Digital Authentication Framework 6.0.1.33
Defines | Enumerations | Functions

daf_auth_identify.h File Reference

Identification of DAF device capabilities. More...

#include "../daf/DigitalAuthenticationFramework.h"

Go to the source code of this file.

Defines

#define DA_AUTH_HAS_CRYPTO   0x01000000
 Device can do cryptographic ops.
#define DA_AUTH_NO_CRYPTO   0x00000000
 Device has no usable crypto.
#define DA_AUTH_CRYPTO_MASK   0xff000000
 Mask for testing crypto capability.
#define DA_AUTH_AUTHENTICATED   0x00010000
 Device has DA_PROTECTED_PATH and DA_AUTHENTIC_PATH set.
#define DA_AUTH_PUBLIC   0x00000000
 Non-secure path to device (needs user password)
#define DA_AUTH_AUTH_MASK   0x00ff0000
 Mask for testing secure path capability.
#define DA_AUTH_CRYPT_SYMM   0x00002000
 Can do symmetric crypto (encrypt/decrypt or MAC)
#define DA_AUTH_CRYPT_ASYMM   0x00001000
 Can do asymmetic crypto (encrypt/decrypt or signature)
#define DA_AUTH_CRYPT_INVERT   0x00000200
 Can do invertible transformation (i.e. encryption/decryption)
#define DA_AUTH_CRYPT_ONEWAY   0x00000100
 Can do one-way transformation (signature or HMAC)
#define DA_AUTH_CRYPT_MASK   0x0000ff00
 Mask for all crypto type flags.
#define DA_AUTH_CRYPT_SYMM_MASK   0x0000f000
 Mask for testing symmetric/asymmetric.
#define DA_AUTH_CRYPT_INVT_MASK   0x00000f00
 Mask for testing invertible/oneway.
#define DA_AUTH_CRYPT_NONE   0x00000000
 No usable crypto functions.
#define DA_AUTH_HAS_STORAGE   0x00000010
 Device can store data.
#define DA_AUTH_VALID   0x00000001
 Device is usable for authentication.

Enumerations

enum  DAAuthClass {
  DA_AUTH_CLASS_UNKNOWN, DA_AUTH_CLASS0, DA_AUTH_CLASS1_PUBLIC, DA_AUTH_CLASS1_AUTHENTICATED,
  DA_AUTH_CLASS2_AUTHENTICATED_INVERTIBLE, DA_AUTH_CLASS2_AUTHENTICATED_ONEWAY, DA_AUTH_CLASS2_PUBLIC_INVERTIBLE, DA_AUTH_CLASS2_PUBLIC_ONEWAY,
  DA_AUTH_CLASS3_AUTHENTICATED_INVERTIBLE, DA_AUTH_CLASS3_AUTHENTICATED_ONEWAY, DA_AUTH_CLASS3_PUBLIC_INVERTIBLE, DA_AUTH_CLASS3_PUBLIC_ONEWAY
}
 

Authentication device type.

More...

Functions

bool DAIdentifyAuthKey (DADevice &dev, DAKey &key, DAAuthClass &class_out)
 Examines a key from the given device (dev and key) and decides which authentication protocol class we should use, only considering this key.
bool DAIdentifyAuthDevice (DADevice &dev, DASession &sess, DAAuthClass &class_out)
 Examines the device and session (dev and sess) and decides which authentication protocol class we should use.
const char * DAAuthClassToString (DAAuthClass cls)
 Stringifies a member of the DAAuthClass enum.
DAAuthClass DAStringToAuthClass (const char *str)
 Reverses DAAuthClassToString, returning DA_AUTH_CLASS_UNKNOWN for invalid values.

Detailed Description

Identification of DAF device capabilities.

The DAF code (see authglue.h) assigns the device a DAAuthClass value, based on the capabilities of the keys which are available, and on attribute flags set in the device's DAMetaData. This determines which calls are made to the device implementation by DAAuthProtocol.

The actual enum value is a bit-mask of DA_AUTH_HAS_CRYPTO, DA_AUTH_PUBLIC flags, etc. The flags are coded such that higher enum values are preferred over lower ones; the authglue code will pick the 'best' class to use if there is a choice.

The ordering is:

Note that combinations of flags other than those given below are illegal.


Define Documentation

#define DA_AUTH_PUBLIC   0x00000000

Non-secure path to device (needs user password)

Devices which do not report both DA_PROTECTED_PATH and DA_AUTHENTIC_PATH flags set are considered to have no secure connection for transmitting secret data.

For these devices, DAAuthProtocol will require that a user password is supplied in addition to the data supplied by the device. These are hashed together to give the authentication secret.


Enumeration Type Documentation

Authentication device type.

Enumerator:
DA_AUTH_CLASS_UNKNOWN 

DAIdentifyAuthDevice was unable to find a usable key for authentication (this is an error).

DA_AUTH_CLASS0 

At least one key has the DA_STORAGE flag set (but not DA_READ_WRITE).

A class 0 device is capable of providing a single, fixed value to identify itself; this value is presented as a DAKey (see BasicReadonlyKey) and is read via the getData() method.

DA_AUTH_CLASS1_PUBLIC 

One or more keys has DA_STORAGE and DA_READ_WRITE flags set.

A class 1 device must be able to store and recall at least one data block of size DAKey::STORAGE_MESSAGE_SIZE. This data block is used as an authentication secret.

DA_AUTH_CLASS1_AUTHENTICATED 

As DA_AUTH_CLASS1_PUBLIC, but device has 'secure' communications.

DA_AUTH_CLASS2_AUTHENTICATED_INVERTIBLE 

One or more keys does symmetric encryption and decryption.

The DAAuthProtocol will use the key to encrypt a short (DAKey::ENCRYPT_MESSAGE_SIZE bytes) random value; the ciphertext is stored on disk. During the authentication sequence the ciphertext is decrypted using the same key, and the plaintext used as the authentication secret.

DA_AUTH_CLASS2_AUTHENTICATED_ONEWAY 

One or more keys does MAC generation or similar.

For these devices, DAF will ask for the MAC of a random input message to be generated. The input block (size DAKey::ONEWAY_MESSAGE_SIZE) is stored on disk; the generated MAC is used as an authentication secret.

DA_AUTH_CLASS2_PUBLIC_INVERTIBLE 

One or more keys does symmetric encryption/decryption; no secure path to device.

Some devices may offer cryptographic operations, but do not have a secure communications channel to the phone to transmit the data. DAIdentifyAuthDevice will identify and use such a device, but it is deprecated and support may be withdrawn, or disabled by policy, in a future release.

DA_AUTH_CLASS2_PUBLIC_ONEWAY 

Deprecated, see DA_AUTH_CLASS2_PUBLIC_INVERTIBLE.

DA_AUTH_CLASS3_AUTHENTICATED_INVERTIBLE 

One or more keys does public key encryption / decryption.

Operation is like DA_AUTH_CLASS2_AUTHENTICATED_INVERTIBLE; the key must be able to encrypt and decrypt a message of length DAKey::ENCRYPT_MESSAGE_SIZE.

DA_AUTH_CLASS3_AUTHENTICATED_ONEWAY 

One or more keys does signature with a public-key algorithm.

Note that this must be a deterministic signature algorithm, as the value of the signature is used as the authentication secret.

DA_AUTH_CLASS3_PUBLIC_INVERTIBLE 

Deprecated, see DA_AUTH_CLASS2_PUBLIC_INVERTIBLE.

DA_AUTH_CLASS3_PUBLIC_ONEWAY 

Deprecated, see DA_AUTH_CLASS2_PUBLIC_INVERTIBLE.


Function Documentation

const char* DAAuthClassToString ( DAAuthClass  cls)

Stringifies a member of the DAAuthClass enum.

bool DAIdentifyAuthDevice ( DADevice dev,
DASession sess,
DAAuthClass class_out 
)

Examines the device and session (dev and sess) and decides which authentication protocol class we should use.

Returns false if we can't work out what class to use (for instance, because the session has no keys available).

bool DAIdentifyAuthKey ( DADevice dev,
DAKey key,
DAAuthClass class_out 
)

Examines a key from the given device (dev and key) and decides which authentication protocol class we should use, only considering this key.

Returns false if we can't work out what class to use.

DAAuthClass DAStringToAuthClass ( const char *  str)

Reverses DAAuthClassToString, returning DA_AUTH_CLASS_UNKNOWN for invalid values.