1. CDSA HRS NCITS M1 Meeting Catherine J. Tilton SAFLINK 11417 Sunset Hills Rd, Suite 106 Reston, VA 20190 +1 703-708-9280 Fax +1 703-708-0014 ctilton@saflink.com M1/02-0018

2. NCITS M1 16 January 2002 2 CDSA The Common Data Security Architecture (CDSA) is a set of layered security services and cryptographic framework that provide an infrastructure for creating cross-platform, interoperable, security-enabled applications for client-server environments. CDSA covers all the essential components of security capability, to equip applications for electronic commerce and other business applications with security services that provide facilities for cryptography, certificate management, trust policy management, and key recovery. CDSAv2 is scalable such that it can provide security services for any device, ranging from Personal Digital Assistants (PDAs) to Mainframes, and any operating platform from Windows to UNIX / LINUX. Incorporating the CDSA solution into enterprise environments effectively decouples any single security solution from the infrastructure, and integrates a mechanism (EMM) that allows you to plug and unplug security solutions as required.

3. NCITS M1 16 January 2002 3 CDSA Architecture CDSA defines a horizontal, four-layer architecture: 1. Applications 2. Layered services and middleware 3. Common Security Services Manager (CSSM) infrastructure 4. Security Service Provider Modules The CDSAv2.3 Technical Standard is organized into 15 parts, each addressing specific aspects of the architecture, and catering for the needs Application Developers, CSSM Infrastructure Providers, and Security Service Module Providers.

4. NCITS M1 16 January 2002 4 CDSA components 1. The CDSA architecture 2. Common Security Services Manager (CSSM) APIs for core services 3. Cryptographic Service Providers (CSP) 4. Trust Policy Services (TP) 5. Authorization Computation Services (AC) 6. Certificate Library Services (CL) 7. Data Storage Library Services (DL) 8. Module Directory Service (MDS) 9. Key Recovery Services (KR) 10. Embedded Integrity Services Library (EISL) 11. Signed Manifest 12. Object Identifiers for Certificate Library Modules 13. Elective Module Manager (EMM) 14. Add-in Module Structure and Administration 15. Appendices, Glossary, and Index

5. NCITS M1 16 January 2002 5 CDSA Human Recognition Services (HRS) Human Recognition Service –Authentication API extension to CDSA –Elective Module Manager (EMM) –Biometric Functions based on the BioAPI (Ver 1.1) –CBEFF compliant An OpenGroup standard Supports user authentication within a security framework Biometrics used in conjunction with other security modules (cryptographic, dig cert, data libr) –Leverages the “Integrity” capabilities of CDSA Supports multi-factor authentication Open Source Reference Implementation is available – Part of the CDSA Open Source – http://www. intel.com/ial/security

6. NCITS M1 16 January 2002 6 CDSA Framework Module Directory Data store CSSM Security API Crypto Manager SPI Certificate Library CLI Certificate Manager HRI Authentication Manager DLI Data Manager Data Storage Library HRS BSP HRS-API Integrity Services Cryptographic Service Provider Smartcard TPI Trust Manager Trust Model Library Remote CAs Authorization Manager ACI Authorization Computation Library Module Management Plug-in Service Providers (SP) BioAPI EMM Source:Intel Labs Labs

7. NCITS M1 16 January 2002 7 Status/Summary HRS updated to be consistent with BioAPI Ver 1.1 –Intel has committed to keep the two in sync No active HRS WG at present –Responding to requests Website –http://www.opengroup.org/security/l2-cdsa.htm