Cryptography Enhanced Products

- Buyer's and Developer's Guide -




Introduction

This is an annotated overview of computer and network security products that are commercially available or in the public or shareware domain. The overview addresses application software engineers and system end users who are looking for suitable toolkits to meet or at least support their security needs.

The market for computer security products is difficult to survey. The more defensive sector of the market is well respected, and professional solutions are available off the shelf; for example, firewalls, access control and virus protection. The more offensive sectors are less established in the civil markets, and available products are less professional and less integrated due to governments' offenses, smaller promotion, legal uncertainties, etc. Most kinds of cryptographic and steganographic solutions fall into this category. In the current post-Cold War situation, some governments feel their national sovereignty threatened, and in the U.S. strong cryptographic products are subject to export control regulations and/or escrow plans (Clipper). Thus, software engineers, procurers and end users may find it difficult to make informed decisions in this area.

Undoubtedly, the internet and WWW increasingly act as a catalyst in balancing the legitimate security needs of governments, commerce and individual consumers, patients, etc. Naturally, individual interests are the least represented in this balancing process. In order to support proactive development of computer security that meets the security requirements of all parties involved, this overview focuses on the more offensive and less clear-cut market of security products.

If you are interested in professional privacy initiatives, explore the Golden Key Campaign.

Note that this document is only a first shot and needs more work in every respect. Feel free to comment, criticize and contribute to bleumer@acm.org.


Overview

All security products are organized into the following sections.

Cryptography Enhanced Applications and Steganography Enhanced Applications list applications (including browsers) that provide security on demand. Some of them are separate applications that work together with the production applications on a file-by-file basis. Others provide plug-in facilities for enhanced integration with production applications.

Safe Interpreters deals with a special case of applications: virtual machines capable of executing high-level programming languages like Java. We make this a separate section because such interpreters are so transparent as applications that they may be seen as a part of the runtime environment; however, they have not yet been integrated into available operating systems.

Internet Servers covers the growing number of internet servers for http, ftp, etc. that provide security services.

Runtime Environments presents security modules for operating systems. These modules enforce their respective type of security in a transparent way and usually need no maintenance by the user.

Application Programming Libraries summarizes the libraries available for cryptographic support. This section addresses software engineers more than end-users.

Protocols and Algorithms provides more background information on the standardized use of cryptographic mechanisms.

Each section provides information about the supplier (SUP) of each product and whether it is commercially available (C), freeware (F), shareware (S), or public domain (PD). If the product runs only on certain platforms, i.e., operating systems, this is mentioned under the OS entry. Respective URLs for source code, documentation, and FAQs are given (SRC). A remark (REM) on each product summarizes some specific features and drawbacks with respect to cryptography.

For more information on security legislation and export regulations consult


Cryptography Enhanced Applications


Netscape Navigator

SUP
(C) Netscape Communications
SRC
Software (US), German Mirror
REM
WWW browser that interprets a lot more than standard HTML 2.0, for example JavaScript. Capable of supporting SSL for network layer security.
Problems: .

NCSA Mosaic

SUP
(C) National Center for Supercomputing Applications (NCSA)
SRC
Software (US), German Mirror
REM
WWW Browser.

Microsoft Internet Explorer

SUP
(C) Microsoft
SRC
Software (US), German Mirror
REM
WWW Browser.

IBM Web Explorer

SUP
(C) IBM
SRC
Software (US), German Mirror
REM
WWW Browser.

SUN Hot Java

SUP
(C) SUN Microsystems
SRC
Software (US), German Mirror
REM
WWW Browser.

SafetyWeb

SUP
(C) Spry, Inc.
SRC
Evaluation Demo (US)
REM
Secure WWW server based on the new Secure-HTTP (S-HTTP) standard. SafetyWeb will encrypt and authenticate data as it is transferred between S-HTTP browsers. Any HTTP client can access the secure server, but non-S-HTTP users will not be able to use the security capabilities.
Features:

Pretty Good Privacy (PGP)

SUP
(PD) Philip Zimmermann prz@acm.org
(C) ViaCrypt (Commercial Version)
SRC
International homepage of PGP, Documentation (German), [Z96]
MIT's Public Key Server provides an international index of PGP public keys.
REM
Free international product ready to encrypt and/or sign your files. Source code available for the public domain version.

Entrust

SUP
(C) Northern Telecom (Nortel), entrust@entrust.com
SRC
Entrust Homepage, Documentation (postscript)
OS
PC - Windows 3.1, UNIX - HP-UX 9.03, Solaris 2.4, Sun OS 4.1.3, MacOS 7
REM
Scalable (several 10,000 users), fully-featured security product making use of X.500 public key management. Public-key infrastructure architected to be independent of any particular choice of cryptographic algorithm to ensure that it will always be able to take advantage of the latest advances in cryptographic technology and standards. Supported mechanisms:

RSA Secure (tm)

SUP
(C) RSA Data Security, Inc. rsasecure@rsa.com
SRC
Homepage, Evaluation demo (US)
REM
File Protection Software.

Secure File System (SFS)

SUP
Peter Gutmann ??
OS
MS-DOS, Windows 3.x, Windows 95
SRC
Homepage
REM
Transparent encryption of the file system at sector level. Careful and thorough security analysis provided.

Lotus Notes

SUP
(C) Lotus Development Corporation. RSA Data Security, Inc
SRC
No evaluation copy known on the web.
REM

Steganography Enhanced Applications


Andy Brown's S-Tools

SUP
(SW)
OS
MS Windows
REM
Hides secret information in files that must be provided by the user.

Hide and Seek 4.1

SUP
Colin Maroney
OS
MS DOS
REM
Hides secret information in files that must be provided by the user.

Pretty Good Envelope 1.0 (PGE)

SUP
Roche' Crypt
OS
REM
Hides secret information in files that must be provided by the user.

PGMstealth


Gzsteg


White Noise Storm (tm)

SUP
Ray (Arsen) Arachelian rarachel@photon.poly.edu or sunder@intercon.com or RayDude@Aol.Com
REM
Hides secret information in files that must be provided by the user.

MandelSteg


Stego

SRC
(PD) Romana Machado's Homepage
OS
Platform independent Java implementation
REM
Hides secret information in files that must be provided by the user.

Kevin Maher's Texto

SRC
REM
Hides information in files that are synthesized automatically.

Safe Interpreters


Java

SUP
SunSoft/JavaSoft
SRC
Documentation, FAQ on Applet Security, Java Security Story, Low Level Security, WWW Security FAQ
REM
Core security feature is the Java Verifier that downloads required classes on-line and checks them statically. In addition, the interpreter performs checks at run time (e.g., type and range checking). Java 2.0 does not provide for cryptographic security features such as digitally signed applets.

SafePython

SUP
(PD):
OS
Unix, MS-Windows(95, NT), MacOS
SRC
Software (FI), Software (NL), German mirror

Safe TCL


Defensive Security (Access Control)


URLs of Interest

Organisations

General Software


References

Selected books on security and cryptography

[BM91]
Bellovin SM, Merritt M: Limitations of the Kerberos Authentication System; Computer Communication Review 20/5 (1990) 119-132. Postscript
[CB95]
Cheswick RC, Bellovin SM: Firewalls and Internet Security; Addison-Wesley, Reading 1994.
[CZ95]
Chapman DB, Zwicky ED: Building Internet Firewalls; O'Reilly and Associates, Sebastopol 1995.
[P95]
Bart Preneel (ed.): Fast Software Encryption; LNCS 1008; Springer, Berlin 1995.
[G95]
Garfinkel S: Pretty Good Privacy; O'Reilly, Sebastopol 1995. 1993, 257-274.
[GRL90]
Gasser M, Le Roux Y, Lipner S: The Digital Distributed System Security Architecture; SECURICOM 90, 8th Worldwide Congress on Computer and Communications Security and Protection, March 13-16, 1990, Paris, 81-94.
[GKL92]
Gasser M, Kaufman C, Linn J, Le Roux Y, Tardo J: DASS: Distributed Authentication Security Service; Education and Society, Aiken R (ed.), Proc. 12th IFIP World Computer Congress 1992, Information Processing 92, Vol. II, Elsevier Science Publishers B.V. (North-Holland), 1992, 447-456.
[NK93]
Neuman BC, Kohl J: The Kerberos Network Authentication Service (V5); RFC-1510, 1993.
[NS78]
Needham RM, Schroeder MD: Using Encryption for Authentication in Large Networks of Computers; Communications of the ACM, 21(12) 1978, 993-999.
[NSA95]
NSA: Security Service API: Cryptographic API Recommendations; 1995 Postscript.
[NT94]
Neuman BC, Ts'o T: Kerberos: An Authentication Service for Computer Networks; IEEE Communications, 32(9) 1994 HTML.
[S96]
Schneier B: Applied Cryptography; John Wiley, New York 1996.
[Z96]
Zimmermann PR: The Official PGP User's Guide; MIT Press, Cambridge 1995.

Last modified: June 1, 1996

Gerrit Bleumer
bleumer@acm.org