|
Overview
ISC CDKs make standards-based cryptographic building blocks available
to developers and integrators. Use them to construct secure corporate
applications for internal use or OEM products for resale.
Description
ISC CDKs are flexible, cost effective libraries of linkable
cryptographic modules that allow you to add encryption, digital
signatures, and message authentication to any application. They
reduce the cost of developing secure applications by applying readily
available, commercially supported, conventional and public key technology.
Purchase a complete toolkit or have us customize one that targets
your specific application. ISC can provide implementations of the
following federal and industry standards:
- NIST Advanced Encryption Standard (AES)
- NIST Data Encryption Standard (DES), triple DES (TDES), and
DESX
- NIST Digital Signature Algorithm (DSA) and Elliptic Curve DSA
(ECDSA)
- Rivest-Shamir-Adleman (RSA) public key technology
- NIST Secure Hash Algorithm (SHA-1, SHA-224/256/384/512)
- MD2/MD5 hash algorithms
- Diffie-Hellman (DH) and Elliptic Curve Diffie-Hellman (ECDH)
Key Agreement
- ElGamal, and elliptic curve ElGamal, public key cryptosystems
- AT&T proprietary exportable DES replacement (EA2)
(A more complete list of the available cryptographic algorithms,
protocols, and schemes appears in the
table
below.)
Wide Ranging Applicability
ISC CDKs can be used to add encryption and authentication
to a wide variety of applications:
- security-enhanced device drivers (such as a encrypting file system filter)
- e-mail applications
- electronic funds transfer and EDI
- document transmission, and
- messaging and VoIP products
The latest version even provides support for building simple SSL/TLS clients (with one- or two-sided authentication).
Ease of Use
The ISC CDKs provide C/C++ APIs that allow your programmers
to rapidly link them into existing code or into new applications
under development. (CDK 7.0 C++ documentation is available on-line.)
Testimonial from a satisfied customer:
I'm very pleased
to say that we could integrate your library into our existing
system without any problem in development environment. How
do I describe it was so easy?
Each kit includes a test file with commented sample source code
illustrating the use of each function. This test program also can
be compiled to verify the proper operation of the cryptographic
engines on your operating system. Virtually unlimited key sizes
can be supported for the public key algorithms.
Commercial Availability
ISC CDKs are available for the following platforms:
- Windows 9x/ME/NT/2000/XP, PocketPC/ARM (including kernel mode)
- Solaris 2.x,7,8,9/SPARC, Solaris 8/x86, SunOS 4.1.3/SPARC
- HP-UX 10.x/11.x/11.i
- IBM AIX (32- and 64-bit versions)
- Linux i86
- Mac OS X
- SGI IRIX 6.x
- Compaq Tru64 and OpenVMS/AXP
- Cray UNICOS
These libraries can be used in your internal corporation applications
or in applications developed for resale; they can even be used to build a security-enhanced device driver that operates in Windows kernel mode. An initial CDK license
includes two developer seats; additional developer seats may be
purchased as needed. Per copy licensing fees are required for redistribution
of the CDK with applications that employ its cryptographic code.
Contact us via
e-mail for fee schedules, header files, and sample code, or
for further information on custom libraries.
Standards Compliance
|
|
CDK 7.0
meets NIST FIPS 140-2 and DoD NSTISSP #11 acquisition requirements, and has been approved by NSA for classified use. It was awarded NIST
FIPS 140-1 Level 1 Certificate No. 347.
Certification was performed by a NIST-accredited laboratory
that did source code level validation of all supported FIPS
approved algorithms and security interfaces. Review and
oversight was provided jointly by NIST and CSE.
|
 |
At the time of validation, there were no formal NIST test suites for certain FIPS approved algorithms. In these cases we ran standard industry tests, provided letters of assurance to NIST, and the NIST-accredited CMT lab checked the source code and test results. These algorithms are marked VA (for "Vendor Affirmed") in the NIST certificate column of the table below.
Only products containing FIPS 140-validated security modules may be purchased and used for the processing of sensitive data by agencies of the U.S. Federal Government. Such products are also recommended by the Government of Canada.
NIST NOTE: FIPS 140-2 is now in effect. However, Agencies may continue to purchase, retain and use FIPS 140-1 validated modules.
The cryptographic primitives that can be included
in a custom CDK for your company's use comply with the following
Federal and industry standards:
| Algorithms
Supported
in CDK 7.0 |
Relevant
Standards and Other References |
NIST
Certificate |
| RSA |
FIPS
186-2; ANSI X9.31-1998;
RFC2437
(PKCS#1v2.0), RFC3447 (PKCS#1v2.1) |
|
| DSA |
FIPS
186-2; ANSI X9.30-1997 |
|
| ECDSA |
FIPS
186-2; ANSI X9.62-1998;
IEEE 1363-2000 |
|
| DH |
RFC2631;
ANSI X9.42-1998;
IEEE 1363-2000 |
|
| ECDH |
ANSI X9.63; IEEE 1363-2000 |
|
| AES |
FIPS
197;
NIST SP-800-38A;
NIST SP-800-38C;
DRAFT NIST SP-800-38B;
CNSS Policy No. 15;
RFC3394;
RFC3565 |
|
| DES |
FIPS
46-3; ANSI X3.92 |
|
| TDES |
FIPS
46-3; ANSI X9.52-1998; NIST SP-800-38A; NIST SP 800-20;
DRAFT
NIST SP 800-67 |
|
| DESX |
(analysis
by J. Kilian and P. Rogaway) |
|
| Skipjack/EES |
FIPS
185; NIST/NSA
specification |
|
| RC2 |
RFC3217;
RFC2268 |
|
| RC4 |
RFC2246
(SSL/TLS);
"Arcfour"
internet-draft |
|
| SHA-1 |
FIPS
180-2; ANSI X9.30 Part 2;
ISO/IEC
10118-3:1998 |
|
| SHA-224/256/384/512 |
FIPS
180-2; NIST
specifications |
|
| HMAC-SHA-1 |
FIPS
198; RFC2104;
ANSI X9.71 |
|
| HMAC-MD5 |
RFC2104;
ANSI X9.71 |
|
| MD2 |
RFC1319 |
|
| MD5 |
RFC1321 |
|
| PRNG |
FIPS
186-2; FIPS
140-2 Annex C; NIST SP 800-22 |
|
| Password Generation |
FIPS
181 |
|
| Available Separately |
Relevant
Standards and Other References
|
| MQV, ECMQV |
IEEE 1363-2000, NIST SP800-56A, NIST SP800-78 |
| KEA |
NIST/NSA
specification; RFC2528;
RFC3279; SDN.701 |
| OAEP |
RFC2437
( PKCS #1v2.0); RFC3560; IEEE 1363-2000 |
| CAST-128 |
RFC2144 |
| RIPEMD-160 |
ISO/IEC
10118-3:1998; A.
Bosselaers' website; RFC2857 |
In addition to the algorithms listed in the first part of the above
table, CDK 7.0 includes:
- X.509v3 certificate and CRL handling (RFC2459, RFC3279, RFC3280, NIST SP 800-15)
- PKCS#7/#8/#10/#12 PDU creation
and parsing
- basic S/MIME v3 CMS functions for PDU creation and parsing (RFC3370. RFC3851, RFC3852)
- key derivation functions for PKCS#5 PBE and various ANSI and
PKCS#1/#3/#5/#8 (RFC2313-2315) padding, encoding, and decoding functions
- RFC3394 key wrapping and unwrapping
- pseudo-random number generation, primality testing, and routines
for low-level modular exponentiation and other high-precision
arithmetic operations (in rings of integers, finite fields, and
elliptic curves)
- simple SSL/TLS client support
CDK 7.0 is the cryptographic engine used in all builds of SecretAgent 5.7 and above, SpyProof! 1.x, SecretAgent Mobile, SecretAgent
5.6 for PocketPC/ARM, and SpyProof! 1.x.
References
ANSI/ABA
Security Standards for Financial Services
The
IEEE 1363 website
Addressing a Popular FIPS 140-2 vs. FIPS 140-1 Misconception
Even though 140-2 is the current standard, products validated under 140-1 have not been deprecated. According to NIST, U.S. Government "agencies may continue to purchase, retain and use FIPS 140-1 validated modules after May 25, 2002. Modules validated as conforming to FIPS 140-1 and FIPS 140-2 are accepted by the Federal Agencies of both [the U.S. and Canada] for the protection of sensitive information." Furthermore, "Cryptographic modules that have been approved for classified use may be used in lieu of modules that have been validated against this standard [FIPS 140-2]." (Quoted text taken from NIST website on 3/26/07.)
|
