DSE200 SDK Reference Manual - uniza.skkifri.fri.uniza.sk/~chochlik/epodpis/nCipher...

DSE200 SDK Reference Manual

Date: 16 November 2005

Version: 3.1

© Copyright 2005 nCipher Corporation Limited, Cambridge, United Kingdom.

Neither the whole nor any part of the information contained in this document may be adapted or reproduced in any material or electronic form without the prior written consent of the copyright holder.

nCipher™, nFast™, nForce™, nShield™, payShield™, KeySafe™, CipherTools™, CodeSafe™, UltraSign™, SafeBuilder™, Trust Appliance™, Security World™, netHSM™, SEE™, userShield™, nToken™, and the SEE logo are trademarks of nCipher Corporation Limited.All other trademarks are the property of the respective trademark holders.

Information in this document is subject to change without notice.

nCipher Corporation Limited makes no warranty of any kind with regard to this information, including, but not limited to, the implied warranties of merchantability and fitness to a particular purpose. nCipher Corporation Limited shall not be liable for errors contained herein or for incidental or consequential damages concerned with the furnishing, performance or use of this material.

Commercial Computer Software – proprietary

This computer software and documentation is Commercial Computer Software and Computer Software Documentation, as defined in sub-paragraphs (a)(1) and (a)(5) of DFAR § 252.227-7014, “Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation”. Use, duplication or disclosure by the Government is subject to nCipher’s standard US Terms And Conditions for the Product.

Patents

International Patent Applications PCT/GB01/00688, and PCT/GB02/03058 and corresponding national patents/applications.

EMC compliance

The use of hand held or mobile radio equipment with a rated output power of 4W or more should not be permitted within a radius of 2m of this equipment.

FCC class A notice

This device complies with Part 15 of the FCC rules. Operation is subject to the following two conditions:

(1) This device may not cause harmful interference, and

(2) this device must accept any interference received, including interference that may cause undesired operation.

This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense.

European class A notice

This device has been tested and found to comply with the requirements of the EMC directive 89/336/EEC as a Class A product to be operated in a commercial environment at least 10m away from domestic television or radio. In a domestic environment this product may cause radio interference in which case the user may be required to take adequate measures.

Contents

Chapter 1: Product Overview.................................................................5Product Overview, and the API .......................................................................................................................5

nCipher Infrastructure Overview....................................................................................................................6

Universal Coordinated Time and Its Distribution .......................................................................................6

nCipher Trust Model ..........................................................................................................................................7

Creating Trusted Time.......................................................................................................................8Timing Source ......................................................................................................................................8Time Distribution................................................................................................................................9nCipher Document Sealing Engine..................................................................................................9Time-stamping Function of the DSE...............................................................................................9

Chapter 2: Getting Started ................................................................... 10Installing the Software Development Kit .....................................................................................................10

Windows installation........................................................................................................................10Linux installation................................................................................................................................10Solaris installation..............................................................................................................................11

Locations of Installed Software and Examples ............................................................................................11

Java Examples......................................................................................................................................................12

C Examples .........................................................................................................................................................13

C Examples for Windows ...............................................................................................................13C Examples for Solaris.....................................................................................................................14C Examples for Linux.......................................................................................................................14

Chapter 3: C Language API Functions and Specifications.............. 16 Functions and Specifications ..........................................................................................................................17

API Functions......................................................................................................................................................17

TTI_EncodeTSQ_Ex.........................................................................................................................17TTI_DecodeTSQ_Ex........................................................................................................................19TTI_UnpackTSR ................................................................................................................................20TTI_GetTSR_Status..........................................................................................................................21TTI_GetTSR_EncodedToken..........................................................................................................22TTI_GetTST_TSTInfoEx..................................................................................................................24TTI_GetTST_TSACert ....................................................................................................................24TTI_GetTST_TimeAttributeCert .................................................................................................26TTI_GetTAC_TimingMetricsEx .....................................................................................................27TTI_GetTAC_TimingPolicy.............................................................................................................28

TTI_CheckTAC_MatchesTST ........................................................................................................29TTI_GetTAC_CertInfoEx................................................................................................................30

Signature Validation Function..........................................................................................................................30

TTI_VerifyTST_Signature ................................................................................................................30

Hash Functions...................................................................................................................................................32

TTI_SHA1_Init...................................................................................................................................32TTI_SHA1_Update ...........................................................................................................................32TTI_SHA1_Final ................................................................................................................................32TTI_MD5_Init ....................................................................................................................................33TTI_MD5_Update.............................................................................................................................33TTI_MD5_Final..................................................................................................................................34TTI_SHA256_Init ..............................................................................................................................34TTI_SHA256_Update.......................................................................................................................35TTI_SHA256_Final............................................................................................................................35TTI_SHA384_Init ..............................................................................................................................36TTI_SHA384_Update.......................................................................................................................36TTI_SHA384_Final............................................................................................................................36TTI_SHA512_Init ..............................................................................................................................37TTI_SHA512_Update.......................................................................................................................37TTI_SHA512_Final............................................................................................................................38

Utility Functions.................................................................................................................................................38

TTI_GetLastAsnError ......................................................................................................................38TTI_TSTInfoToIDData .....................................................................................................................39TTI_RemoveAttrCerts ....................................................................................................................40

Chapter 4: Java – API Functions and Specifications......................... 42Components .......................................................................................................................................................42

Functional Overview.........................................................................................................................................42

Deprecated Functions and Structures................................................ 44TTI_EncodeTSQ................................................................................................................................................44

TTI_DecodeTSQ...............................................................................................................................................45

TTI_GetTST_TSTInfo.......................................................................................................................................46

TTI_GetTAC_CertInfo.....................................................................................................................................47

TTI_GetTAC_TimingMetrics ..........................................................................................................................48

Acronyms .................................................................................................. 50Time signing glossary.............................................................................. 52

Chapter 1: Product Overview

This guide provides a detailed description of the nCipher DSE200 Software Development Kit (SDK).The kit provides the necessary software and documentation to properly integrate a nCipher DSE200 PKIX-compliant time-stamp into an application, file, log, or transaction. The API provides the mechanisms required for taking advantage of the built-in security and audit information generated by nCipher DSE200s.It is assumed that readers are software developers and programmers who have a fundamental understanding of public-key cryptographyThe material here will orient you to the DSE:• Instructions for installing the SDK• Guidelines for API development• Sample codeA full list of acronyms is found in Acronyms on page 50.A glossary of time terms is found in Time signing glossary on page 52.

Product Overview, and the APIThe nCipher DSE200 solution provides traceable and secure links to official UTC time sources.The API is a set of functions and sample code that enable the user to develop time-stamping applications or integrate time-stamping into existing applications. These applications have the primary function of allowing the user to communicate with the DSE200, which is a 1U network appliance. The SDK is used by software developers to enable their applications to obtain and use Time-Stamp Tokens from a DSE200. Functions provided by the API include:• Encoding and decoding time-stamp requests• Decoding time-stamp responses• Decoding time-stamp tokens• Generating SHA-1 digests• Verifying digital signatures of time-stamp tokensThe API is available in Java language classes and in C language libraries. The C language API is available as a WIN32 DLL and as Sun Solaris and Linux static libraries. The sample code and applications included in the SDK include examples of:

DSE200 SDK Reference Manual 5

nCipher Infrastructure Overview

• Generating SHA-1 digests and building time-stamp requests• Using the Time-Stamp TCP/IP protocol to submit requests and get responses from a

DSE• Decoding and verifying time-stamp responsesThe API supports the cryptographic mechanisms that create hashes, validate tokens, certify signatures, and establish DSE200 sessions.

nCipher Infrastructure OverviewThe ability to time-stamp e-documents is a fundamental business requirement. Critical to time-stamping is the level of trust required in the actual source of time itself: • How can a business be certain that the time contained in a time-stamp is accurate? • If multiple partners are conducting business transactions requiring time-stamps, whose

time will they agree to use? • What proof exists that a server’s built-in local clock has not been adjusted to an

arbitrary value?• Has a commonly-used time reference such as GPS been spoofed to indicate a different

time?Most time-stamp solutions today ignore both the issue of time source trust and the universal nature of time, so inconsistencies proliferate throughout even the largest and most global business transactions.To solve these problems, nCipher has developed products capable of securely and verifiably distributing time from a country’s legal time source down to the local time-stamp applications themselves. nCipher DSE200 provides time that is certified and traceable to a specific legal time source—a country’s National Measurement Institute (NMI). (In the United States, the National Institute of Standards and Technology, NIST, is legally established as the NMI.) Therefore, time-stamps distributed by nCipher’s DSE200 cannot be spoofed or altered.

Universal Coordinated Time and Its DistributionUniversal Coordinated Time (UTC) is the world standard for time. The origin of UTC is the International Timing Authority (ITA) known as the International Bureau of Weights and Measures (BIPM) in France. National Timing Authorities in various countries discipline their atomic clocks to be within a few nanoseconds of that of BIPM’s UTC. Each NMI then acts as a source of UTC for its country. By international agreement, the NMIs maintain audit records of their synchronization with BIPM UTC, thus providing verifiable sources of UTC within their countries. These NMIs supply time to hierarchies, or strata, of lower clocks that ultimately make UTC available to applications. While the


nCipher Trust Model

ITA–NMI timing relationship is documented and audited, the timing distribution hierarchy from the NMI down to the application has traditionally not been secure.

nCipher Trust ModelTo protect and authenticate UTC distribution, the DSE200 is used to securely distribute time from the NMI to the local application.The DSE200 is designed so that trust in the distributed time value is successfully propagated from the NMI down through all intermediate distribution layers to the application itself.Individual DSE200s are designed to be tamper resistant per FIPS 140-2 level 3 recommendations.Audit records certifying the clock calibration, traceable back to the NMI, are kept. The trust model also is created and maintained by audited operational procedures.


nCipher Trust Model

This is an illustration of the nCipher trust model.

Creating Trusted TimeTrusted time is created at the National Measurement Institute.To measure the clock offsets of the Stratum 1 clocks as well as those of other non-nCipher clocks, nCipher uses Secure NTP (DS/NTP) protocol. The protocol is based upon the Secure NTP protocol under development in the IETF.

Timing SourceFor its timing source, the NMI accepts an externally supplied timing signal. This is typically a one pulse-per-second (PPS) and a 10MHz frequency reference. In the United States, NIST supplies timing to the NMI. For tamper protection, an intervening network should not be allowed.

Figure 1 - 1: nCipher Trust Model


nCipher Trust Model

Time DistributionEach Upper Clock has a set of lower clocks that it is responsible for time certifying. Of course, it is possible to operate an Upper Clock in a standalone configuration but this is not a recommended configuration.Each Upper Clock is assigned a set of DSE200s for which it is responsible for time certifying. The system ensures that two Upper Clocks are assigned to each set of DSE200s in order to provide redundancy for the time certification process. The Upper Clock uses DS/NTP and UDP/IP to access each of its assigned DSE200s periodically to measure its time offset, and, if everything is normal, certify the DSE200 to be within a certain offset from NMI UTC. It may also send small time corrections to the DSE200 which can be used to make adjustments to the DSE200 clock to keep it within specification. If an Upper Clock finds that a DSE200 has a recent time certificate, then it takes no action; otherwise, it performs a time certification of that DSE200. Note that the Upper Clocks must have an Ethernet TCP/IP connection in order to communicate with the system.

nCipher Document Sealing EnginenCipher’s DSE200 operates as a Time-Stamp Authority (TSA) “engine” and can be used by TSAs to implement time-stamping as specified in the IETF PKIX Time-Stamp document. The TSSs provide trusted time, in the form of a Time-Stamp Token (TST). The DSE200 has its own Ethernet TCP/IP connection for communications with the upper clock and API application. Client applications access the DSE200 using the DSE200 SDK.

Time-stamping Function of the DSEThe primary function of the nCipher DSE200 is to issue signed time-stamps in the form of Time-Stamp Tokens (TST). The time-stamp Token is defined by PKIX Time Stamping Protocols.


Chapter 2: Getting Started

This chapter provides instructions for installing the DSE200 SDK and example applications on different operating system. It also describes the locations of the installed software and example applications on different operating systems.

Installing the Software Development KitThe following sections explain how to install the SDK on Windows, Linux, and Solaris.

Windows installationTo install on a Windows workstation, follow these steps:

1: Insert the nCipher DSE200 SDK CD-ROM (named nCDSE-all-dev-X.XX, where X.XX represents the CD-ROM version number) into your CD-ROM drive.

2: Run the executable file \win\2000\dsesdk\Setup.exe, and follow the onscreen instructions.By default, the Windows installer creates a Program Folder in the Start Menu named Document Sealing Engine SDK and places icons in it for the following installed items:• DSE Sample Classes for Java Documentation• DSE SDK Documentation• DSE SDK for Java Documentation• IP Time-Stamp Demo• IP Time-Stamp Demo Project• ReadMe

Note: The installer offers you the option to enter a different name of you choice for Program Folder in the Start Menu during installation.

Linux installationThe SDK is distributed as two compressed .tar files.To install on a Linux workstation, follow these steps:

1: Unpack the files from the root directory using the commands:tar -xvf nCDSE-all-dev-X.XX\linux\libc6_1\nfast\dsejdk\devel.tartar -xvf nCDSE-all-dev-X.XX\linux\libc6_1\nfast\dsesdk\devel.tar


Locations of Installed Software and Examples

In these commands, X.XX represents the CD-ROM version number.

Solaris installationThe SDK is distributed as a binary package file. To install on a Solaris workstation, follow these steps:

1: Ensure you have uninstalled any previously installed version of the SDK.2: Install the package using the command:

/usr/sbin/pkgadd -d /cdrom/nCDSE-all-dev-X.XX/solaris/2_7/nfast/nfast.pkg

In this command, X.XX represents the CD-ROM version number.

Locations of Installed Software and ExamplesWhen installed, the Java and C versions of the nCipher DSE200 SDK software have slightly different directory path structures.On Windows, the Java and C versions of the nCipher DSE200 SDK software are installed, respectively, in:• C:\nfast\java\dsesdk• C:\nfast\c\dsesdkOn Unix-based operating systems, the Java and C versions of the nCipher DSE200 SDK software are installed, respectively, in:• /opt/nfast/java/dsesdk• /opt/nfast/c/dsesdk


Java Examples

Java ExamplesThe following example Java applications are supplied on each operating system:

The contents of the ../java/dsesdk/ directory tree is the same for all operating systems (the path descriptions here use Unix-style directory separators, but you can substitute Windows-style directory separators as appropriate).

Example applications Use

TtiTest.java HttpTest.java

These applications get a time-stamp from a server and print information from the time-stamp to the screen. TtiTest.java uses the TCP/318 socket-based protocol to get the time-stamp from the server.HttpTest.java uses the HTTP protocol to get the time-stamp from the server.

TtiStress.javaHttpstress.java

These applications provide information on:• total running time in milliseconds• total count of successful time-stamps received• the count of time-stamp received during this second.• average time-stamps per second since program start-up.• total count of network retries followed by the count of

double, triple, and quadruple retries.• the total number of ignored exceptions. *

File/directory Description

../classes/tti.jar This file is the .jar file that contains all the public classes from the Java version of the nCipher DSE200 SDK.

../classes/asn1rt.jar

This is an internal support library for tti.jar.

../docs This directory contains the Javadoc documentation for the nCipher DSE200 SDK Java classes.

../examples/sample This directory contains two example applications, TtiTest.java and HttpTest.java.


C Examples

Note: Refer to the example help message for details of parameters that can be varied.

C ExamplesThe following sections discuss the C application examples available for Windows, Solaris and Linux.

Note: Refer to the example help message for details of parameters that can be varied.

C Examples for WindowsThe contents of C:\nfast\c\dsesdk\ provide the source and compiled binaries for two example C applications: ttitest and iptsdemo.• ttitest uses the TCP/318 socket-based protocol to get the time-stamp from the

server and then prints the information from the time-stamp to the screen.• iptsdemo, IP Time Stamp Demo, is a Windows GUI time-stamp application. There

is no Unix-based version of IP Time Stamp Demo.In C:\nfast\c\dsesdk\ you will find:

../examples/util This directory does not contain example applications but rather a collection of example classes; sample code that you can use and modify. Javadoc documentation for these example classes is included in the ../docs-util/ directory.

../docs-util This directory contains Javadoc documentation generated from the source example classes in the ../examples/util/ directory.

../classes/util/util.jar

This file is the compiled .jar file from the sample class files in the ../examples/util/ directory.


..\bin\tti.dll

This file is the DLL that implements the nCipher DSE200 SDK functions.

..\bin\ This directory includes prebuilt versions of the example applications ttitest.exe and iptsdemo.exe application



C Examples

C Examples for SolarisSolaris installations provide the source, compiled binaries, and Makefiles for the example C application ttitest. ttitest uses the TCP/318 socket-based protocol to get the time-stamp from the server and then prints the information from the time-stamp to the screen.On Solaris, the /opt/nfast/c/dsesdk directory contains different subdirectories for the gcc, swspro, and swspro64 compilers:

C Examples for LinuxLinux installations provide the source, compiled binaries, and Makefiles for the example C application ttitest. ttitest uses the TCP/318 socket-based protocol to get the time-stamp from the server and then prints the information from the time-stamp to the screen.

..\include\ This directory contains header files for the nCipher DSE200 SDK.

..\lib\tti.lib

This is the library file for linking with the nCIpher DSE200 SDK ..\bin\tti.dll file.

..\ttitest\ This directory contains the source for the ttitest application.

..\iptsdemo\

This directory contains the source for IP Time Stamp Demo.


../gcc/include

../swspro/include

../swspro64/include

These directories contain header files for the nCipher DSE200 SDK.

../gcc/lib/libtti.a

../swspro/lib/libtti.a

../swspro64/lib/libtti.a

These are library files for the nCipher DSE200 SDK.

../gcc/examples/

../swspro/examples/

../swspro64/examples/

These directories contain the compiled binary executables, source code, and Makefiles for the ttitest application.



C Examples

On Linux, the /opt/nfast/c/dsesdk directory contains:


../gcc/include This directory contains header files for the nCipher DSE200 SDK.

../gcc/lib/libtti.a

This is the library file for the nCipher DSE200 SDK.

../gcc/examples/ This directory contains the compiled binary executables, source code, and Makefiles for the ttitest application.


Chapter 3: C Language API Functions and Specifications

This chapter describes the API functions and specifications in detail.Note: The C Language API is currently provided in Solaris, Linux, and Windows versions.

Functional OverviewThe SDK can be used to obtain a time-stamp from an nCipher DSE200 stamp server with four basic steps:• Create an encoded request• Submit the request to the DSE• Decode the result• Verify the integrity of the time-stampHere are those steps in detail:

1: Using the TTI_SHA1 functions, generate a SHA-1 digest of the data to be time-stamped.2: Generate a nonce for the request. A nonce is a large random number that protects the

request against replay attacks.3: Populate a time-stamp request structure, TTI_TSQ_Ex, with the digest, nonce, and other

relevant information.4: Call TTI_EncodeTSQ_Ex to create an ASN.1 encoded version of the request.5: Submit the encoded request to a DSE200. The request will usually be submitted via a

TCP/IP connection.6: Unpack the response returned by the DSE200 by calling TTI_UnpackTSR. This will

verify and remove the transport specific headers from the response.#7: Call TTI_GetTSR_Status to verify the response successfully produced a time-stamp

token.8: Call TTI_GetTSR_EncodedToken to get the time-stamp token from the response. This

produces an encoded time-stamp token.The encoded time-stamp token is a PKCS #7 SignedData object and the signature can be verified with any cryptographic toolkit that supports PKCS #7. The TTI_VerifyTSTSignature function can also be used to verify the time-stamp signature.


Functions and Specifications

9: Verify the time-stamp token signature. Use TTI_VerifyTSTSignature or a cryptographic toolkit that supports PKCS #7.

10: Call TTI_GetTST_TSTInfoEx to populate a TTI_TSTInfoEx structure with the contents of the time-stamp token.

11: Verify the following:• Verify the value in the time-stamp token (TST) match the values in the time-stamp

request (TSQ)• Verify that the messageImprint matches• Verify that the nonce matches• If the request included a specific policy identifier, verify that this matches.• Verify that the time contained in the time-stamp is reasonably close to the current

system time. (Only perform this check if you can trust the system time to be relatively accurate.)

Functions and SpecificationsThe following sections document the API functions and their specifications. They have been documented as follows:• API Functions, see page 17• Signature Validation Function, see page 30• Hash Functions, see page 32• Utility Functions, see page 38.

API FunctionsThe following sections explain the API specifications.

TTI_EncodeTSQ_ExUses the information in a TTI_TSQ_Ex structure to create an encoded time-stamp request.int TTI_EncodeTSQ_Ex(

const TTI_TSQ_Ex * pTSQ,byte * encodedReq,size_t * encodedReqLen,TTI_TransportFormat transportFormat );


API Functions

Parameters:

Currently defined format types are:

Return Values:If this function succeeds, the return value is zero (TTI_SUCCESS).If this function fails, the return value is a nonzero error code.

pTSQ [in] Points to a populated TTI_TSQ_Ex structure. The information in this structure is used to create the encoded time-stamp request.The TTI_TSQ_Ex structure supports nonce and serial numbers up to 40 bytes.

encodedReq [out] Points to a buffer to receive the encoded time-stamp request.encodedReqLen [in/out] Points to a value specifying the size, in bytes, of the

encodedReq buffer. When the function returns, this value contains the size, in bytes, of the encoded time-stamp request.

transportFormat

[in] A flag indicating which type of additional transport encoding should be included in the request.

TTI_RAW Returns the encoded time-stamp request with no headers and no special encoding.

TTI_TCP Returns the encoded time-stamp request prepended with a five-byte TCP header.

TTI_HTTP Reserved for future use.TTI_SMTP Reserved for future use.

TTI_INVALID_PARAMETER pTSQ and encodedReqLen must not be NULL.transportFormat must be a valid TTI_TransportFormat value.

TTI_BUFFER_TOO_SMALL The size indicated by encodedReqLen is too small. When the function returns, the required size is returned in the value pointed to by encodedReqLen.

TTI_TSR_ASN_ERROR An unexpected ASN error occurred. To get the ASN error code, call TTI_GetLastAsnError.

TTI_NOT_SUPPORTED TTI_HTTP and TTI_SMTP are not supported at this time.


API Functions

Remarks:This function creates an encoded time-stamp request that includes the information supplied in the TTI_TSQ_Ex structure. The request is formatted according to version one of the PKIX Time-Stamp protocol. This function will also encode the request for a particular transport mechanism. At this time, two transport format options are supported: TTI_RAW and TTI_TCP. TTI_RAW returns the encoded time-stamp request with no headers and no special encoding. TTI_TCP returns the request with a five-byte TCP header prepended. This header includes the size of the request and a flag byte set to zero (tsaMsg).When this function is used with the transportFormat set to TTI_TCP, the resulting encoded time-stamp request may be submitted directly to an nCipher DSE200 via a TCP socket connected to port 318 of the server.

TTI_DecodeTSQ_ExDecodes an encoded time-stamp request and writes the information into a TTI_TSQ_Ex structure.int TTI_DecodeTSQ_Ex(

TTI_TSQ_Ex * pTSQ,const byte * encodedReq,size_t encodedReqLen );

Parameters:


pTSQ [out] Points to a TTI_TSQ_Ex structure that receives information from the encoded time-stamp request.The TTI_TSQ_Ex structure supports nonce and serial numbers up to 40 bytes.

encodedReq [in] Points to a buffer that contains an encoded time-stamp request.encodedReqLen

[in] Specifies the size, in bytes, of the encoded time-stamp request.

TTI_INVALID_PARAMETER

pTSQ and encodedReq must not be NULL.


API Functions

Remarks:This function can be used to decode a time-stamp request that was encoded with TTI_EncodeTSQ_Ex. It is potentially useful if the original TTI_TSQ_Ex structure that was used to create the encoded request is not available.

TTI_UnpackTSRConverts a transport-specific response into a raw time-stamp response by removing transport-specific headers.int TTI_UnpackTSR(

byte * encodedResp,size_t * encodedRespLen,int * responseCode,TTI_TransportFormat transportFormat );

Parameters:


TTI_ASN_ERROR Received unexpected results from an ASN function.TTI_TSR_ASN_ERROR An unexpected ASN error occurred. To get the ASN error

code, call TTI_GetLastAsnError.

encodedResp [in/out] Points to a buffer that contains a transport-specific response. When the function returns, this buffer will contain a raw time-stamp response.

encodedRespLen

[in/out] Points to a value specifying the size, in bytes, of the transport-specific response. When the function returns, this value contains the size, in bytes, of the raw time-stamp response.

responseCode [out] Points to an integer to receive the response code from a TTI_TCP response.

transportFormat

[in] The transport mechanism that produced this response.

TTI_RAW Encoded time-stamp response with no headers and no special encoding.

TTI_TCP Encoded time-stamp response prepended with a five-byte TCP header.



API Functions


Remarks:This function removes the header and special encoding that is added to a time-stamp response by the transport mechanism. At this time two transport format options are supported: TTI_RAW and TTI_TCP. TTI_RAW is only supported for completeness. If the format is TTI_RAW, this function simply returns TTAPI_SUCCESS without doing any processing because none is needed.If the format is TTI_TCP, this function will verify and remove the TCP header from the time-stamp response.

TTI_GetTSR_StatusDecodes a time-stamp response and writes the information into a TTI_PKIStatusInfo structure.int TTI_GetTSR_Status(

TTI_PKIStatusInfo * pPKIStatusInfo,const byte * encodedResp,size_t encodedRespLen );

TTI_INVALID_PARAMETER encodedResp, encodedRespLen, and responseCode must not be NULL.transportFormat must be a valid TTI_TransportFormat value.

TTI_RESPONSE_SIZE_MISMATCH

The size from the TCP header did not match the actual size of the response. The expect size from the TCP header is returned in the value pointed to by encodedRespLen.

TTI_TSA_UNEXPECTED_RESPONSE

The response flag in the TCP header contained an unexpected value. The only expect value is 5 (finalMsgRep). The actual value is returned in the value pointed to by responseCode.



API Functions

Parameters:


Remarks:This function retrieves the status information from a time-stamp response. This status information indicates whether a time-stamp token was issued in the response and, if it wasn’t, the reason for the failure.

TTI_GetTSR_EncodedTokenRetrieves the encoded time-stamp token from an encoded time-stamp response.int TTI_GetTSR_EncodedToken(

byte * tokenBuf,size_t * tokenBufLen,const byte * encodedResp,size_t encodedRespLen );

pPKIStatusInfo [out] Points to a TTI_PKIStatusInfo that receives information from the encoded time-stamp response.

encodedResp [in] Points to a buffer that contains an encoded time-stamp response.

encodedRespLen [in] Specifies the size, in bytes, of the encoded time-stamp response.

TTI_INVALID_PARAMETER pPKIStatusInfo and encodedResp must not be NULL.

TTI_ASN_ERROR Received unexpected results from an ASN function.TTI_TSR_ASN_ERROR An unexpected ASN error occurred. To get the ASN

error code, call TTI_GetLastAsnError.


API Functions

Parameters:


Remarks:A time-stamp response is what a DSE200 returns for a request. The response contains status information indicating what kind of response this is. If the status information indicates PKIS_granted or PKIS_grantedWithMods, the time-stamp response will also contain a time-stamp token. This function copies the time-stamp token into the supplied buffer.

tokenBuf [out] Points to a buffer that receives the encoded time-stamp token.

tokenBufLen [in/out] Points to a value specifying the size, in bytes, of the tokenBuf buffer. When the function returns, this value contains the size, in bytes, of the encoded time-stamp token.

encodedResp [in] Points to a buffer that contains an encoded time-stamp response.

encodedRespLen [in] Specifies the size, in bytes, of the encoded time-stamp response.

TTI_INVALID_PARAMETER encodedResp and tokenBufLen must not be NULL.TTI_BUFFER_TOO_SMALL The size indicated by tokenBufLen is too small.

When the function returns, the required size is returned in the value pointed to by tokenBufLen.

TTI_ASN_ERROR Received unexpected results from an ASN function.TTI_TSR_ASN_ERROR An unexpected ASN error occurred. To get the ASN

error code, call TTI_GetLastAsnError.TTI_INVALID_RESPONSE_STATUS

The time-stamp response status was not PKIS_granted or PKIS_grantedWithMods. This indicates that the time-stamp response was a failure response, therefore there is no time-stamp token in the response.

TTI_NO_TOKEN_PRESENT No token was present in the response. This is an unexpected situation and indicates corrupt data or a misbehaving DSE200.


API Functions

The time-stamp token is a Cryptographic Message Syntax SignedData object (See RFC 2630 and RFC 2315 [PKCS#7]). The time-stamp token represents the data that should be stored for future reference. This is the time-stamp.

TTI_GetTST_TSTInfoExDecodes an encoded time-stamp token and writes the encapsulated TSTInfo data into a TTI_TSTInfoEx structure.int TTI_GetTST_TSTInfoEx(

TTI_TSTInfoEx * pTSTInfo,const byte * encodedToken,size_t encodedTokenLen );

Parameters:


Remarks:This is the core data of a time-stamp token. The TSTInfo is part of the signed data of the time-stamp token and therefore is protected against modification. This function reads and decodes this portion of the time-stamp token and writes the information into a TTI_TSTInfoEx structure.

TTI_GetTST_TSACertRetrieves the encoded TSA certificate from an encoded time-stamp token.

pTSTInfo [out] Points to a TTI_TSTInfoEx structure that receives information from the encoded time-stamp token.The TTI_TSTInfoEx structure supports nonce and serial numbers up to 40 bytes.

encodedToken [in] Points to a buffer that contains an encoded time-stamp token.encodedTokenLen

[in] Specifies the size, in bytes, of the encoded time-stamp token.


encodedResp and tokenBufLen must not be NULL.




API Functions

int TTI_GetTST_TSACert( byte * certBuf,size_t * certBufLen,const byte * encodedToken,size_t encodedTokenLen );

Parameters:


Remarks:If the encoded time-stamp token contains the signing certificate, this function copies the encoded signing certificate into the supplied buffer. This function does not validate the signature on the time-stamp token.

certBuf [out] Points to a buffer that receives the encoded TSA certificate.certBufLen [in/out] Points to a value specifying the size, in bytes, of the

certBuf buffer. When the function returns, this value contains the size, in bytes, of the encoded TSA certificate.




encodedToken and certBufLen must not be NULL.

TTI_BUFFER_TOO_SMALL

The size indicated by certBufLen is too small. When the function returns, the required size is returned in the value pointed to by certBufLen.

TTI_INVALID_TST The content of the encodedToken buffer is not recognized as a valid encoded time-stamp token.

TTI_NO_TSACERT_PRESENT

The encoded time-stamp token did not contain the signing certificate. A time-stamp token will only contain the signing certificate if the time-stamp request specified that the certificate be included.

TTI_ESSCERTID_FAILED

The SHA-1 hash of the Time Attribute certificate did not match a value stored in the signed attributes of the time-stamp token.


API Functions

This function verifies the signing certificate against the first SHA-1 hash in the ESSCertID list before the function returns. The ESSCertID provides cryptographic binding of the time-stamp token to a particular identity certificate, whereas the signature only binds the time-stamp token to the public key.

TTI_GetTST_TimeAttributeCertRetrieves the encoded Time Attribute certificate from an encoded time-stamp token.

int TTI_GetTST_TimeAttributeCert(byte * certBuf,size_t * certBufLen,const byte * encodedToken,size_t encodedTokenLen );

Parameters:


certBuf [out] Points to a buffer that receives the encoded Time Attribute Certificate.

certBufLen [in/out] Points to a value specifying the size, in bytes, of the certBuf buffer. When the function returns, this value contains the size, in bytes, of the encoded Time Attribute certificate.

encodedToken [in] Points to a buffer that contains an encoded time-stamp token.encodedTokenLen [in] Specifies the size, in bytes, of the encoded time-stamp token.


encodedToken and certBufLen must not be NULL.


The size indicated by certBufLen is too small. When the function returns, the required size is returned in the value pointed to by certBufLen.

TTI_INVALID_TST The content of the encodedToken buffer is not recognized as a valid encoded time-stamp token.


API Functions

Remarks:If the encoded time-stamp token contains the Time Attribute certificate, this function copies the encoded TAC into the supplied buffer.This function verifies that the time-stamp token was issued under the Time Attribute certificate before the function returns. This verification is done by checking the ESSCertID list of SHA-1 hashes for the SHA-1 hash of the Time Attribute certificate. This check is necessary because the certificate list in a time-stamp token is not protected by the signature. The cryptographic binding of a time-stamp to a Time Attribute certificate is accomplished by including the SHA-1 hash of the Time Attribute certificate in the ESSCertID. The ESSCertID is protected by the signature on the time-stamp token.

TTI_GetTAC_TimingMetricsExDecodes an encoded Time Attribute certificate and writes the encapsulated TimingMetrics attribute data into a TTI_TimingMetricsEx structure.

int TTI_GetTAC_TimingMetricsEx( TTI_TimingMetricsEx * pTimingMetrics,const byte * certBuf,size_t certBufLen );

Parameters:

Return Values:If this function succeeds, the return value is zero (TTI_SUCCESS).

TTI_NO_TAC_PRESENT

The encoded time-stamp token did not contain the Time Attribute certificate. A time-stamp token will only contain the Time Attribute certificate if the time-stamp request specified that the certificate be included.



pTimingMetrics

[out] Points to a TTI_TimingMetricsEx structure that receives information from the encoded Time Attribute certificate.

certBuf [in] Points to a buffer that contains an encoded Time Attribute certificate.

certBufLen [in] Specifies the size, in bytes, of the encoded Time Attribute certificate.


API Functions

If this function fails, the return value is a nonzero error code.

TTI_GetTAC_TimingPolicyDecodes an encoded Time Attribute certificate and writes the encapsulated TimingPolicy attribute data into a TTI_TimingPolicy structure.int TTI_GetTAC_TimingPolicy(

TTI_TimingPolicy * pTimingPolicy,const byte * certBuf,size_t certBufLen );

Parameters:



pTimingMetrics and certBuf must not be NULL.



pTimingPolicy

[out] Points to a TTI_TimingPolicy structure that receives information from the encoded Time Attribute certificate.



TTI_NO_TAC_TIMINGPOLICY_PRESENT

The Time Attribute Certificate does not contain Timing Policy information.

TTI_INVALID_PARAMETER pTimingPolicy and certBuf must not be NULL.

TTI_ASN_ERROR Received unexpected results from an ASN function.



API Functions

TTI_CheckTAC_MatchesTSTVerifies that the time-stamp token was issued under the Time Attribute certificate.int TTI_CheckTAC_MatchesTST(

const byte * certBuf,size_t certBufLen,const byte * encodedToken,size_t encodedTokenLen );

Parameters

Return Values:

Remarks:This function verifies that the time-stamp token was issued under the Time Attribute certificate. This function is especially useful when the time-stamp token does not contain a Time Attribute certificate and the user wants to verify that the time-stamp token was issued under a TAC that the user retrieved from a previous time-stamp or some other mechanism.This verification is done by checking the ESSCertID list of SHA-1 hashes for the SHA-1 hash of the Time Attribute certificate. The cryptographic binding of a time-stamp to a Time Attribute certificate is accomplished by including the SHA-1 hash of the Time Attribute certificate in the ESSCertID. The ESSCertID is protected by the signature on the time-stamp token.






certBuf and encodedToken must not be NULL.


code, call TTI_GetLastAsnError.TTI_ESSCERTID_FAILED



Signature Validation Function

TTI_GetTAC_CertInfoExDecodes an encoded Time Attribute certificate and writes the encapsulated certificate data into a TTI_TXAC_CertInfo structure.int TTI_GetTAC_CertInfoEx(

TTI_TAC_CertInfoEx * pTAC,const byte * certBuf,size_t certBufLen );

Parameters:


Signature Validation FunctionThe following section explains the signature validation function.

TTI_VerifyTST_SignatureVerifies the signature on an encoded time-stamp token.int TTI_VerifyTST_Signature(

const byte * encodedToken,size_t encodedTokenLen,const byte * tsaCert,size_t tsaCertLen );

pTAC [out] Points to a TTI_TAC_CertInfoEx structure that receives information from the encoded Time Attribute certificate.The TTI_TAC_CertInfoEx structure supports nonce and serial numbers up to 40 bytes.

certBuf [in] Points to a buffer than contains an encoded Time Attribute certificate.certBufLen

[in] Specifies the size, in bytes, of the encoded Time Attribute certificate.






Signature Validation Function

Parameters:


Remarks:This function is provided so that API users can validate the signature of a time-stamp token. However, if you have access to other PKI tools, we recommend you use those to validate the signature. Asking the API to validate its own signature is of limited value.In addition to verifying the signature on the time-stamp token, TTI_VerifyTST_Signature verifies the signing certificate against the first SHA-1 hash in the ESSCertID before the function returns. The ESSCertID provides cryptographic binding of the time-stamp token to a particular identity certificate, whereas the signature only binds the time-stamp token to the public key.


[in] Specifies the size, in bytes, of encoded time-stamp token.

tsaCert [in, optional] Points to a buffer that contains the TSA certificate that signed this token.If this parameter is NULL, this function attempts to verify the signature with a certificate included in the time-stamp token.

tsaCertLen [in] Specifies the size, in bytes, of the encoded certificate.


encodedToken is not allowed to be NULL.

TTI_INVALID_TST encodedToken did not contain a valid encoded time-stamp token.

TTI_INVALID_SIGNATURE

The time-stamp token signature was not valid.

TTI_NO_TSACERT_PRESENT

The encoded time-stamp token did not contain the signing certificate. A time-stamp token contains the signing certificate only if the time-stamp request required that the certificate be included.




Hash Functions

Hash FunctionsThe following sections document hash functions.

TTI_SHA1_InitCreates a SHA-1 hash object and returns a handle that can be used to access the object.

TTI_SHA1_HANDLE TTI_SHA1_Init();

Return Values:If this functions succeeds, the return value is a nonzero handle.If this function fails, the return value is zero.

Remarks:Use the TTI_SHA1_Update function to feed data to the hash object.After a successful call to this function, the returned handle must eventually be released with a call to TTI_SHA1_Final.

TTI_SHA1_UpdateUsed to feed data to a specified hash object.Before calling this function, the TTI_SHA1_Init function must be called to get a handle to a hash object.void TTI_SHA1_Update(

TTI_SHA1_HANDLE hSHA,const void * pData,size_t cbData );

Parameters:

Remarks:This function may be called multiple times to compute the hash of long or discontiguous data streams.

TTI_SHA1_FinalUsed to retrieve the value from a hash object and to release the hash object.

hSHA [in] Handle of the SHA-1 hash object.pData [in] Points to a buffer containing the data to be added to the SHA-1 hash

object.cbData [in] Number of bytes of data to be added.


Hash Functions

void TTI_SHA1_Final( TTI_SHA1_HANDLE hSHA,byte * pbHash );

Parameters:

Remarks:After this function is called, the TTI_SHA1_HANDLE that was passed in becomes invalid. It must not be used for future calls to TTI_SHA1_Update or TTI_SHA1_Final.

TTI_MD5_InitCreates an MD5 hash object and returns a handle that can be used to access the object.

TTI_MD5_HANDLE TTI_MD5_Init();


Remarks:Use the TTI_MD5_Update function to feed data to the hash object.After a successful call to this function, the returned handle must eventually be released with a call to TTI_MD5_Final.

TTI_MD5_UpdateUsed to feed data to a specified hash object.Before calling this function, the TTI_MD5_Init function must be called to get a handle to a hash object.void TTI_MD5_Update(

TTI_MD5_HANDLE hMD5,const void * pData,size_t cbData );

hSHA [in] Handle of the SHA-1 hash object.pbHash [out] Points to a buffer that receives the hash. The buffer must be at least 20

bytes in length.


Hash Functions

Parameters:


TTI_MD5_FinalUsed to retrieve the value from a hash object and to release the hash object.void TTI_MD5_Final(

TTI_MD5_HANDLE hSHA,byte * pbHash );

Parameters:

Remarks:After this function is called, the TTI_MD5_HANDLE that was passed in becomes invalid. It must not be used for future calls to TTI_MD5_Update or TTI_MD5_Final.

TTI_SHA256_InitCreates an SHA256 hash object and returns a handle that can be used to access the object.




hMD5 [in] Handle of the MD5 hash object.pData [in] Points to a buffer containing the data to be added to the MD5 hash object.cbData [in] Number of bytes of data to be added.

hMD5 [in] Handle of the MD5 hash object.pbHash [out] Points to a buffer that receives the hash. The buffer must be at least 20

bytes in length.


Hash Functions


TTI_SHA256_HANDLE hSHA256,const void * pData,size_t cbData );

Parameters:


TTI_SHA256_FinalUsed to retrieve the value from a hash object and to release the hash object.void TTI_SHA256_Final(

TTI_SHA256_HANDLE hSHA256,byte * pbHash );

Parameters:


hSHA256

[in] Handle of the SHA256 hash object.

pData [in] Points to a buffer containing the data to be added to the SHA256 hash object.

cbData [in] Number of bytes of data to be added.

hMD5 [in] Handle of the SHA256 hash object.pbHash [out] Points to a buffer that receives the hash. The buffer must be at least 20

bytes in length.


Hash Functions

TTI_SHA384_InitCreates a SHA384 hash object and returns a handle that can be used to access the object.






Parameters:




hSHA384





Hash Functions

Parameters:


TTI_SHA512_InitCreates a SHA512 hash object and returns a handle that can be used to access the object.






h384 [in] Handle of the SHA384 hash object.pbHash [out] Points to a buffer that receives the hash. The buffer must be at least 20

bytes in length.


Utility Functions

Parameters:




Parameters:


Utility FunctionsThe following sections document the utility functions available.

TTI_GetLastAsnErrorUsed to retrieve extended ASN error codes. This function should be called after an encoding or decoding function returns TTI_ASN_ERROR or TTI_TSR_ASN_ERROR.

int TTI_GetLastAsnError();

hSHA512




hSHA512


pbHash [out] Points to a buffer that receives the hash. The buffer must be at least 20 bytes in length.


Utility Functions

Return Values:Returns the last ASN error code that occurred during an encoding or decoding function. This value is set before an encoding or decoding function returns TTI_TSR_ASN_ERROR.

Remarks:There are a large number of error codes that may be returned from this function. These errors usually occur only when an invalid or corrupted buffer is passed to a decode function. Since these errors are unexpected, this document does not contain a complete list of possible values. However, this function provides help with technical support in the case of unexpected errors

TTI_TSTInfoToIDDataThis function will modify the encapsulated content type in a time-stamp token, changing it from id-ct-TSTInfo to id-data.int TTI_TSTInfoToIDData(

const byte * encodedToken,size_t encodedTokenLen,byte * encodedObjectBuf,size_t * encodedObjectBufLen );

Parameters:


encodedToken [in] Points to a buffer that contains an encoded time-stamp token.

encodedTokenLen [in] Specifies the size, in bytes, of the encoded time-stamp token.

encodedObjectBuf

[out] Points to a buffer to receive the modified encoded time-stamp token.

encodedObjectBufLen

[in/out] Points to a value specifying the size, in bytes, of the encodedObjectBuf buffer. When the function returns, this value contains the size, in bytes, of the modified encoded time-stamp token.


Utility Functions


Remarks:The DSE200 issues time-stamp tokens that follow the requirements specified in RFC 3161. The encoded time-stamp tokens are CMS SignedData objects with an encapsulated content type of id-ct-TSTInfo.However, testing has shown that several PKI tool sets cannot handle this embedded content type. Therefore, these tools cannot validate the signature on time-stamp tokens.This TTI_TSTInfoToIDData function provides a temporary work-around for anyone using one of these PKI tools. Modifying the encapsulated content type to id-data has no adverse affect on signature validation and allows a time-stamp token signature to be validated by popular tool sets.Now that RFC 3161 exists and the time-stamp protocol is no longer just an IETF draft, we expect that the popular PKI tool sets will be updated to handle the id-ct-TSTInfo object identifier.

TTI_RemoveAttrCertsRemoves attribute certificates from a time-stamp token.int TTI_RemoveAttrCerts(

const byte * encodedToken,size_t encodedTokenLen,byte * encodedObjectBuf,size_t * encodedObjectBufLen );


pbEncodedToken and pcbEncodedObjectLength must not be NULL.


The size indicated by encodedObjectBufLen is too small. When the function returns, the required size is returned in the value pointed to by encodedObjectBufLen.




Utility Functions

Parameters:

Return ValuesIf this function succeeds, the return value is zero (TTI_SUCCESS).If this function fails, the return value is a nonzero error code.:

Remarks:If the time-stamp token contains a certificate list, the certificate list will contain at least one attribute certificate, most likely the Time Attribute certificate.Many PKI tool sets cannot handle SignedData objects that contain attribute certificates. Therefore PKI tools cannot validate signatures on time-stamp tokens. The TTI_RemoveAttrCerts function provides a work-around for anyone using one of these PKI tools. Removing the attribute certificates has no adverse affect on signature validation and allows a time-stamp token signature to be validated by popular tool sets.

encodedToken [in] Points to a buffer that contains an encoded time-stamp token.

encodedTokenLen [in] Specifies the size, in bytes, of the encoded time-stamp token.encodedObjectBuf

[out] Points to a buffer to receive the modified encoded time-stamp token.

encodedObjectBufLen

[in/out] Points to a value specifying the size, in bytes, of the encodedObjectBuf buffer. When the function returns, this value contains the size, in bytes, of the modified encoded time-stamp token.


pbEncodedToken and pcbEncodedObjectLength must not be NULL.


The size indicated by encodedObjectBufLen is too small. When the function returns, the required size is returned in the value pointed to by encodedObjectBufLen.




Chapter 4: Java – API Functions and Specifications

This chapter provides an overview of the contents and use of the API/JDK. Detailed documentation of the API Java classes is provided in HTML format in the doc subdirectory of your install directory.

ComponentsThe API/JDK consists of a tti.jar file, Javadoc documentation and a sample application that demonstrates proper usage.

Functional OverviewThe API/JDK can be used to obtain a time-stamp from a nCipher DSE200 with four basic steps:• Create an encoded request• Submit it to the DSE• Decode the result• Verify the integrity of the time stamp.

Here are the steps in greater detail:

1: Using standard java.security classes, generate a SHA-1 digest of the data to be time-stamped.

2: Generate a nonce for the request (a large random number that protects the request against replay attacks.)

3: Create a TimeStampRequest object with the digest, nonce, and other relevant information.

4: Call TimeStampRequest.encodeRequest to create an ASN.1 encoded version of the request.

5: Create a TimeStampServerTCP object with the IP address of a time-stamp server.6: Call TimeStampServerTCP.submitRequest to request and receive the encoded time-

stamp token. The encoded time-stamp token is a PKCS #7 SignedData object and the signature can be verified with any cryptographic tool kit that supports PKCS #7.


Functional Overview

7: Create a TimeStampToken object with the encoded time stamp token.8: Call TimeStampToken.getTSTInfo to obtain a TSTInfo object that contains the time-

stamp specific information (such as the time).9: Verify the integrity of the time-stamp token by checking that the time contained in the

time-stamp is reasonably close to the current system time.Each of these steps is illustrated in the example program TtiTest.java included with the API/JDK.


Appendix A: Deprecated Functions and Structures

The following sections document deprecated API functions and specifications.Note: Deprecated functions and structures still work. However, the following functions do not

support the use of SHA-384 or SHA-512. This is because, in some old structures, the hash value size was limited to 40 bytes which is not enough to support SHA-384 or SHA-512.

TTI_EncodeTSQNote: This function has been replaced by TTI_EncodeTSQ_Ex. See TTI_EncodeTSQ_Ex on

page 17 for more information.

Uses the information in a TTI_TSQ structure to create an encoded time-stamp request.int TTI_EncodeTSQ(

const TTI_TSQ * pTSQ,byte * encodedReq,size_t * encodedReqLen,TTI_TransportFormat transportFormat;

Parameters:


pTSQ [in] Points to a populated TTI_TSQ structure. The information in this structure is used to create the encoded time-stamp request.

encodedReq [out] Points to a buffer to receive the encoded time-stamp request.encodedReqLen [in/out] Points to a value specifying the size, in bytes, of the

encodedReq buffer. When the function returns, this value contains the size, in bytes, of the encoded time-stamp request.

transportFormat

[in] A flag indicating which type of additional transport encoding should be included in the request.

TTI_RAW Returns the encoded time-stamp request with no headers and no special encoding.

TTI_TCP Returns the encoded time-stamp request prepended with a five-byte TCP header.


TTI_DecodeTSQ


Remarks:This function creates an encoded time-stamp request that includes the information supplied in the TTI_TSQ structure. The request is formatted according to version one of the PKIX Time-Stamp protocol. This function will also encode the request for a particular transport mechanism. At this time, two transport format options are supported: TTI_RAW and TTI_TCP. TTI_RAW returns the encoded time-stamp request with no headers and no special encoding. TTI_TCP returns the request with a five-byte TCP header prepended. This header includes the size of the request and a flag byte set to zero (tsaMsg).When this function is used with the transportFormat set to TTI_TCP, the resulting encoded time-stamp request may be submitted directly to an nCipher DSE200 via a TCP socket connected to port 318 of the server.

TTI_DecodeTSQThis function has been replaced by TTI_DecodeTSQ_Ex. See TTI_DecodeTSQ_Ex on page 19 for more information.Decodes an encoded time-stamp request and writes the information into a TTI_TSQ structure.int TTI_DecodeTSQ(

TTI_TSQ * pTSQ,


TTI_INVALID_PARAMETER pTSQ and encodedReqLen must not be NULL.transportFormat must be a valid TTI_TransportFormat value.

TTI_BUFFER_TOO_SMALL The size indicated by encodedReqLen is too small. When the function returns, the required size is returned in the value pointed to by encodedReqLen.




TTI_GetTST_TSTInfo

const byte * encodedReq,size_t encodedReqLen );

Parameters:


Remarks:This function can be used to decode a time-stamp request that was encoded with TTI_EncodeTSQ. It is potentially useful if the original TTI_TSQ structure that was used to create the encoded request is not available.

TTI_GetTST_TSTInfoThis function has been replaced by TTI_GetTST_TSTInfoEx. See TTI_GetTST_TSTInfoEx on page 24 for more information.Decodes an encoded time-stamp token and writes the encapsulated TSTInfo data into a TTI_TSTInfo structure.int TTI_GetTST_TSTInfo(

TTI_TSTInfo * pTSTInfo,const byte * encodedToken,size_t encodedTokenLen );

pTSQ [out] Points to a TTI_TSQ structure that receives information from the encoded time-stamp request.

encodedReq [in] Points to a buffer that contains an encoded time-stamp request.

encodedReqLen [in] Specifies the size, in bytes, of the encoded time-stamp request.

TTI_INVALID_PARAMETER pTSQ and encodedReq must not be NULL.TTI_ASN_ERROR Received unexpected results from an ASN function.TTI_TSR_ASN_ERROR An unexpected ASN error occurred. To get the ASN

error code, call TTI_GetLastAsnError.


TTI_GetTAC_CertInfo

Parameters:


Remarks:This is the core data of a time-stamp token. The TSTInfo is part of the signed data of the time-stamp token and therefore is protected against modification. This function reads and decodes this portion of the time-stamp token and writes the information into a TTI_TSTInfo structure.

TTI_GetTAC_CertInfoThis function has been replaced by TTI_TAC_CertInfoEx. See TTI_GetTAC_CertInfoEx on page 30 for more information.Decodes an encoded Time Attribute certificate and writes the encapsulated certificate data into a TTI_TAC_CertInfo structure.

int TTI_GetTAC_CertInfo(TTI_TAC_CertInfo * pTAC,const byte * certBuf,size_t certBufLen );

pTSTInfo [out] Points to a TTI_TSTInfo structure that receives information from the encoded time-stamp token.




encodedResp and tokenBufLen must not be NULL.




TTI_GetTAC_TimingMetrics

Parameters:


TTI_GetTAC_TimingMetricsDecodes an encoded Time Attribute certificate and writes the encapsulated TimingMetrics attribute data into a TTI_TimingMetrics structure.

int TTI_GetTAC_TimingMetrics( TTI_TimingMetrics * pTimingMetrics,const byte * certBuf,size_t certBufLen );

Parameters:


pTAC [out] Points to a TTI_TAC_CertInfo structure that receives information from the encoded Time Attribute certificate.

certBuf [in] Points to a buffer than contains an encoded Time Attribute certificate.certBufLen

[in] Specifies the size, in bytes, of the encoded Time Attribute certificate.





pTimingMetrics

[out] Points to a TTI_TimingMetrics structure that receives information from the encoded Time Attribute certificate.




TTI_GetTAC_TimingMetrics







Appendix B: Acronyms

The following acronyms are used:

Acronym Definition

APC Application Certificate

API Application Program Interface

CA Certification Authority or Certificate Authority

CRL Certificate Revocation List

CRM Certificate Request Message

DSA Digital Signature Algorithm specified in DSS

DSS Digital Signature Standard (FIPS 186)

DS/NTP Datum Secure Network Time Protocol

ENMTMS Element Manager

FIPS Federal Information Processing Standard

GPS Global Positioning System

IETF Internet Engineering Task Force

NIST National Institute of Standards and Technology

NMI National Measurement Institute(s)

NOC Network Operations Center

NTP Network Time Protocol (RFC 1305)

OCSP Online Certificate Status Protocol

OCSPROCSP Responder

OEM Original Equipment Manufacturer

OID Object Identifier

PKI Public Key Infrastructure


PLB Private Label Branch

PSTN Public Switched Telephone Network

RA Registration Authority

SNMP Simple Network Management Protocol

SSL Secure Sockets Layer

TCCert Time Calibration Certificate

TLS Transport Layer Security

TPC Third Party Certificate

TPCA Third Party Certification/Certificate Authority

TSA Time Stamp Authority

TSP Time Stamp Protocol

TSR Time Stamp Request

UDP/IP User Datagram Protocol/Internet Protocol

UTC Coordinated Universal Time

Acronym Definition


Appendix C: Time signing glossary

The following are time-related terms, and their definitions.

Term Definition

Access Control The mechanisms of limiting entry to resources based on users’ identities and their membership in various predefined groups. The network resources with these access restrictions typically are servers, directories, and files.

ACTS Automated Computer Time System, a NIST service that provides announced time via telephone.

Advanced Encryption Standard (AES)

Developed by NIST and private companies, this standard is 256-bit based and is a stronger defense for sensitive material when compared to 40-bit or 128-bit.

Algorithm A clearly specified mathematical process for computation, or set of rules which, if followed, will give a prescribed result.

ANSI American National Standards Institute, the organization responsible for approving US standards in many categories, including computers and communications. Standards approved by this organization are often called ANSI standards.

API Application Program Interface. This interface enables software developers to write their software so that it can communicate with the computer's operating system or other programs.

ASCII American Standards Code Information Interchange, a code in which each alphanumeric character is represented as a number from 0 to 127, in binary code so the computer can understand it. Its simplicity allows diverse computers to understand one another.

ATM Asynchronous Transfer Mode, or ATM switching. This is a type of packet switching that makes it possible to transmit data at high speeds over a network. It also allows dynamic allocation of bandwidth, meaning users get only the bandwidth they need and are charged accordingly.


Attribute Certificate

A type of certificate that emphasizes certification of access rights and constraints. This is in contrast to Identity Certificate, which binds a distinguished name (DN) and a public key. Commonly, attribute certificates are issued with short validity periods and do not contain a public key value.

Audit Trail A series of events, usually kept in and managed by a computer-based log, that give proof of a defined activity.

Authentication The process by which people (or applications) who receive a certificate can verify the identity of the certificate’s owner and the validity of the certificate. Certificates are used to identify the author of a message or an entity such as a Web server or DSE200.

Authorization The granting of access rights to a user, program, or process. Once you have authenticated a user, the user may be allowed different types of access or activity.

BCD Binary Coded Decimal. Also called packed decimal, this is the representation of a number by using 0s and 1s, or four-bit binary numbers. So the number 29 would be encoded as 0010 1001.

Bureau International de l’Heure (BIPM)

The worldwide organization that coordinates standard frequencies and time signals, the BIPM maintains Coordinated Universal Time (UTC).

Calibration To fix the graduations of time measurement against the established national standard, including any periodic corrections that should be made.

CDMA Code Division Multiple Access, a technique of multiplexing, also called spread spectrum, in which analog signals are converted into digital form for transmission.

CDSA Common Data Security Architecture describes the security structure for an entire network. It is unique to each network because security is managed differently for each.

Certificate Certificates are used to verify the identity of an individual, organization, Web server, or hardware device. They are also used to ensure non-repudiation in business transactions, as well as enable confidentiality through the use of public-key encryption.

Term Definition


Certificate Authority (CA)

A trusted entity that issues a certificate after verifying the identity of the person or program or process that the certificate is intended to identify. A CA also renews and revokes certificates and, at regular intervals, generates a list of revoked certificates.

Certificate Extension

An extension of the X.509 standard that lets the certificate hold additional identifying information.

Certificate Request

A request containing a user’s public key, distinguished name (DN), and other data that is submitted to a Certificate Authority (CA) in order to receive a certificate.

Certificate Revocation List (CRL)

CRLs list certificates that have been revoked by a particular CA. Revocation lists are vital when certificates have been stolen, for example.

Certification Path

A specified sequence of issued certificates necessary for the user to get their key.

Confidentiality Keeping secret data from unauthorized eyes.

Content Filtering

A filter that screens out data by checking (for example) URLs or key words.

Coordinated Universal Time (UTC)

The international time standard is called Coordinated Universal Time or, more commonly, UTC, for “Universal Time, Coordinated”. This standard has been in effect since being decided on 1972 by worldwide representatives within the International Telecommunication Union. UTC is maintained by the Bureau International de l’Heure (BIPM) which forms the basis of a coordinated dissemination of standard frequencies and time signals. The acronyms UTC and BIPM are each a compromise among all the participating nations.

CR See Certificate Request.

Credential(s) Much like a photo ID or birth certificate, electronic credentials are recognized as proof of a party's identity and security level. Examples: certificate, logon ID, secure ID, and so forth.

Term Definition


Cross-Certificate

Two or more Certificate Authorities (CAs) which issue certificates (cross-certificates) to establish a trust relationship between themselves.

Cryptography See Encryption.

Data Encryption Standard (DES)

Encryption method in which both the sender and receiver of a message share a single key that decrypts the message.

DCLS Direct Current Level Shift, or digital IRIG. See also: IRIG.

Decryption The transformation of unintelligible data (ciphertext) into original data (clear text).

Denial of Service

When a network is flooded with traffic through any of a variety of methods, the systems cannot respond normally, so service is curtailed or denied. This is a favorite technique of network saboteurs.

DES See Data Encryption Standard (DES).

DHCP Dynamic Host Configuration Protocol is a standards-based protocol for dynamically allocating and managing IP addresses. DHCP runs between individual computers and a DHCP server to allocate and assign IP addresses to the computers as well as limit the time for which the computer can use the address.

Diffie-Hellman A key-agreement algorithm used to create a random number that can be used as a key over an insecure channel.

Digital Certificates

Digital Certificates are issued by a Certificate Authority (CA), which verifies the identification of the sender. The certificate is attached to an electronic message, so the recipient knows the sender is really who they claim to be.

Digital Fingerprint

Similar to digital signature, a digital fingerprint is the encryption of a message digest with a private key.

Digital Signature

Like a digital certificate, a digital signature is a data string that is verified by a Certificate Authority, and is attached to an electronic message so that it can verify that the sender is really who they claim to be. The difference between a digital certificate and a digital signature is found in how the message is encrypted and decrypted.

Term Definition


Digital Signature Algorithm (DSA)

The asymmetric algorithm that is at the core of the digital signature standard. DSA is a public-key method based on the discrete logarithm problem.

Digital Signature Standard (DSS)

A NIST standard for digital signatures, used to authenticate both a message and the signer. DSS has a security level comparable to RSA (Rivest-Shamir-Adleman) cryptography, having 1,024-bit keys.

Digital Time-Stamp

See Time-Stamp.

Directory The directory is the storage area for network security information such as keys or server names.

DSA See Digital Signature Algorithm (DSA).

DS/NTP Datum Secure Network Time Protocol, the protocol used by Sovereign Time, Inc., based on NTP and which includes additional security features.

DSS See Digital Signature Standard (DSS).

Element Manager (ENMTMS)

Software that manages the components of an application.

Encryption The transformation of clear data (clear text) into unintelligible data (ciphertext). Asymmetric encryption, also known as Public Key encryption, allows for the trading of information without having to share the key used to encrypt the information. Information is encrypted using the recipient’s public key and then the recipient decrypts the information with their private key. Symmetric encryption, also known as Private Key encryption, allows information to be encrypted and decrypted with the same key. Thus the key must be shared with the decrypting party--but anyone who intercepts the key can also use it.

Ephemeris Time Time obtained from observing the motion of the moon around the earth.

Term Definition


FIPS Federal (US) Information Processing Standards are a set of standards for document processing and for working within documents. Some commonly-used FIPS standards are 140-1, 140-2, and 180.

Firewall Firewalls are software and hardware systems that define access between two networks, offering protection from outside data that could be harmful, such as a virus sent via the Internet.

GMT Greenwich Mean Time, the mean solar time of the meridian of Greenwich, England, used until 1972 as a basis for calculating standard time throughout the world.

GPS Global Positioning System. The GPS is a constellation of 24 (or more) US Department of Defense satellites orbiting the earth twice a day.

Hack/crack Hackers are unauthorized programmers who write code that enables them to break into a computer network or program. Crackers are unauthorized programmers whose goal it is to break into computer networks or programs protected by security software or hardware.

Hash Also called hash function or hashing, used extensively in many encryption algorithms. Hashing transforms a string of characters usually into a shorter, fixed-length value or key. Information in a database is faster to search when you use a hashed key, than if you were to try to match the original data.

HTML HyperText Markup Language, the computer language used to create pages for the World Wide Web.

HTTP HyperText Transfer (or Transport) Protocol, the protocol most often used to transfer information from World Wide Web servers to users of the Web.

HTTPS HTTP over an SSL connection.

Identity Certificate

Also called Digital Certificates. The hash creates a message digest based on the contents of the message. The message is then encrypted using the publisher's private key, then it is appended to the original message.

Term Definition


IEEE Institute of Electrical and Electronic Engineers, an international organization that sets standards for electrical and computer engineering.

IETF Internet Engineering Task Force, an international organization which sets standards for Internet protocols in their Request for Comment (RFC) papers.These papers are numbered (RFC 1305, RFC 868, and so on) and are referred to by engineers worldwide as they work on technologies that support IETF standards.

IKE Internet Key Exchange, a security system that uses a private key and an exchange key that encrypts private keys. Passwords are delivered via the Internet.

In-band Authentication

When you use PKI—which involves public keys and a private key— for authentication, it is called in-band authentication. See also: Out-of-band Authentication.

Integrity Data that has retained its integrity has not been modified or tampered with.

IPSec Internet Protocol Security describes the IETF protocols that protect the secure exchange of packets on the IP layer.

IRIG InteRange Instrumentation Group is an analog standard for serial time formats.

Irrefutable See Non-repudiation.

ITU International Telecommunications Union, the international organization that sets standards for data communication.

Key An alphanumeric string that encrypts and decrypts data.

Key Escrow A secure storage maintained by a trusted third party, which holds keys.

Key Generation Creation of a key.

Key Management

The process by which keys are created, authenticated, issued, distributed, stored, recovered, and revoked.

Key Pair Two integrated keys: one public, one private.

Term Definition


Key Recovery The process of recovering a private decryption key from a secure archive for the purposes of recovering data that has been encrypted with the corresponding encryption key.

L1 Band, L2 Band

Each Navstar GPS satellite currently transmits in two dedicated frequency bands: L1 and L2, which is centered on 1227.6 MHz. L1 carries one encrypted signal, as does L2, both being reserved for the military. L1 also carries one unencrypted signal, for civilian use.

LDAP The Lightweight Directory Access Protocol is the standard Internet protocol for accessing directory servers over a network.

Leap Seconds Today’s scientists and engineers have perfected clocks based on a resonance in cesium atoms to an accuracy of better than one part in 10 trillion. These clocks keep pace with each other to within one two- or three-millionth of a second over a year’s time. The earth, on the other hand, might randomly accumulate nearly a full second’s error during a given year. To keep coordinated with the rotation of the earth, this error is added to (or deleted from) UTC time as a leap second, on the last day of the June or December in that year.

MD5 An algorithm for creating a cryptographic hash (or fingerprint) of a message or of data.

Message Authentication Code (MAC)

A MAC is a function that takes a variable length input and a key to produce a fixed-length output.

Message Digest The hash of a message. See also: Hash.

MIB Management Information Base, a database on the network that tracks, records, and corrects performance for each device on the network.

MTBF Mean Time Between Failure, a measure of reliability. The longer the time span between failures, the more reliable the device.

Multiplexing Process during which two or more signals are combined into one; at the other end, signals are unbundled by a demultiplexer. TDM is Time Division Multiplexing, FDM is Frequency Division Multiplexing, and CDMA is Code Division Multiple Access.

Term Definition


National Measurement Institute (NMI)

Also known as National Metrology Institute(s), the National Measurement Institute(s) is the national authority in each country that is usually recognized as the source of official time.

NIST National Institute of Standards and Technology, the National Measurement Institute in the United States. NIST produces standards for security and cryptography through in the form of FIPS documents.

NOC A Network Operations Center is a centralized point of network management within a large-scale data network.

Non-repudiation The time-stamp creates an evidentiary trail to a reliable time source that prevents a party in a transaction from later denying when the transaction took place.

Notarization Certification of the identity of the party in a transaction based on identifying credentials.

NTP Network Time Protocol is a protocol that provides a reliable way of transmitting and receiving the time over the TCP/IP networks. The NTP, defined in IETF RFC 1305, is useful for synchronizing the internal clock of the computers to a common time source.

OCSP Online Certificate Status Protocol, a protocol defined in RFC 2560, enables applications to check the status of a certificate every time the certificate is used.

OID Object Identifier.

Online validation

A way of validating a key each time before it is used to verify that it has not expired or been revoked.

OSI Operations System Interface.

Out-of-band Authentication

When authentication is performed using relatively insecure methods, such as over the telephone, it is called out-of-band authentication. In-band authentication, which uses PKI, is preferred. See also: In-band Authentication

PCI Peripheral Component Interconnect, a local bus that supports high-speed connection with peripherals. It plugs into a PCI slot on the motherboard.

Term Definition


PKCS Public Key Cryptography Standards. These standards allow compatibility among different cryptographic products.

PKI Public Key Infrastructure. The PKI includes the Certificate Authority (CA), key directory, and management. Other components such as key recovery, and registration, may be included. The result is a form of cryptography in which each user has a Public Key and a Private Key. Messages are sent encrypted with the receiver's public key; the receiver decrypts them using the private key.

PKI Certificate See Digital Certificates.

PKIX Extended Public Key Infrastructure, or PKI with additional features approved by the IETF.

Private Key This is a secret key, known to only one of the parties involved in a transaction.

PSTN Public Switched Telephone Network, a voice and data communications service for the general public which uses switched lines.

Public Key Messages are sent encrypted with the recipient's public key, which is known to others; the recipient decrypts them using their private key.

Public Key Certificate

Certificate in the form of data that holds a public key, authentication information, and private key information.

RA A Registration Authority (RA) does not issue certificates, but does the required identification for certain certificate data.

Resolution Resolution of a time code refers to the smallest increment of time, whether it is days, hours, seconds, or other.

Revocation The withdrawing of a certificate by a Certificate Authority before its expiration date or time. See also Certificate Revocation List (CRL).

Risk Management

The tasks and plans that help avoid security risk, and if security is breached, helps minimize damage.

Term Definition


Root CA A Certificate Authority (CA) whose certificate is self-signed; that is, the issuer and the subject are the same. A root CA is at the top of a hierarchy.

Root Time Trust Authority (RTTA)

Also called Root Time Trust Services, these are end user organizations who provide time calibration and auditing services. Examples include Seiko Instruments, Inc., and Sovereign Time.

RSA The RSA (Rivest-Shamir-Andleman) algorithm is a public-key encryption technology developed by RSA Data Security.

SHA-1 Secure Hash Algorithm is an algorithm developed by the US National Institute of Standards and Technology (NIST). SHA-1 is used to create a cryptographic hash of a message or data. It has a larger message digest, so it is considered to be somewhat stronger than MD5.

Smart card A card the size of a credit card, which holds a microprocessor that stores information.

S/MIME Secure Multipurpose Internet Mail Extensions. The standard for secure messaging.

SNMP Simple Network Management Protocol is the Internet standard protocol for network management software. It monitors devices on the network, and gathers device performance data for management information (data)bases (MIB).

Solar Time Time based on the revolution of the earth around the sun.

SSL Secure Sockets Layer, a protocol that enables secure communications on the World Wide Web/Internet.

SSL Client Authentication

Part of the SSL handshake process, when the client responds to server requests for a key.

SSL-LDAP Secure Sockets Layer-Lightweight Directory Access Protocol.

SSL Server Authentication

Part of the SSL handshake process, when the server informs the client of its certificate (and other) preferences.

Term Definition


Stratum Levels These are standards set by Network Time Protocol RFC 1305. The highest level are W3CStratum 0 devices such as GPS, which get their time from a primary time source such as a national atomic clock. Stratum 1 servers source their time from a Stratum 0 device. Stratum 2 and beyond obtain their time from Stratum 1 servers. The further removed in stratum layers a network is from a primary source, the greater the chance of signal degradations due to variations in communications lines and other factors.

Sysplex Timer The Sysplex Timer provides a synchronized Time-of-Day clock for multiple attached computers.

TCCert Time Calibration Certificate.

TCP/IP A mainstay of the Internet, the Transmission Control Protocol (TCP) provides dependable communication and multiplexing It is connection-oriented, meaning it requires a connection be established data transfer. It sits on top of the Internet Protocol (IP), which provides packet routing. This is connectionless, meaning each data packet has its source and destination data embedded, so it can bounce around a network and still get to its destination.

Telnet Telnet is a terminal emulation application protocol that enables a user to log in remotely across a TCP/IP network to any host supporting this protocol. The keystrokes that the user enters at the computer or terminal are delivered to the remote machine, and the remote computer response is delivered back to the user’s computer or terminal.

TFTP TFTP is a UDP-based, connectionless protocol.

Time Signing The process by which a stamp server issues a digital signature of the time stamp, then encrypts it.

Time-Stamp A record mathematically linking a piece of data to a time and date. Subset of a time signing.

Time-Stamping Authority

An authorized device that issues time-stamps, and its owner.

Term Definition


TLS Transport Layer Security, security that protects the OSI layer that is responsible for reliable end-to-end data transfer between end systems.

Tool box A group of software applications that have similar functions.

TPC Third Party Certificate. See also: Certificate.

TPCA Third Party Certification/Certificate Authority. See also: Certificate Authority (CA).

Traceability Traceability infers that the time standard used on the time signing server was set using time directly or indirectly from a National Measurement Institute (NMI).

Transaction An activity, such as a request or an exchange.

Triple-DES Also called Triple Data Encryption Algorithm (TDEA), Data Encryption Standard is an algorithm that encrypts blocks of data.

Trust In the network security context, trust refers to privacy (the data is not viewable by unauthorized people), integrity (the data stays in its true form), non-repudiation (the publisher cannot say they did not send it), and authentication (the publisher--and recipient--are who they say they are).

TSA See Time-Stamping Authority.

TSP Time-Stamp Protocol.

TTI Trusted Time Infrastructure is the clock and management system used by Digital Trust Authorities and National Measurement Institutes in support of Trusted Time StampServers.

UDP/IP User Datagram Protocol/Internet Protocol is a communications protocol that provides service when messages are exchanged between computers in a network that uses the Internet Protocol. It is an alternative to the Transmission Control Protocol.

USNO U.S. Naval Observatory, in Washington, D.C., where the atomic clock that serves as the official source of time for the United States is maintained.

UTC See Coordinated Universal Time (UTC).

Term Definition


Vault Secure data storage facility.

Verification The process of making sure the identity of the parties involved in a transaction is what they claim it to be.

Virus An unwanted program that hides behind legitimate code, and which is activated when the legitimate program is activated.

VPN Virtual Private Network, a way that authorized individuals can gain secure access to an organization's intranet, usually via the Internet.

W3C The World Wide Web Consortium, based at the Massachusetts Institute of Technology (MIT), is an international organization which creates standards for the World Wide Web.

Wireless Application Protocol (WAP)

Wireless Application Protocol, a worldwide standard for applications used on wireless communication networks.

WPKI Wireless Public Key Infrastructure.

WTLS Wireless Transport Layer Security.

X.509 The ITU's X.509 standard defines a standard format for digital certificates, the most-widely used PKI standard.

X.509 v3 Certificate Extension

The X.509 standard with extended features approved by the IETF.

Term Definition


Index

Symbols"C" API Functions and Specifications 16, 44

AAbout the API 5Access Control 52ACTS 52Advanced Encryption Standard (AES) 52Algorithm 52ANSI 52API 52API Specifications 17API/JDK 42API/JDK Components 42API/JDK Functional Overview 42ASCII 52ATM 52Attribute Certificate 53Audit Trail 53Authentication 53Authorization 53

BBCD 53BIPM 6Bureau International de l’Heure (BIPM) 53

CCalibration 53CDMA 53CDSA 53Certificate 53Certificate Authority (CA) 54Certificate Extension 54Certificate Request Message 54Certificate Revocation List (CRL) 54Certification Path 54Client applications 9Confidentiality 54Content Filtering 54Coordinated Universal Time (UTC) 54Credential(s) 54

CRM 54Cross-Certificate 55Cryptography 55

DData Encryption Standard (DES) 55DCLS 55Decryption 55Denial of Service 55DES 55DHCP 55Diffie-Hellman 55Digital Certificates 55Digital Fingerprint 55Digital Signature 55Digital Signature Algorithm (DSA) 56Digital Signature Standard (DSS) 56Digital time-stamp 56Directory 56DS/NTP 8, 56DSA 56DSS 56

EElement Manager (ENMTMS) 56Encryption 56Ephemeris Time 56Ethernet 9

FFIPS 57Firewall 57Function

TTI_CheckTAC_MatchesTST 29TTI_GetTAC_TimingMetrics 27TTI_GetTST_TimeAttributeCert 26

Functional Overview of the TTAPI/SDK 16Functions

TTI_CheckTAC_MatchesTST 29TTI_DecodeTSQ 45TTI_DecodeTSQ_Ex 19TTI_EncodeTSQ 44TTI_EncodeTSQ_Ex 17TTI_GetLastAsnError 38TTI_GetTAC_CertInfo 47TTI_GetTAC_CertInfoEx 30TTI_GetTAC_TimingMetrics 27TTI_GetTAC_TimingPolicy 28TTI_GetTSR_EncodedToken 22TTI_GetTSR_Status 21TTI_GetTST_TimeAttributeCert 26


TTI_GetTST_TSACert 24TTI_GetTST_TSTInfo 24, 46TTI_GetTST_TSTInfoEx 24TTI_RemoveAttrCerts 40TTI_SHA1_Final 32, 34, 35, 36, 38TTI_SHA1_Init 32, 33, 34, 36, 37TTI_SHA1_Update 32, 33, 35, 36, 37TTI_TSTInfoToIDData 39TTI_UnpackTSR 20TTI_VerifyTST_Signature 30

GGetting Started 10Global Positioning System (GPS) 57Glossary 52GMT 57

HHack/crack 57Hash 57HTML 57HTTP 57HTTPS 57

IIdentity Certificate 57IEEE 58IETF 58IKE 58In-band Authentication 58Installing the Software Development Kit 10Integrity 58International Bureau of Weights and Measures

(BIPM) 6IPSec 58IRIG 58Irrefutable 58ITU 58

JJava 42Java API Functions and Specifications 42Javadoc 42

KKey 58Key Escrow 58Key Generation 58Key Management 58Key Pair 58

Key Recovery 59

LL1 Band, L2 Band 59LDAP 59Leap Seconds 59

MMD5 59Message Authentication Code (MAC) 59Message Digest 59MIB 59MTBF 59Multiplexing 59

NNational Measurement Institute 6National Measurement Institute (NMI) 60nCipher Trust Model 7NIST 8, 60NMI 6NOC 60Non-repudiation 60Notarization 60NTP 60

OObtaining a time-stamp 16OCSP 60OID 60Online validation 60OSI 60Out-of-band Authentication 60

PPCI 60PKCS 61PKI 61PKI Certificate 61PKIX 5, 9, 61Private Key 61PSTN 61Public Key 61Public Key Certificate 61

RRA 61Resolution 61Revocation 61


Risk Management 61Root CA 62Root Trust Time Services (RTTS) 62RSA 62

SS/MIME 62Sample Java application 42SHA-1 62Smart card 62SNMP 62Solar Time 62SSL 62SSL Client Authentication 62SSL Server Authentication 62SSL-LDAP 62Stratum 1 8Stratum Levels 63

TTCCert 63TCP/IP 9, 63Telnet 63TFTP 63Time distribution 6, 9Time Signing 63Time Stamp Glossary 52Time Stamp Token 9Time-Stamp 63Time-Stamping Authority 63Timing Source 8TLS 64Tool box 64TPC 64TPCA 64Traceability 64Transaction 64Triple-DES 64Trust 64Trust in the time source 6Trusted Time Acronyms 50Trusted Time Infrastructure Overview 6Trusted Time Product Overview 5TSA 64TSP 64tti.jar 42TTI_GetTAC_TimingPolicy 28TtiTest.java sample program 43

UUDP/IP 64Universal Coordinated Time 6USNO 64UTC 6, 64

VVault 65Verification 65Virus 65VPN 65

WW3C 65WAP 65Windows 10WPKI 65WTLS 65

XX.509 65

v3 Certificate Extension 65


nCipher addresses

Internet addresses

Note: nCipher also maintain international sales offices. Please contact the UK or the US head office for details of your nearest nCipher representative.

nCipher Corporation Ltd. nCipher Inc.

Cambridge, UK

Jupiter HouseStation RoadCambridgeCB1 2JDUK

Boston Metro Region, USA

92 Montvale AveSuite 4500Stoneham, MA. 02180USA

Tel:Fax:

+44 (0) 1223 723600+44 (0) 1223 723601

Tel:

Fax:

800-NCIPHER800-6247437+1 (781) 994 4000+1 (781) 994 4001

E-mail: [email protected]@ncipher.com

E-mail: [email protected]@ncipher.com

Web Site: http://www.ncipher.com

Online Documentation: http://active.ncipher.com/documentation

http://www.ncipher.com

http://active.ncipher.com/documentation/

Date post:	01-Sep-2018
Category:	Documents
Upload:	vuongkien
View:	231 times
Download:	0 times

DSE200 SDK Reference Manual - uniza.skkifri.fri.uniza.sk/~chochlik/epodpis/nCipher...

Documents