Introduction to CSSM
There are several data security and encryption
standards in the personal computer industry today. There are isolated standards covering
cryptography, cryptography with private key management, or certificate and key
management. What is missing is an architecture that comprehends and integrates all these
standards and defines a common interface for both application developers and security
service providers. Common Data Security Architecture (CDSA) is our vision of how to
address the need for a security infrastructure.
The CDSA specification, as the figure
shows, is composed of four layers:
- Applications
- A collection of System Security Services
- A Common Security Services Manager (CSSM)
- Add-in modules that implement cryptographic
operations and semantic and syntactic manipulation of security credentials, such as
digital certificates
The CSSM is, in turn, made up of four
primary components:
- Cryptographic Services Manager - Manages the
selection and use of cryptographic algorithms and key management. The Cryptographic
Services Manager allows applications to query a Cryptographic Service Provider (CSP) to
determine its availability, what algorithms it supports, and what keys are stored within
it. A CSP typically performs operations like encryption, decryption, digital signature
generation, key generation, random-number generation and key exchange.
- Certificate Services Manager - Responsible for
creation, manipulation, and use of digital certificates and certificate revocation lists.
The manager allows an application to view, find, and retrieve values from
certificates.
- Trust Policy Manager - Manages what actions can be
performed by a certificate bearer. Trust policies are defined by certificate authorities,
institutions that issue certificates, or applications. The Trust Policy Manager supports
the use of multiple trust policy modules.
- Data Storage Services Manager - Stores and manages
persistent digital certificates and certificate revocation lists. The Data Storage
Services Manager supports concurrent access to databases.
The architecture provides complete extensibility
through add-in modules that conform to the CSSM-defined interfaces: Service Provider
Interface (SPI), Trust Policy Interface (TPI), Certificate Library Interface (CLI) and
Data Storage Library Interface (DLI). For example, multiple Cryptographic Service
Providers, implementing different cryptographic algorithms, can conform to the SPI, thus
making themselves accessible through CSSM. Similarly, certificate libraries that
manipulate different certificate formats can conform to the CLI, allowing applications to
use multiple certificate types.
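The following sketch is an added example, not code from the CDSA specification or from Intel. It models the capability query and add-in dispatch described above: several providers attach to a manager, the application asks which ones support an algorithm, and the manager refuses the request rather than substituting another algorithm or provider. All class, method and provider names are hypothetical and are not the CSSM API.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical model of the CSSM / add-in split. These class and method
# names are illustrative assumptions, not the CDSA API.

@dataclass(frozen=True)
class Csp:
    """Add-in provider: a name plus the digest algorithms it implements."""
    name: str
    digests: Dict[str, Callable[[bytes], bytes]]

class CryptoServicesManager:
    """Routes application requests to attached providers."""
    def __init__(self) -> None:
        self._csps: Dict[str, Csp] = {}

    def attach(self, csp: Csp) -> None:
        if csp.name in self._csps:
            raise ValueError(f"provider already attached: {csp.name}")
        self._csps[csp.name] = csp

    def query(self, algorithm: str) -> List[str]:
        """Names of attached providers that support the algorithm."""
        return sorted(n for n, c in self._csps.items() if algorithm in c.digests)

    def digest(self, algorithm: str, data: bytes,
               csp: Optional[str] = None) -> Tuple[str, bytes]:
        """Run the digest on a capable provider; fail closed otherwise."""
        capable = self.query(algorithm)
        chosen = csp if csp is not None else (capable[0] if capable else None)
        if chosen not in capable:
            # Never substitute another algorithm or provider silently.
            raise LookupError(f"no suitable provider for {algorithm!r}")
        return chosen, self._csps[chosen].digests[algorithm](data)

def build_manager() -> CryptoServicesManager:
    """Constructed sample: two providers with overlapping algorithm sets."""
    mgr = CryptoServicesManager()
    mgr.attach(Csp("csp-a", {"sha256": lambda d: hashlib.sha256(d).digest()}))
    mgr.attach(Csp("csp-b", {"sha256": lambda d: hashlib.sha256(d).digest(),
                             "sha3_256": lambda d: hashlib.sha3_256(d).digest()}))
    return mgr

if __name__ == "__main__":
    m = build_manager()
    print(m.query("sha256"), m.query("sha3_256"))
    print(m.digest("sha3_256", b"abc")[0])
```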
The CSSM infrastructure also includes integrity
services and management of security contexts. Integrity services perform a self-check of
the local CSSM installation to determine that it has not been tampered with. Context
management services assist applications in managing the many parameters required to
control cryptographic operations.
The System Security Services layer (above CSSM)
is the architectural layer that implements secure communications, electronic commerce
protocols, private data storage systems, and utilities for installing and managing the
security infrastructure itself.
Please send comments and questions to cdsa@ibeam.intel.com
* Legal Information © 1998 Intel Corporation