LINEBURG


<< . .

 4
( 9)



. . >>



3-2 Oracle Cryptographic Toolkit Programmer™s Guide
Security Concepts



forged by another entity, has not been altered, and cannot be repudiated by the
sender.

Encryption
The process of disguising the contents of a message and rendering it unreadable
(ciphertext) to anyone but the intended recipient.

Integrity
The guarantee that the contents of the message received were not altered from the
contents of the original message sent.

Non-repudiation
Undeniable proof of the origin, delivery, submission, or transmission of a message.

Public-Key Encryption
The process by which the sender of a message encrypts the message with the public
key of the recipient. Upon delivery, the message is decrypted with the recipient™s
private key.

Public/Private Key Pair
Each private key has an associated public key that anyone can access. Data
encrypted with a public key can be decrypted with its associated private key and
vice versa. However, data encrypted with a public key cannot be decrypted with a
public key.

X.509
The ISO authentication framework uses public key cryptography (X.509 protocols).
X.509 has a structure for public key certi¬cates. This framework allows for authenti-
cation across networks to occur.




Concepts 3-3
Oracle Cryptographic Toolkit Concepts



3.2 Oracle Cryptographic Toolkit Concepts
Following is a list of Oracle Cryptographic Toolkit concepts. Refer to Section 1.3,
“Oracle Cryptographic Toolkit Functional Layers” for information on how these
concepts are implemented.

Cryptographic Engine
A cryptographic engine (CE) is an implementation of cryptographic functions. The
CE can be software based, such as RSA™s BSAFE, or it can be hardware based, such
as a FORTEZZA card.

Detached Signature
A detached signature gives you the ability to manipulate the message indepen-
dently of the signature for that message. Use a detached signature to sign an object
that can be used with or without signature veri¬cation (for example, applets and
database rows).

Entity
An entity is a person (physical or imaginary) or a process.

Enveloping
Enveloping is the process of digitally signing a message for authentication and
encrypting the message with the recipient™s public key for privacy. It provides both
sender veri¬cation and message privacy.

Identity
An identity is composed of the public key and any other public information for an
entity. The public information may include user identi¬cation data: an e-mail
address, for example.

Persona
A persona is the combination of an identity (public information) and its associated
private information. A persona™s type is inherited from that persona™s identity. A
persona is always protected by a password associated with the wallet.

Personal Resource Locator
The personal resource locator (PRL) acts as a reference to a group composed of a
persona, its self-identity, and its trusted identities. It is a string in the format:
type:parameters




3-4 Oracle Cryptographic Toolkit Programmer™s Guide
Oracle Cryptographic Toolkit Concepts




where type is one of the de¬ned persona types and parameters is 0 or more param-
eters necessary to access the persona. The platform speci¬c PRL can be speci¬ed
with:
default:

to indicate that the persona is contained inside the wallet and can provide an addi-
tional protection key that is speci¬c for this persona.

Note: The value of the platform speci¬c PRL above is default, because
only the default wallet is supported in this release of the Oracle Crypto-
graphic Toolkit.


Protection Set
A protection set is a list of tuples (elements) in the form ((cryptographic-function-1,
format, algorithm(s), parameter(s)) (cryptographic-function-2, format, algorithm(s),
parameter(s)), ...). It represents the current set of algorithms and message formats
to be used with the cryptographic functions.

Recipient Oriented Encryption
Recipient Oriented Encryption is the process of encrypting a message with a ran-
domly generated symmetric key and then encrypting the encrypted message with
the public key of the recipient.

Signature
See “Digital Signature”.

Symmetric Encryption
Symmetric Encryption is an encryption method where both of the communicating
parties agree on a secret key (or algorithm) that can be used to both encrypt and
decrypt a message.

Toolkit Data Unit
A toolkit data unit (TDU) is an encoding of possibly formatted and/or cryptograph-
ically altered data that is created by an application using the Oracle Cryptographic
Toolkit. The TDU is usually transferred to another application that, in turn, uses the
Oracle Cryptographic Toolkit to decrypt the TDU back into data. The TDU is the




Concepts 3-5
Oracle Cryptographic Toolkit Concepts



message granularity of the Oracle Cryptographic Toolkit, and it is transport inde-
pendent.

Trust Point
A trust point is a third party identity contained within a persona that is quali¬ed
with a level of trust. The trust point is used when an identity is being validated as
the entity it claims to be.

Wallet
A wallet implements the storage and retrieval of credentials for use with various
cryptographic services. It represents a storage facility that is location and type trans-
parent once it is opened. A Wallet Resource Locator provides all the necessary infor-
mation to locate the wallet.
A Wallet Resource Locator (WRL) is a string in the format:
type:parameters

where type is one of the de¬ned wallet types and parameters is 0, or more, parame-
ters necessary to access the wallet. The platform speci¬c WRL can be speci¬ed with:
default:

to quickly access the default wallet.

Note: The value of the platform speci¬c WRL above is default, because
only the default wallet is supported in this release of the Oracle Crypto-
graphic Toolkit.




3-6 Oracle Cryptographic Toolkit Programmer™s Guide
4
Using the Oracle Cryptographic Toolkit

This chapter shows you how to program using the Oracle Cryptographic Toolkit.
The following topics are discussed:
“Basic Oracle Cryptographic Toolkit Program Flow”
s


“A Programming Example”
s




Using the Oracle Cryptographic Toolkit 4-1
Basic Oracle Cryptographic Toolkit Program Flow



4.1 Basic Oracle Cryptographic Toolkit Program Flow
The following section describes the typical program ¬‚ow for those who want to use
the Oracle Cryptographic Toolkit and provides program code examples for calling
the available functions. Refer to Figure 4“1, “Oracle Cryptographic Toolkit Program
Flow”, below, for an illustration of how a typical program ¬‚ows using the Oracle
Cryptographic Toolkit.

Figure 4“1 Oracle Cryptographic Toolkit Program Flow




4.2 A Programming Example
This section ¬rst lists the programming steps to follow when you use the Oracle
Cryptographic Toolkit. The balance of this chapter provides the following sample
code for your use:
“An Example: Generating a detached signature for an array of bytes”




4-2 Oracle Cryptographic Toolkit Programmer™s Guide
A Programming Example



4.2.1 Using the Oracle Cryptographic Toolkit
Follow steps 1 - 5 to access the Oracle Security Server.
Once the OCI process has been initialized with OCIInitialize and the environ-
1.
ment has been initialized with OCIEnvInit (refer to the Programmer™s Guide to
the Oracle Call Interface), the security handle can be created with OCIHandleAl-
loc and initialized with OCISecurityInitialize. The security handle is used with
subsequent calls to the Oracle Cryptographic Toolkit.
...
OCIError *error_handle = (OCIError *) NULL;
OCISecurity *security_handle = (OCISecurity *) NULL;
...

/*
* The OCI process and environment have already been initialized.
*/

OCIHandleAlloc((dvoid *) env_handle, (dvoid **) &error_handle,
(ub4) OCI_HTYPE_ERROR,
(size_t) 0,(dvoid **) 0),

OCIHandleAlloc((dvoid *) env_handle,
(dvoid **) &security_handle,
(ub4) OCI_HTYPE_SECURITY, (size_t) 0,
(dvoid **) 0);

OCISecurityInitialize(security_handle, error_handle);

Typically, an application will ¬rst need to open a wallet in order to get its per-
2.
sona and gain access to the list of trusted identities. The wallet location is speci-
¬ed through a Wallet Resource Locator (WRL), and if the contents have been
protected with a password, the correct password must be provided as well.
...
nzttWallet wallet;
...

OCISecurityOpenWallet(security_handle, error_handle,
wrllen, wrl,
passlen, password,
&wallet)




Using the Oracle Cryptographic Toolkit 4-3
A Programming Example



Next, an application will choose a persona from the wallet and open it to pre-
3.
pare it for use.
...
nzttPersona *persona;
...

/*
* Use the first persona in the wallet.
*/
persona = &wallet.list_nzttWallet[0];

OCISecurityOpenPersona(security_handle, error_handle, persona);

The application can now perform a cryptographic function such as signing
4.
some data:
...
nzttBufferBlock signature;
...

memset(&signature, 0, sizeof(signature));
OCISecuritySign(security_handle, error_handle, persona,
NZTTCES_END, strlen((char *)"Some data"),
"Some data", &signature);

During termination, the application should call OCIHandleFree to deallocate
5.
the security handle once the wallet has been closed and the security subsystem
has been terminated.
OCISecurityCloseWallet(security_handle, error_handle, &wallet);
OCISecurityTerminate(security_handle, error_handle);
OCIHandleFree((dvoid *) security_handle, OCI_HTYPE_SECURITY);




4-4 Oracle Cryptographic Toolkit Programmer™s Guide
A Programming Example



4.2.2 An Example: Generating a detached signature for an array of bytes
The following code sample shows you how to generate a detached signature for an
array of bytes. For brevity, errors are checked but are not displayed. Refer to Part
III, “Appendices”, for a complete code example.
#include <oratypes.h>

#ifndef OCI_ORACLE
#include <oci.h>
#endif

#ifndef OCIDFN
#include <ocidfn.h>
#endif

#ifdef __STDC__
#include <ociap.h>
#else
#include <ocikp.h>
#endif

static text phrase[] = "This is a static text phrase";

int main(argc, argv)
int argc;
char *argv[];
{
nzttWallet wallet; /* Wallet structure */
nzttBufferBlock signature; /* Detached signature */
nzttPersona *persona = (nzttPersona *)NULL; /* Persona used to sign */
OCIEnv *env_handle = (OCIEnv *)NULL; /* OCI environement handle */
OCIError *error_handle = (OCIError *)NULL; /* OCI error handle */
OCISecurity *security_handle = (OCISecurity *)NULL; /* OCI security handle*/

/*
* Clear out the wallet and signature structures so that if an
* error occurs before they are used, they are not mistaken for
* holding allocated memory.
*/
memset(&wallet, 0, sizeof(wallet));
memset(&signature, 0, sizeof(signature));
/*
* Initialize the OCI process.
*/




Using the Oracle Cryptographic Toolkit 4-5
A Programming Example



if (OCI_SUCCESS
!= OCIInitialize((ub4) OCI_DEFAULT,(dvoid *)0,(dvoid *(*)())0,
(dvoid *(*)())0, (void(*)())0))
{
goto exit;
}

/*
* Initialize the OCI environment.
*/
if (OCI_SUCCESS
!= OCIEnvInit((OCIEnv **)&env_handle,(ub4)OCI_DEFAULT, (size_t)0,
(dvoid **)0))
{
goto exit;
}

/*
* Create an error handle.
*/
if (OCI_SUCCESS
!= OCIHandleAlloc((dvoid *)env_handle, (dvoid **)&error_handle,
(ub4)OCI_HTYPE_ERROR, (size_t)0, (dvoid **)0))
{
goto exit;
}

/*
* Create a security handle
*/
if (OCI_SUCCESS
!= OCIHandleAlloc((dvoid *)env_handle, (dvoid **)&security_handle,
(ub4)OCI_HTYPE_SECURITY, (size_t)0, (dvoid **)0))
{
goto exit;
}


/*
* Initialize the security subsystem.
*/

<< . .

 4
( 9)



. . >>

Copyright Design by: Sunlight webdesign