At its lowest level, cryptlib provides a transparent and consistent interface
to a number of widely-used encryption algorithms and systems. At a higher
level, it provides powerful and easy-to-use digital signature and encryption
key management routines. All encryption routines are accessed through a single
standardised interface with parameters such as the algorithm, mode and key size
being selectable by the user.
cryptlib's powerful object management interface provides the ability to add
encryption and authentication capabilities to an application without needing to
know all the low-level details which make the encryption or authentication
work. Automatic object-management routines take care of encoding issues and
cross-platform portability problems. cryptlib's
enveloping interface hides all the messy details of
key management and encryption which other libraries require you to explicitly
handle, so that functions such as digitally signing or encrypting a message can
be implemented in only a few lines of code. Since cryptlib uses
industry-standard X.509 and S/MIME data formats, the resulting encrypted or
signed data can be easily transported to other systems and unwrapped there -
cryptlib doesn't tie you to a single operating system.
On initialization cryptlib performs extensive self-testing against test data
from encryption standards and reference implementations. If a module in the
library fails the self-test, its use is automatically disabled. The APIs
check each parameter and function call for errors before any actions are
performed, with error reporting down to the level of individual parameters. On
operating systems which support multithreading, all functions and objects are
fully thread-safe.
All algorithms, security methods, and data encoding systems in cryptlib either
comply with one or more internationally recognised
security or encryption standards, or are
implemented and tested to conform to a reference implementation of a particular
algorithm or security system.
cryptlib provides full X.509 certificate handling
with support for all X.509v3 and IETF PKIX certificate features as well as
support for SET, Microsoft AuthentiCode, S/MIME, and SSL client and server
certificates, handling of certification requests and CRLs including automated
checking of certificates against CRLs, the creation and checking of PKCS #7
certificate chains, and a full range of certification authority (CA) functions.
cryptlib provides a complete public and private key
management interface which allows keys to be stored in and retrieved from a
wide variety of key database types ranging from commercial-grade relational
databases (the native key format) and LDAP directories with optional SSL
protection through to external formats such as PGP keyrings, X.509 and SET flat
files, and smart cards.
In addition to its built-in capabilities, cryptlib can make use of the crypto
capabilities of a variety of external crypto devices such as hardware crypto
accelerators, Fortezza cards, PKCS #11 devices, and crypto smart cards. For
particularly demanding applications cryptlib can be used with a variety of
crypto devices which have received appropriate FIPS 140 or ITSEC
certifications. The crypto device interface also provides a convenient
general-purpose plug-in capability for adding new functionality which will be
automatically used by cryptlib.
Great care is taken to protect sensitive information:
- No user access to sensitive information is possible. All data is handled
via opaque handles which refer to data areas managed by cryptlib.
- Memory corresponding to encryption objects is managed by
cryptlib and will be automatically sanitized and freed when cryptlib
shuts down even if the caller forgets to free the object.
- Memory containing sensitive information such as encryption keys
is locked to prevent it from being swapped to disk if the underlying
OS allows this.
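The handle-based design in the list above, as an added example that is not cryptlib's own code: a small C object table in which callers only ever hold integer handles, key memory is mlock()ed on a best-effort basis (assumed POSIX), and shutdown sanitises and frees whatever the caller forgot to destroy. The function names and the toy XOR operation are assumptions for illustration.

```c
/* Added example, not cryptlib's code: opaque-handle object table as described */
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
enum { MAX_OBJECTS = 8, KEY_SIZE = 32 };
static unsigned char *objects[MAX_OBJECTS];  /* private table, indexed by handle */
#define VALID(h) ((h) >= 0 && (h) < MAX_OBJECTS && objects[h] != NULL)
/* Clear secrets through a volatile pointer so the compiler cannot drop the store */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Copy key into a new object; returns an opaque handle >= 0, or -1 on error */
int obj_create(const unsigned char *key, size_t keylen) {
    if (key == NULL || keylen != KEY_SIZE) return -1;
    for (int h = 0; h < MAX_OBJECTS; h++) {
        if (objects[h] != NULL) continue;
        if ((objects[h] = malloc(KEY_SIZE)) == NULL) return -1;
        (void)mlock(objects[h], KEY_SIZE);  /* best effort: the OS may refuse */
        memcpy(objects[h], key, KEY_SIZE);
        return h;
    }
    return -1;                              /* table full */
}

/* The key is used only inside the library; a toy XOR stands in for a cipher */
int obj_xor(int h, unsigned char *data, size_t len) {
    if (!VALID(h)) return -1;
    for (size_t i = 0; i < len; i++) data[i] ^= objects[h][i % KEY_SIZE];
    return 0;
}

/* Wipe, unlock and free one object; the handle is invalid afterwards */
int obj_destroy(int h) {
    if (!VALID(h)) return -1;
    secure_wipe(objects[h], KEY_SIZE);
    (void)munlock(objects[h], KEY_SIZE);
    free(objects[h]);
    objects[h] = NULL;
    return 0;
}

/* Shutdown: sanitise and free whatever the caller forgot; returns the count */
int lib_shutdown(void) {
    int leaked = 0;
    for (int h = 0; h < MAX_OBJECTS; h++)
        if (obj_destroy(h) == 0) leaked++;
    return leaked;
}
```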
The software has been developed outside the US and is therefore not covered by
US export restrictions and can be used anywhere in the world.