Tables

2–1 Data Types .... 2
2–2 Data Structures and Descriptions .... 5
2–3 nzttBufferBlock .... 5
2–4 nzttWallet .... 6
2–5 nzttPersona .... 6
2–6 nzttIdentity .... 6
6–1 OCISecurityInitialize Handles .... 2
6–2 OCISecurityTerminate parameters .... 3
6–3 OCISecurityOpenWallet parameters .... 4
6–4 OCISecurityCloseWallet parameters .... 5
6–5 OCISecurityOpenPersona parameters .... 6
6–6 OCISecurityOpenPersona errors .... 6
6–7 OCISecurityClosePersona parameters .... 7
6–8 OCISecurityClosePersona errors .... 7
6–9 OCISecuritySign parameters .... 8
6–10 OCISecurityVerify parameters .... 9
6–11 OCISecurityVerify errors .... 10
6–12 OCISecurityValidate parameters .... 11
6–13 OCISecurityValidate errors .... 11
6–14 OCISecuritySignDetached parameters .... 12
6–15 OCISecuritySignDetached errors .... 12
6–16 OCISecurityVerifyDetached parameters .... 13
6–17 OCISecurityVerifyDetached errors .... 14
6–18 OCISecurityHash parameters .... 15
6–19 OCISecurityHash errors .... 15
6–20 OCISecuritySeedRandom parameters .... 16
6–21 OCISecurityRandomBytes parameters .... 17
6–22 OCISecurityRandomNumber parameters .... 18
6–23 OCISecurityInitBlock parameters .... 19
6–24 OCISecurityReuseBlock parameters .... 20
6–25 OCISecurityPurgeBlock parameters .... 21
6–26 OCISecuritySetBlock parameters .... 22
7–1 PL/SQL Procedure and Function Descriptions .... 1
7–2 PROCEDURE OpenWallet .... 2
7–3 PROCEDURE OpenWallet .... 3
7–4 PROCEDURE CloseWallet .... 3
7–5 PROCEDURE DestroyWallet .... 3
7–6 PROCEDURE StorePersona .... 4
7–7 PROCEDURE OpenPersona .... 4
7–8 PROCEDURE ClosePersona .... 4
7–9 PROCEDURE RemovePersona .... 4
7–10 PROCEDURE CreatePersona .... 4
7–11 PROCEDURE RemoveIdentity .... 5
7–12 CreateIdentity .... 5
7–13 AbortIdentity .... 5
7–14 StoreTrustedIdentity .... 6
7–15 Validate .... 6
7–16 Sign parameters for raw data .... 8
7–17 Sign parameters for string data .... 8
7–18 Verify parameters for raw data .... 9
7–19 Verify parameters for string data .... 9
7–20 SignDetached parameters for raw data .... 10
7–21 SignDetached parameters for string data .... 10
7–22 VerifyDetached parameters for raw data .... 11
7–23 VerifyDetached parameters for string data .... 11
7–24 KeyedHash parameters for raw data .... 13
7–25 KeyedHash parameters for string data .... 13
7–26 Hash parameters for raw data .... 14
7–27 Hash parameters for string data .... 14
7–28 SeedRandom parameters for numeric data .... 15
B–1 OCI Function Names and Descriptions .... 2

Part I
Concepts

Part I, Concepts, contains the following chapters:
• Chapter 1, “Overview”
• Chapter 2, “Data Types”
• Chapter 3, “Concepts”
• Chapter 4, “Using the Oracle Cryptographic Toolkit”
• Chapter 5, “Random Number Generator”

1
Overview

This chapter provides an overview of the Oracle Cryptographic Toolkit. The following topics are discussed:
• “What is the Oracle Security Server?”
• “What is the Oracle Cryptographic Toolkit?”
• “Oracle Cryptographic Toolkit Functional Layers”
• “Oracle Cryptographic Toolkit Elements”
• “Types of Interfaces”

Overview 1-1
1.1 What is the Oracle Security Server?
The Oracle Security Server is a portable security service that provides a centralized global authentication and authorization framework. It provides enterprise security by using public key cryptography to authenticate users, control user access to data, and protect sensitive data. These functions are achieved through the use of public key cryptography for encryption, digital signatures, and user authentication.
The Oracle Security Server uses X.509 v1 certificates as its authentication mechanism. The X.509 v1 certificate is a standard format for digitally signed certificates that contain information such as a user's identity, authorizations, and public key information.
X.509 v1 certificates are used to access secure network systems. Users obtain certificates so they can identify themselves, present their access credentials, and obtain a secure network connection with other cryptographically secure users or systems.

1.1.1 Oracle Security Server Features
The Oracle Security Server supports the following features.

Certificate Authority Capability
Customers can create their own certificate authorities (CA), create certificates for their users, and manage user authorizations and roles using the Oracle Security Server.
A certificate authority is a trusted entity that certifies that other entities are who they say they are. The CA is something of an electronic notary service: it generates and validates electronic IDs in the form of certificates that are the equivalent of driver's licenses or passports. The CA uses its private key to sign each certificate: an entity that receives a certificate from the CA can trust that signature just as a person in real life can trust the written signature of a notary.

X.509 v1 Certificate
A certificate is a message, signed by the CA, stating that a specified public key belongs to someone or something with a specified name. Certificates prevent someone from using a phony key to impersonate another party and also enable parties to exchange keys without contacting a CA for each authentication. Distributing keys in certificates is as reliable as if the keys were obtained directly from the CA. Certificate-based authentication works even when the security database server is temporarily unavailable.




1-2 Oracle Cryptographic Toolkit Programmer's Guide

The authentication mechanism used by the Oracle Security Server is based on the International Telecommunications Union (ITU) X.509 v1 certificates. X.509 is a standard format for digitally signed certificates. It conveys a user's identity and public key data.

Certificate Revocation List (CRL)
A certificate revocation list (CRL) is a data structure, signed and timestamped by a CA, that lists all of the certificates created by the CA that have not yet expired but are no longer valid. CRLs are used to revoke security privileges and for compromise management.
A party retrieving a certificate from the CA can check one or more CRLs to see whether that certificate has been revoked. However, since checking a CRL incurs significant overhead, users may want to make these checks only for documents that are especially important, or they may want to limit themselves to only random, or periodic, checks of the CRLs.

Certificate Management Services
The Oracle Security Server Manager provides the user with a graphical user interface that is used to create, store, and revoke certificates.

Oracle Enterprise Manager Administration Tool
The Oracle Security Server Manager is implemented as an Oracle Enterprise Manager applet. This applet is a graphical user interface to the command line version of the Oracle Security Server Manager.

Command Line Administration Tools
The Oracle Security Server Manager is also implemented as a set of command line tools. These command line tools give you access to the same Oracle Security Server features as the Oracle Enterprise Manager tool.




1.2 What is the Oracle Cryptographic Toolkit?
The Oracle Cryptographic Toolkit is an interface to the cryptographic services provided by the Oracle Security Server. It is intended to unify all cryptographic services, including the use, storage, retrieval, import, and export of credentials. This interface is used by both internal and external Oracle customers to add security enhancements to their applications. External customers can use either OCI or PL/SQL to access the Oracle Cryptographic Toolkit.
Refer to Figure 1–1, “Relationship between Toolkit and Services”, for an overview of who uses the Oracle Security Server and the Oracle Cryptographic Toolkit and how the two are related.

Figure 1–1 Relationship between Toolkit and Services




The Oracle Cryptographic Toolkit presents an abstraction that hides keys and X.509 v1 certificates from the application. The application, then, works with wallets, trusted identities, and personas. A wallet is a storage abstraction that can be located on the file system, in a database, or in a hardware device; a trusted identity is similar to a certificate; and a persona is a combination of a certificate and its associated private key.

1.3 Oracle Cryptographic Toolkit Functional Layers
The Oracle Cryptographic Toolkit consists of four functional layers: an API layer, a Cryptographic Engine Functions layer, a Persona/Identity Functions layer, and a Wallet Functions layer. Refer to Figure 1–1, “Relationship between Toolkit and Services”.

1.3.1 API Layer
The API layer contains three interfaces, or points of entry, into the Oracle Cryptographic Toolkit. The three points of entry are OCI, PL/SQL, and raw C (for Oracle internal customers only). The OCI and PL/SQL interfaces are actually wrappers around the raw C interface.

1.3.2 Cryptographic Engine Functions
The Cryptographic Services layer consists of all the cryptographic services available to the Oracle Security Server. These services include the use, storage, retrieval, import and export of credentials. This layer consists of two main components: a cryptographic engine and an abstract cryptographic engine.
Cryptographic engine functions are built on top of a set of primitives presented by the abstract cryptographic engine. The cryptographic engine issues a function call to the abstract cryptographic engine. After it issues the function call, the cryptographic engine verifies that the correct amount of memory is available for any output from the abstract cryptographic engine and that the cipher keys are available in the appropriate format. A cryptographic engine function provides a single interface to the application. Following is a list of cryptographic engine functions.

Attached sign/verify
The signature generated from a message is attached to that message. The Oracle Cryptographic Toolkit:
• supports both RSA and DSS signatures
• defines and supports an Oracle proprietary signature format
• will support industry standard signature formats such as PKCS #7 and W3C DSig blocks

Detached sign/verify
The signature generated from a message is kept separate from that message. The Oracle Cryptographic Toolkit:
• supports both RSA and DSS signatures
• defines and supports an Oracle proprietary signature format
• will support industry standard signature formats such as PKCS #7 and W3C DSig blocks

Hash
The cryptographic checksum of an entity. Both MD5 and SHA hash algorithms are supported.

Keyed hash
The cryptographic checksum of a message with an additional key folded in. Both MD5 and SHA hash algorithms are supported.

Random Numbers
Pseudo random number generation. The Oracle Cryptographic Toolkit generates random integers, random sequences of bytes, and allows the application to change the seed value.

1.3.3 Persona/Identity Functions
The Wallet provides storage and retrieval of personas and identities for use with various cryptographic engine functions. In order for an application to call the cryptographic engine functions, the wallet must contain at least one persona. The Oracle Cryptographic Toolkit relies on the persona to carry specific information about what cryptographic algorithm to use with a cryptographic engine function. The application configures the persona for a particular purpose and then uses one or more cryptographic engine functions. The application can therefore treat a persona as a set of security contexts: one for each cryptographic engine function.
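The engine functions listed in Section 1.3.2 and the persona-as-security-context idea of Section 1.3.3 can be modelled in a few lines. The following Python is an added example; it is not code from this guide and does not call the toolkit's OCI or PL/SQL interfaces. The Persona class, the engine_* function names, the length-prefixed attached format and the HMAC stand-in for RSA/DSS signing are all assumptions made for illustration. What it shows is the data-flow difference between attached and detached signatures (attached verify hands back the embedded message or None; detached verify takes message and signature separately), hash versus keyed hash, and a seedable random source read through the persona.

```python
"""Toy model of the Oracle Cryptographic Toolkit engine functions.

Added example, not code from the Oracle guide. Everything here is
constructed for illustration:
  * Persona stands in for the toolkit's persona and carries the algorithm
    each engine function should use (Section 1.3.3).
  * The "signature" primitive is an HMAC keyed with the persona's secret,
    NOT the RSA/DSS signatures the toolkit provides; it only shows the data
    flow of attached versus detached signing (Section 1.3.2).
  * The attached format is a private length-prefixed framing, not the
    Oracle proprietary format, PKCS #7 or W3C DSig.
"""
import hashlib
import hmac
import random
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class Persona:
    """One persona = one set of security contexts, one per engine function."""
    name: str
    signing_key: bytes                # stand-in for the persona's private key
    hash_alg: str = "sha1"            # used by engine_hash (MD5 or SHA in the guide)
    keyed_hash_alg: str = "sha1"      # used by engine_keyed_hash
    rng: Optional[random.Random] = None  # PRNG state, replaced by seed_random

    def __post_init__(self):
        if self.rng is None:
            self.rng = random.Random()


# --- Hash and keyed hash ---------------------------------------------------

def engine_hash(persona: Persona, data: bytes) -> bytes:
    """Cryptographic checksum of data using the persona's configured algorithm."""
    return hashlib.new(persona.hash_alg, data).digest()


def engine_keyed_hash(persona: Persona, key: bytes, data: bytes) -> bytes:
    """Checksum with a key folded in (HMAC over the configured algorithm)."""
    return hmac.new(key, data, persona.keyed_hash_alg).digest()


# --- Attached and detached signatures --------------------------------------

def _sign_primitive(persona: Persona, data: bytes) -> bytes:
    # Constructed stand-in for an RSA/DSS signature: HMAC-SHA-256 under the
    # persona's secret. Anyone holding the key could produce it, so this
    # models only the toolkit's data flow, not its security properties.
    return hmac.new(persona.signing_key, data, "sha256").digest()


def sign_detached(persona: Persona, message: bytes) -> bytes:
    """Detached: only the signature is returned; the caller keeps the message."""
    return _sign_primitive(persona, message)


def verify_detached(persona: Persona, message: bytes, signature: bytes) -> bool:
    """Detached verify: the caller supplies message and signature separately."""
    return hmac.compare_digest(_sign_primitive(persona, message), signature)


def sign_attached(persona: Persona, message: bytes) -> bytes:
    """Attached: message and signature travel together as one blob."""
    return struct.pack(">I", len(message)) + message + _sign_primitive(persona, message)


def verify_attached(persona: Persona, blob: bytes) -> Optional[bytes]:
    """Attached verify: returns the embedded message, or None when the blob is
    truncated, malformed, or carries a signature that does not match."""
    if len(blob) < 4:
        return None
    (length,) = struct.unpack(">I", blob[:4])
    message, signature = blob[4:4 + length], blob[4 + length:]
    if len(message) != length or not verify_detached(persona, message, signature):
        return None
    return message


# --- Random numbers ---------------------------------------------------------

def seed_random(persona: Persona, seed: int) -> None:
    """Reset the persona's PRNG; the same seed reproduces the same sequence.
    Key material should come from the OS CSPRNG (secrets module), never from
    a seedable generator like this one."""
    persona.rng = random.Random(seed)


def random_bytes(persona: Persona, n: int) -> bytes:
    return bytes(persona.rng.getrandbits(8) for _ in range(n))


def random_number(persona: Persona) -> int:
    return persona.rng.getrandbits(32)


if __name__ == "__main__":
    p = Persona("demo", signing_key=b"constructed-demo-secret")
    msg = b"transfer 100 to account 42"           # constructed sample message
    print("attached verify:", verify_attached(p, sign_attached(p, msg)))
    print("detached verify:", verify_detached(p, msg, sign_detached(p, msg)))
    print("hash:", engine_hash(p, msg).hex())
```

Two points carry over to the real toolkit regardless of the stand-in primitive: an attached verifier must treat a truncated or re-framed blob exactly like a bad signature (return nothing usable rather than a partial message), and the algorithm choice lives in the persona, so a caller never selects MD5 versus SHA per call; it selects a persona configured for that purpose.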

1.3.4 Wallet Functions
The Wallet Functions layer implements one or more repositories referred to as wallets. A wallet implements a single way to store, retrieve, and use credentials that