force attack infeasible. The PIN must contain random data with the equivalent of
a minimum of 83 effectively random bits. Reasoning for this figure is provided in
Key Derivation Threat Model:
Up to 64 bytes of PIN data can be passed to the module by a call to assume a role.
1.3.2 Crypto Officer Role
The Crypto Officer is responsible for installing and loading the cryptographic module.
After the module is installed and operational, an operator can assume the Crypto
Officer role by calling
R_PROV_FIPS140_assume_role() with
R_FIPS140_ROLE_OFFICER. The preinstalled authentication callback function will
gather PIN data during the call. A message digest of the PIN, generated using
SHA-512, is checked against the authentication data held by the roles database.
An operator assuming the Crypto Officer role can:
Create the roles database, in memory or on disk
Perform the full set of self tests.
Call any Crypto-C ME function. For a complete list of functions available to the
Crypto Officer, see Services.
1.3.3 Crypto User Role
A Crypto Officer can assume the Crypto User role by calling
R_PROV_FIPS140_assume_role() with R_FIPS140_ROLE_USER. The
preinstalled authentication callback function will gather PIN data during the call. A
message digest of the PIN, generated using SHA-512, is checked against the
authentication data held by the roles database.
An operator assuming the Crypto User role can use the entire Crypto-C ME API
except for
R_PROV_FIPS140_self_tests_full(), which is reserved for the
Crypto Officer. For a complete list of Crypto-C ME functions, see Services.