Internationally Available Strong Crypto Products
Part III: Development Environments and Secure Web Services
By Seán Boran
Go
to Part I: Introduction, Secure Telnet and File Encryption
Go to
Part II: Secure Email and VPNs
September 20, 1999. This is the third part in a series of three
articles devoted to Persons needing strong crypto Internationally. Part
three focuses on Development Environments and Secure Web Services.
If we missed out on one of your favourite international products
below, or you like to submit corrections/feedback contact
us.
Development Libraries
Be careful when choosing libraries, quality of implementations differ.
In particular the quality of random number generation, obfuscation of clear-text
in memory and even clean algorithms varies greatly. Access to full sources
makes debugging and verification easier.
Commercial crypto Libraries
Commercial libraries are often pricey (tens of thousands of dollars..).
-
PGP: The C/C++ PGPsdk is available from Network Associates www.pgpinternational.com
and www.pgpinternational.com/product/sof-dev.html
runs on Solaris, Linux, Win95/NT, MAC.
-
Baltimore Technologies www.baltimore.com
have been in the encryption game for over 20 years and have an established
crypto pedigree. They are based in Ireland, England and Australia.
Baltimore offer the CST encryption libraries in C. SMT is an S/MIME
toolkit. An SSL, Java SSL and PKI library are also available.
J/Crypto is a pure Java library, that implements encryption, hashing
& certificate management. V3 was used by the author for secure Applet-Proxy-Server
communications.
-
Entrust: see below.
-
Switzerland: r3 Engineering: see note on Entrust
below.
-
Denmark: Cryptomathic
-
Germany:
-
Canada: Certicom offer toolkit that
include plugins for Microsoft CAPI and Intel CDSA. SSL and smart cards
libraries are available.
-
C2 net offer a SSL crypto engine
and SafePassage Secure Tunnel
for adding encrypted TCP tunnels to applications. (a bit like SSH TCP tunnels).
-
Australia: Eracom offer crypto
hardware for UNIX (SCO) and Windows, with DES and RSA interfaces and development
libraries in Java (JCE) and C (PKCS#11 / Cryptoki).
Free crypto libs
-
OpenSSL www.openssl.org
is a further development of Eric Young's SSLeay and is the foundation for
many products. Extract from the "readme":
The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, fully featured, and Open Source toolkit implementing
the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS
v1) protocols with full-strength cryptography world-wide.
OpenSSL includes low level crypto functions, such as the algorithms
in SSL and some high level PKCS functions (more are needed!). It is being
actively developed.
... if your Company want's to contribute to free crypto, look no further!
Mod_ssl, OpenLDAP
and OpenCA build on OpenSSL.
SSLeay references: Introducing
SSL and Certificates using SSLeay SSLeay
Programmer Reference SSLeay
SSLeay and SSLapps FAQ
-
Wei Dai's Crypto++ 3.1 www.eskimo.com/~weidai/cryptlib.html
is a multi-platform C++ crypto library. It does not include high level
functions such as PKCS.
-
Adam Shostack provides a comparison of algorithms implemented in various
free libraries www.homeport.org/~adam/crypto/
Entrust is a U.S. company, that bought out
the Swiss cypto company "r3 Security Engineering". Apparently this allows
them to provide crypto internationally. In fact, they are giving away complete
libraries "sort-of free" - see devnet.entrust.ch
. The following is an extract from the license:
....
Entrust Technologies hereby grants to you a non-exclusive, non-transferable,
internal license to use one (1) copy of the Entrust/Toolkit solely to develop
Licensee Applications and Licensee Applets. Any attempt to use information
received as a part of an Entrust/Toolkit for any other purpose including,
but not limited to, the creation of an emulator of the Entrust family of
products or an emulator of the Entrust/Toolkit constitutes a breach of
this License.
.....
Licensee Applications and Licensee Applets: Entrust Technologies
grants you a non-exclusive, non-transferable right to use and distribute
copies of those portions of the Entrust/Toolkit (excluding the Entrust/Engines)
incorporated into Licensee Applications or Licensee Applets by way of permitted
use of an Entrust/Toolkit. You shall not distribute the Entrust/Engine
whether separately or as part of a Licensee Application or Licensee Applet.
You shall not otherwise sell, license, distribute or in any other manner
commercially exploit any part of an Entrust/Toolkit. You shall not modify
the Entrust/Engines.
==> I'm not sure how significant the Entrust/Engines limitation
above, is.
-
Perl: See CPAN, Perl with SSL: www.neuronio.pt/SSLeay.pm.html.
-
Cryptix-Java and CryptixPerl: Cryptix
is a strong cryptographic library (V3.01) for Java. There is an older V1.16
in Perl with a PGP interface (last update April '97). Perl version doesn't
look easy to use and high-level key management functions seem to be missing.
-
PGP:
-
PGPlib:
V1.1/Jan'98 from Tage Stabell-Kuloe in Norway.
PGP 2.6.x compatible C library, UNIX (especially NetBSD 1.2, FreeBSD,
HP-UX and Linux). Uses SSLeay crypto functions. ftp://dslab1.cs.uit.no/pub/PGPlib.tar.gz
www.pasta.cs.uit.no/~tage/
www.cryp.to/pgplib-dev-archive/
-
PGPlib for Windows,
V1.0/July'98 which implements common PGP functions in C www.cam.org/~droujav/pgp/pgplib.html
-
CTC: V2.1/Jan'99 by
Ian Miller and
Mr. Tines in
England. Free PGP 2.x & 5.x compatible C++ crypto library for UNIX,
ftp.demon.co.uk/pub/mac/pgp/
.
-
PGP::Sign is a Perl library for PGP 2.x or 5.x or GnuPG with signing
only. V0.14/Feb.'99, Russ Allbery rra@stanford.edu.
See CPAN or
www.eyrie.org/~eagle/software/
-
PGP::Pipe is a Perl wrapper for PGP 2.x command line, by Gerard Hickey.
V0.3/Aug.'96. Looks good, a pity it doesn't support the PGP5 library. Find
it on CPAN .
-
PGPTools: PGP library in C. www.unicorn.com//pgp/pgptools.html
-
The GNU privacy guard (see previous section) is supplied with source code,
so it *could* be made into a library? www.gnupg.org
-
Java:
-
The Australian ABA is a clean room
implementation of the Java Cryptography Extension (JCE) API as defined
by Sun Microsystems, plus a provider of underlying crypto algorithms. This
package does not include any native code. ABA's principal (commercial)
product is a java based Ecommerce solution called SecuEpayment.
www.aba.net.au/solutions/crypto/jce.html
The license is not restrictive, looks good.
-
Cryptix-java V2.2 www.systemics.com/doc/cryptix
-
Java SSH implementations also include crypto engines:
Mindterm http://www.mindbright.se/english/
Gourio's Applet www.cl.cam.ac.uk/~fapp2/software/java-ssh/
References
Garbo, Crypto
CD
www.cs.hut.fi/crypto/
[pointers to crypto SW]
ftp.funet.fi/pub/crypt
[excellent: a "must visit"]
www.counterpane.com/
[Schneier: Blowfish, Twofish]
ftp.psy.uq.oz.au/pub/Crypto/
[E.Young's DES, SSL]
www.systemics.com/
[cryptix Java, C, Perl]
www.eskimo.com/~weidai/cryptlib.html
[Wei Dai's C++ lib]
www.cs.hut.fi/ssh/
[Tatu Ylonen's SSH]
cwis.kub.nl/~frw/people/koops/lawsurvy.htm
[Crypto+Law]
ftp://ripem.msu.edu/pub/crypt/sci.crypt/
-- sci.crypt Archives
www.swcp.com/~iacr/ -- International
Association for Cryptologic Research
www.cs.adfa.oz.au/teaching/studinfo/csc/lectures/classical.html
[Classical Crypto Explanation]
www.cryptosoft.com/snews/snews.htm
[an index to lots of crypto news articles]
cryptography.org/freecryp.htm
[links to crypto sites, a bit old]
A good overview of all the history of PGP versions and supported algorithms
can be found at www.stat.uga.edu/~rmarquet/pgpvers.html
Vendors:
www.sse.ie CA/RA, S/MIME, strong SSL.
www.baltimore.com : CA/RA, S/MIME,
PKI /SSL/ crypto programming toolkits. www.trustworks.com
VPN
www.datafellows.com VPN,
File encryption, SSH, Anti-virus.
www.gemplus.com Smart cards
Secured web services
Secured web services are based on the use of standard application protocols
over SSL. Netscape's secure socket layer is a "plug-in" socket layer (port
443 for HTTP) offering client & server authentication, integrity checking,
compression and encryption. It is currently an Internet draft (not yet
approved).
It is designed to fit on the transport layer in the TCP/IP stack (like
Berkeley sockets), but below applications (such as telnet, ftp, HTTP).
SSL was introduced in July 1994.
TLS (Transport Layer
Security) In 1995, the IETF started work on the adoption of SSL
as an Internet Standard, known as TLS. A draft of the protocol was published
in March 1997, based on SSL 3.0. Some differences are the use of HMAC instead
of MD5 for integrity checking and a slightly different set of encryption
algorithms that are supported. www.consensus.com/ietf-tls
or www.ietf.org/html.charters/tls-charter.html
Strong Browsers
HTTP over SSL is the most common usage of SSL. https:// is used rather
than http:// to connect to a secured site. If you use Netscape Navigator
2&3, the broken key on the bottom left corner will become "unbroken"
indicating that the session is encrypted. One tooth on the key indicates
40bit and 2 teeth indicate 128 bit encryption.
-
Mozilla (the version of Netscape
Communicator 5 with free source code) is available with strong crypto,
called cryptozilla that uses SSLeay.
It hasn't yet reached release status. Is it still being actively developed?
-
The Email client supplied with Netscape
Communicator 4 and later supports S/MIME. It is normally U.S. exported
restricted, but with the fortify utility (from Farrell McKay www.fortify.net),
full encryption strength can be switched back on in International versions.
Runs on UNIX as well as windows. GUI could be better.
-
Opera is a browser from an Norwegian
company, that is gaining increasing acceptance. If offers SSL v2/v3
and TLS v1 support and is less bulky than the recent Microsoft and Netscape
browsers.
-
"Strong Plugins" for weak browsers: many software addons exist, that are
effectively local proxies and allow strong SSL connection between PC and
server. There are often problems when client side authentication and smart
cards are needed, however.
-
C2 net SafePassage Web proxy, which
adds strong encryption to international versions of Explorer and Navigator.
-
TrustedWeb Express from SSE is a plug-in
for existing Browsers (including MS and NS), which provides SSL v3
encryption, authentication, smart card support (PC/SC interface), LDAP
interface and CRL checking www.sse.ie/trustedwebexpress/index.html
. Platform: Win95/NT.
-
SecureNet from Swissonline is used
by several Swiss Banks for Internet banking.
-
SafeLine from The Blue Window (Switzerland) www.commercemaker.ch/e/services/safeline/
runs on Windows and MAC.
-
Baltimore's WebSecure
is used to divert all web communications through Java programs in both
browser and web server. Built on top of the standard 40-bit SSL between
the browser and web server, WebSecure works with either a full JVM (Java
Virtual Machine) or within a smaller JRE (Java Runtime Environment). If
no WebSecure Server is present then WebSecure Client will simply relay
all 40-bit SSL data to the Web Server.
Strong Web servers
-
C2 net, probably the market leader,offer
the Stronghold Web Server
2, based on the popular Apache, with strong SSL. Stronghold costs US$995
and includes a server certificate from Thawte Consulting.
-
Apache with SSL support is available from several sources (list in probable
order of usefulness):
-
CERN HTTPD with SSL: www.west.nl/archive/cern_httpd/HTTPS.patch
-
A comparison of HTTPD server security is at webcompare.iworld.com/compare/security.html
-
"Strong Plugins" for weak web servers: many software addons exist, that
are effectively local proxies and allow strong SSL connection between client
and server.
-
C2 net offer the Stronghold
Proxy can be installed on the same host as an existing Web server,
to offer strong SSL to browsers connecting to that server. Based on Apache.
-
SSE's TrustedWeb
runs on UNIX and NT and is integrated with the web server via CGI, ISAPI
or NSAPI.
-
AdNovum (www.AdNovum.ch Switzerland)
offer a reverse proxy that is a hardened Apache/SSL and provides additional
features such as RADIUS authentication and load balancing. It's a dedicated
hardened UNIX box, that is typically used in Secure Internet applications
developed by AdNovum.
-
Baltimore's WebSecure
is used to divert all web communications through Java programs in both
browser and web server. Built on top of the standard 40-bit SSL between
the browser and web server, WebSecure works with either a full JVM (Java
Virtual Machine) or within a smaller JRE (Java Runtime Environment). If
no WebSecure Server is present then WebSecure Client will simply relay
all 40-bit SSL data to the Web Server.
-
CryptoServer, from Shoreline
Securities (in the Bahamas), is an addon for NT Web servers such as
IIS and Netscape Fastrack
Other services over SSL
Before considering SSL for Telnet, rsh or ftp, give SSH a look, it has
more to offer for interactive logon and copying.
LDAP over SSL: OpenLDAP www.openldap.org
IMAP/POP over SSL
FTP over SSL
rsh/rlogin/rcp over SSL
Telnet / tn3270 over SSL
Proxies
Sean Boran is an IT
security consultant based in Switzerland and the author of the online IT
Security Cookbook.