Cryptography Enhanced Products

Contents

• Introduction
• Overview
• Cryptography Enhanced Applications
  • Netscape Navigator
  • NCSA Mosaic
  • Microsoft Internet Explorer
  • IBM Web Explorer
  • SUN Hot Java
  • SafetyWeb
  • Pretty Good Privacy (PGP)
  • Entrust
  • RSA Secure (tm)
  • Secure File System (SFS)
  • Lotus Notes
• Steganography Enhanced Applications
  • Andy Browns S-Tools
  • Hide and Seek
  • Pretty Good Envelope (PGE)
  • White Noise Storm
  • Stego
  • Kevin Maher's Texto
• Safe Interpreters
  • Java
  • SafePhyton
  • Safe TCL
• Internet Servers
  • Apache HTTP Server
  • APACHE-SSL COMMERCE
  • Secure Telnet, FTP
• Runtime Environments
  • SUN Solaris
  • OSF-DCE
  • OMG-CORBA
  • DEC-DSSA
  • SESAME
  • Kerberos
  • Secure Shell
  • S-Key
  • SRA (Telnet, FTP)
  • WebScan
  • MIME Sweeper
• Application Programming Libraries
  • GSS-API
  • IDUP-API
  • GCS-API
  • BSAFE (PKCS), RSAREF
  • Microsoft Crypto API
  • NSA Crypto API
  • Crypto++
  • SSLeay
• Protocol Standards
  • S-HTTP
  • PEM
  • X.509
  • SSL
  • Internet Protocol 6 (IPv6)
  • MOSS
  • S-MIME
• Algorithms
  • DES
  • MD5
  • RIPE-MD
• URLs of Interest
• References

Introduction

This is an annotated overview of computer and network security products that are commercially available, in the public or shareware domain. The overview addresses application software engineers and system end users who look for suitable toolkits to meet or at least support their security needs.

The market of computer security products is difficult to survey. The more defensive sector of the market is well respected and professional solutions are available off-the-shelf; for example, firewalls, access control and virus protection. The more offensive sectors are less established in the civil markets and available products are less professional and less integrated due to governments' offenses, smaller promotion, legal uncertainties, etc. Most kinds of cryptographic and steganographic solutions fall into this category. In the current post cold war situation, some governments feel their national suvereignity threatened and in the U.S. strong cryptographic products are subject to export control regulations and/or escrow plans (Clipper). Thus, software engineers, procurers and end-users may find it difficult to take informed decisions in this area.

Undoubtedly, the internet and WWW increasingly act as a catalyst in balancing the legitimate security needs of governments, commerce and individual consumers, patients, etc. Naturally, individual interests are the least represented in this balancing process. Click into the golden key to find out about movements addressing this particular issue. In order to support proactive development of computer security that meets the security requirements of all parties involved, this overview focuses on the more offensive and less clear cut market of security products.

If you are interested in professional privacy initiatives, explore the Golden Key Campaign.

Note that this document is only a first shot and needs more work in every respect. Feel free to comment, critisize and contribute to bleumer@acm.org.

Overview

All security products are organized into the following sections.

Cryptography Enhanced Applications and Steganography Enhanced Applications list applications (including browsers) that provide security on demand. Some of them are separate applications that work together with the production applications on a file-by-file basis. Others provide plug-in facilities for enhanced integration with production applications.

Safe Interpreters deals with a special case of applications: virtual machines capable to execute high level programming languages like Java. We make this a separate section because such interpreters are so transparent as applications that they may be seen as a part of the runtime environment; however, they have not yet been integrated into available operating systems.

Internet Servers covers the growing number of internet servers for http, ftp, etc. that provide security services.

Runtime Environments presents security modules for operating systems. These modules enforce their respective type of security in a transparent way and usually need no maintenance by the user.

Application Programming Libraries summarizes the libraries available for cryptographic support. This section addresses software engineers more than end-users.

Protocols and Algorithms provide more background information on standardized use of cryptographic mechanisms.

Each section provides information about the supplier (SUP) of each product, whether it is commercially (C) available, freeware (F), shareware (S), or public domain (PD). If the product runs on certain platforms, i.e., operating systems only, this is mentioned under the OS entry. Respective URLs for source code, documentation, and FAQs are given (SRC). A remark (REM) to each product summarizes some specific features and drawbacks with respect to cryptography).

For more information on security legislation and export regulations consult

• Survey of legislation regarding cryptography
• Overview of cryptography export cases
• HotWired Index on Privacy Resources

Cryptography Enhanced Applications

Netscape Navigator

SUP

(C) Netscape Communications

SRC

Software (US), German Mirror

REM

WWW Browser that interprets a lot more than standard HTML 2.0. For example Java Script. Capable to support SSL for network layer security.

Problems:

• Netscape Navigator 2.0 does not allow to disable interpretation of HTML extensions like Java Script, whereas 2.02 does so.
• Java Scripts can send e-mails without noticing the user and thereby send out private information from the user's machine.

.

NCSA Mosaic

SUP

(C) National Center for Supercomputing Applications (NCSA)

SRC

Software (US), German Mirror

REM

WWW Browser.

Microsoft Internet Explorer

SUP

(C) Microsoft

SRC

Software (US), German Mirror

REM

WWW Browser.

IBM Web Explorer

SUP

(C) IBM

SRC

Software (US), German Mirror

REM

WWW Browser.

SUN Hot Java

SUP

(C) SUN Microsystems

SRC

Software (US), German Mirror

REM

WWW Browser.

SafetyWeb

SUP

(C) Spry, Inc.

SRC

Evaluation Demo (US)

REM

Secure WWW server based on the new Secure-HTTP (S-HTTP) standard. SafetyWEB will encrypt and authenticate data as it is transferred between S-HTTP browsers. Any HTTP client can access the secure server but non-S-HTTP users will not be able to use the security capabilities.

Features:

• secure public key encryption and authentication
• basic password authentication,
• access control lists
• proxy server support.

Pretty Good Privacy (PGP)

SUP

(PD) Philip Zimmermann prz@acm.org

(C) ViaCrypt(Commercial Version)

SRC

International homepage of PGP, Documentation (German) , [Z96]

MIT's Public Key Server provides an international index of PGP public keys.

REM

Free international product ready to encrypt and/or sign your files. Source Code available for the public domain version.

Entrust

SUP

(C) Northern Telecom (Nortel), entrust@entrust.com

SRC

Entrust Homepage, Documentation (postscript)

OS

PC - Windows 3.1, UNIX - HP-UX 9.03, Solaris 2.4, Sun OS 4.1.3, MacOS 7

REM

Scalable (several 10,000 users), fully-featured security product making use of X.500 public key management. Public-key infrastructure architected to be independent of any particular choice of cryptographic algorithm to ensure that it will always be able to take advantage of the latest advances in cryptographic technology and standards. Supported mechanisms:

• RSA for key management,
• RSA (DSA planned) for digital signature
• DES or CAST for encryption.

RSA Secure (tm)

SUP

(C) RSA Data Security, Inc. rsasecure@rsa.com

SRC

Homepage , Evaluation demo (US)

REM

File Protection Software.

• Full integration with the Windows File Manager
• Automatic encryption and/or deryption via the RSA AutoCrypto (tm) List
• Emergency Access (tm) to encrypted files by splitting an escrowed master key among up to 8 trustees by a secret sharing scheme

Secure File System (SFS)

SUP

Peter Gutmann ??

OS

MS-DOS, Windows 3.x, Windows 95

SRC

Homepage

REM

Transparent Encryption of file system at sector level. Careful and thorough security analysis provided.

• Support of smart cards
• Support of archiving private keys

Lotus Notes

SUP

(C) Lotus Development Corporation. RSA Data Security, Inc

SRC

No evaluation copy known on the web.

REM

• Encryption of data transfer with 64 bit keys.
• Mandatory key escrow: Each encrypted message is accompanied by 24 bits of the corresponding encryption key, but not in plain but in encrypted form under a public key of the (US) government. The remaining 40 bit can easily be obtained by brute force.

Steganography Enhanced Applications

Andy Browns S-Tools

SUP

(SW)

OS

MS Windows

REM

Hides secret information in files that must be provided by the user.

• Uses the LSB of .wav soundfiles or of RGB color graphic files
• Optional encryption by IDEA, DES, 3DES, MPJ2, NSEA
• Original files cannot be recovered.

Hide and Seek 4.1

SUP

Colin Maroney

OS

MS DOS

REM

Hides secret information in files that must be provided by the user.

• Uses the LSB of GIF files
• Optional encryption by IDEA
• Original files cannot be recovered.

Pretty Good Envelope 1.0 (PGE)

SUP

Roche' Crypt

OS

REM

Hides secret information in files that must be provided by the user.

• Uses the LSB of GIF, JPEG files
• External encryption recommended
• Original files cannot be recovered

PGMstealth

Gzsteg

White Noise Storm (tm)

SUP

Ray (Arsen) Arachelian rarachel@photon.poly.edu or sunder@intercon.com or RayDude@Aol.Com;

REM

Hides secret information in files that must be provided by the user.

• Uses the LSB of image and sound files like PCX, TIFF, VOX, AIFF.

MandelSteg

Stego

SRC

(PD) Romana Machado's Homepage

OS

Platform independent Java implementation

REM

Hides secret information in files that must be provided by the user.

Kevin Maher's Texto

SRC

REM

Hides information in files that are synthesized automatically.

Safe Interpreters

Java

SUP

SunSoft/JavaSoft

SRC

Documentation, FAQ on Applet Security, Java Security Story, Low Level Security, WWW Security FAQ

REM

Core security feature is the Java Verifier that downloads required classes on-line and checks them statically. In addition, the interpreter performs checks at run time (e.g., type and range checking). Java 2.0 does not provide for cryptographic security features such as digitally signed applets.

• A major security bug concerning DNS Spoofing was fixed by Java 2.0.1 and Java Development Kit (JDK) 1.0.1. (Dean, Felten, Wallach, SUN)
• A major security bug concerning the Java Bytecode Verifier has been announced for Java 2.0.1 and JDK 1.0.1.
• Computer Incident Advisory Capability (CIAC) Notes

SafePhyton

SUP

(PD):

OS

Unix, MS-Windows(95, NT), MacOS

SRC

Software (FI), Software (NL), German mirror

Safe TCL

Defensive Security (Access Control)

• Software Products
• SATAN Source Code (www) , (ftp)
• TRIPWIRE
• COURTNEY
• Internet Scanner

URLs of Interest

Organisations

• CERT (Computer Emergency Response Team), cert@cert.org, CERT Advisories, FAQ, Tools & Papers">, ftp site, Actual alerts
• CIAC (Computer Incident Advisory Capability) ciac@llnl.gov, ftp site
• FIRST (Forum of Incident Response and Security Teams) e-mail: first@first.org
• IETF (Internet Engineering Task Force), Security related RFCs (German mirror) Full RFC index RFC search tool,
• NCSA (National Center for Supercomputing Applications)
• NCSC (North Carolina Super Computing Center)
• OMG (Object Management Group)
• Open Group (X/Open + OSF)
• NIST (National Institute of Standards and Technology), NIST-CSRC (Computer Security Resource Clearinghouse)
• NSA (National Security Agency),
• Thinck (Security Product Vendors)
• W3C (World Wide Web Consortium), WWW FAQ, WWW Security FAQ

General Software

• Purdue (multi platform)
• (MacOS)
• Hyperarchive (MacOS)

References

Selected books on security and cryptography

[BM91]

Bellovin SM, Merritt M: Limitations of the Kerberos Authentication System; Computer Communication Review 20/5 (1990) 119-132. Postscript

[CB95]

Cheswick RC, Bellovin SM: Firewalls and Internet Security; Addison-Wesley, Reading 1994.

[CZ95]

Chapman DB, Zwicky ED: Building Internet Firewalls; O'Reilly and Associates, Sebastopol 1995.

[P95]

Bart Preneel (ed.): Fast Software Encryption; LNCS 1008; Springer, Berlin 1995.

[G95]

Garfinkel S:Pretty Good Privacy;O'Reilly, Sebastopol 1995. 1993, 257-274.

[GRL90]

Gasser M, Le Roux Y, Lipner S: The Digital Distributed System Security Archtecture; SECURICOM 90, 8th Worldwide Congress on Computer and Communications Security and Protection, March 13-16, 1990, Paris, 81-94.

[GKL92]

Gasser M, Kaufman C, Linn J, Le Roux Y, Tardo J: DASS: Distributed Authentication Security Service; Education and Society, Aiken R (ed.), Proc. 12th IFIP World Computer Congress 1992, Information Processing 92, Vol. II, Elsevier Science Publishers B.V. (North-Holland), 1992, 447-456.

[NK93]

Neuman BC, Kohl J: The Kerberos Network Authentication Service (V5); RFC-1510, 1993.

[NS78]

Needham RM, Schroeder MD: Using Encryption for Authentication in Large Networks of Coputers; Communications of the ACM, 21(12) 1978, 993-999.

[NSA95]

NSA: Security Service API: Cryptographic API Recommendations; 1995 Postscript.

[NT94]

Neuman BC, Ts'o T: Kerberos: An Authentication Service for Computer Networks; IEEE Communications, 32(9) 1994 HTML.

[S96]

Schneier B:Applied Cryptography; John Wiley, New York 1996.

[Z96]

Zimmermann PR: The Official PGP User's guide; MIT Press, Cambridge 1995.

Last modified: June 1, 1996