14
The following items address requirements not addressed above.
Cryptographic Bypass
Cryptographic bypass is not support in DSSENH.
Operation Authentication
DSSENH inherits all authentication from the Microsoft Windows 2000 operating
system upon which it runs. Microsoft Windows 2000 requires authentication from a
trusted control base (TCB) before a user is able to access system services. Once a
user is authenticated from the TCB, a process is created bearing the Authenticated
User's security token. All subsequent processes and threads created by that
Authenticated User are implicitly assigned the parent's (thus the Authenticated
User's) security token. Every user that has been authenticated by Microsoft
Windows 2000 is naturally assigned the Authenticated User role when he/she
accesses DSSENH.
Identity-based Authentication
While all Authenticated Users are assigned the same role and thus have access to
the same complete set of services, individual Authenticated Users may only access
key containers which they themselves have created. DSSENH assumes the
authentication of the user and enforces it by running in a thread with the
Authenticated User's security token.
ModularExpOffload
The ModularExpOffload function offloads modular exponentiation from a CSP to a
hardware accelerator. The CSP will check in the registry for the value
HKLM\Software\Microsoft\Cryptography\ExpoOffload that can be the name of a
DLL. The CSP uses LoadLibrary to load that DLL and calls GetProcAddress to get
the OffloadModExpo entry point in the DLL specified in the registry. The CSP uses
the entry point to perform all modular exponentiations for both public and private
key operations. Two checks are made before a private key is offloaded.
Operating System Security
The DSSENH cryptomodule is intended to run on Windows 2000 in Single User
Mode.
MISCELLANEOUS