When only the OCSF base is installed, the OCSF framework uses the policy
modules as follows:
- For symmetric encryption, a check is made to disallow nested encryptions
of a data buffer. If the input buffer to be encrypted is identical to a buffer
of cipher text produced in the recent past, the framework considers this an
attempt to perform nested encryption of a data buffer and disallows it.
- When a symmetric context is created or updated, a check is made to see
if the strength of the cryptography requested is stronger than allowed by
the policy modules or if the algorithm requested is not defined by the policy
modules. If so, the cryptographic context is flagged. An encryption or decryption
request made with that context will be denied.
- When an asymmetric context is created or updated, a check is made to see
if the strength of the cryptography requested is stronger than allowed by
the policy modules or if the algorithm requested is not defined by the policy
modules. If so, the cryptographic context is flagged. An encryption, decryption,
key wrap or key unwrap request made with that context will be denied.
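The following is an added toy model of the two checks described in the list above (the nested-encryption check and the flagged-context check); it is illustration written for this page, not OCSF code, and the names `PolicyModule`, `SymmetricContext`, `RECENT_WINDOW`, the policy table and the stand-in cipher are all assumptions chosen to make the behaviour visible, not the framework's API.

```python
"""Toy model of the OCSF base policy checks (added illustration, not OCSF code).

Assumptions (not from the OCSF documentation): the policy table below, the
size of the "recent past" window, and the XOR stand-in used in place of a
real cipher so that the example runs offline.
"""
from collections import deque
from dataclasses import dataclass


class PolicyModule:
    """Constructed policy: algorithms the policy modules define and the
    maximum key length (bits) each one allows. Values are assumptions."""
    ALLOWED = {"DES": 56, "3DES": 112, "RC2": 40}

    @classmethod
    def permits(cls, algorithm, key_bits):
        limit = cls.ALLOWED.get(algorithm)
        # Undefined algorithm or key stronger than the policy allows -> deny.
        return limit is not None and key_bits <= limit


# Cipher-text buffers produced "in the recent past"; window size is an assumption.
RECENT_WINDOW = deque(maxlen=16)


@dataclass
class SymmetricContext:
    algorithm: str
    key_bits: int
    flagged: bool = False   # set when the policy check fails at create/update


def create_context(algorithm, key_bits):
    return update_context(SymmetricContext(algorithm, key_bits), algorithm, key_bits)


def update_context(ctx, algorithm, key_bits):
    # Both creation and update re-run the policy check and (re)flag the context.
    ctx.algorithm = algorithm
    ctx.key_bits = key_bits
    ctx.flagged = not PolicyModule.permits(algorithm, key_bits)
    return ctx


def _toy_transform(ctx, data):
    # Stand-in for the real cipher: XOR with a key-derived byte. NOT encryption.
    k = (ctx.key_bits * 31) & 0xFF or 0x5A   # never 0, so output differs from input
    return bytes(b ^ k for b in data)


def encrypt(ctx, plaintext):
    if ctx.flagged:
        raise PermissionError("context flagged by policy: encryption denied")
    # Nested-encryption check: input identical to a recently produced cipher text.
    if any(plaintext == ct for ct in RECENT_WINDOW):
        raise PermissionError("nested encryption of a data buffer is disallowed")
    ciphertext = _toy_transform(ctx, plaintext)
    RECENT_WINDOW.append(ciphertext)
    return ciphertext


def decrypt(ctx, ciphertext):
    if ctx.flagged:
        raise PermissionError("context flagged by policy: decryption denied")
    return _toy_transform(ctx, ciphertext)


def _denied(fn, *args):
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


def demo():
    """Walk through the behaviours the text describes; returns a result dict."""
    results = {}
    ctx = create_context("DES", 56)                      # within policy
    ct = encrypt(ctx, b"constructed sample record")
    results["roundtrip"] = decrypt(ctx, ct) == b"constructed sample record"
    results["nested_denied"] = _denied(encrypt, ctx, ct)  # cipher text fed back in
    results["replain_allowed"] = encrypt(ctx, b"constructed sample record") != b""
    too_strong = create_context("3DES", 168)              # stronger than policy allows
    undefined = create_context("AES", 128)                # not defined by the policy
    results["too_strong_flagged"] = too_strong.flagged
    results["undefined_flagged"] = undefined.flagged
    results["flagged_encrypt_denied"] = _denied(encrypt, too_strong, b"x")
    results["flagged_decrypt_denied"] = _denied(decrypt, undefined, b"x")
    results["update_clears_flag"] = not update_context(too_strong, "3DES", 112).flagged
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Note that the nested-encryption check, as the text describes it, is a comparison of buffer contents against recently produced cipher text, so a context that was never flagged can still have an individual encrypt request refused; the policy strength and algorithm checks, by contrast, are evaluated once at context creation or update and then enforced on every request using that context.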