Cryptlib

Last updated
cryptlib
Developer(s) Peter Gutmann
Initial release1995 (1995)
Stable release 3.4.5 (2019;5 years ago (2019) [1] ) [±]
Written in C
Type Security library
License Sleepycat (Berkeley Database) License [2] [3]
Website www.cs.auckland.ac.nz/~pgut001/cryptlib/ OOjs UI icon edit-ltr-progressive.svg

cryptlib is an open-source cross-platform software security toolkit library. It is distributed under the Sleepycat License, [2] a free software license compatible with the GNU General Public License. [3] Alternatively, cryptlib is available under a proprietary license for those preferring to use it under proprietary terms. [4]

Contents

Features

cryptlib is a security toolkit library that allows programmers to incorporate encryption and authentication services to software. It provides a high-level interface so strong security capabilities can be added to an application without needing to know many of the low-level details of encryption or authentication algorithms. It comes with an over 400 page programming manual. [5]

At the highest level, cryptlib provides implementations of complete security services such as S/MIME and PGP/OpenPGP secure enveloping, SSL/TLS and SSH secure sessions, CA services such as CMP, SCEP, RTCS, and OCSP, and other security operations such as secure timestamping. Since cryptlib uses industry-standard X.509, S/MIME, PGP/OpenPGP, and SSH/SSL/TLS data formats, the resulting encrypted or signed data can be easily transported to other systems and processed there, and cryptlib itself runs on many operating systems—all Windows versions and most Unix/Linux systems. This allows email, files, and EDI transactions to be authenticated with digital signatures and encrypted in an industry-standard format.

cryptlib provides other capabilities including full X.509/PKIX certificate handling (all X.509 versions from X.509v1 to X.509v4) with support for SET, Microsoft AuthentiCode, Identrus, SigG, S/MIME, SSL, and Qualified certificates, PKCS #7 certificate chains, handling of certification requests and CRLs (certificate revocation lists) including automated checking of certificates against CRLs and online checking using RTCS and OCSP, and issuing and revoking certificates using CMP and SCEP. It also implements a full range of certification authority (CA) functions provides complete CMP, SCEP, RTCS, and OCSP server implementations to handle online certificate enrolment/issue/revocation and certificate status checking. Alongside the certificate handling, it provides a sophisticated key storage interface that allows the use of a wide range of key database types ranging from PKCS #11 devices, PKCS #15 key files, and PGP/OpenPGP key rings through to commercial-grade RDBMS' and LDAP directories with optional SSL protection.

cryptlib can make use of the crypto capabilities of a variety of external crypto devices such as hardware crypto accelerators, Fortezza cards, PKCS #11 devices, hardware security modules (HSMs), and crypto smart cards. It can be used with a variety of crypto devices that have received FIPS 140 or ITSEC/Common Criteria certification. The crypto device interface also provides a general-purpose plug-in capability for adding new functionality that can be used by cryptlib.

cryptlib is written in C and supports BeOS, DOS, IBM MVS, Mac OS X, OS/2, Tandem, a variety of Unix versions (including AIX, Digital Unix, DGUX, FreeBSD/NetBSD/OpenBSD, HP-UX, IRIX, Linux, MP-RAS, OSF/1, QNX, SCO UnixWare, Solaris, SunOS, Ultrix, and UTS4), VM/CMS, Windows 3.x, Windows 95/98/ME, Windows CE/PocketPC/SmartPhone and Windows NT/2000/XP/Vista. It is designed to be portable to other embedded system environments. It is available as a standard DLL. Language bindings are available for C / C++, C# / .NET, Delphi, [6] Java, Python, and Visual Basic (VB).

Algorithm support

Ciphers
AlgorithmKey sizeBlock size
AES 128/192/256128
Blowfish 44864
CAST-128 12864
DES [7] 5664
Triple DES 112 / 16864
IDEA [8] 12864
RC2 [9] 102464
RC4 [9] 20488
RC5 [8] 83264
Skipjack [9] 8064
Hashes
AlgorithmDigest size
MD2 [7] [9] 128
MD4 [7] [9] 128
MD5 [7] 128
RIPEMD-160 160
SHA-1 160
SHA-2 / SHA-256256
MACs
AlgorithmKey sizeDigest size
HMAC-MD5 128128
HMAC-RIPEMD-160 160160
HMAC-SHA-1 160160
HMAC-SHA-2 256256
Public-key
AlgorithmKey size
Diffie–Hellman 4096
DSA 4096
ECDSA 521
ECDH 521
Elgamal 4096
RSA 4096

Release History

See also

Related Research Articles

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.

<span class="mw-page-title-main">Public key infrastructure</span> System that can issue, distribute and verify digital certificates

A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption.

In cryptography, X.509 is an International Telecommunication Union (ITU) standard defining the format of public key certificates. X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secure protocol for browsing the web. They are also used in offline applications, like electronic signatures.

<span class="mw-page-title-main">OpenSSL</span> Open-source implementation of the SSL and TLS protocols

OpenSSL is a software library for applications that provide secure communications over computer networks against eavesdropping, and identify the party at the other end. It is widely used by Internet servers, including the majority of HTTPS websites.

In cryptography, Camellia is a symmetric key block cipher with a block size of 128 bits and key sizes of 128, 192 and 256 bits. It was jointly developed by Mitsubishi Electric and NTT of Japan. The cipher has been approved for use by the ISO/IEC, the European Union's NESSIE project and the Japanese CRYPTREC project. The cipher has security levels and processing abilities comparable to the Advanced Encryption Standard.

<span class="mw-page-title-main">GnuTLS</span> Free software library implementing TLS

GnuTLS is a free software implementation of the TLS, SSL and DTLS protocols. It offers an application programming interface (API) for applications to enable secure communication over the network transport layer, as well as interfaces to access X.509, PKCS #12, OpenPGP and other structures.

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative to certificate revocation lists (CRL), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI). Messages communicated via OCSP are encoded in ASN.1 and are usually communicated over HTTP. The "request/response" nature of these messages leads to OCSP servers being termed OCSP responders.

The following tables compare general and technical features of notable email client programs.

strongSwan is a multiplatform IPsec implementation. The focus of the project is on authentication mechanisms using X.509 public key certificates and optional storage of private keys and certificates on smartcards through a PKCS#11 interface and on TPM 2.0.

<span class="mw-page-title-main">Network Security Services</span> Collection of cryptographic computer libraries

Network Security Services (NSS) is a collection of cryptographic computer libraries designed to support cross-platform development of security-enabled client and server applications with optional support for hardware TLS/SSL acceleration on the server side and hardware smart cards on the client side. NSS provides a complete open-source implementation of cryptographic libraries supporting Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and S/MIME. NSS releases prior to version 3.14 are tri-licensed under the Mozilla Public License 1.1, the GNU General Public License, and the GNU Lesser General Public License. Since release 3.14, NSS releases are licensed under GPL-compatible Mozilla Public License 2.0.

<span class="mw-page-title-main">Extended Validation Certificate</span> X.509 public key certificate

An Extended Validation Certificate (EV) is a certificate conforming to X.509 that proves the legal entity of the owner and is signed by a certificate authority key that can issue EV certificates. EV certificates can be used in the same manner as any other X.509 certificates, including securing web communications with HTTPS and signing software and documents. Unlike domain-validated certificates and organization-validation certificates, EV certificates can be issued only by a subset of certificate authorities (CAs) and require verification of the requesting entity's legal identity before certificate issuance.

Simple Certificate Enrollment Protocol (SCEP) is described by the informational RFC 8894. Older versions of this protocol became a de facto industrial standard for pragmatic provisioning of digital certificates mostly for network equipment.

In cryptography, PKCS #12 defines an archive file format for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust.

The Online Certificate Status Protocol (OCSP) stapling, formally known as the TLS Certificate Status Request extension, is a standard for checking the revocation status of X.509 digital certificates. It allows the presenter of a certificate to bear the resource cost involved in providing Online Certificate Status Protocol (OCSP) responses by appending ("stapling") a time-stamped OCSP response signed by the CA to the initial TLS handshake, eliminating the need for clients to contact the CA, with the aim of improving both security and performance.

In cryptography, Curve25519 is an elliptic curve used in elliptic-curve cryptography (ECC) offering 128 bits of security and designed for use with the Elliptic-curve Diffie–Hellman (ECDH) key agreement scheme. It is one of the fastest curves in ECC, and is not covered by any known patents. The reference implementation is public domain software.

wolfSSL is a small, portable, embedded SSL/TLS library targeted for use by embedded systems developers. It is an open source implementation of TLS written in the C programming language. It includes SSL/TLS client libraries and an SSL/TLS server implementation as well as support for multiple APIs, including those defined by SSL and TLS. wolfSSL also includes an OpenSSL compatibility interface with the most commonly used OpenSSL functions.

The Transport Layer Security (TLS) protocol provides the ability to secure communications across or inside networks. This comparison of TLS implementations compares several of the most notable libraries. There are several TLS implementations which are free software and open source.

DNS-based Authentication of Named Entities (DANE) is an Internet security protocol to allow X.509 digital certificates, commonly used for Transport Layer Security (TLS), to be bound to domain names using Domain Name System Security Extensions (DNSSEC).

The tables below compare cryptography libraries that deal with cryptography algorithms and have application programming interface (API) function calls to each of the supported features.

The Enrollment over Secure Transport, or EST is a cryptographic protocol that describes an X.509 certificate management protocol targeting public key infrastructure (PKI) clients that need to acquire client certificates and associated certificate authority (CA) certificates. EST is described in RFC 7030. EST has been put forward as a replacement for SCEP, being easier to implement on devices already having an HTTPS stack. EST uses HTTPS as transport and leverages TLS for many of its security attributes. EST has described standardized URLs and uses the well-known Uniform Resource Identifiers (URIs) definition codified in RFC 5785RFC 5785.

References

  1. Gutmann, Peter (2019). "Downloading". cryptlib. University of Auckland School of Computer Science. Retrieved 2019-08-07.
  2. 1 2 "{title}". Archived from the original on 2018-06-29. Retrieved 2018-11-02.
  3. 1 2 "{title}". Archived from the original on 2009-07-16. Retrieved 2018-11-02.
  4. "{title}". Archived from the original on 2011-06-08. Retrieved 2011-02-05.
  5. https://www.cryptlib.com/downloads/manual.pdf [ bare URL PDF ]
  6. "Cryptlib AddOn's for Delphi programmers". cryptlib.sogot.de. Archived from the original on 2008-03-17. Retrieved 2008-04-07.
  7. 1 2 3 4 Disabled by default due to its insecurity
  8. 1 2 Disabled by default due to it being patented
  9. 1 2 3 4 5 Disabled by default due to it being obsolete
  10. Gutmann, Peter (August 21, 2018). "cryptlib 3.4.4 update 1 released". cryptlib@mbsks.franken.de (Mailing list). Retrieved 2019-08-07.
  11. Gutmann, Peter (January 10, 2018). "cryptlib 3.4.4 released". cryptlib@mbsks.franken.de (Mailing list). Retrieved 2019-08-07.
  12. Gutmann, Peter (March 25, 2016). "cryptlib 3.4.3 released". cryptlib@mbsks.franken.de (Mailing list). Retrieved 2019-08-07.
  13. Gutmann, Peter (December 17, 2012). "cryptlib 3.4.2 released". cryptlib@mbsks.franken.de (Mailing list). Retrieved 2019-08-07.
  14. Gutmann, Peter (July 27, 2011). "cryptlib 3.4.1 released". cryptlib@mbsks.franken.de (Mailing list). Retrieved 2019-08-07.
  15. Gutmann, Peter (October 6, 2010). "cryptlib 3.4.0 released". cryptlib@mbsks.franken.de (Mailing list). Retrieved 2019-08-07.
  16. Gutmann, Peter (July 3, 2008). "cryptlib 3.3.2 released". cryptlib@mbsks.franken.de (Mailing list). Retrieved 2019-08-07.
  17. Gutmann, Peter (February 1, 2007). "cryptlib 3.3.1 released". cryptlib@mbsks.franken.de (Mailing list). Retrieved 2019-08-07.
  18. Gutmann, Peter (September 13, 2006). "cryptlib 3.3 released". cryptlib@mbsks.franken.de (Mailing list). Retrieved 2019-08-07.
  19. Gutmann, Peter (August 29, 2006). "cryptlib 3.2.3a released". cryptlib@mbsks.franken.de (Mailing list). Retrieved 2019-08-07.
  20. Gutmann, Peter (July 10, 2006). "cryptlib 3.2.3 released". cryptlib@mbsks.franken.de (Mailing list). Retrieved 2019-08-07.
  21. Gutmann, Peter (September 6, 2005). "cryptlib 3.2.2 released". cryptlib@mbsks.franken.de (Mailing list). Retrieved 2019-08-07.
  22. Gutmann, Peter (August 9, 2005). "cryptlib 3.2.1 released". cryptlib@mbsks.franken.de (Mailing list). Retrieved 2019-08-07.
  23. Gutmann, Peter (April 18, 2005). "cryptlib 3.2 released". cryptlib@mbsks.franken.de (Mailing list). Retrieved 2019-08-07.
  24. Gutmann, Peter (December 13, 2003). "cryptlib 3.1 released". cryptlib@mbsks.franken.de (Mailing list). Retrieved 2019-08-07.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.