Flexible Interface for Adding/Changing Imbedded Cryptographic Support

IP.com Disclosure Number: IPCOM000122964D
Original Publication Date: 1998-Jan-01
Included in the Prior Art Database: 2005-Apr-04
Document File: 2 page(s) / 103K

Publishing Venue

IBM

Related People

Cheng, PC: AUTHOR [+3]

Abstract

Security is an important issue, especially in networking. An explosion of security-related solutions is being proposed, especially with the rapid growth of the internet. Many of these solutions use a variety of cryptographic algorithms. New algorithms are needed to interoperate with other machines, and current algorithms are being improved to provide better security.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 52% of the total text.

      Export regulations limit the type of cryptographic support
American companies may ship outside of the U.S.  Therefore, customers
may want to provide their own cryptographic solutions that may not be
shippable with the computer system.

      This presents an interesting problem for the packaging and
coding of networking software that uses encryption.  Normally, code
will test for a normal range of values when users issue commands.  In
addition, configuration code expects certain files to exist in
certain locations and will load and configure them in the operating
system.

      This method uses a database to describe each cryptographic
support algorithm, which is loaded as a specific kernel extension.
The cryptographic code is shipped as separately installable images.
When they are installed, they add their particular stanzas to the
cryptographic database to describe their type of cryptographic
support.

Below is an example of the database stanza for DES CBC 8 and DES CBC
4:
  crypto_module:
    id = 17                    # ESP_DES_CBC_4, see ipsec/ipsp.h for defines
    class = 1                  # Encryption
    effect_keylen = 56         # Effective Key length in bits
    keysize = 8                # Key size in bytes
    blksize = 8                # Block size in bytes
    digestsize = 0             # Digest Size in bytes (N/A)
    smit_choice = "DES_CBC_4"
    description = "DES CBC 4 Encryption Module"
    path = "/usr/lib/drivers/crypto/des_mod"
  crypto_module:
    id = 18                    # ESP_DES_CBC_8, see ipsec/ipsp.h for defines
    class = 1                  # Encryption
    effect_keylen = 56         # Effective Key length in bits
    keysize = 8                # Key size in bytes
    blksize = 8                # Block size in bytes
    digestsize = 0             # Digest Size in bytes (N/A)
    smit_choice = "DES_CBC_8"
    description = "DES CBC 8 Encryption Module"
    path = "/usr/lib/drivers/crypto/des_mod"

      In the above example, the id is the number of the algorithm
used in the kernel code to execute the DES_CBC_4 or DES_CBC_8 code.
The effective key length is the key length in bits.  The keysize is
the key size in bytes, which the commands use to check for valid
user input.  The smit_choice is the tex...
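
The stanza format and the command-side key check described above, as an added Python example (not code from the disclosure): it parses the stanzas, rejects entries with colliding ids, inconsistent key sizes, or a path that leaves the module directory, and checks a user-supplied key against keysize. The names `parse_db` and `key_ok`, the trusted-directory rule, and the hex encoding of the key are assumptions of this example.

```python
import posixpath
import re

# Constructed sample mirroring the two stanzas above (description field omitted).
STANZA = '''crypto_module:
    id = {id}         # ESP_{name}, see ipsec/ipsp.h for defines
    class = 1                  # Encryption
    effect_keylen = 56         # Effective Key length in bits
    keysize = 8                # Key size in bytes
    blksize = 8
    digestsize = 0
    smit_choice = "{name}"
    path = "/usr/lib/drivers/crypto/des_mod"'''
SAMPLE_DB = "\n".join(STANZA.format(id=i, name=n) for i, n in ((17, "DES_CBC_4"), (18, "DES_CBC_8")))
MODULE_DIR = "/usr/lib/drivers/crypto/"   # assumption: the only directory modules may load from
INT_FIELDS = ("id", "class", "effect_keylen", "keysize", "blksize", "digestsize")

def parse_db(text):
    """Parse stanzas into {smit_choice: fields}; ValueError on malformed or unsafe entries."""
    stanzas, modules = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "crypto_module:":
            stanzas.append({})
        elif line and not line.startswith("#"):
            m = re.fullmatch(r'(\w+)\s*=\s*("[^"]*"|[^\s#]+)\s*(?:#.*)?', line)
            if not m or not stanzas:
                raise ValueError(f"unparseable line: {raw!r}")
            stanzas[-1][m[1]] = m[2].strip('"')
    for s in stanzas:
        try:
            s.update({f: int(s[f]) for f in INT_FIELDS})
            name, path = s["smit_choice"], posixpath.normpath(s["path"])
        except (KeyError, ValueError) as e:
            raise ValueError(f"missing or non-numeric field: {e}") from None
        if name in modules or any(m["id"] == s["id"] for m in modules.values()):
            raise ValueError(f"duplicate module: {name}")
        if s["keysize"] < 1 or s["effect_keylen"] > 8 * s["keysize"]:
            raise ValueError(f"inconsistent key sizes: {name}")   # added sanity check
        if not path.startswith(MODULE_DIR):        # normpath has already collapsed any ".."
            raise ValueError(f"module path outside {MODULE_DIR}: {s['path']}")
        modules[name] = s
    return modules

def key_ok(modules, choice, key_hex):
    """Command-side input check: the key must be exactly keysize bytes for a registered module."""
    try:
        return len(bytes.fromhex(key_hex)) == modules[choice]["keysize"]
    except (KeyError, ValueError):
        return False
```

Because the database names kernel extensions to load, the parser treats it as untrusted input and fails closed on the first bad stanza instead of skipping it.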