Cryptlib

cryptlib
Developer(s): Peter Gutmann
Initial release: 1995
Stable release: 3.4.5 (2019) [1]
Written in: C
Type: Security library
License: Sleepycat (Berkeley Database) License [2] [3]
Website: www.cs.auckland.ac.nz/~pgut001/cryptlib/

cryptlib is an open-source cross-platform software security toolkit library. It is distributed under the Sleepycat License, [2] a free software license compatible with the GNU General Public License. [3] Alternatively, cryptlib is available under a proprietary license for those preferring to use it under proprietary terms. [4]

Features

cryptlib is a security toolkit library that allows programmers to incorporate encryption and authentication services into software. It provides a high-level interface so that strong security capabilities can be added to an application without needing to know many of the low-level details of encryption or authentication algorithms. It comes with a programming manual of over 400 pages. [5]

At the highest level, cryptlib provides implementations of complete security services such as S/MIME and PGP/OpenPGP secure enveloping, SSL/TLS and SSH secure sessions, CA services such as CMP, SCEP, RTCS, and OCSP, and other security operations such as secure timestamping. Since cryptlib uses industry-standard X.509, S/MIME, PGP/OpenPGP, and SSH/SSL/TLS data formats, the resulting encrypted or signed data can be easily transported to other systems and processed there, and cryptlib itself runs on many operating systems—all Windows versions and most Unix/Linux systems. This allows email, files, and EDI transactions to be authenticated with digital signatures and encrypted in an industry-standard format.

cryptlib provides other capabilities including full X.509/PKIX certificate handling (all X.509 versions from X.509v1 to X.509v4) with support for SET, Microsoft AuthentiCode, Identrus, SigG, S/MIME, SSL, and Qualified certificates, PKCS #7 certificate chains, handling of certification requests and CRLs (certificate revocation lists) including automated checking of certificates against CRLs and online checking using RTCS and OCSP, and issuing and revoking certificates using CMP and SCEP. It also implements a full range of certification authority (CA) functions and provides complete CMP, SCEP, RTCS, and OCSP server implementations to handle online certificate enrolment/issue/revocation and certificate status checking. Alongside the certificate handling, it provides a sophisticated key storage interface that allows the use of a wide range of key database types ranging from PKCS #11 devices, PKCS #15 key files, and PGP/OpenPGP key rings through to commercial-grade RDBMSs and LDAP directories with optional SSL protection.

cryptlib can make use of the crypto capabilities of a variety of external crypto devices such as hardware crypto accelerators, Fortezza cards, PKCS #11 devices, hardware security modules (HSMs), and crypto smart cards. It can be used with a variety of crypto devices that have received FIPS 140 or ITSEC/Common Criteria certification. The crypto device interface also provides a general-purpose plug-in capability for adding new functionality that can be used by cryptlib.

cryptlib is written in C and supports BeOS, DOS, IBM MVS, Mac OS X, OS/2, Tandem, a variety of Unix versions (including AIX, Digital Unix, DGUX, FreeBSD/NetBSD/OpenBSD, HP-UX, IRIX, Linux, MP-RAS, OSF/1, QNX, SCO/UnixWare, Solaris, SunOS, Ultrix, and UTS4), VM/CMS, Windows 3.x, Windows 95/98/ME, Windows CE/PocketPC/SmartPhone and Windows NT/2000/XP/Vista. It is designed to be portable to other embedded system environments. It is available as a standard Windows DLL. Language bindings are available for C / C++, C# / .NET, Delphi, [6] Java, Python, and Visual Basic (VB).

Algorithm support

Ciphers
Algorithm | Key size (bits) | Block size (bits)
AES | 128/192/256 | 128
Blowfish | 448 | 64
CAST-128 | 128 | 64
DES [7] | 56 | 64
Triple DES | 112 / 168 | 64
IDEA [8] | 128 | 64
RC2 [9] | 1024 | 64
RC4 [9] | 2048 | 8
RC5 [8] | 832 | 64
Skipjack [9] | 80 | 64

Hashes
Algorithm | Digest size (bits)
MD2 [7] [9] | 128
MD4 [7] [9] | 128
MD5 [7] | 128
RIPEMD-160 | 160
SHA-1 | 160
SHA-2 / SHA-256 | 256

MACs
Algorithm | Key size (bits) | Digest size (bits)
HMAC-MD5 | 128 | 128
HMAC-RIPEMD-160 | 160 | 160
HMAC-SHA-1 | 160 | 160
HMAC-SHA-2 | 256 | 256

Public-key
Algorithm | Key size (bits)
Diffie–Hellman | 4096
DSA | 4096
ECDSA | 521
ECDH | 521
Elgamal | 4096
RSA | 4096

Release History


References

  1. Gutmann, Peter (2019). "Downloading". cryptlib. University of Auckland School of Computer Science. Retrieved 2019-08-07.
  2. "{title}". Archived from the original on 2018-06-29. Retrieved 2018-11-02.
  3. "{title}". Archived from the original on 2009-07-16. Retrieved 2018-11-02.
  4. "{title}". Archived from the original on 2011-06-08. Retrieved 2011-02-05.
  5. https://www.cryptlib.com/downloads/manual.pdf
  6. "Cryptlib AddOn's for Delphi programmers". cryptlib.sogot.de. Archived from the original on 2008-03-17. Retrieved 2008-04-07.
  7. Disabled by default due to its insecurity
  8. Disabled by default due to it being patented
  9. Disabled by default due to it being obsolete
  10. Gutmann, Peter (August 21, 2018). "cryptlib 3.4.4 update 1 released". cryptlib@mbsks.franken.de (Mailing list). Retrieved 2019-08-07.
  11. Gutmann, Peter (January 10, 2018). "cryptlib 3.4.4 released". cryptlib@mbsks.franken.de (Mailing list). Retrieved 2019-08-07.
  12. Gutmann, Peter (March 25, 2016). "cryptlib 3.4.3 released". cryptlib@mbsks.franken.de (Mailing list). Retrieved 2019-08-07.
  13. Gutmann, Peter (December 17, 2012). "cryptlib 3.4.2 released". cryptlib@mbsks.franken.de (Mailing list). Retrieved 2019-08-07.
  14. Gutmann, Peter (July 27, 2011). "cryptlib 3.4.1 released". cryptlib@mbsks.franken.de (Mailing list). Retrieved 2019-08-07.
  15. Gutmann, Peter (October 6, 2010). "cryptlib 3.4.0 released". cryptlib@mbsks.franken.de (Mailing list). Retrieved 2019-08-07.
  16. Gutmann, Peter (July 3, 2008). "cryptlib 3.3.2 released". cryptlib@mbsks.franken.de (Mailing list). Retrieved 2019-08-07.
  17. Gutmann, Peter (February 1, 2007). "cryptlib 3.3.1 released". cryptlib@mbsks.franken.de (Mailing list). Retrieved 2019-08-07.
  18. Gutmann, Peter (September 13, 2006). "cryptlib 3.3 released". cryptlib@mbsks.franken.de (Mailing list). Retrieved 2019-08-07.
  19. Gutmann, Peter (August 29, 2006). "cryptlib 3.2.3a released". cryptlib@mbsks.franken.de (Mailing list). Retrieved 2019-08-07.
  20. Gutmann, Peter (July 10, 2006). "cryptlib 3.2.3 released". cryptlib@mbsks.franken.de (Mailing list). Retrieved 2019-08-07.
  21. Gutmann, Peter (September 6, 2005). "cryptlib 3.2.2 released". cryptlib@mbsks.franken.de (Mailing list). Retrieved 2019-08-07.
  22. Gutmann, Peter (August 9, 2005). "cryptlib 3.2.1 released". cryptlib@mbsks.franken.de (Mailing list). Retrieved 2019-08-07.
  23. Gutmann, Peter (April 18, 2005). "cryptlib 3.2 released". cryptlib@mbsks.franken.de (Mailing list). Retrieved 2019-08-07.
  24. Gutmann, Peter (December 13, 2003). "cryptlib 3.1 released". cryptlib@mbsks.franken.de (Mailing list). Retrieved 2019-08-07.