2016 Symantec Corporation. This document may be freely reproduced & distributed whole & intact including this copyright notice.
If SSL 3.0/TLS 1.0/TLS 1.1/TLS 1.2 flows using non-approved algorithms are allowed by the policy engine, the flows should be considered "clear text" due to the use of non-approved algorithms.
Services available to a Crypto Officer and a User are described in . For each service listed, Crypto Officers and Users are assumed to have authenticated prior to attempting to execute the service.

The role of Auditor is equivalent to User, and the role of Manage PKI is equivalent to Crypto Officer.
The type of access to the CSPs uses the following notation:

• Read (R): The plaintext CSP is read by the service
• Write (W): The CSP is established, generated, modified, or zeroized by the service
• Execute (X): The CSP is used within an approved or allowed security function or authentication mechanism
Table 2–9 CSPs Accessed by Authorized Services

| User / Crypto Officer | Authorized Service | CSPs |
|---|---|---|
| Y | Unlock secure store | PIN – RX; KEK0 – W, X; KEK1 – RX; Master keys – RX; KEK2s – RX; Object encryption keys – RX |
| Y / Y | View dashboards | none |
| Y | View system log data | none |
| Y | View/export SSL session log, SSL errors | none |
| Y | View SSL statistics | none |
| Y | View/export intercepted certificates | Object encryption keys – X; Other entity public keys – R |
| Y | Export diagnostic information: PKI state | Object encryption keys – X |
| Y / Y | Export diagnostic information: platform state | none |
| Y | Export diagnostic information: SSL statistics | none |
| Y / Y | Export diagnostic information: platform interfaces and platform status statistics | none |
| Y | View debug information: SSL statistics | none |