SunScreen SKIP is also part of the SunScreen Remote Administration solution; to install and configure that particular configuration, use the SunScreen documentation: SunScreen 3.1 Installation Guide and SunScreen 3.1 Administration Guide.
SunScreen SKIP is Sun Microsystems' implementation of Simple Key Management for Internet Protocols (SKIP).
It is replacement software and upgrade software for any previous version of SKIP for the Solaris operating environment.
This chapter provides instructions for installing SunScreen SKIP on the Solaris 2.6, Solaris 7, or Solaris 8 operating environments for the SPARC and Intel platforms and on the Trusted Solaris 7 operating environment for the SPARC platform. Once SKIP is installed, configured, and enabled on the systems requiring its services, IP-layer encryption can begin. SKIP runs without further administration effort until new systems need to be added or certificate management is required. This chapter also describes how you can protect your locally stored secrets with a passphrase.
SunScreen SKIP is supported on the following platforms:
Any Sun SPARC workstation running the Solaris 2.6, Solaris 7, or Solaris 8 operating environments.
Any Intel-based PC that is compatible with and running the Solaris 2.6, Solaris 7, or Solaris 8 operating environments for the Intel Platform.
The RC2-40 cryptor is restricted to use with the Solaris operating environment in 32-bit mode only.
The hardware requirements are as follows:
A minimum of 16 MB of RAM is required; 32 MB of RAM is recommended.
A minimum of 6 MB of free disk space is required for installation; 3 MB of disk space is permanently used.
One or more supported network interfaces.
A CD-ROM drive.
A floppy drive, if planning to install SunCA certificates.
To run SunScreen SKIP, you must
Install the Solaris SunCore® software group.
This software group contains the minimum software required to boot and run the Solaris operating environment. It includes some networking software and the drivers necessary to run the OpenWindows environment; it does not include the OpenWindows software.
Additionally, install the following packages:
system SUNWadmr System & Network Administration Root
system SUNWcar Core Architecture, (Root)
system SUNWcsd Core Solaris Devices
system SUNWcsr Core Solaris, (Root)
system SUNWcsu Core Solaris, (Usr)
system SUNWdfb Dumb Frame Buffer Device Drivers
system SUNWesu Extended System Utilities
system SUNWkvm Core Architecture, (Kvm)
system SUNWlibC SPARCompilers Bundled libC
system SUNWlibms SPARCompilers Bundled shared libm
system SUNWtoo Programming Tools
system SUNWvolr Volume Management, (Root)
system SUNWvolu Volume Management, (Usr)
If you plan to use the skiptool GUI, install the packages for OpenWindows.
SUNWolrte
SUNWxwplt
SUNWolslb
If you are going to use certificates from a Certificate Authority, be aware that you must install the following operating system package:
system SUNWscpu Source Compatibility, (Usr)
Otherwise the install_skip_keys command will fail.
SunScreen SKIP supports the following protocol versions:
SunScreen SKIP, Version 1, for SunScreen SPF-100/100G compatibility.
Any platform that has implemented SKIP as described in the ICG Technical Reports, including the SunScreen product line, except the SunScreen SPF-100, which only implements SunScreen SKIP, Version 1 (see above).
SunScreen SKIP, Release 1.5.1, is the upgrade for SunScreen SKIP, Release 1.5.
Before installing SKIP, be sure that you have the CD-ROM for the base software and any encryption upgrade CD-ROMs or diskettes to which you are entitled.
If you are an experienced SKIP user who just wants a quick installation overview, see Appendix A, Quick-Start Guide.
For the new user, this chapter tells about:
Installing SunScreen SKIP ("Installing the New Version").
Generating and installing an Unsigned Diffie-Hellman (UDH) key pair, if you are using UDH ("Installing SKIP Unsigned Diffie-Hellman (UDH) Certificates").
Installing SunScreen SKIP on your network interface ("Installing Your Network Interface").
Rebooting your system ("Rebooting Your System").
Protecting your locally stored secrets with a passphrase ("Activating Your Passphrase").
For the user who is upgrading from any version of SunScreen SKIP for the Solaris operating environment to this release, this chapter covers these additional topics (as well as the previously mentioned installation topics).
Upgrading to SunScreen SKIP ("Upgrading From Earlier SKIP Versions").
Removing any old version of SKIP for the Solaris operating environment
Preserving or removing previous configurations
This chapter also contains information on how to add cryptography upgrade packages, for those users who want, for example, to upgrade from the 512-bit version of SKIP to the 2048-bit or 4096-bit versions.
This section provides instructions for installing SKIP on the SPARC and Intel platforms running the Solaris 2.6, Solaris 7, or Solaris 8 operating environments.
To install and run the software, you must be able to become root on your local system and know the IP address of the machine on which SKIP is to be installed. Ask your systems administrator for the IP address of your machine. To install the software for the first time (or if you are installing it without saving the configurations), follow these steps:
Open a terminal window and become root.
Mount the CD-ROM through the file manager by typing:
# volcheck
If you are not using vold on your system, type
# mount -F hsfs -oro /dev/dsk/c0t6d0s0 /mnt
The device name or the mount point or both depends on your local system configuration.
Go to the directory on the CD-ROM for your OS. (The examples assume a machine with only one CD-ROM.)
Solaris operating environment for the SPARC Platform:
# cd /cdrom/cdrom0/sparc
Solaris operating environments for the Intel Platform:
# cd /cdrom/cdrom0/x86
If you have mounted the CD-ROM manually, replace /cdrom/cdrom0 with /mnt.
Type the standard Solaris operating environment pkgadd command to add all packages:
# pkgadd -d .
You are prompted with the following menu of packages.
1 SUNW3des SKIP 3DES Crypto Module (sparc) 1.5.1
2 SUNW3desx SKIP 3DES Crypto Module (64-bit) (sparc) 1.5.1
3 SUNWbdc SKIP Bulk Data Crypt (sparc) 1.5.1
4 SUNWbdcx SKIP Bulk Data Crypt (64-bit) (sparc) 1.5.1
5 SUNWdes SKIP DES Crypto Module (sparc) 1.5.1
6 SUNWdesx SKIP DES Crypto Module (64-bit) (sparc) 1.5.1
7 SUNWes SKIP End System (sparc) 1.5.1
8 SUNWesx SKIP End System (64-bit) (sparc) 1.5.1
9 SUNWkdsup SKIP D-Support module (sparc) 1.5.1
10 SUNWkeymg SKIP Key Manager Tools (sparc) 1.5.1
... 8 more menu choices to follow;
<RETURN> for more choices, <CTRL-D> to stop display:
11 SUNWrc2 SKIP RC2 Crypto Module (sparc) 1.5.1
12 SUNWrc4 SKIP RC4 Crypto Module (sparc) 1.5.1
13 SUNWrc4s SKIP RC4-128 Crypto Module (sparc) 1.5.1
14 SUNWrc4sx SKIP RC4-128 Crypto Module (64-bit) (sparc) 1.5.1
15 SUNWrc4x SKIP RC4 Crypto Module (64-bit) (sparc) 1.5.1
16 SUNWsafe SKIP SAFER Crypto Module (sparc) 1.5.1
17 SUNWsafex SKIP SAFER Crypto Module (64-bit) (sparc) 1.5.1
18 SUNWsman SKIP Man Pages (sparc) 1.5.1
Select package(s) you wish to process (or "all" to process all packages). (default: all) [?,??,q]:
Select a (all). As the prompts appear, answer questions with y (yes) to add the package.
When you get back to the same menu of packages, type q to quit.
To eject the CD-ROM from the CD-ROM drive, type:
# cd /
# eject cdrom0
or eject the CD-ROM from the CD-ROM drive through the file manager.
If you are not using vold on your system, unmount your CD-ROM by typing:
# cd /
# umount /mnt
# eject cdrom0
To add /usr/sbin to your PATH variable in the Bourne shell, type:
PATH=/usr/sbin:$PATH
export PATH
To add /usr/share/man to your MANPATH variable in the Bourne shell, type:
MANPATH=/usr/share/man:$MANPATH
export MANPATH
It is helpful to add /usr/sbin to the PATH variable in your initialization file (such as .profile, .cshrc, or .login file), and /usr/share/man to the MANPATH variable in the same file.
Now you are ready to complete the installation. The remaining steps include:
Generating and installing SKIP Unsigned Diffie-Hellman (UDH) certificates ("Installing SKIP Unsigned Diffie-Hellman (UDH) Certificates") or installing SunCA certificates (Chapter 2, Installing Keys and Certificates). You can use SKIP Unsigned Diffie-Hellman certificates and SunCA keys and certificates at the same time with SunScreen SKIP.
Installing SunScreen SKIP on your network interface ("Installing Your Network Interface").
Rebooting your system ("Rebooting Your System").
To upgrade to SunScreen SKIP 1.5.1 from an earlier SKIP version, you must first remove the old version then install the new packages.
To remove any version of SKIP for the Solaris operating environment earlier than 1.5, become root and use the pkginfo and pkgrm commands shown in the following steps:
To list the SKIP packages that were installed, type:
# pkginfo | grep SICG
The list of packages is displayed:
1 SICGbdcdr SKIP Bulk Data Crypt 1.0.3-FCS Software
2 SICGcrc2 SKIP RC2 Crypto Module 1.0.3-FCS Software
3 SICGcrc4 SKIP RC4 Crypto Module 1.0.3-FCS Software
4 SICGes SKIP End System 1.0.3-FCS Software
5 SICGkeymg SKIP Key Manager Tools 1.0.3-FCS Software
6 SICGkisup SKIP I-Support module 1.0.3-FCS Software (sparc) 1.0.3-FCS
To remove the packages, type:
# pkgrm package_names
Answer y (yes) to questions that the pkgrm program asks. The pkgrm program ends with the statement:
Removal of <SICGkisup> was successful.
This is valid only for this example. If moduli of other sizes were used, then the last package removed will be different.
To remove the /etc/opt/SUNWicg/skip directory and any configurations that were installed, type:
# rm -rf /etc/opt/SUNWicg/skip
If you want to preserve previous configurations (including certificates, and the key manager configuration file), do not remove the /etc/opt/SUNWicg/skip directory.
To reboot the machine, type:
# init 6
To remove SunScreen SKIP, Release 1.5 or Release 1.5B, for the Solaris operating environment, become root and use the pkginfo and pkgrm commands shown in the following steps:
To list the SKIP packages that were installed, type:
# pkginfo | grep -i skip
The list of packages is displayed:
application SUNW3des SKIP 3DES Crypto Module
application SUNW3desx SKIP 3DES Crypto Module (64-bit)
application SUNWbdc SKIP Bulk Data Crypt
application SUNWbdcx SKIP Bulk Data Crypt (64-bit)
application SUNWdes SKIP DES Crypto Module
application SUNWdesx SKIP DES Crypto Module (64-bit)
application SUNWes SKIP End System
application SUNWesx SKIP End System (64-bit)
application SUNWkdsup SKIP D-Support module
application SUNWkeymg SKIP Key Manager Tools
application SUNWkusup SKIP U-Support module
application SUNWrc2 SKIP RC2 Crypto Module
application SUNWrc4 SKIP RC4 Crypto Module
application SUNWrc4s SKIP RC4-128 Crypto Module
application SUNWrc4sx SKIP RC4-128 Crypto Module (64-bit)
application SUNWrc4x SKIP RC4 Crypto Module (64-bit)
application SUNWsafe SKIP SAFER Crypto Module
application SUNWsafex SKIP SAFER Crypto Module (64-bit)
application SUNWsman SKIP Man Pages
To remove the packages, type
# pkgrm package_names
Answer y (yes) to questions that the pkgrm program asks. The pkgrm program ends with the statement:
Removal of <SUNWsman> was successful.
This is valid only for this example. If moduli of other sizes were used, then the last package removed would be different.
To remove the /etc/opt/SUNWicg/skip directory and any configurations that were installed, type:
# rm -rf /etc/opt/SUNWicg/skip
If you want to preserve previous configurations (including certificates, and the key manager configuration file), do not remove the /etc/opt/SUNWicg/skip directory.
To reboot the machine, type:
# init 6
Follow these steps:
Open a terminal window and become root.
Mount the CD-ROM through the file manager or by typing:
# volcheck
If you are not using vold on your system, type:
# mount -F hsfs -oro /dev/dsk/c0t6d0s0 /mnt
The device name or the mount point or both depends on your local system configuration.
Go to the directory on the CD-ROM for your OS:
Solaris operating environment for the SPARC Platform:
# cd /cdrom/cdrom0/sparc
Solaris operating environment for the Intel Platform:
# cd /cdrom/cdrom0/x86
If you have mounted the CD-ROM manually, replace /cdrom/cdrom0 with /mnt.
To use the standard Solaris operating environment pkgadd command to add all packages, type:
# pkgadd -d .
You are prompted with the following menu of packages:
1 SUNW3des SKIP 3DES Crypto Module (sparc) 1.5.1
2 SUNW3desx SKIP 3DES Crypto Module (64-bit) (sparc) 1.5.1
3 SUNWbdc SKIP Bulk Data Crypt (sparc) 1.5.1
4 SUNWbdcx SKIP Bulk Data Crypt (64-bit) (sparc) 1.5.1
5 SUNWdes SKIP DES Crypto Module (sparc) 1.5.1
6 SUNWdesx SKIP DES Crypto Module (64-bit) (sparc) 1.5.1
7 SUNWes SKIP End System (sparc) 1.5.1
8 SUNWesx SKIP End System (64-bit) (sparc) 1.5.1
9 SUNWkdsup SKIP D-Support module (sparc) 1.5.1
10 SUNWkeymg SKIP Key Manager Tools (sparc) 1.5.1
... 8 more menu choices to follow;
<RETURN> for more choices, <CTRL-D> to stop display:
11 SUNWrc2 SKIP RC2 Crypto Module (sparc) 1.5.1
12 SUNWrc4 SKIP RC4 Crypto Module (sparc) 1.5.1
13 SUNWrc4s SKIP RC4-128 Crypto Module (sparc) 1.5.1
14 SUNWrc4sx SKIP RC4-128 Crypto Module (64-bit) (sparc) 1.5.1
15 SUNWrc4x SKIP RC4 Crypto Module (64-bit) (sparc) 1.5.1
16 SUNWsafe SKIP SAFER Crypto Module (sparc) 1.5.1
17 SUNWsafex SKIP SAFER Crypto Module (64-bit) (sparc) 1.5.1
18 SUNWsman SKIP Man Pages (sparc) 1.5.1
Select package(s) you wish to process (or "all" to process all packages). (default: all) [?,??,q]:
Select a (all) or the number of the package. As the prompts appear, answer questions with y (yes), if you wish to add the package.
When you get back to the same menu of packages, type q to quit.
If you want to use certificates, and the key manager configuration file from an earlier version of SKIP, type:
# cp /etc/opt/SUNWicg/skip/* /etc/skip
1.x ACLs cannot be used in version 1.5.1
To eject the CD-ROM from the CD-ROM drive, type:
# cd /
# eject cdrom0
or eject the CD-ROM through the file manager.
If you are not using vold on your system, unmount your CD-ROM by typing:
# cd /
# umount /mnt
# eject cdrom0
To add /usr/sbin to your PATH variable in the Bourne shell, type:
PATH=/usr/sbin:$PATH
export PATH
To add /usr/share/man to your MANPATH variable in the Bourne shell, type:
MANPATH=/usr/share/man:$MANPATH
export MANPATH
It is helpful to add /usr/sbin to the PATH variable in your initialization file (such as: .profile, .cshrc, or .login file), and /usr/share/man to the MANPATH variable in the same file.
Now you are ready to generate and install SKIP Unsigned Diffie-Hellman (UDH) certificates (if you are going to use them). You can use SKIP UDH certificates and SunCA keys and certificates at the same time with SunScreen SKIP.
You are also ready to install SKIP on any new or different network interface (if you need to). Generate and install the SKIP UDH certificates ("Installing SKIP Unsigned Diffie-Hellman (UDH) Certificates") and install SunScreen SKIP ("Installing Your Network Interface") on the network interface before you reboot your system.
If you are going to use the same keys, certificates and network interface that you used in SKIP for the Solaris operating environment, Release 1.0, you only need to reboot your system and restore any ACL files that you use. This is only true if you did not remove the /etc/opt/SUNWicg/skip directory and you copied over your old files.
Once SKIP has been installed, you must install at least one local identity (public-private key pair) for your host. The following procedure creates a SKIP UDH certificate, which is the one you will most likely use. For a more detailed discussion of SKIP UDH certificates, see Appendix B, How SKIP Works.
Chapter 2 discusses keys, certificates, and hashes in greater detail. If you are installing other kinds of keys and certificates, see the documentation that is supplied with them or contact the vendor. If you are installing keys and certificates from Sun Microsystems, see Chapter 2, Installing Keys and Certificates.
The skiplocal command creates and manages all local key types, including UDH certificates, on your system. You can have more than one UDH certificate on your system. Your local identities can also be of different lengths (moduli), depending on the version of SunScreen SKIP that you have. The default will always be the largest modulus you can generate.
Local secret is the term used for an encryption certificate and key.
On a first-time SKIP installation, you must initialize the SKIP directories before you create any certificates.
Issue the following command to initialize the SKIP directories:
skiplocal -i
To generate an UDH key pair locally, type:
skiplocal -k
If you have local identities of different strengths, such as 512, 1024, 2048, or 4096 bits, use the -m argument followed by the bit size of the modulus, without an intervening space, as in the following figure.
When generating an unsigned certificate, no authority exists to certify the identities. This means that each party must verify the name of the certificate over the telephone or some other trusted channel. Without verification through a secure channel, you have no way of knowing if the certificate belongs to the correct party or not.
In the following figure, the skiplocal -k command is used to generate a local key pair, in this case with a 512-bit modulus.
# skiplocal -k -m 512
generating local secret with 512 modulus size
It would help the quality of the random numbers if you would type 50-100 random keys on the keyboard.
Hit return when you are done.
100
Format: Hashed Public Key (MD5)
Name/Hash: 9e 23 db 35 a2 c2 d8 17 20 19 21 99 3d c9 06 e1
Not valid Before: Sun Aug 25 17:00:00 1996
Not valid After: Sat Aug 25 17:00:00 2001
g: 2
p: f52aff3ce1b1294018118d7c84a70a72d676c40319c807297aca950cd9969fabd00a509b0246d3083d66a45d419f9c7cbd894b221926baaba25eca55e92a055f
public key: 0b5522b769b3d2b8098e69312a941ce7e6de9e1635ca09dd780b328db71141739e9bb46a3d0d183372d98d7c2a0d850b70fad05edaaaa865ae5dddf618cadbff
Added local identity slot 0
To print out local information in a shareable form, type:
skiplocal -x
In the following figure, the skiplocal -x command prints out the local system's current information in a form that can be sent (for example, via email) to other users who wish to communicate with you.
The defaults proposed by skiplocal -x work well if you and the party with whom you wish to communicate have one key and one network interface. If you have some other configuration, you should not use skiplocal -x.
A safer solution than using skiplocal -x is to have each user run skiptool, call the other party on the telephone, and type the other person's key ID into the Remote Key ID field of the add window (see Chapter 3, Using the skiptool GUI).
In the following example, the first command shows you the local information. The next command redirects that information to a mail message sent to a machine that wishes to communicate with you using SKIP. The person receiving the message copies the information and pastes it into the command line, which adds an ACL entry for your host.
On local machine (mysun) display ACL entry in export format
# skiplocal -x
skiphost -a mysun -R 0x24be59e388dadfa6814885d1e5f79de9 -r 8 -s 8 -k des-ede-k3 -t des-cbc -m md5
Mail above text to the username@host
# skiplocal -x | mail username@host
On peer machine (host) execute skiphost command from mail message sent by mysun
# skiphost -a mysun -R 0x24be59e388dadfa6814885d1e5f79de9 -r 8 -s 8 -k des-ede-k3 -t des-cbc -m md5
Result:
Adding mysun:
SKIP params:
IP mode: tunneling
Tunnel address mysun
Kij alg: DES-EDE-K3
Crypt alg: DES-CBC
MAC alg: MD5
Receiver NSID MD5 (DH Pub. Value)
Receiver key id 0x24be59e388dadfa6814885d1e5f79de9
Sender NSID MD5 (DH Pub. Value)
done.
Even when using skiplocal -x, make sure you both verify the key ID over the telephone with the other party to make sure no one is impersonating them.
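The key-ID check that the paragraph above asks for, written out as an added shell example (not part of the SunScreen SKIP guide): it pulls the -R key ID out of a pasted skiphost line and compares it with the ID confirmed over the telephone, accepting the three spellings the SKIP tools use (spaced bytes from skiplocal -k, the bare MKID from skiplocal -l, and the 0x form printed by skiplocal -x and taken by skiphost -R). The sample skiphost line is constructed from the guide's own figure.

```shell
#!/bin/sh
# Added example, not from the SunScreen SKIP guide: do not run a mailed
# "skiphost -a ..." line until its -R key ID matches the ID read out of band.

# normalize_keyid STRING -> prints the ID as 32 lowercase hex digits, or
# fails if the input is not a 128-bit (MD5) SKIP key ID.
normalize_keyid() {
    id=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ' \t')
    case "$id" in
        0x*) id=${id#0x} ;;
    esac
    # Reject anything that is not exactly 32 hex digits.
    if [ "${#id}" -ne 32 ] || [ -n "$(printf '%s' "$id" | tr -d '0-9a-f')" ]; then
        return 1
    fi
    printf '%s\n' "$id"
}

# keyid_from_skiphost_line LINE -> prints the argument that follows -R in a
# skiphost command line, or fails if there is none.
keyid_from_skiphost_line() {
    set -- $1
    while [ $# -gt 0 ]; do
        if [ "$1" = "-R" ] && [ $# -ge 2 ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# verify_skiphost_line LINE PHONE_ID -> succeeds only when the -R key ID in
# LINE is the same key ID as PHONE_ID, whatever spelling either one uses.
verify_skiphost_line() {
    line_id=$(keyid_from_skiphost_line "$1") || return 1
    a=$(normalize_keyid "$line_id") || return 1
    b=$(normalize_keyid "$2") || return 1
    [ "$a" = "$b" ]
}

# Constructed sample: the line as it would arrive by mail from mysun, using
# the key ID shown in the guide's skiplocal -x figure.
SAMPLE_LINE='skiphost -a mysun -R 0x24be59e388dadfa6814885d1e5f79de9 -r 8 -s 8 -k des-ede-k3 -t des-cbc -m md5'

# The operator types the ID exactly as the peer read it from skiplocal -k.
if verify_skiphost_line "$SAMPLE_LINE" '24 be 59 e3 88 da df a6 81 48 85 d1 e5 f7 9d e9'; then
    echo "key ID matches; safe to run: $SAMPLE_LINE"
else
    echo "key ID MISMATCH; do not add this ACL entry" >&2
fi
```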
To list the current local identities, type:
skiplocal -l
In the following figure, the skiplocal -l command is used to list the current local identities.
# skiplocal -l
Local ID Slot Name: 0
Type: Software Slot
NSID: 8
MKID (name): 24be59e388dadfa6814885d1e5f79de9
Not Valid Before: Tue Aug 6 17:00:00 1996
Not Valid After: Mon Aug 6 17:00:00 2001
Modulus size: 2048 bits
Local ID Slot Name: 1
Type: Software Slot
NSID: 8
MKID (name): 8ace505b602127f38e08f74f13d0c915
Not Valid Before: Sun Aug 25 17:00:00 1996
Not Valid After: Sat Aug 25 17:00:00 2001
Modulus size: 2048 bits
Local ID Slot Name: 2
Type: Software Slot
NSID: 8
MKID (name): 9e23db35a2c2d817201921993dc906e1
Not Valid Before: Sun Aug 25 17:00:00 1996
Not Valid After: Sat Aug 25 17:00:00 2001
Modulus size: 512 bits
#
For more information on the skiplocal command, refer to Chapter 4, Using the Command-Line Interface and to the man pages for SunScreen SKIP.
If you installed an UDH certificate during installation, the information in Chapter 2, Installing Keys and Certificates will not apply to you unless you also plan to install SunCA keys and certificates. You can use SKIP UDH certificates and SunCA keys and certificates at the same time with SunScreen SKIP.
The skipif command is used to install SKIP on a network interface.
If you are adding SunScreen SKIP to a machine with only one interface, make sure that you are root and type:
# skipif -a
If you are adding SunScreen SKIP to a machine with multiple interfaces, make sure that you are root and type:
# skipif -i networkinterface -a
Replace networkinterface with the interface that you wish to specify. If you do not specify the network interface, it attaches to the first network interface that it finds.
You can add SKIP on more than one interface. In that case, you need to run the skipif -a -i interface command for each interface on which you want to use SKIP.
If you want to use SKIP on all the network interfaces present in the system, type:
# skipif -a -i all
After you have installed the software, generated and installed the local identities, and installed the network interface, you must reboot your system.
To reboot the machine, type:
# init 6
This section describes how you can secure your SKIP software with an administrative password or passphrase and information on why you should secure your core files and backup files.
SKIP includes a feature that allows you to protect your locally stored secrets with a passphrase. A passphrase differs from a password in that it is longer and capitalization counts. This passphrase is used to encrypt all of your SKIP secret values. Your passphrase should be one that you can remember, but that is hard to guess. You can change the passphrase or delete it at any time. After you set, change, or delete your passphrase, you should run skipd_restart to reinitialize your key manager.
Once you have protected your secret values with a passphrase, you will not be able to run SKIP-encrypted connections after a reboot, because your system cannot get to your locally stored secrets without the passphrase. You must run skipd_restart, which then prompts you for your passphrase.
If you forget your passphrase, there is no way to discover it or recover it. Your protected locally stored secrets will no longer be available. If you do not know the passphrase and you want to reinstall or upgrade the software, you must first remove the old software and its locally stored secrets. See "Upgrading From Earlier SKIP Versions". The old locally stored secrets will remain encrypted with the old passphrase and will be unavailable.
Once you set a passphrase, you are prompted for it each time you add a new local identity (through skiplocal -a) or generate a new key (through skiplocal -k).
To activate your passphrase, use the following procedure:
Type:
skiplocal -P
You are prompted as follows:
You are now assigning a global passphrase which will be used to encrypt all of your SKIP secret values.
Please choose a passphrase which you will remember, but will be hard for someone else to guess
New global passphrase: <type a new passphrase>
again: <type the new passphrase>
To reinitialize your key manager, type:
skipd_restart |
To change your passphrase, use the following procedure:
Type:
skiplocal -P
You are prompted as follows:
You are now changing the global passphrase which is used to encrypt your SKIP secrets
Global passphrase: <type the old passphrase>
New Passphrase: <type a new passphrase>
again: <type the new passphrase>
To reinitialize your key manager, type
skipd_restart |
To remove your passphrase, use the following procedure:
Type:
skiplocal -R
You are prompted as follows:
You are now removing the global passphrase which will be used to encrypt all of your SKIP secrets.
Global passphrase: <type your passphrase>
If it matches, all locally stored secrets are decrypted and stored and the passphrase feature is disabled.
To reinitialize your key manager, type:
skipd_restart |
The following table contains information about the packages you need if you want to add cryptography modules to your configuration. For example, SunScreen 3.1 ships with the 512-bit version of SKIP, which contains only the RC2 and RC4(x) Crypto modules. To add other modules, for example DES, you must take some care to install only the packages you need.
Do not add the End System SKIP modules (SUNWes and SUNWesx) to a SunScreen EFS 3.0 Screen or a SunScreen 3.1 Screen.
| If you have the 512-bit version... | Add these packages to upgrade to the 1024-bit version... | Add these packages to upgrade to the 2048- or 4096-bit version... |
|---|---|---|
| | SUNWkusup SKIP U-Support module | SUNWkdsup SKIP D-Support module |
| | SUNWdes SKIP DES Crypto Module | SUNWdes SKIP DES Crypto Module |
| | SUNWdesx SKIP DES Crypto Module (64-bit) | SUNWdesx SKIP DES Crypto Module (64-bit) |
| | | SUNW3des SKIP 3DES Crypto Module |
| | | SUNW3desx SKIP 3DES Crypto Module (64-bit) |
| | | SUNWrc4s SKIP RC4-128 Crypto Module |
| | | SUNWrc4sx SKIP RC4-128 Crypto Module (64-bit) |
| | | SUNWsafe SKIP SAFER Crypto Module |
| | | SUNWsafex SKIP SAFER Crypto Module (64-bit) |
You should be aware that a saved core file contains your local secret. While it would be difficult for someone to discern or discover the secrets from this file, it is possible. You should, therefore, protect a core file as carefully as any of your other local secrets. Remember, if you send your core file out-of-house for analysis, you are giving your local secret to the analyst.
Any system backups made while such a core file exists may contain the core file as well and so must be considered a possible means of discovering your local secrets. These backups must be kept in a secure location.
Two systems can still communicate even after one system's certificate has expired; communication between two peers persists until you issue a skipd_restart command. The key manager daemon and commands check for certificate expiration only when identities are added or the daemon is restarted. There is no check for certificate expiration once the ACL and the corresponding key management information have been passed to the kernel.
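Because the key manager does not re-check expiration until a skipd_restart (paragraph above), an administrator has to look for expired local identities by hand. As an added shell example (not from the guide) that serves both the skiplocal -l listing earlier and this caveat, the report below parses skiplocal -l output and flags identities whose Not Valid After date has passed as of a date you supply, and identities whose modulus is below a minimum you choose; the sample output is constructed from the guide's skiplocal -l figure, and the as-of date and minimum modulus size are assumed arguments.

```shell
#!/bin/sh
# Added example, not from the SunScreen SKIP guide: report expired or
# undersized local identities from "skiplocal -l" output.

# report_identities ASOF_YYYYMMDD MIN_BITS  (reads skiplocal -l output on stdin)
# Prints one line per identity: slot, MKID, modulus size and a status of
# EXPIRED (Not Valid After is before ASOF), WEAK (modulus below MIN_BITS) or OK.
report_identities() {
    awk -v asof="$1" -v minbits="$2" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
    }
    # "Not Valid After: Mon Aug 6 17:00:00 2001" -> 20010806 (comparable number)
    function ymd(mname, day, year) { return sprintf("%04d%02d%02d", year, mon[mname], day) }
    function flush() {
        if (slot == "") return
        status = "OK"
        if (after + 0 < asof + 0) status = "EXPIRED"
        else if (bits < minbits + 0) status = "WEAK"
        printf "slot %s mkid %s modulus %d bits: %s\n", slot, mkid, bits, status
        slot = ""
    }
    /^Local ID Slot Name:/ { flush(); slot = $NF }   # a new identity starts
    /^MKID/                { mkid = $NF }
    /^Not Valid After:/    { after = ymd($5, $6, $8) }
    /^Modulus size:/       { bits = $3 + 0 }
    END { flush() }'
}

# Constructed sample input, copied from the skiplocal -l figure in the guide.
sample_skiplocal_l() {
    cat <<'EOF'
Local ID Slot Name: 0
Type: Software Slot
NSID: 8
MKID (name): 24be59e388dadfa6814885d1e5f79de9
Not Valid Before: Tue Aug 6 17:00:00 1996
Not Valid After: Mon Aug 6 17:00:00 2001
Modulus size: 2048 bits
Local ID Slot Name: 1
Type: Software Slot
NSID: 8
MKID (name): 8ace505b602127f38e08f74f13d0c915
Not Valid Before: Sun Aug 25 17:00:00 1996
Not Valid After: Sat Aug 25 17:00:00 2001
Modulus size: 2048 bits
Local ID Slot Name: 2
Type: Software Slot
NSID: 8
MKID (name): 9e23db35a2c2d817201921993dc906e1
Not Valid Before: Sun Aug 25 17:00:00 1996
Not Valid After: Sat Aug 25 17:00:00 2001
Modulus size: 512 bits
EOF
}

# Assumed as-of date (10 Aug 2001) and minimum modulus (1024 bits); on a live
# system replace sample_skiplocal_l with: skiplocal -l | report_identities ...
sample_skiplocal_l | report_identities 20010810 1024
```

Slot 0 is reported EXPIRED, slot 1 OK and slot 2 WEAK for the sample above; any EXPIRED entry means a skipd_restart will stop the traffic that the stale identity is still carrying.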