Digital Authentication Framework 6.0.1.33
|
Identification of DAF device capabilities. More...
#include "../daf/DigitalAuthenticationFramework.h"
Go to the source code of this file.
Defines | |
#define | DA_AUTH_HAS_CRYPTO 0x01000000 |
Device can do cryptographic ops. | |
#define | DA_AUTH_NO_CRYPTO 0x00000000 |
Device has no usable crypto. | |
#define | DA_AUTH_CRYPTO_MASK 0xff000000 |
Mask for testing crypto capability. | |
#define | DA_AUTH_AUTHENTICATED 0x00010000 |
Device has DA_PROTECTED_PATH and DA_AUTHENTIC_PATH set. | |
#define | DA_AUTH_PUBLIC 0x00000000 |
Non-secure path to device (needs user password) | |
#define | DA_AUTH_AUTH_MASK 0x00ff0000 |
Mask for testing secure path capability. | |
#define | DA_AUTH_CRYPT_SYMM 0x00002000 |
Can do symmetric crypto (encrypt/decrypt or MAC) | |
#define | DA_AUTH_CRYPT_ASYMM 0x00001000 |
Can do asymmetic crypto (encrypt/decrypt or signature) | |
#define | DA_AUTH_CRYPT_INVERT 0x00000200 |
Can do invertible transformation (i.e. encryption/decryption) | |
#define | DA_AUTH_CRYPT_ONEWAY 0x00000100 |
Can do one-way transformation (signature or HMAC) | |
#define | DA_AUTH_CRYPT_MASK 0x0000ff00 |
Mask for all crypto type flags. | |
#define | DA_AUTH_CRYPT_SYMM_MASK 0x0000f000 |
Mask for testing symmetric/asymmetric. | |
#define | DA_AUTH_CRYPT_INVT_MASK 0x00000f00 |
Mask for testing invertible/oneway. | |
#define | DA_AUTH_CRYPT_NONE 0x00000000 |
No usable crypto functions. | |
#define | DA_AUTH_HAS_STORAGE 0x00000010 |
Device can store data. | |
#define | DA_AUTH_VALID 0x00000001 |
Device is usable for authentication. | |
Enumerations | |
enum | DAAuthClass { DA_AUTH_CLASS_UNKNOWN, DA_AUTH_CLASS0, DA_AUTH_CLASS1_PUBLIC, DA_AUTH_CLASS1_AUTHENTICATED, DA_AUTH_CLASS2_AUTHENTICATED_INVERTIBLE, DA_AUTH_CLASS2_AUTHENTICATED_ONEWAY, DA_AUTH_CLASS2_PUBLIC_INVERTIBLE, DA_AUTH_CLASS2_PUBLIC_ONEWAY, DA_AUTH_CLASS3_AUTHENTICATED_INVERTIBLE, DA_AUTH_CLASS3_AUTHENTICATED_ONEWAY, DA_AUTH_CLASS3_PUBLIC_INVERTIBLE, DA_AUTH_CLASS3_PUBLIC_ONEWAY } |
Authentication device type. More... | |
Functions | |
bool | DAIdentifyAuthKey (DADevice &dev, DAKey &key, DAAuthClass &class_out) |
Examines a key from the given device (dev and key ) and decides which authentication protocol class we should use, only considering this key. | |
bool | DAIdentifyAuthDevice (DADevice &dev, DASession &sess, DAAuthClass &class_out) |
Examines the device and session (dev and sess ) and decides which authentication protocol class we should use. | |
const char * | DAAuthClassToString (DAAuthClass cls) |
Stringifies a member of the DAAuthClass enum. | |
DAAuthClass | DAStringToAuthClass (const char *str) |
Reverses DAAuthClassToString, returning DA_AUTH_CLASS_UNKNOWN for invalid values. |
Identification of DAF device capabilities.
The DAF code (see authglue.h) assigns the device a DAAuthClass value, based on the capabilities of the keys which are available, and on attribute flags set in the device's DAMetaData. This determines which calls are made to the device implementation by DAAuthProtocol.
The actual enum value is a bit-mask of DA_AUTH_HAS_CRYPTO, DA_AUTH_PUBLIC flags, etc. The flags are coded such that higher enum values are preferred over lower ones; the authglue code will pick the 'best' class to use if there is a choice.
The ordering is:
Note that combinations of flags other than those given below are illegal.
#define DA_AUTH_PUBLIC 0x00000000 |
Non-secure path to device (needs user password)
Devices which do not report both DA_PROTECTED_PATH and DA_AUTHENTIC_PATH flags set are considered to have no secure connection for transmitting secret data.
For these devices, DAAuthProtocol will require that a user password is supplied in addition to the data supplied by the device. These are hashed together to give the authentication secret.
enum DAAuthClass |
Authentication device type.
DA_AUTH_CLASS_UNKNOWN |
DAIdentifyAuthDevice was unable to find a usable key for authentication (this is an error). |
DA_AUTH_CLASS0 |
At least one key has the DA_STORAGE flag set (but not DA_READ_WRITE). A class 0 device is capable of providing a single, fixed value to identify itself; this value is presented as a DAKey (see BasicReadonlyKey) and is read via the getData() method. |
DA_AUTH_CLASS1_PUBLIC |
One or more keys has DA_STORAGE and DA_READ_WRITE flags set. A class 1 device must be able to store and recall at least one data block of size DAKey::STORAGE_MESSAGE_SIZE. This data block is used as an authentication secret. |
DA_AUTH_CLASS1_AUTHENTICATED |
As DA_AUTH_CLASS1_PUBLIC, but device has 'secure' communications. |
DA_AUTH_CLASS2_AUTHENTICATED_INVERTIBLE |
One or more keys does symmetric encryption and decryption. The DAAuthProtocol will use the key to encrypt a short (DAKey::ENCRYPT_MESSAGE_SIZE bytes) random value; the ciphertext is stored on disk. During the authentication sequence the ciphertext is decrypted using the same key, and the plaintext used as the authentication secret. |
DA_AUTH_CLASS2_AUTHENTICATED_ONEWAY |
One or more keys does MAC generation or similar. For these devices, DAF will ask for the MAC of a random input message to be generated. The input block (size DAKey::ONEWAY_MESSAGE_SIZE) is stored on disk; the generated MAC is used as an authentication secret. |
DA_AUTH_CLASS2_PUBLIC_INVERTIBLE |
One or more keys does symmetric encryption/decryption; no secure path to device. Some devices may offer cryptographic operations, but do not have a secure communications channel to the phone to transmit the data. DAIdentifyAuthDevice will identify and use such a device, but it is deprecated and support may be withdrawn, or disabled by policy, in a future release. |
DA_AUTH_CLASS2_PUBLIC_ONEWAY |
Deprecated, see DA_AUTH_CLASS2_PUBLIC_INVERTIBLE. |
DA_AUTH_CLASS3_AUTHENTICATED_INVERTIBLE |
One or more keys does public key encryption / decryption. Operation is like DA_AUTH_CLASS2_AUTHENTICATED_INVERTIBLE; the key must be able to encrypt and decrypt a message of length DAKey::ENCRYPT_MESSAGE_SIZE. |
DA_AUTH_CLASS3_AUTHENTICATED_ONEWAY |
One or more keys does signature with a public-key algorithm. Note that this must be a deterministic signature algorithm, as the value of the signature is used as the authentication secret. |
DA_AUTH_CLASS3_PUBLIC_INVERTIBLE |
Deprecated, see DA_AUTH_CLASS2_PUBLIC_INVERTIBLE. |
DA_AUTH_CLASS3_PUBLIC_ONEWAY |
Deprecated, see DA_AUTH_CLASS2_PUBLIC_INVERTIBLE. |
const char* DAAuthClassToString | ( | DAAuthClass | cls | ) |
Stringifies a member of the DAAuthClass enum.
bool DAIdentifyAuthDevice | ( | DADevice & | dev, |
DASession & | sess, | ||
DAAuthClass & | class_out | ||
) |
Examines the device and session (dev
and sess
) and decides which authentication protocol class we should use.
Returns false if we can't work out what class to use (for instance, because the session has no keys available).
bool DAIdentifyAuthKey | ( | DADevice & | dev, |
DAKey & | key, | ||
DAAuthClass & | class_out | ||
) |
Examines a key from the given device (dev
and key
) and decides which authentication protocol class we should use, only considering this key.
Returns false if we can't work out what class to use.
DAAuthClass DAStringToAuthClass | ( | const char * | str | ) |
Reverses DAAuthClassToString, returning DA_AUTH_CLASS_UNKNOWN for invalid values.