Internationally Available Strong Crypto Products

Part III: Development Environments and Secure Web Services

By Seán Boran

Go to Part I: Introduction, Secure Telnet and File Encryption

Go to Part II: Secure Email and VPNs

September 20, 1999. This is the third part in a series of three articles devoted to people who need strong crypto internationally. Part three focuses on development environments and secure web services.

If we missed one of your favourite international products below, or you would like to submit corrections or feedback, contact us.


Development Libraries

Be careful when choosing libraries: the quality of implementations differs. In particular, the quality of random number generation, the protection of clear-text in memory and even the cleanness of the algorithm implementations vary greatly. Access to full sources makes debugging and verification easier.

Commercial crypto Libraries

Commercial libraries are often pricey (tens of thousands of dollars).
  1. PGP: the C/C++ PGPsdk is available from Network Associates (www.pgpinternational.com, www.pgpinternational.com/product/sof-dev.html) and runs on Solaris, Linux, Win95/NT and Mac.
  2. Baltimore Technologies (www.baltimore.com) have been in the encryption game for over 20 years and have an established crypto pedigree. They are based in Ireland, England and Australia.
  3. Baltimore offer the CST encryption libraries in C. SMT is an S/MIME toolkit. SSL, Java SSL and PKI libraries are also available.
     J/Crypto is a pure Java library that implements encryption, hashing and certificate management. V3 was used by the author for secure Applet-Proxy-Server communications.
  4. Entrust: see below.
  5. Switzerland: r3 Engineering: see the note on Entrust below.
  6. Denmark: Cryptomathic
  7. Germany:
  8. Canada: Certicom offer toolkits that include plug-ins for Microsoft CAPI and Intel CDSA. SSL and smart card libraries are also available.
  9. C2Net offer an SSL crypto engine and SafePassage Secure Tunnel for adding encrypted TCP tunnels to applications (a bit like SSH TCP tunnels).
  10. Australia: Eracom offer crypto hardware for UNIX (SCO) and Windows, with DES and RSA interfaces and development libraries in Java (JCE) and C (PKCS#11 / Cryptoki).

Free crypto libs

References

Garbo, Crypto CD
www.cs.hut.fi/crypto/                                           [pointers to crypto SW]
ftp.funet.fi/pub/crypt                                          [excellent: a "must visit"]
www.counterpane.com/                                            [Schneier: Blowfish, Twofish]
ftp.psy.uq.oz.au/pub/Crypto/                                    [E. Young's DES, SSL]
www.systemics.com/                                              [Cryptix Java, C, Perl]
www.eskimo.com/~weidai/cryptlib.html                            [Wei Dai's C++ lib]
www.cs.hut.fi/ssh/                                              [Tatu Ylonen's SSH]
cwis.kub.nl/~frw/people/koops/lawsurvy.htm                      [Crypto + Law]
ftp://ripem.msu.edu/pub/crypt/sci.crypt/                        [sci.crypt archives]
www.swcp.com/~iacr/                                             [International Association for Cryptologic Research]
www.cs.adfa.oz.au/teaching/studinfo/csc/lectures/classical.html [classical crypto explanation]
www.cryptosoft.com/snews/snews.htm                              [an index to lots of crypto news articles]
cryptography.org/freecryp.htm                                   [links to crypto sites, a bit old]

A good overview of the history of PGP versions and their supported algorithms can be found at www.stat.uga.edu/~rmarquet/pgpvers.html

Vendors:

www.sse.ie: CA/RA, S/MIME, strong SSL.
www.baltimore.com: CA/RA, S/MIME, PKI / SSL / crypto programming toolkits.
www.trustworks.com: VPN.
www.datafellows.com: VPN, file encryption, SSH, anti-virus.
www.gemplus.com: smart cards.


Secured web services

Secured web services are based on the use of standard application protocols over SSL. Netscape's Secure Sockets Layer is a "plug-in" socket layer (port 443 for HTTP) offering client and server authentication, integrity checking, compression and encryption. It is currently an Internet draft (not yet approved). It is designed to sit on top of the transport layer of the TCP/IP stack (like Berkeley sockets) and below the applications (such as telnet, ftp and HTTP). SSL was introduced in July 1994.

TLS (Transport Layer Security): in 1995, the IETF started work on the adoption of SSL as an Internet Standard, known as TLS. A draft of the protocol was published in March 1997, based on SSL 3.0. Differences include the use of HMAC instead of MD5 for integrity checking and a slightly different set of supported encryption algorithms. See www.consensus.com/ietf-tls or www.ietf.org/html.charters/tls-charter.html
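As an added illustration of the integrity-check difference just mentioned (example code written for this page, not from the original article or any vendor): the SSL 3.0 record MAC was a keyed hash built around MD5 (or SHA-1) with fixed pad bytes, whereas TLS 1.0 uses HMAC over the record header and payload. The key, sequence number and payload below are constructed sample values.

```python
import hashlib
import hmac
import struct

# SSL 3.0 pad constants for MD5: 48 bytes each (40 bytes when SHA-1 is used).
PAD1 = b"\x36" * 48
PAD2 = b"\x5c" * 48


def ssl3_mac_md5(mac_secret: bytes, seq_num: int, content_type: int, fragment: bytes) -> bytes:
    """SSL 3.0 record MAC (keyed MD5 with fixed pads, not HMAC):
       MD5(secret + PAD2 + MD5(secret + PAD1 + seq_num + type + length + fragment))."""
    header = struct.pack("!QBH", seq_num, content_type, len(fragment))
    inner = hashlib.md5(mac_secret + PAD1 + header + fragment).digest()
    return hashlib.md5(mac_secret + PAD2 + inner).digest()


def tls10_mac_md5(mac_secret: bytes, seq_num: int, content_type: int, fragment: bytes) -> bytes:
    """TLS 1.0 record MAC: HMAC-MD5(secret, seq_num + type + version(3,1) + length + fragment).
       Unlike SSL 3.0, the protocol version is covered by the MAC as well."""
    header = struct.pack("!QBBBH", seq_num, content_type, 3, 1, len(fragment))
    return hmac.new(mac_secret, header + fragment, hashlib.md5).digest()


def mac_check(mac_secret: bytes, seq_num: int, content_type: int,
              fragment: bytes, tag: bytes, version: str = "tls") -> bool:
    """Receiver-side check: recompute the MAC for the expected sequence number and
       compare in constant time, so a replayed or modified record is rejected."""
    compute = tls10_mac_md5 if version == "tls" else ssl3_mac_md5
    expected = compute(mac_secret, seq_num, content_type, fragment)
    return hmac.compare_digest(expected, tag)


# Constructed sample values (not real session keys or traffic).
SECRET = bytes(range(16))
APPLICATION_DATA = 23            # record content type for application data
SAMPLE = b"GET / HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    ssl3_tag = ssl3_mac_md5(SECRET, 0, APPLICATION_DATA, SAMPLE)
    tls_tag = tls10_mac_md5(SECRET, 0, APPLICATION_DATA, SAMPLE)
    print("SSL 3.0 MAC:", ssl3_tag.hex())
    print("TLS 1.0 MAC:", tls_tag.hex())
    # Same bytes presented under a different sequence number (a replay) fail the check.
    print("replay accepted:", mac_check(SECRET, 1, APPLICATION_DATA, SAMPLE, tls_tag))
```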

Strong Browsers

HTTP over SSL is the most common use of SSL. https:// is used rather than http:// to connect to a secured site. If you use Netscape Navigator 2 or 3, the broken key in the bottom left corner becomes "unbroken" to indicate that the session is encrypted. One tooth on the key indicates 40-bit encryption and two teeth indicate 128-bit encryption.

Strong Web servers

Other services over SSL

Before considering SSL for Telnet, rsh or ftp, give SSH a look: it has more to offer for interactive logon and file copying.

LDAP over SSL: OpenLDAP www.openldap.org

IMAP/POP over SSL

FTP over SSL

rsh/rlogin/rcp over SSL

Telnet / tn3270 over SSL

Proxies

Sean Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.