Cryptography – SSP Entry and Output
This post is part of the Computer Security – Cryptography posts series.
Sensitive Security Parameters (SSPs) may be entered into or output from a module. Where they are, the entry or output of Sensitive Security Parameters is performed using manual methods (for instance, entered via a keyboard or output via a visual display), electronic methods (for instance, via a smart card/token, personal computer card, other electronic key-loading device, or the module's operating system), or some combination of these.
Documentation shall define the Sensitive Security Parameter entry and output methods applied by a module.
A module shall associate a Sensitive Security Parameter entered into or output from the module with the correct entity (that is, the person, group, role, or process) to which the Sensitive Security Parameter is assigned.
All encrypted Sensitive Security Parameters entered into or output from a module and used in an authorized mode of operation shall be encrypted using an approved security function.
During manual Sensitive Security Parameter entry, the entered values may be temporarily displayed to permit visual verification and to improve accuracy. If encrypted Critical Security Parameters are manually entered into the module, the plaintext values of the Critical Security Parameters shall not be revealed.
Manually entered (plaintext or encrypted) cryptographic keys (including seed keys) shall be verified for accuracy during entry into a module using the Manual Key Entry Test.
For software modules, Critical Security Parameters may be entered into or output from the module in either encrypted or plaintext form under the control of the module's operating system, provided that the Critical Security Parameters remain within the operational environment. Public Security Parameters may be entered into or output from a module in plaintext form.
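The post names the Manual Key Entry Test without showing what it does. The following is an added example (not code from the post or from any standard's reference implementation) of the two checks such a test is commonly built from: an error detection code (EDC) appended to the value the operator types, and a duplicate entry that must agree with the first. The choice of a truncated SHA-256 as the EDC, the 4-byte EDC length, and the sample key are assumptions made for illustration.

```python
import hashlib
import hmac

# Added example, not code from the post or from any standard's reference implementation.
# The Manual Key Entry Test is assumed here to consist of two checks:
#   1. an error detection code (EDC) appended to the value the operator types, verified on entry;
#   2. duplicate entry: the operator types the value twice and both entries must agree.
# Using the first 4 bytes of SHA-256 as the EDC is an illustrative assumption.

EDC_BYTES = 4


class ManualEntryError(ValueError):
    """Raised when a manually entered key fails the Manual Key Entry Test."""


def compute_edc(key: bytes) -> bytes:
    """Error detection code over the key material (assumed: truncated SHA-256)."""
    return hashlib.sha256(key).digest()[:EDC_BYTES]


def format_for_manual_entry(key: bytes) -> str:
    """Hex string an operator is given to type: key || EDC."""
    return (key + compute_edc(key)).hex()


def parse_manual_entry(entered: str) -> bytes:
    """Parse one keyed-in hex string and verify its EDC; return the key bytes."""
    try:
        raw = bytes.fromhex(entered.strip())
    except ValueError:
        raise ManualEntryError("entry is not valid hex") from None
    if len(raw) <= EDC_BYTES:
        raise ManualEntryError("entry too short to hold a key and its EDC")
    key, edc = raw[:-EDC_BYTES], raw[-EDC_BYTES:]
    # constant-time comparison so the check's timing does not depend on where a typo is
    if not hmac.compare_digest(edc, compute_edc(key)):
        raise ManualEntryError("EDC mismatch: the key was mistyped")
    return key


def manual_key_entry_test(first_entry: str, second_entry: str) -> bytes:
    """Both entries must carry a valid EDC and must agree with each other."""
    key_1 = parse_manual_entry(first_entry)
    key_2 = parse_manual_entry(second_entry)
    if not hmac.compare_digest(key_1, key_2):
        raise ManualEntryError("duplicate entries do not match")
    return key_1


# Constructed sample key for the demonstration only; not a real key.
SAMPLE_KEY = bytes(range(16))

if __name__ == "__main__":
    typed = format_for_manual_entry(SAMPLE_KEY)
    print("operator types :", typed)
    print("accepted       :", manual_key_entry_test(typed, typed) == SAMPLE_KEY)
    # a single wrong hex digit in the key part is caught by the EDC
    mistyped = "f" + typed[1:]
    try:
        manual_key_entry_test(typed, mistyped)
    except ManualEntryError as err:
        print("rejected       :", err)
```

The EDC catches a mistyped digit within a single entry; the duplicate-entry comparison catches the case where the operator types a well-formed but wrong value twice differently. Both comparisons use a constant-time compare so that the verification does not leak which position differed.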
Electronically transported Critical Security Parameters shall enter into and output from a module in encrypted form, and their integrity shall be protected (for instance, by an approved security function or an approved or allowed key establishment method). Electronically transported Public Security Parameters shall enter into and output from the module with their integrity protected by an approved digital signature algorithm, an approved MAC, or an approved key transport method.
Non-electronically transported Public Security Parameters may be entered into or output from a module in plaintext form and need not be cryptographically authenticated, regardless of whether they are entered manually or electronically.
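To make the electronic-transport rules above concrete, here is an added example (not code from the post or from any module vendor) of a module-boundary receiver that checks an integrity tag before doing anything with the content, then refuses a CSP that arrives without having been wrapped while letting a PSP through in plaintext. The envelope layout, the use of HMAC-SHA256 as the approved MAC, the MAC key and the sample SSP bodies are all constructed for illustration; unwrapping a received CSP is outside the snippet, and the encrypted flag only records the sender's claim for the policy check.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Added example, not code from the post or from any module vendor.
# Envelope layout (an assumption made for illustration):
#   kind(1) | flags(1) | length(2, big-endian) | body(length) | tag(32)
# tag = HMAC-SHA256 over everything before it, under a MAC key the module shares with the sender.
# For a CSP the body is assumed to already be the output of an approved wrapping method applied
# by the sender; unwrapping is outside this snippet.
KIND_CSP = 0x01
KIND_PSP = 0x02
FLAG_ENCRYPTED = 0x01
HEADER = ">BBH"
HEADER_LEN = struct.calcsize(HEADER)
TAG_LEN = hashlib.sha256().digest_size


class SspEntryError(ValueError):
    """Raised when an envelope is rejected at the module boundary."""


@dataclass(frozen=True)
class SspRecord:
    kind: int
    entity: str        # the person, group, role or process the SSP is associated with on entry
    body: bytes
    encrypted: bool


def build_envelope(kind: int, body: bytes, mac_key: bytes, encrypted: bool) -> bytes:
    """Sender side: frame the SSP and append the integrity tag."""
    flags = FLAG_ENCRYPTED if encrypted else 0
    header = struct.pack(HEADER, kind, flags, len(body))
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    return header + body + tag


def receive_envelope(envelope: bytes, mac_key: bytes, entity: str) -> SspRecord:
    """Module side: verify integrity first, then apply the electronic-entry policy."""
    if len(envelope) < HEADER_LEN + TAG_LEN:
        raise SspEntryError("envelope too short")
    kind, flags, length = struct.unpack(HEADER, envelope[:HEADER_LEN])
    if len(envelope) != HEADER_LEN + length + TAG_LEN:
        raise SspEntryError("length field does not match the envelope size")
    protected = envelope[:HEADER_LEN + length]
    tag = envelope[HEADER_LEN + length:]
    expected = hmac.new(mac_key, protected, hashlib.sha256).digest()
    # nothing is done with the content until the tag has verified
    if not hmac.compare_digest(tag, expected):
        raise SspEntryError("integrity check failed; envelope discarded")
    if kind not in (KIND_CSP, KIND_PSP):
        raise SspEntryError("unknown SSP kind")
    encrypted = bool(flags & FLAG_ENCRYPTED)
    # a CSP must arrive encrypted over an electronic path; a PSP may be plaintext
    if kind == KIND_CSP and not encrypted:
        raise SspEntryError("plaintext CSP over an electronic path is not permitted")
    return SspRecord(kind=kind, entity=entity, body=protected[HEADER_LEN:], encrypted=encrypted)


def _flip_byte(data: bytes, index: int) -> bytes:
    """Corrupt one byte; used only to demonstrate the integrity check."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)


# Constructed values for the demonstration only.
MAC_KEY = b"constructed demo MAC key, not a real key"
PUBLIC_KEY = b"-----constructed public key bytes-----"
WRAPPED_CSP = bytes([0xAA] * 32)   # stands in for an already-wrapped key

if __name__ == "__main__":
    psp_env = build_envelope(KIND_PSP, PUBLIC_KEY, MAC_KEY, encrypted=False)
    rec = receive_envelope(psp_env, MAC_KEY, "crypto-officer")
    print("PSP accepted for", rec.entity, "| encrypted =", rec.encrypted)
    rec = receive_envelope(build_envelope(KIND_CSP, WRAPPED_CSP, MAC_KEY, encrypted=True), MAC_KEY, "crypto-officer")
    print("wrapped CSP accepted, body length", len(rec.body))
    rejected = [
        ("plaintext CSP", build_envelope(KIND_CSP, WRAPPED_CSP, MAC_KEY, encrypted=False)),
        ("tampered PSP", _flip_byte(psp_env, HEADER_LEN)),
    ]
    for label, env in rejected:
        try:
            receive_envelope(env, MAC_KEY, "crypto-officer")
        except SspEntryError as err:
            print(f"{label}: rejected ({err})")
```

The order of checks matters: the tag covers the header as well as the body, so an attacker cannot clear the encrypted flag or change the kind byte without the tag failing, and the policy decision is only made on data whose integrity has already been confirmed.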
SECURITY LEVELS 1 AND 2
There are no additional security requirements for these levels of security.
SECURITY LEVELS 3, 4 AND 5
For Security Levels 3, 4, and 5, non-electronically transported Critical Security Parameters shall be entered into or output from a module either
1. in encrypted form or
2. using split knowledge procedures (i.e., as two or more plaintext components).
If split knowledge procedures are utilized:
- The module shall separately authenticate the operator entering or outputting each component as a separate identity.
- The module shall ensure that no two operators entering or outputting key components have the same identity.
- In order to prevent misuse of any Sensitive Security Parameter, a cryptographic module shall use a Trusted Channel for the input or output of all Sensitive Security Parameters, whether or not they are cryptographically protected. If a Trusted Channel is established and maintained using cryptographic algorithms, those algorithms shall be approved and shall meet or exceed the documented security strength of the module.
- At least two components shall be required to reconstruct the original Critical Security Parameter.
- Documentation shall demonstrate that if knowledge of n components is required to reconstruct the original Critical Security Parameter, then knowledge of any n-1 components provides no information about the original Critical Security Parameter other than its length.
- Documentation shall specify the split knowledge operations employed by a module.
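The split knowledge requirements above (distinct authenticated identities per component, at least two components, and the n-1 components revealing nothing but the length) can be demonstrated with an n-of-n XOR split, in which every component is uniformly random and the CSP is the XOR of all of them. The code below is an added example, not code from the post or from any certified module; the operator credential table, the CSP value and the simple credential check are constructed for illustration, and threshold (k-of-n) schemes, which also satisfy the requirement, are not shown.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List

# Added example, not code from the post or from any certified module.
# Split knowledge is realized as an n-of-n XOR split: the first n-1 components are uniformly
# random and the last is chosen so the XOR of all n equals the CSP. Any n-1 components are then
# independent of the CSP and reveal only its length, which is the property the documentation
# has to demonstrate. Credentials below are constructed for the demonstration only.


class SplitKnowledgeError(ValueError):
    """Raised when a split knowledge entry rule is violated."""


@dataclass(frozen=True)
class Component:
    operator_id: str
    value: bytes


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_csp(csp: bytes, n: int) -> List[bytes]:
    """Split a CSP into n components; n-1 are random, the last makes the XOR equal the CSP."""
    if n < 2:
        raise SplitKnowledgeError("at least two components are required")
    parts = [secrets.token_bytes(len(csp)) for _ in range(n - 1)]
    last = csp
    for part in parts:
        last = _xor(last, part)
    return parts + [last]


class SplitKnowledgeEntry:
    """Collects components from separately authenticated operators and reconstructs the CSP."""

    def __init__(self, credentials: Dict[str, bytes], n_components: int, csp_len: int):
        if n_components < 2:
            raise SplitKnowledgeError("at least two components are required")
        self._credentials = credentials      # operator identity -> credential (constructed)
        self._n = n_components
        self._len = csp_len
        self._components: List[Component] = []

    def _authenticate(self, operator_id: str, credential: bytes) -> None:
        known = operator_id in self._credentials
        stored = self._credentials.get(operator_id, bytes(len(credential)))
        # compare even for unknown ids so timing does not reveal which identities exist
        if not (hmac.compare_digest(stored, credential) and known):
            raise SplitKnowledgeError(f"authentication failed for operator {operator_id!r}")

    def enter_component(self, operator_id: str, credential: bytes, value: bytes) -> None:
        """Each component is entered by a separately authenticated, distinct operator identity."""
        self._authenticate(operator_id, credential)
        if any(c.operator_id == operator_id for c in self._components):
            raise SplitKnowledgeError("no two components may come from the same operator identity")
        if len(value) != self._len:
            raise SplitKnowledgeError("component length does not match the expected CSP length")
        if len(self._components) >= self._n:
            raise SplitKnowledgeError("all components have already been entered")
        self._components.append(Component(operator_id, value))

    def reconstruct(self) -> bytes:
        """XOR all n components; fewer than n gives no information beyond the length."""
        if len(self._components) != self._n:
            raise SplitKnowledgeError(
                f"{self._n} components required, {len(self._components)} entered")
        csp = bytes(self._len)
        for component in self._components:
            csp = _xor(csp, component.value)
        self._components.clear()   # individual components are not retained once the CSP is assembled
        return csp


if __name__ == "__main__":
    # constructed demonstration values; not real credentials or keys
    creds = {"alice": b"alice-demo-credential", "bob": b"bob-demo-credential"}
    csp = bytes(range(16))
    part_a, part_b = split_csp(csp, 2)
    entry = SplitKnowledgeEntry(creds, n_components=2, csp_len=16)
    entry.enter_component("alice", creds["alice"], part_a)
    try:
        entry.enter_component("alice", creds["alice"], part_b)   # same identity twice
    except SplitKnowledgeError as err:
        print("rejected:", err)
    entry.enter_component("bob", creds["bob"], part_b)
    print("reconstructed correctly:", entry.reconstruct() == csp)
```

Because each of the n-1 random components is independent of the CSP and the last one is their XOR with it, every possible CSP of the same length is equally consistent with any n-1 components an observer has seen, which is the n-1 property the documentation must demonstrate.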
6 Responses to “Cryptography – SSP Entry and Output”
What do cryptography and cryptanalysis have to do with math?
You can't understand how Public-Key Cryptography (PKC) works without knowing mathematics, especially Number Theory (ranging from higher and modular arithmetic to the study of elliptic curves), Complexity Theory and Combinatorics.
As PKC underlies almost all identification protocols in use, ranging from internet transactions to ATMs to digital signatures, if you don't know math you will not understand any of this.
What are some resources for web encryption I can refer to?
Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition by Bruce Schneier
Introduction to Modern Cryptography: Principles and Protocols (Chapman & Hall/Crc Cryptography and Network Security Series) by Jonathan Katz and Yehuda Lindell
Practical Cryptography by Niels Ferguson and Bruce Schneier
The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography by Simon Singh
Wavelet cryptography using the SPIHT algorithm?
SPIHT (Set Partitioning in Hierarchical Trees) is not a simple extension of traditional methods for image compression, and represents an important advance in the field. The method deserves special attention because it provides the following:
- Highest image quality
- Progressive image transmission
- Fully embedded coded file
- Simple quantization algorithm
- Fast coding/decoding
- Completely adaptive
- Lossless compression
- Exact bit rate coding
- Error protection
Interesting post.
A very good article about Cryptography – SSP Entry and Output.