Cryptlib
Encyclopedia
cryptlib is an open source
cross-platform software security toolkit library. It is distributed under the Sleepycat License
, a free software license compatible with the GNU General Public License
. Alternatively, cryptlib is available under a standard commercial license for those preferring to use it under commercial terms.
At the highest level, cryptlib provides implementations of complete security services such as S/MIME
and PGP
/OpenPGP secure enveloping, SSL/TLS
and SSH
secure sessions, CA
services such as CMP
, SCEP
, RTCS, and OCSP
, and other security operations such as secure timestamping. Since cryptlib uses industry-standard X.509
, S/MIME, PGP/OpenPGP, and SSH/SSL/TLS data formats, the resulting encrypted or signed data can be easily transported to other systems and processed there, and cryptlib itself runs on many operating systems—all Windows versions and most Unix/Linux systems. This allows email, files, and EDI transactions to be authenticated with digital signatures and encrypted in an industry-standard format.
cryptlib provides other capabilities including full X.509/PKIX certificate handling (all X.509 versions from X.509v1 to X.509v4) with support for SET
, Microsoft AuthentiCode, Identrus, SigG, S/MIME, SSL, and Qualified certificates, PKCS #7 certificate chains, handling of certification requests and CRLs (certificate revocation lists) including automated checking of certificates against CRLs and online checking using RTCS and OCSP, and issuing and revoking certificates using CMP and SCEP. It also implements a full range of certification authority (CA) functions provides complete CMP, SCEP, RTCS, and OCSP server implementations to handle online certificate enrolment/issue/revocation and certificate status checking. Alongside the certificate handling, it provides a sophisticated key storage interface that allows the use of a wide range of key database types ranging from PKCS #11 devices, PKCS #15 key files, and PGP/OpenPGP key rings through to commercial-grade RDBMS
' and LDAP directories with optional SSL protection.
cryptlib can make use of the crypto capabilities of a variety of external crypto devices such as hardware crypto accelerators, Fortezza cards, PKCS #11 devices, hardware security modules (HSMs), and crypto smart cards. It can be used with a variety of crypto devices that have received FIPS 140 or ITSEC/Common Criteria certification. The crypto device interface also provides a general-purpose plug-in capability for adding new functionality that can be used by cryptlib.
cryptlib is written in C and supports BeOS, DOS, IBM MVS, Mac OS X, OS/2, Tandem, a variety of Unix versions (including AIX, Digital Unix, DGUX, FreeBSD/NetBSD/OpenBSD, HP-UX, IRIX, Linux, MP-RAS, OSF/1, QNX, SCO/UnixWare, Solaris, SunOS, Ultrix, and UTS4), VM/CMS, Windows 3.x, Windows 95/98/ME, Windows CE/PocketPC/SmartPhone and Windows NT/2000/XP/Vista. It is designed to be portable to other embedded system environments. It is available as a standard Windows DLL. Language bindings are available for C
/ C++
, C# / .NET
, Delphi, Java
, Python
, and Visual Basic
(VB).
Open source
The term open source describes practices in production and development that promote access to the end product's source materials. Some consider open source a philosophy, others consider it a pragmatic methodology...
cross-platform software security toolkit library. It is distributed under the Sleepycat License
Sleepycat License
Sleepycat License is an OSI-approved open source license used by Oracle Corporation for the Berkeley DB, Berkeley DB Java Edition and Berkeley DB XML embedded database products...
, a free software license compatible with the GNU General Public License
GNU General Public License
The GNU General Public License is the most widely used free software license, originally written by Richard Stallman for the GNU Project....
. Alternatively, cryptlib is available under a standard commercial license for those preferring to use it under commercial terms.
Features
cryptlib is a security toolkit library that allows programmers to incorporate encryption and authentication services to software. It provides a high-level interface so strong security capabilities can be added to an application without needing to know many of the low-level details of encryption or authentication algorithms. It comes with an over 400 page programming manual.At the highest level, cryptlib provides implementations of complete security services such as S/MIME
S/MIME
S/MIME is a standard for public key encryption and signing of MIME data. S/MIME is on an IETF standards track and defined in a number of documents, most importantly RFCs. S/MIME was originally developed by RSA Data Security Inc...
and PGP
Pretty Good Privacy
Pretty Good Privacy is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting and decrypting texts, E-mails, files, directories and whole disk partitions to increase the security...
/OpenPGP secure enveloping, SSL/TLS
Transport Layer Security
Transport Layer Security and its predecessor, Secure Sockets Layer , are cryptographic protocols that provide communication security over the Internet...
and SSH
Secure Shell
Secure Shell is a network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that it connects via a secure channel over an insecure network: a server and a client...
secure sessions, CA
Certificate authority
In cryptography, a certificate authority, or certification authority, is an entity that issues digital certificates. The digital certificate certifies the ownership of a public key by the named subject of the certificate...
services such as CMP
Certificate Management Protocol
The Certificate Management Protocol is an Internet protocol used for obtaining X.509 digital certificates in a public key infrastructure . It is described in RFC 4210 and is one of two protocols so far to use the Certificate Request Message Format , described in RFC 4211, with the other protocol...
, SCEP
Simple Certificate Enrollment Protocol
Simple Certificate Enrollment Protocol is an Internet Draft in the Internet Engineering Task Force . This protocol is being referenced by several manufacturers of network equipment and software who are developing simplified means of handling certificates for large-scale implementation to everyday...
, RTCS, and OCSP
Online Certificate Status Protocol
The Online Certificate Status Protocol is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 2560 and is on the Internet standards track...
, and other security operations such as secure timestamping. Since cryptlib uses industry-standard X.509
X.509
In cryptography, X.509 is an ITU-T standard for a public key infrastructure and Privilege Management Infrastructure . X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation...
, S/MIME, PGP/OpenPGP, and SSH/SSL/TLS data formats, the resulting encrypted or signed data can be easily transported to other systems and processed there, and cryptlib itself runs on many operating systems—all Windows versions and most Unix/Linux systems. This allows email, files, and EDI transactions to be authenticated with digital signatures and encrypted in an industry-standard format.
cryptlib provides other capabilities including full X.509/PKIX certificate handling (all X.509 versions from X.509v1 to X.509v4) with support for SET
Secure electronic transaction
Secure Electronic Transaction was a standard protocol for securing credit card transactions over insecure networks, specifically, the Internet. SET was not itself a payment system, but rather a set of security protocols and formats that enable users to employ the existing credit card payment...
, Microsoft AuthentiCode, Identrus, SigG, S/MIME, SSL, and Qualified certificates, PKCS #7 certificate chains, handling of certification requests and CRLs (certificate revocation lists) including automated checking of certificates against CRLs and online checking using RTCS and OCSP, and issuing and revoking certificates using CMP and SCEP. It also implements a full range of certification authority (CA) functions provides complete CMP, SCEP, RTCS, and OCSP server implementations to handle online certificate enrolment/issue/revocation and certificate status checking. Alongside the certificate handling, it provides a sophisticated key storage interface that allows the use of a wide range of key database types ranging from PKCS #11 devices, PKCS #15 key files, and PGP/OpenPGP key rings through to commercial-grade RDBMS
Relational database management system
A relational database management system is a database management system that is based on the relational model as introduced by E. F. Codd. Most popular databases currently in use are based on the relational database model....
' and LDAP directories with optional SSL protection.
cryptlib can make use of the crypto capabilities of a variety of external crypto devices such as hardware crypto accelerators, Fortezza cards, PKCS #11 devices, hardware security modules (HSMs), and crypto smart cards. It can be used with a variety of crypto devices that have received FIPS 140 or ITSEC/Common Criteria certification. The crypto device interface also provides a general-purpose plug-in capability for adding new functionality that can be used by cryptlib.
cryptlib is written in C and supports BeOS, DOS, IBM MVS, Mac OS X, OS/2, Tandem, a variety of Unix versions (including AIX, Digital Unix, DGUX, FreeBSD/NetBSD/OpenBSD, HP-UX, IRIX, Linux, MP-RAS, OSF/1, QNX, SCO/UnixWare, Solaris, SunOS, Ultrix, and UTS4), VM/CMS, Windows 3.x, Windows 95/98/ME, Windows CE/PocketPC/SmartPhone and Windows NT/2000/XP/Vista. It is designed to be portable to other embedded system environments. It is available as a standard Windows DLL. Language bindings are available for C
C (programming language)
C is a general-purpose computer programming language developed between 1969 and 1973 by Dennis Ritchie at the Bell Telephone Laboratories for use with the Unix operating system....
/ C++
C++
C++ is a statically typed, free-form, multi-paradigm, compiled, general-purpose programming language. It is regarded as an intermediate-level language, as it comprises a combination of both high-level and low-level language features. It was developed by Bjarne Stroustrup starting in 1979 at Bell...
, C# / .NET
.NET Framework
The .NET Framework is a software framework that runs primarily on Microsoft Windows. It includes a large library and supports several programming languages which allows language interoperability...
, Delphi, Java
Java (programming language)
Java is a programming language originally developed by James Gosling at Sun Microsystems and released in 1995 as a core component of Sun Microsystems' Java platform. The language derives much of its syntax from C and C++ but has a simpler object model and fewer low-level facilities...
, Python
Python (programming language)
Python is a general-purpose, high-level programming language whose design philosophy emphasizes code readability. Python claims to "[combine] remarkable power with very clear syntax", and its standard library is large and comprehensive...
, and Visual Basic
Visual Basic
Visual Basic is the third-generation event-driven programming language and integrated development environment from Microsoft for its COM programming model...
(VB).
Algorithm support
| Algorithm | Key size | Block size |
|---|---|---|
| AES Advanced Encryption Standard Advanced Encryption Standard is a specification for the encryption of electronic data. It has been adopted by the U.S. government and is now used worldwide. It supersedes DES... |
128/192/256 | 128 |
| Blowfish Blowfish (cipher) Blowfish is a keyed, symmetric block cipher, designed in 1993 by Bruce Schneier and included in a large number of cipher suites and encryption products. Blowfish provides a good encryption rate in software and no effective cryptanalysis of it has been found to date... |
448 | 64 |
| CAST-128 CAST-128 in cryptography, CAST-128 is a block cipher used in a number of products, notably as the default cipher in some versions of GPG and PGP. It has also been approved for Canadian government use by the Communications Security Establishment... |
128 | 64 |
| DES Data Encryption Standard The Data Encryption Standard is a block cipher that uses shared secret encryption. It was selected by the National Bureau of Standards as an official Federal Information Processing Standard for the United States in 1976 and which has subsequently enjoyed widespread use internationally. It is... |
56 | 64 |
| Triple DES Triple DES In cryptography, Triple DES is the common name for the Triple Data Encryption Algorithm block cipher, which applies the Data Encryption Standard cipher algorithm three times to each data block.... |
112 / 168 | 64 |
| IDEA International Data Encryption Algorithm In cryptography, the International Data Encryption Algorithm is a block cipher designed by James Massey of ETH Zurich and Xuejia Lai and was first described in 1991. As a block cipher, it is also symmetric. The algorithm was intended as a replacement for the Data Encryption Standard[DES]... |
128 | 64 |
| RC2 RC2 In cryptography, RC2 is a block cipher designed by Ron Rivest in 1987. "RC" stands for "Ron's Code" or "Rivest Cipher"; other ciphers designed by Rivest include RC4, RC5 and RC6.... |
1024 | 64 |
| RC4 RC4 In cryptography, RC4 is the most widely used software stream cipher and is used in popular protocols such as Secure Sockets Layer and WEP... |
2048 | 8 |
| RC5 RC5 In cryptography, RC5 is a block cipher notable for its simplicity. Designed by Ronald Rivest in 1994, RC stands for "Rivest Cipher", or alternatively, "Ron's Code"... |
832 | 64 |
| Skipjack Skipjack (cipher) In cryptography, Skipjack is a block cipher—an algorithm for encryption—developed by the U.S. National Security Agency . Initially classified, it was originally intended for use in the controversial Clipper chip... |
80 | 64 |
| Algorithm | Block size |
|---|---|
| MD2 | 128 |
| MD4 MD4 The MD4 Message-Digest Algorithm is a cryptographic hash function developed by Ronald Rivest in 1990. The digest length is 128 bits. The algorithm has influenced later designs, such as the MD5, SHA-1 and RIPEMD algorithms.... |
128 |
| MD5 MD5 The MD5 Message-Digest Algorithm is a widely used cryptographic hash function that produces a 128-bit hash value. Specified in RFC 1321, MD5 has been employed in a wide variety of security applications, and is also commonly used to check data integrity... |
128 |
| RIPEMD-160 RIPEMD RIPEMD-160 is a 160-bit message digest algorithm developed in Leuven, Belgium, by Hans Dobbertin, Antoon Bosselaers and Bart Preneel at the COSIC research group at the Katholieke Universiteit Leuven, and first published in 1996... |
160 |
| SHA-1 | 160 |
| SHA-2 SHA-2 In cryptography, SHA-2 is a set of cryptographic hash functions designed by the National Security Agency and published in 2001 by the NIST as a U.S. Federal Information Processing Standard. SHA stands for Secure Hash Algorithm. SHA-2 includes a significant number of changes from its predecessor,... / SHA-256 |
256 |
| Algorithm | Key size | Block size |
|---|---|---|
| HMAC HMAC In cryptography, HMAC is a specific construction for calculating a message authentication code involving a cryptographic hash function in combination with a secret key. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message... -MD5 MD5 The MD5 Message-Digest Algorithm is a widely used cryptographic hash function that produces a 128-bit hash value. Specified in RFC 1321, MD5 has been employed in a wide variety of security applications, and is also commonly used to check data integrity... |
128 | 128 |
| HMAC HMAC In cryptography, HMAC is a specific construction for calculating a message authentication code involving a cryptographic hash function in combination with a secret key. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message... -RIPEMD-160 RIPEMD RIPEMD-160 is a 160-bit message digest algorithm developed in Leuven, Belgium, by Hans Dobbertin, Antoon Bosselaers and Bart Preneel at the COSIC research group at the Katholieke Universiteit Leuven, and first published in 1996... |
160 | 160 |
| HMAC HMAC In cryptography, HMAC is a specific construction for calculating a message authentication code involving a cryptographic hash function in combination with a secret key. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message... -SHA-1 |
160 | 160 |
| HMAC HMAC In cryptography, HMAC is a specific construction for calculating a message authentication code involving a cryptographic hash function in combination with a secret key. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message... -SHA-2 SHA-2 In cryptography, SHA-2 is a set of cryptographic hash functions designed by the National Security Agency and published in 2001 by the NIST as a U.S. Federal Information Processing Standard. SHA stands for Secure Hash Algorithm. SHA-2 includes a significant number of changes from its predecessor,... |
256 | 256 |
| Algorithm | Key size |
|---|---|
| Diffie–Hellman | 4096 |
| DSA Digital Signature Algorithm The Digital Signature Algorithm is a United States Federal Government standard or FIPS for digital signatures. It was proposed by the National Institute of Standards and Technology in August 1991 for use in their Digital Signature Standard , specified in FIPS 186, adopted in 1993. A minor... |
4096 |
| ECDSA Elliptic Curve DSA The Elliptic Curve Digital Signature Algorithm is a variant of the Digital Signature Algorithm which uses Elliptic curve cryptography.-Key and signature size comparison to DSA:... |
521 |
| ECDH | 521 |
| Elgamal ElGamal encryption In cryptography, the ElGamal encryption system is an asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie–Hellman key exchange. It was described by Taher Elgamal in 1984. ElGamal encryption is used in the free GNU Privacy Guard software, recent versions of... |
4096 |
| RSA | 4096 |
Release History
- cryptlib 3.4.1 was released on .
- cryptlib 3.4.0 was released on .
- cryptlib 3.3.2 was released on .
- cryptlib 3.3.1 was released on .
- cryptlib 3.3 was released on .
- cryptlib 3.2.3a was released on .
- cryptlib 3.2.3 was released on .
- cryptlib 3.2.2 was released on .
- cryptlib 3.2.1 was released on .
- cryptlib 3.2 was released on .
- cryptlib 3.1 was released on .
See also
- OpenSSLOpenSSLOpenSSL is an open source implementation of the SSL and TLS protocols. The core library implements the basic cryptographic functions and provides various utility functions...
- GnuTLSGnuTLSGnuTLS , the GNU Transport Layer Security Library, is a free software implementation of the SSL and TLS protocols. Its purpose is to offer an application programming interface for applications to enable secure communication protocols over their network transport layer.-Features:GnuTLS consists of...
- Network Security ServicesNetwork Security ServicesIn computing, Network Security Services comprises a set of libraries designed to support cross-platform development of security-enabled client and server applications. NSS provides a complete open-source implementation of crypto libraries supporting SSL and S/MIME...
- PolarSSLPolarSSLPolarSSL is a dual licensed implementation of the SSL and TLS protocols. PolarSSL is almost entirely based on XySSL, which was written and copyrighted by French "white hat hacker" Christophe Devine. XySSL was first released on November 1, 2006 under GPL and BSD licenses...
- CyaSSLCyaSSLCyaSSL is a small, portable, embedded SSL programming library targeted for use by embedded systems developers. It is an open source, implementation of SSL built in the C language. It includes SSL client libraries and an SSL server implementation as well as support for multiple API's, including...
- Comparison of TLS ImplementationsComparison of TLS ImplementationsThe Transport Layer Security protocol provide the ability to secure communications across networks. There are several TLS implementations which are free and open source software and sometimes choosing between the available implementations can be tough...
- LibgcryptLibgcryptlibgcrypt is a cryptographic library developed as a separated module of GnuPG . It can also be used independently of GnuPG, although it requires its error-reporting library....