While SunScreen SKIP is a part of a SunScreen Remote Administration solution, you should install and configure that particular configuration by using the SunScreen documentation: SunScreen 3.1 Installation Guide and SunScreen 3.1 Administration Guide.
SunScreen is Sun Microsystems' implementation of Simple Key-Management for Internet Protocols (SKIP).
It is replacement software and upgrade software for any previous version of SKIP for the Solaris operating environment.
This chapter provides instructions for installing SunScreen on the Solaris 2.6, Solaris 7, or Solaris 8 operating environments for SPARC and Intel platforms and the Trusted Solaris 7 for the SPARC platform. Once SKIP is installed, configured, and enabled on the systems requiring its services, IP-layer encryption can begin. SKIP runs without further administration effort until new systems need to be added or certificate management is required. This chapter also describes how you can protect your locally stored secrets with a passphrase.
SunScreen is supported on the following platforms:
Any Sun SPARC workstation running the Solaris 2.6, Solaris 7, or Solaris 8 operating environments.
Any Intel-based PC that is compatible with and running the Solaris 2.6, Solaris 7, or Solaris 8 operating environments for the Intel Platform.
The RC2-40 cryptor is restricted to use with the Solaris operating environment in 32-bit mode only.
The hardware requirements are as follows:
A minimum of 16 MB of RAM is required; 32 MB of RAM is recommended.
A minimum of 6 MB of free disk space is required for installation; 3 MB of disk space is permanently used.
One or more supported network interfaces.
A CD-ROM drive.
A floppy drive, if planning to install SunCA certificates.
To run SunScreen, you must
Install the Solaris SunCore® software group.
This software group contains the minimum software required to boot and run the Solaris operating environment. It includes some networking software and the drivers necessary to run the OpenWindows environment; it does not include the OpenWindows software.
Additionally, install the following packages:
system SUNWadmr System & Network Administration Root
system SUNWcar Core Architecture, (Root)
system SUNWcsd Core Solaris Devices
system SUNWcsr Core Solaris, (Root)
system SUNWcsu Core Solaris, (Usr)
system SUNWdfb Dumb Frame Buffer Device Drivers
system SUNWesu Extended System Utilities
system SUNWkvm Core Architecture, (Kvm)
system SUNWlibC SPARCompilers Bundled libC
system SUNWlibms SPARCompilers Bundled shared libm
system SUNWtoo Programming Tools
system SUNWvolr Volume Management, (Root)
system SUNWvolu Volume Management, (Usr)
If you plan to use the skiptool GUI, install the packages for OpenWindows.
SUNWolrte
SUNWxwplt
SUNWolslb
If you are going to use certificates from a Certificate Authority, be aware that you must install the following operating system package:
system SUNWscpu Source Compatibility, (Usr)
Otherwise the install_skip_keys command will fail.
SunScreen supports the following protocol versions:
SKIP, Version 1, for SunScreen SPF-100/100G compatibility.
Any platform that has implemented SKIP as described in the ICG Technical Reports, including the SunScreen product line, except SunScreen SPF-100, which only implements SKIP, Version 1 (see above).
SunScreen, Release 1.5.1, is the upgrade for SunScreen SKIP, Release 1.5.
Before installing SKIP, be sure that you have the CD-ROM for the base software and any encryption upgrade CD-ROMs or diskettes to which you are entitled.
If you are an experienced SKIP user who just wants a quick installation overview, see Appendix A, Quick-Start Guide.
For the new user, this chapter covers:
Installing SunScreen ("Installing the New Version").
Generating and installing an Unsigned Diffie-Hellman (UDH) key pair, if you are using UDH ("Installing SKIP Unsigned Diffie-Hellman (UDH) Certificates").
Installing SunScreen on your network interface ("Installing Your Network Interface").
Rebooting your system ("Rebooting Your System").
Protecting your locally stored secrets with a passphrase ("Activating Your Passphrase").
For the user who is upgrading from any version of SKIP for the Solaris operating environment to this release, this chapter covers these additional topics (as well as the previously mentioned installation topics).
Upgrading to SunScreen ("Upgrading From Earlier SKIP Versions").
Removing any old version of SKIP for the Solaris operating environment
Preserving or removing previous configurations
This chapter also contains information on how to add cryptography upgrade packages for those users who, for example, want to upgrade from a SKIP 512-bit version to a SKIP 2048-bit or 4096-bit version.
This section provides instructions for installing SKIP on the SPARC and Intel platforms running the Solaris 2.6, Solaris 7, or Solaris 8 operating environments.
To install and run the software, you must be able to become root on your local system and know the IP address of the machine on which SKIP is to be installed. Ask your systems administrator for the IP address of your machine. To install the software for the first time (or if you are installing it without saving the configurations), follow these steps:
Open a terminal window and become root.
Mount the CD-ROM through the file manager by typing:
volcheck
If you are not using vold on your system, type:
# mount -F hsfs -o ro /dev/dsk/c0t6d0s0 /mnt
The device name, the mount point, or both depend on your local system configuration.
Go to the directory on the CD-ROM for your OS. (The examples assume a machine with only one CD-ROM.)
Solaris operating environment for the SPARC Platform:
cd /cdrom/cdrom0/sparc
Solaris operating environments for the Intel Platform:
cd /cdrom/cdrom0/x86
If you have mounted the CD-ROM manually, replace /cdrom/cdrom0 with /mnt.
Type the standard Solaris operating environment pkgadd command to add all packages:
pkgadd -d .
You are prompted with the following menu of packages.
 1 SUNW3des SKIP 3DES Crypto Module (sparc) 1.5.1
 2 SUNW3desx SKIP 3DES Crypto Module (64-bit) (sparc) 1.5.1
 3 SUNWbdc SKIP Bulk Data Crypt (sparc) 1.5.1
 4 SUNWbdcx SKIP Bulk Data Crypt (64-bit) (sparc) 1.5.1
 5 SUNWdes SKIP DES Crypto Module (sparc) 1.5.1
 6 SUNWdesx SKIP DES Crypto Module (64-bit) (sparc) 1.5.1
 7 SUNWes SKIP End System (sparc) 1.5.1
 8 SUNWesx SKIP End System (64-bit) (sparc) 1.5.1
 9 SUNWkdsup SKIP D-Support module (sparc) 1.5.1
10 SUNWkeymg SKIP Key Manager Tools (sparc) 1.5.1
... 8 more menu choices to follow;
<RETURN> for more choices, <CTRL-D> to stop display:
11 SUNWrc2 SKIP RC2 Crypto Module (sparc) 1.5.1
12 SUNWrc4 SKIP RC4 Crypto Module (sparc) 1.5.1
13 SUNWrc4s SKIP RC4-128 Crypto Module (sparc) 1.5.1
14 SUNWrc4sx SKIP RC4-128 Crypto Module (64-bit) (sparc) 1.5.1
15 SUNWrc4x SKIP RC4 Crypto Module (64-bit) (sparc) 1.5.1
16 SUNWsafe SKIP SAFER Crypto Module (sparc) 1.5.1
17 SUNWsafex SKIP SAFER Crypto Module (64-bit) (sparc) 1.5.1
18 SUNWsman SKIP Man Pages (sparc) 1.5.1
Select package(s) you wish to process (or "all" to process all packages). (default: all) [?,??,q]:
Select a (all). As the prompts appear, answer questions with Y (yes) to add the package.
When you get back to the same menu of packages, type q to quit.
To eject the CD-ROM from the CD-ROM drive, type:
cd /
eject cdrom0
or eject the CD-ROM from the CD-ROM drive through the file manager.
If you are not using vold on your system, unmount your CD-ROM by typing:
# cd /
# umount /mnt
# eject cdrom0
To add /usr/sbin to your PATH variable in the Bourne shell, type:
PATH=/usr/sbin:$PATH
export PATH
To add /usr/share/man to your MANPATH variable in the Bourne shell, type:
MANPATH=/usr/share/man:$MANPATH
export MANPATH
It will be helpful to add /usr/sbin to the PATH variable in your initialization file (such as: .profile, .cshrc, or .login file), and /usr/share/man to the MANPATH variable in the same file.
Now you are ready to complete the installation. The remaining steps include:
Generating and installing SKIP Unsigned Diffie-Hellman (UDH) certificates ("Installing SKIP Unsigned Diffie-Hellman (UDH) Certificates") or installing SunCA certificates (Chapter 2). You can use SKIP Unsigned Diffie-Hellman certificates and SunCA keys and certificates at the same time on SunScreen.
Installing SunScreen on your network interface ("Installing Your Network Interface").
Rebooting your system ("Rebooting Your System").
To upgrade to SunScreen 1.5.1 from an earlier SKIP version, you must first remove the old version then install the new packages.
To remove any version of SKIP for the Solaris operating environment earlier than 1.5, become root and use the pkginfo and pkgrm commands shown in the following steps.
To list the SKIP packages that were installed, type:
pkginfo | grep SICG
The list of packages is displayed:
1 SICGbdcdr SKIP Bulk Data Crypt 1.0.3-FCS Software
2 SICGcrc2 SKIP RC2 Crypto Module 1.0.3-FCS Software
3 SICGcrc4 SKIP RC4 Crypto Module 1.0.3-FCS Software
4 SICGes SKIP End System 1.0.3-FCS Software
5 SICGkeymg SKIP Key Manager Tools 1.0.3-FCS Software
6 SICGkisup SKIP I-Support module 1.0.3-FCS Software (sparc) 1.0.3-FCS
To remove the packages, type:
pkgrm package_names
Answer Y (yes) to questions that the pkgrm program asks. The pkgrm program ends with the statement:
Removal of <SICGkisup> was successful.
This is valid only for this example. If moduli of other sizes were used, then the last package removed would be different.
To remove the /etc/opt/SUNWicg/skip directory and any configurations that were installed, type:
rm -rf /etc/opt/SUNWicg/skip
If you want to preserve previous configurations (including certificates, and the key manager configuration file), do not remove the /etc/opt/SUNWicg/skip directory.
To reboot the machine, type:
init 6
To remove SunScreen SKIP, Release 1.5 or Release 1.5B, for the Solaris operating environment, become root and use the pkginfo and pkgrm commands shown in the following steps.
To list the SKIP packages that were installed, type:
pkginfo | grep -i skip
The list of packages is displayed:
application SUNW3des SKIP 3DES Crypto Module
application SUNW3desx SKIP 3DES Crypto Module (64-bit)
application SUNWbdc SKIP Bulk Data Crypt
application SUNWbdcx SKIP Bulk Data Crypt (64-bit)
application SUNWdes SKIP DES Crypto Module
application SUNWdesx SKIP DES Crypto Module (64-bit)
application SUNWes SKIP End System
application SUNWesx SKIP End System (64-bit)
application SUNWkdsup SKIP D-Support module
application SUNWkeymg SKIP Key Manager Tools
application SUNWkusup SKIP U-Support module
application SUNWrc2 SKIP RC2 Crypto Module
application SUNWrc4 SKIP RC4 Crypto Module
application SUNWrc4s SKIP RC4-128 Crypto Module
application SUNWrc4sx SKIP RC4-128 Crypto Module (64-bit)
application SUNWrc4x SKIP RC4 Crypto Module (64-bit)
application SUNWsafe SKIP SAFER Crypto Module
application SUNWsafex SKIP SAFER Crypto Module (64-bit)
application SUNWsman SKIP Man Pages
To remove the packages, type:
pkgrm package_names
Answer Y (yes) to questions that the pkgrm program asks. The pkgrm program ends with the statement:
Removal of <SUNWsman> was successful.
This is valid only for this example. If moduli of other sizes were used, then the last package removed would be different.
To remove the /etc/opt/SUNWicg/skip directory and any configurations that were installed, type:
rm -rf /etc/opt/SUNWicg/skip
If you want to preserve previous configurations (including certificates, and the key manager configuration file), do not remove the /etc/opt/SUNWicg/skip directory.
To reboot the machine, type:
init 6
Follow these steps:
Open a terminal window and become root.
Mount the CD-ROM through the file manager or by typing:
volcheck
If you are not using vold on your system, type:
# mount -F hsfs -o ro /dev/dsk/c0t6d0s0 /mnt
The device name, the mount point, or both depend on your local system configuration.
Go to the directory on the CD-ROM for your OS:
Solaris operating environment for the SPARC Platform:
cd /cdrom/cdrom0/sparc
Solaris operating environment for the Intel Platform:
cd /cdrom/cdrom0/x86
If you have mounted the CD-ROM manually, replace /cdrom/cdrom0 with /mnt.
To use the standard Solaris operating environment pkgadd command to add all packages, type:
pkgadd -d .
You are prompted with the following menu of packages:
 1 SUNW3des SKIP 3DES Crypto Module (sparc) 1.5.1
 2 SUNW3desx SKIP 3DES Crypto Module (64-bit) (sparc) 1.5.1
 3 SUNWbdc SKIP Bulk Data Crypt (sparc) 1.5.1
 4 SUNWbdcx SKIP Bulk Data Crypt (64-bit) (sparc) 1.5.1
 5 SUNWdes SKIP DES Crypto Module (sparc) 1.5.1
 6 SUNWdesx SKIP DES Crypto Module (64-bit) (sparc) 1.5.1
 7 SUNWes SKIP End System (sparc) 1.5.1
 8 SUNWesx SKIP End System (64-bit) (sparc) 1.5.1
 9 SUNWkdsup SKIP D-Support module (sparc) 1.5.1
10 SUNWkeymg SKIP Key Manager Tools (sparc) 1.5.1
... 8 more menu choices to follow;
<RETURN> for more choices, <CTRL-D> to stop display:
11 SUNWrc2 SKIP RC2 Crypto Module (sparc) 1.5.1
12 SUNWrc4 SKIP RC4 Crypto Module (sparc) 1.5.1
13 SUNWrc4s SKIP RC4-128 Crypto Module (sparc) 1.5.1
14 SUNWrc4sx SKIP RC4-128 Crypto Module (64-bit) (sparc) 1.5.1
15 SUNWrc4x SKIP RC4 Crypto Module (64-bit) (sparc) 1.5.1
16 SUNWsafe SKIP SAFER Crypto Module (sparc) 1.5.1
17 SUNWsafex SKIP SAFER Crypto Module (64-bit) (sparc) 1.5.1
18 SUNWsman SKIP Man Pages (sparc) 1.5.1
Select package(s) you wish to process (or "all" to process all packages). (default: all) [?,??,q]:
Select a (all) or the number of the package. As the prompts appear, answer questions with Y (yes) followed with a <Return> if you wish to add the package.
When you get back to the same menu of packages, type q to quit.
If you want to use certificates, and the key manager configuration file from an earlier version of SKIP, type:
cp /etc/opt/SUNWicg/skip/* /etc/skip
1.x ACLs cannot be used in version 1.5.1.
To eject the CD-ROM from the CD-ROM drive, type:
cd /
eject cdrom0
or eject the CD-ROM through the file manager.
If you are not using vold on your system, unmount your CD-ROM by typing:
# cd /
# umount /mnt
# eject cdrom0
To add /usr/sbin to your PATH variable in the Bourne shell, type:
PATH=/usr/sbin:$PATH
export PATH
To add /usr/share/man to your MANPATH variable in the Bourne shell, type:
MANPATH=/usr/share/man:$MANPATH
export MANPATH
It will be helpful to add /usr/sbin to the PATH variable in your initialization file (such as: .profile, .cshrc, or .login file), and /usr/share/man to the MANPATH variable in the same file.
Now you are ready to generate and install SKIP Unsigned Diffie-Hellman (UDH) certificates (if you are going to use them). You may use SKIP UDH certificates and SunCA keys and certificates at the same time on SunScreen.
You are also ready to install SKIP on any new or different network interface (if you need to). Generate and install the SKIP UDH certificates ("Installing SKIP Unsigned Diffie-Hellman (UDH) Certificates") and install SunScreen on the network interface ("Installing Your Network Interface") before you reboot your system.
If you are going to use the same keys, certificates and network interface that you used in SKIP for the Solaris operating environment, Release 1.0, you only need to reboot your system and restore any ACL files that you use. This is only true if you did not remove the /etc/opt/SUNWicg/skip directory and you copied over your old files.
Once SKIP has been installed, you must install at least one local identity (public-private key pair) for your host. The following procedure creates a SKIP UDH certificate, which is the one you will most likely use. For a more detailed discussion of SKIP UDH certificates, see Appendix B.
Chapter 2 discusses keys, certificates, and hashes in greater detail. If you are installing other kinds of keys and certificates, see the documentation that is supplied with them or contact the vendor. If you are installing keys and certificates from Sun Microsystems, see Chapter 2.
The skiplocal command creates and manages all local key types, including UDH certificates, on your system. You can have more than one UDH certificate on your system. Your local identities can also be of different lengths (moduli), depending on the version of SunScreen that you have. The default will always be the largest modulus you can generate.
Local secret is the term used for an encryption certificate and key.
On a first-time SKIP installation, you must initialize the SKIP directories before you create any certificates. Issue the following command to initialize the SKIP directories:
skiplocal -i
To generate a UDH key pair locally, type:
skiplocal -k
If you have local identities of different strengths (such as 512 bits, 1024 bits, and 2048 bits or 4096 bits), use the argument -m followed immediately with the bit size of the modulus without an intervening space as in the following figure.
When generating an unsigned certificate, no authority exists to certify the identities. This means that each party must verify the name of the certificate over the telephone or some other trusted channel. Without verification through a secure channel, you have no way of knowing if the certificate belongs to the correct party or not.
In the following figure, the skiplocal -k command was used to generate a local key pair, in this case with a 512-bit modulus.
# skiplocal -k -m 512
generating local secret with 512 modulus size
It would help the quality of the random numbers if you would type 50-100 random keys on the keyboard. Hit return when you are done.
100
Format: Hashed Public Key (MD5)
Name/Hash: 9e 23 db 35 a2 c2 d8 17 20 19 21 99 3d c9 06 e1
Not valid Before: Sun Aug 25 17:00:00 1996
Not valid After: Sat Aug 25 17:00:00 2001
g: 2
p: f52aff3ce1b1294018118d7c84a70a72d676c40319c807297aca950cd9969fabd00a509b0246 d3083d66a45d419f9c7cbd894b221926baaba25eca55e92a055f
public key: 0b5522b769b3d2b8098e69312a941ce7e6de9e1635ca09dd780b328db71141739e9bb46a3 d0d183372d98d7c2a0d850b70fad05edaaaa865ae5dddf618cadbff
Added local identity slot 0
To print out local information in a shareable form, type:
skiplocal -x
In the following figure, the skiplocal -x command prints out the local system's current information in a form that can be sent (for example, via e-mail) to other users who wish to communicate with you.
The defaults proposed by skiplocal -x work well if you and the party with whom you wish to communicate have one key and one network interface. If you have some other configuration, you should not use skiplocal -x.
A safer solution than using skiplocal -x is to have each user run skiptool and then call each other on the telephone and type the other person's key ID in the Remote Key ID field in the add window (See Chapter 3).
In the following example, the first command shows you the local information. The next command redirects that information to a mail message sent to a machine that wishes to communicate with you using SKIP. Upon receiving the message, the user would copy the information and paste it onto their own command line which adds an ACL entry for your host.
On local machine (mysun) display ACL entry in export format
# skiplocal -x
skiphost -a mysun -R 0x24be59e388dadfa6814885d1e5f79de9 -r 8 -s 8 -k des-ede-k3 -t des-cbc -m md5
Mail above text to the username@host
# skiplocal -x | mail username@host
On peer machine (host) execute skiphost command from mail message sent by mysun
# skiphost -a mysun -R 0x24be59e388dadfa6814885d1e5f79de9 -r 8 -s 8 -k des-ede-k3 -t des-cbc -m md5
Result:
Adding mysun: SKIP params:
IP mode: tunneling
Tunnel address mysun
Kij alg: DES-EDE-K3
Crypt alg: DES-CBC
MAC alg: MD5
Receiver NSID MD5 (DH Pub. Value)
Receiver key id 0x24be59e388dadfa6814885d1e5f79de9
Sender NSID MD5 (DH Pub. Value)
done.
Even when using skiplocal -x, make sure you both verify the key ID over the telephone with the other party to make sure no one is impersonating them.
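The mailed text ends up on a root command line, so it is worth checking both the key ID and the shape of the line before running it. The following is an added example, not part of the Sun documentation: the function names are hypothetical, the sample line is the export line shown above, and the 32-hex-digit check assumes NSID 8 (MD5 of the DH public value) as in that line.

```shell
#!/bin/sh
# Added example: vet a mailed "skiphost -a ..." line before running it as root.
# Function names are hypothetical; sample values come from the listing above.

# Normalize a key ID: drop spaces, colons and an optional 0x prefix; lowercase.
skip_keyid_norm() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'A-FX' 'a-fx' | sed 's/^0x//'
}

# Print a key ID as spaced byte pairs, the form used when reading it aloud.
skip_keyid_spoken() {
    skip_keyid_norm "$1" | sed 's/../& /g; s/ $//'
}

# Succeed only for "skiphost -a <host> ..." made of characters the export
# format uses. Separators, quotes, redirections and newlines are refused.
skip_cmd_is_plain() {
    skip_extra=$(printf '%s' "$1" | tr -d 'A-Za-z0-9 ._-' | wc -c)
    [ "$skip_extra" -eq 0 ] || return 1
    case "$1" in
        "skiphost -a "?*) return 0 ;;
    esac
    return 1
}

# Print the argument of -R from the command line, or fail if there is none.
skip_keyid_from_cmd() {
    set -f                      # no globbing while splitting the untrusted line
    set -- $1
    set +f
    while [ $# -gt 1 ]; do
        if [ "$1" = "-R" ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# skip_verify_peer "<mailed line>" "<key ID confirmed by telephone>"
# Returns 0 if the key IDs match, 1 on mismatch, 2 if the line is refused.
skip_verify_peer() {
    skip_cmd_is_plain "$1" || { echo "refused: not a plain skiphost -a line" >&2; return 2; }
    skip_mailed=$(skip_keyid_from_cmd "$1") || { echo "refused: no -R key ID" >&2; return 2; }
    skip_a=$(skip_keyid_norm "$skip_mailed")
    skip_b=$(skip_keyid_norm "$2")
    # Assumption: NSID 8 (MD5 of the DH public value), so 16 bytes = 32 hex digits.
    case "$skip_a" in
        *[!0-9a-f]*) echo "refused: key ID is not hex" >&2; return 2 ;;
    esac
    [ "${#skip_a}" -eq 32 ] || { echo "refused: key ID is not 32 hex digits" >&2; return 2; }
    if [ "$skip_a" = "$skip_b" ]; then
        return 0
    fi
    echo "MISMATCH: mailed key ID is $(skip_keyid_spoken "$skip_a")" >&2
    return 1
}

# Constructed inputs: the export line shown above, and the same key ID typed
# in the way the peer might read it out over the telephone.
MAILED='skiphost -a mysun -R 0x24be59e388dadfa6814885d1e5f79de9 -r 8 -s 8 -k des-ede-k3 -t des-cbc -m md5'
PHONE='24 BE 59 E3 88 DA DF A6 81 48 85 D1 E5 F7 9D E9'

if skip_verify_peer "$MAILED" "$PHONE"; then
    echo "key ID verified: $(skip_keyid_spoken "$PHONE")"
fi
```

The spaced form printed by skip_keyid_spoken is the same layout as the Name/Hash line of skiplocal -k, which makes a telephone comparison easier than reading 32 unbroken digits.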
To list the current local identities, type:
skiplocal -l
In the following figure, the skiplocal -l command is used to list the current local identities.
# skiplocal -l
Local ID Slot Name: 0 Type: Software Slot
NSID: 8 MKID (name): 24be59e388dadfa6814885d1e5f79de9
Not Valid Before: Tue Aug 6 17:00:00 1996
Not Valid After: Mon Aug 6 17:00:00 2001
Modulus size: 2048 bits
Local ID Slot Name: 1 Type: Software Slot
NSID: 8 MKID (name): 8ace505b602127f38e08f74f13d0c915
Not Valid Before: Sun Aug 25 17:00:00 1996
Not Valid After: Sat Aug 25 17:00:00 2001
Modulus size: 2048 bits
Local ID Slot Name: 2 Type: Software Slot
NSID: 8 MKID (name): 9e23db35a2c2d817201921993dc906e1
Not Valid Before: Sun Aug 25 17:00:00 1996
Not Valid After: Sat Aug 25 17:00:00 2001
Modulus size: 512 bits
#
For more information on the skiplocal command, refer to Chapter 4, Using the Command-Line Interface and to the man pages for SunScreen.
If you installed a UDH certificate during installation, the information in Chapter 2, Installing Keys and Certificates will not apply to you unless you also plan to install SunCA keys and certificates. You may use SKIP UDH certificates and SunCA keys and certificates at the same time on SunScreen.
The skipif command is used to install SKIP on a network interface.
If you are adding SunScreen to a machine with only one interface, make sure that you are root and type:
skipif -a
If you are adding SunScreen to a machine with multiple interfaces, make sure that you are root and type:
skipif -i networkinterface -a
Replace networkinterface with the interface that you wish to specify. If you do not specify the network interface, it attaches to the first network interface that it finds.
You can add SKIP on more than one interface. In that case, you need to run the skipif -a -i interface command for each interface on which you want to use SKIP.
If you want to use SKIP on all the network interfaces present in the system, type:
skipif -a -i all
After you have installed the software, generated and installed the local identities, and installed the network interface, you must reboot your system.
To reboot the machine, type:
init 6
This section describes how you can secure your SKIP software with an administrative password (passphrase) and information on why you should secure your core files and backup files.
SKIP includes a feature that allows you to protect your locally stored secrets with a passphrase. A passphrase differs from a password in that it is longer and capitalization counts. This passphrase is used to encrypt all of your SKIP secret values. Your passphrase should be one that you can remember, but that is hard to guess. You can change the passphrase or delete it at any time. After you set, change, or delete your passphrase, you should run skipd_restart to reinitialize your key manager.
Once you have protected your secret values with a passphrase, you cannot run SKIP-encrypted connections after a reboot, because your system cannot get to your locally stored secrets without the passphrase. You must run skipd_restart, which then prompts you for your passphrase.
If you forget your passphrase, there is no way to discover it or recover it. Your protected locally stored secrets will no longer be available. If you do not know the passphrase and you want to reinstall or upgrade the software, you must first remove the old software and its locally stored secrets. See "Upgrading From Earlier SKIP Versions". The old locally stored secrets will remain encrypted with the old passphrase and will be unavailable.
Once you set a passphrase, you will be prompted for it each time you add a new local identity (through skiplocal -a) or generate a new key (through skiplocal -k).
To activate your passphrase, use the following procedure:
Type:
skiplocal -P
You are prompted as follows:
You are now assigning a global passphrase which will be used to encrypt all of your SKIP secret values.
Please choose a passphrase which you will remember, but will be hard for someone else to guess
New global passphrase: <type a new passphrase>
again: <type the new passphrase>
To reinitialize your key manager, type:
skipd_restart
To change your passphrase, use the following procedure:
Type:
skiplocal -P
You are prompted as follows:
You are now changing the global passphrase which is used to encrypt your SKIP secrets
Global passphrase: <type the old passphrase>
New Passphrase: <type a new passphrase>
again: <type the new passphrase>
To reinitialize your key manager, type:
skipd_restart
To remove your passphrase, use the following procedure:
Type:
skiplocal -R
You are prompted as follows:
You are now removing the global passphrase which will be used to encrypt all of your SKIP secrets.
Global passphrase: <type your passphrase>
If it matches, all locally stored secrets are decrypted and stored and the passphrase feature is disabled.
To reinitialize your key manager, type:
skipd_restart
The following table contains information about the packages you need if you want to add additional cryptography modules to your configuration. For example, SunScreen 3.1 ships with the 512-bit version of SKIP, which only contains the RC2 and RC4(x) Crypto modules. To add additional modules, for example DES, you must take some care to install only the packages you need.
Do not add the End System SKIP modules (SUNWes and SUNWesx) to a SunScreen EFS 3.0 Screen or a SunScreen 3.1 Screen.
If you have the 512-bit version... | Add these packages to upgrade to the 1024-bit version... | Add these packages to upgrade to the 2048- or 4096-bit version... |
---|---|---|
 | SUNWkusup SKIP U-Support module | SUNWkdsup SKIP D-Support module |
 | SUNWdes SKIP DES Crypto Module | SUNWdes SKIP DES Crypto Module |
 | SUNWdesx SKIP DES Crypto Module (64-bit) | SUNWdesx SKIP DES Crypto Module (64-bit) |
 | | SUNW3des SKIP 3DES Crypto Module |
 | | SUNW3desx SKIP 3DES Crypto Module (64-bit) |
 | | SUNWrc4s SKIP RC4-128 Crypto Module |
 | | SUNWrc4sx SKIP RC4-128 Crypto Module (64-bit) |
 | | SUNWsafe SKIP SAFER Crypto Module |
 | | SUNWsafex SKIP SAFER Crypto Module (64-bit) |
You should be aware that a saved core file contains your local secret(s). While it would be difficult for someone to discern or discover the secrets from this file, it is possible. You should, therefore, protect a core file as carefully as any of your other local secrets. Remember, if you send your core file out-of-house for analysis, you are giving your local secret to the analyst.
Any system backups made while such a core file exists may contain the core file as well and so must be considered a possible means of discovering your local secret(s). These backups must be kept in a secure location.
Two systems can still communicate even after one system's certificate has expired; communication between the two peers persists until you issue a skipd_restart command. The key manager daemon and commands check for certificate expiration when an identity is added or the daemon is restarted. No expiration check is made once the ACL and the corresponding key management information have been passed to the kernel.
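Because expiration is not enforced on a running system, an administrator has to look for lapsed identities explicitly. The following is an added example, not part of the Sun documentation: it scans skiplocal -l output for identities whose Not Valid After date has passed. The function names are hypothetical and the sample listing is constructed from the skiplocal -l figure earlier in this chapter.

```shell
#!/bin/sh
# Added example: list local identities whose certificate has expired.
# Function names are hypothetical. The parser works on whitespace-separated
# tokens, so it does not depend on where "skiplocal -l" breaks its lines.

# skip_expired_slots YYYYMMDD      (reads "skiplocal -l" output on stdin)
# Prints "slot mkid not-valid-after" for every identity whose Not Valid After
# date is earlier than the given date. Time of day is ignored.
skip_expired_slots() {
    tr '\n' ' ' | awk -v cutoff="$1" '
    BEGIN {
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", name, " ")
        for (i = 1; i <= n; i++) month[name[i]] = i
    }
    {
        for (i = 1; i <= NF; i++) {
            if ($i == "Slot" && $(i + 1) == "Name:") slot = $(i + 2)
            if ($i == "MKID" && $(i + 1) == "(name):") mkid = $(i + 2)
            if ($i == "Valid" && $(i + 1) == "After:") {
                # Tokens after "After:": weekday month day hh:mm:ss year
                if (!($(i + 3) in month)) continue
                day = sprintf("%04d%02d%02d", $(i + 6), month[$(i + 3)], $(i + 4))
                if (day + 0 < cutoff + 0) print slot, mkid, day
            }
        }
    }'
}

# Constructed sample: two of the identities from the skiplocal -l figure.
skip_sample_listing() {
    cat <<'EOF'
Local ID Slot Name: 0 Type: Software Slot
NSID: 8 MKID (name): 24be59e388dadfa6814885d1e5f79de9
Not Valid Before: Tue Aug 6 17:00:00 1996
Not Valid After: Mon Aug 6 17:00:00 2001
Modulus size: 2048 bits
Local ID Slot Name: 2 Type: Software Slot
NSID: 8 MKID (name): 9e23db35a2c2d817201921993dc906e1
Not Valid Before: Sun Aug 25 17:00:00 1996
Not Valid After: Sat Aug 25 17:00:00 2001
Modulus size: 512 bits
EOF
}

# With a cutoff of 10 August 2001, only slot 0 has lapsed.
skip_sample_listing | skip_expired_slots 20010810

# On a live system the same check would be:
#   skiplocal -l | skip_expired_slots "$(date +%Y%m%d)"
```

Passing a cutoff some weeks in the future instead of today's date turns the same check into an early warning, so that a replacement identity can be in place before the next skipd_restart.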