For an informative overview on cryptographic application programming
interfaces see [NSA95].
Generic Security Services API (GSS-API)
- SUP
- Open Group - XOpen (John Linn) XoSpecs@xopen.co.uk
- SRC
- RFC
1508
Generic Security Service Application Program Interface
- RFC
1509
Generic Security Service API: C-bindings
- REM
- Most general and stable high level API
- Establishes contexts for bi-directional security associations
- SUP
- Open Group - XOpen (John Linn) XoSpecs@xopen.co.uk
- REM
- Companion API to GSS.
- Establishes contexts for uni-directional security associations.
- SUP
- Open Group - XOpen
Piers McMahon (ICL/UK);
- SRC
- Documentation
- SUP
- (C) RSA Laboratories, Burt Kaliski
- SRC
- RSA Homepage
- BSAFE
Specification, PKCS (CRYPTOKI)
Documentation
- RSAREF Documentation
- REM
- BSAFE - PKCS (CRYPTOKI): Low-level object oriented CAPI.
Hardware and software implementations are called ``cryptographic tokens''.
- handles application data objects, certificate objects and
public/private/secret key objects,
- FORTEZZA used by NSA as a hardware implementation (``real token'') for
CRYPTOKI.
- Includes DES, 3DES, RSA, RC2, RC4, RC5, PEM, PKCS, X.509, Shamir Secret
Sharing, Diffie Hellman Key Exchange
- RSAREF: Cryptographic toolkit to facilitate rapid
deployment of Internet Privacy-Enhanced Mail
- SUP
- SRC
- REM
- SUP
- (PD) GMD Darmstadt, Germany, Wolfgang
Schneider
- SRC
- SecuDE Homepage (DE)
- REM
- Implementation of X.509, ASN.1, PKCS, PEM. Uses commonly accepted
algorithms like RSA, DES, DSS...
- SUP
- (C) Microsoft (David M. Balenson)
- SRC
- Software
- REM
- Cryptographic library that supports Win32(TM) applications. Hardware and
software implementations of the library are called ``cryptographic service
providers'' (CSP).
- One CSP will be included in Windows NT and probably Windows 95. The OS will
not load just any old CSP. CSPs have to be signed by Microsoft. The kernel
contains a (hardcoded?) 1024 RSA public key that it uses to check the signature
when the user tries to load a CSP. If the signature check fails, the CSP won't
load. Microsoft says it will sign any CSP from anyone AS LONG AS THEY CERTIFY
THAT THEY WILL FOLLOW THE EXPORT RULES. So you can get your CSP signed if you
use exportable cryptography or if you agree not to send it outside the US and
Canada, etc. But an end user can't just compile crypto code and use it as a
CSP, even for his or her own use, without getting it signed by Microsoft first
(actually, the CSP development kit does allow this, but it includes a special
version of the OS kernel).
- Includes: RSA
- SUP
- National Security Agency (NSA), Amy Reiss
- SRC
-
Homepage
- REM
- First API definition by NSA. Second version announced for June 96.
Implementations planned as Cryptographic Service Providers pluggable into
Microsoft CAPI
- Several accompanying APIs planned:
- Certificate Management API
- Authentication API
- Key Management API
- Audit API
- SUP
- (PD) Wei Dai
- SRC
-
Homepage
- Software
(US)
- REM
- C++ class library of cryptographic primitives (mostly other people's code,
repackaged into classes). Compiled and tested on Borland C++ 4.5, MSVC 4.0, and
G++ 2.7.2 on MS-DOS, Windows NT, and a variety of UNIX machines.
- CryptoSystems available:
- Encryption - IDEA, DES, 3DES, RC4, RC5, Blowfish, SAFER, RSA, ElGamal,
- Digital Signature - RSA, DSA, LUC,
- Hash function - SHA, MD5,
- Secret Sharing, Zero Knowledge Proofs of Graph Isomorphism, etc.
- SUP
- (PD) Eric A. Young
- SRC
- Software (AUS)
- German
mirror
- SSLeay FAQ
- REM
- Royalty free software library implementing the Secure
Socket Layer Protocol. Provides strong end-to-end encryption even outside
the US (No US product).
- SUP
- (C) Terisa Systems
- REM
- Secure version of HTTP that uses an extra protocol specifier ``shttp://''
and adheres to the same dataflow conventions as HTTP, i.e., no interactivity
between client and server.
- Asymmetric key management typically using RSA (manual or Kerberos possible)
- Application layer encryption + authentication + non-repudiation
- All mechanisms including key lenghts negotiable
- Exchange formats PKCS-7, PEM, MOSS
- SUP
- John Linn
- SRC
- Privacy enhancement for Internet electronic mail:
- RFC
1421
Part I: Message encryption and authentication procedures,
- RFC
1422
Part II: Certificate-based key management
- RFC
1423
Part III: Algorithms, modes, and identifiers
- RFC
1424
Part IV: Key Certification and Related Services
- REM
- Application layer encryption + authentication + non-repudiation
The Directory Authentication Service (X.509)
- SUP
- ISO, CCITT
- SRC
-
- REM
- ISO Standard for public key exchange using a hierarchical infrastructure of
trusted certification authorities. Clients may generate private keys on their
own. Public keys may be used for arbitrary purposes, e.g., digital signatures
(strong authentication) and/or public key encryption.
- SUP
- Netscape Communications
- SRC
- Documentation
- REM
- Session layer encryption + authentication (no non-repudiation),
- RSA for key exchange during handshake/key establishment phase (server
starts a session by sending his public-key + certificate, public key directory
required),
- Newer version also allows for other key exchange methods like FORTEZZA,
- Symmetric algorithms for bulk encryption,
- supports many higher protocols like HTTP, NNTP, etc.
- Cannot provide non-repudiable proof of client origin as clients' private
keys are not supported,
- Key Management:
- VeriSign acts as global Key
Distribution Centre (Trusted Third Party) and authenticates SSL Servers on a
commercial basis. Examples: Apache SSL Server distributed by
Community ConneXion
- Netscape Navigator interoperates with VeriSign as VeriSign's Public Key is
hard coded into Netscape Navigator 2.0 and higher.
- SUP
- IETF (R. Atkinson, P. Metzger)
- SRC
- IP-layer security architecture
- RFC
1826
IP Authentication Header,
- RFC
1827
IP Encapsulating Security Payload (ESP)
- RFC
1828
IP Authentication using Keyed MD5
- RFC
1829
ESP DES-CBC Transform
- REM
- Two alternative algorithm independent mechanisms:
- IP Authentication Header (AH) RFC-1826
, MD5 mandatory-to-implement, no encryption required
- IP Encapsulating Security Payload (ESP)
RFC-1827 , DES-CBC
mandatory-to-implement,
- Prototyping efforts
- SUP
- ?
- SRC
- RFC
1848
MIME Object Security Services
- Documentation
- REM
-
- SUP
- ??
- SRC
- RFC
1847
Security Multiparts for MIME: Multipart/Signed and Multipart/Encrypted,
- Software?? (US)
- REM
-
- SRC
- Software?? (AUS)
- REM
- Symmetric block cipher with 64 bit input/output blocks and 56 bit keys.
- SRC
- RFC
1321
MD5 Message-Digest Algorithm
- REM
- Hash algorithm that produces 128 bit output.
- SRC
- Software
(BE)
- REM
- Hash algorithms that produce 128-bit and 160-bit outputs, respectively.
Last modified: June 1, 1996
(Some links adapted: Birgit Pfitzmann, Jan 27, 1997)
Gerrit Bleumer
bleumer@acm.org