- Contact Us
Sales & LicensingEmail: [email protected]Phone: +642 174 0250Postal Address: Digital Data Security Ltd 24 Durness Place, Orewa Auckland 0932 New Zealand
Technical ContactsEmail: [email protected]
Alternatively, please use our contact form;
Comments or questions are welcome.
Powered by Fast Secure Contact Form
- Cost-Effective Security
cryptlib allows developers to add world-class security services to their software applications, quickly and cost-effectively. The toolkit is specifically designed to minimise the input required from the development team. cryptlib saves valuable development time and resources, which translates into a significant decrease in programming time, speeds application and product time-to-market, and ultimately, reduces project cost.
cryptlib was designed by security experts, but not exclusively for security experts. It’s highly efficient and has been rigorously tested across a wide range of operating systems and platforms over a period of nearly two decades. The software has been deployed and proven in many different sectors, and our clients state that it’s the only security software development toolkit they’d ever need.
Business owners and managers often overlook the considerable cost, time and complexity involved in completing security projects successfully in-house. They over-estimate the ability of their technical staff to execute the security component in a very specialised and crucial part of their application or product. Internal security costs incurred are damaging to the business, as they also prevent the developer from working on productive tasks more suited to their skill set.
cryptlib developers access a series of ‘layered’ security services according to their needs and capabilities. At the highest level, there are extremely powerful and easy-to-use functions such as: ‘encrypt a message’ or ‘create a digital certificate’ that requires no knowledge of encryption techniques, or the underlying algorithms. cryptlib takes care of the key management, data encoding, en/decryption and digital signature processing automatically. By using just a handful of function calls, cryptlib makes very efficient use of developer time, and provides a considerable advantage over other commercially available products.
cryptlib users can approach their security projects with confidence, knowing that they are deploying expert-designed, robust and time-tested security solutions. You’ll find an in-depth technical manual available for download along with the software.
cryptlib is competitively priced and easily licensed compared to its rivals. We take a flexible approach, often adapting the license model to the customer’s requirements rather than the other way around. This means that we are always cost-competitive, and our clients have a real input into the final licensing arrangement. Please contact the cryptlib sales team for a specific quotation and more details.
At the highest level, cryptlib provides implementations of complete security services such as S/MIME and PGP/OpenPGP secure enveloping, SSL, TLS and SSH secure sessions, CA services such as CMP, SCEP, RTCS, and OCSP, and other security operations such as secure timestamping (TSP). Since cryptlib uses industry-standard X.509, S/MIME, PGP/OpenPGP, and SSH/SSL/TLS data formats, the resulting encrypted or signed data can be easily transported to other systems and processed there, and cryptlib itself runs on virtually any operating system — cryptlib doesn’t tie you to a single platform. This allows email, files, and EDI transactions to be authenticated with digital signatures and encrypted in an industry-standard format.
cryptlib provides an extensive range of other capabilities including full X.509/PKIX certificate handling (all X.509 versions from X.509v1 to X.509v3) with additional support for SET, Microsoft AuthentiCode, Identrus, RPKI, SigG, S/MIME, SSL, and Qualified certificates, PKCS #7 certificate chains, handling of certification requests and CRLs including automated checking of certificates against CRLs and online checking using RTCS and OCSP, and issuing and revoking certificates using CMP and SCEP. In addition cryptlib implements a full range of certificate authority (CA) functions, as well as providing complete CMP, SCEP, RTCS, and OCSP server implementations to handle online certificate enrolment/issue/revocation and certificate status checking. Alongside the certificate handling, cryptlib provides a sophisticated key storage interface that allows the use of a wide range of key database types ranging from PKCS #11 devices, PKCS #15 key files, and PGP/OpenPGP key rings through to commercial-grade RDBMS’ and LDAP directories with optional SSL protection.
External Crypto Devices
In addition to its built-in capabilities, cryptlib can make use of the crypto capabilities of a variety of external crypto devices such as hardware crypto accelerators, Fortezza cards, PKCS #11 devices, hardware security modules (HSMs), and crypto smart cards. For particularly demanding applications cryptlib can be used with a variety of crypto devices that have received appropriate FIPS 140 or ITSEC/Common Criteria certification. The crypto device interface also provides a convenient general-purpose plug-in capability for adding new functionality that will be automatically used by cryptlib. cryptlib also provides a general-purpose crypto HAL (hardware abstraction layer) interface that allows it to use the native crypto capabilities available in some ARM, MIPS, and PPC cores used in embedded systems and devices.
Operating Systems Supported by cryptlib
cryptlib is supplied as source code for AMX, BeOS, ChorusOS, DOS, DOS32, eCOS, µC/OS-II, embedded Linux, FreeRTOS/OpenRTOS, IBM MVS, µITRON, LynxOS, Macintosh/OS X, MQX, OS/2, PalmOS, RTEMS, Tandem, ThreadX, T-Kernel, a variety of Unix versions (including AIX, Digital Unix, DGUX, FreeBSD/NetBSD/OpenBSD, HP-UX, IRIX, Linux, MP-RAS, OSF/1, QNX, SCO/UnixWare, Solaris, SunOS, Ultrix, and UTS4), uClinux, VM/CMS, VxWorks, Windows 3.x, Windows 95/98/ME, Windows CE/PocketPC/SmartPhone, Windows NT/2000/XP/Vista/Windows 7 (32- and 64-bit versions), VDK, VxWorks, and Xilinx XMK, and pre-built 32- and 64-bit binaries for Windows. cryptlib’s highly portable nature means that it is also being used in a variety of custom embedded system environments. cryptlib comes with language bindings for C / C++, C# / .NET, Delphi, Java, Perl, Python, and Visual Basic (VB).
The cryptlib security software was originally written by Digital Data Security Limited (DDS) founder Dr Peter Gutmann as part of his Ph.D thesis at Auckland University in the mid-1990’s, and subsequently commercialised.
The cryptlib software intellectual property rights are fully owned by DDS, a private, New Zealand-based and registered limited liability company that has been trading successfully for over 20 years. Dr Gutmann has spent some time at the IBM Laboratories, Watson Research Center in Hawthorne, NY.
Peter has published a significant number of scientific papers on software security, and is widely regarded in the field. He is sought after as a speaker at various international conventions and conferences.
See: Peter’s home page, and bio details
- Applicationscryptlib security software services and application coverage may be used in virtually any situation that requires the protection or authentication of sensitive data. Some projects in which cryptlib is currently used include:
- Protection of medical records transmitted over electronic links.
- Protection of financial information transmitted between branches of banks.
- Transparent disk encryption.
- Strong security services added to web browsers with weak, exportable security.
- Running a CA.
- Encrypted electronic mail.
- File encryption.
- Protecting content on Internet servers.
- Digitally signed electronic forms.
- S/MIME mail gateway.
- Secure database access.
- Protection of credit card information.
- CA Operations
Certificate Management Servicescryptlib includes a scalable, flexible Certificate Authority (CA) engine built on the transaction-processing capabilities of a number of proven, industrial-strength relational databases running on a variety of hardware platforms. The CA facility provides an automated means of handling certificate issuance without dealing directly with the details of processing request, signing certificates, saving the resulting certificates in keys stores, and assembling CRLs. This constitutes a complete CA system for issuance and management of certificates and CRLs.
- Elliptic Curve CryptographyElliptic Curve Cryptography (ECC) is supported in cryptlib, both at the lower crypto-mechanism level and in high-level protocols like X.509, SSL/TLS, S/MIME, and SSH. cryptlib developers will now find it easy to integrate various ECC requirements into their software applications. Elliptic Curve Cryptography is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. The US National Security Agency has endorsed it by including schemes based on ECC in its ‘Suite B’ set of recommended algorithms and allows their use for protecting information classified up to Top Secret. cryptlib’s implementation of ECC meets the requirements for NSA Suite B use.
- PGP/OpenPGPcryptlib supports the PGP/OpenPGP message format alongside the PKCS #7/CMS/SMIME formats, allowing it to be used to send and receive PGP-encrypted email and data. As with the S/MIME implementation, the PGP implementation uses cryptlib’s enveloping interface to allow simple, rapid integration of strong encryption and authentication capabilities into existing email agents and messaging software. Since the enveloping interface is universal, the process involved in creating PGP and S/MIME messages is identical except for the envelope format specifier, allowing a one-off development effort to handle any secure message format.
- PKI Services
CMP, OCSP, RTCS, SCEP, TSPIn addition to SSH, SSL and TLS, cryptlib also implements a full range of PKI services in its secure session interface, again providing both client and server implementations of all protocols. These services include the certificate management protocol (CMP), simple certificate enrolment protocol (SCEP), real-time certificate status protocol (RTCS), online certificate status protocol (OCSP), and timestamping (TSP).
- S/MIMEcryptlib employs the IETF-standardised Cryptographic Message Syntax (CMS, formerly called PKCS #7) format as its native data format. CMS is the underlying format used in the S/MIME secure mail standard, as well as a number of other standards covering secure EDI and related systems like HL7 medical messaging and the Session Initiation Protocol (SIP) for services like Internet telephony and instant messaging. The complexity of the S/MIME format means that the few other toolkits that are available require a high level of programmer knowledge of S/MIME processing issues. In contrast cryptlib’s enveloping interface makes the process as simple as pushing raw data into an envelope and popping the processed data back out, a total of three function calls, plus one more call to add the appropriate encryption or signature key.
- SSH, SSL & TLScryptlib supports secure network sessions using the SSH, SSL and TLS security protocols. As with envelopes, cryptlib takes care of the session details for you so that all you need to do is provide basic communications information such as the name of the server or host to connect to and any other information required for the session such as a password or certificate. cryptlib takes care of establishing the session and managing the details of the communications channel and its security parameters, and provides both client and server implementations of all of these session types.
“Cryptographic libraries are at the heart of secure communication systems. If these libraries are poorly designed, or difficult to use, they could be the Achilles heel in any system. However Cryptlib’s architecture has been carefully crafted to protect systems at all levels. The compact and modular nature of Cryptlib enabled us to implement multiple secure protocols in a very small platform. Author Peter Gutmann’s help was also very useful in doing both the original port and extensions such as SSHv2. The wide range of Cryptlib code and extensive documentation make this library the only complete choice for cryptographic needs.”
Christopher D. Leidigh, Chief Scientist, Embedded Networking & Technology, APC by Schneider Electric, USA
- Ainsworth Game Technology, Australia
- Brilliant Digital – Altnet, Australia
- Roads and Maritime Services, NSW, Australia
- Tauá Biomática Ltda., Brazil
- C-Works GmbH, Germany
- EFiS Financial Solutions AG, Germany
- Graebert GmbH, Germany
- IZT Labs, GmbH, Germany
- Rohde & Schwarz GmbH
- T-Systems, Germany
- Banking Payment Central Clearing House (Bankenes BetalingsSental AS) Norway
- Dynaplan AS, Norway
- Medilink Software AS., Norway
- Dutch Revenue Service – Belastingdienst, The Netherlands
- Gatsometer B.V., The Netherlands
- Infitel International NV, The Netherlands
- Arcode Corporation, USA
- Bloomberg, USA
- Bose Corporation, USA
- Castel Communications, USA
- Credant, USA
- Di-Central, USA
- FireEye, Inc., USA
- GE General Electric
- GoodTech Systems, California, USA
- IBM Tivoli, USA
- Kleinschmidt Inc., USA
- Lexmark International, Kentucky, USA
- Linkpoint International Corporation, California, USA
- MasterCard International, USA
- Mer-Tec Corporation, Texas, USA
- Northwestern University, Illinois, USA
- OSS Nokalva Inc. New Jersey, USA
- APC by Schneider Electric – APC USA
- South River Technologies, California, USA
- Tiburon Inc. California, USA
- XYPRO Technology Corporation, California, USA
- Zebra Technologies Corporation, USA
- Code Samples
Secure Online Software Encryption: Code ExampleThe best way to illustrate what cryptlib can do is with an example. The following code encrypts a message using public-key encryption.
/* Create an envelope for the message */
cryptCreateEnvelope( &cryptEnvelope, cryptUser, CRYPT_FORMAT_SMIME );
/* Add the message [...] */
cryptSetAttributeString( cryptEnvelope, CRYPT_ENVINFO_RECIPIENT, recipientName, recipientNameLength );
/* Push in the message data and pop out the encrypted result */
cryptPushData( cryptEnvelope, message, messageSize, &bytesIn );
cryptFlushData( cryptEnvelope );
cryptPopData( cryptEnvelope, encryptedMessage, encryptedSize, &bytesOut );
/* Clean up */
cryptDestroyEnvelope( cryptEnvelope );This performs the same task as a program like PGP using just 6 function calls (to create a PGP/OpenPGP message, just change the CRYPT_FORMAT_SMIME to CRYPT_FORMAT_PGP). All data management is handled automatically by cryptlib, so there’s no need to worry about encryption modes and algorithms and key lengths and key types and initialisation vectors and other details (although cryptlib provides the ability to specify all this if you feel the need). This is all that’s required — just copy the above code into your application to S/MIME-enable it.
Secure Session Code Example
/* Create the session */
cryptCreateSession( &cryptSession, cryptUser, CRYPT_SESSION_SSL );
/* Add the server name and activate the session */
cryptSetAttributeString( cryptSession, CRYPT_SESSINFO_SERVER_NAME, serverName, serverNameLength );
cryptSetAttribute( cryptSession, CRYPT_SESSINFO_ACTIVE, 1 );If you prefer SSH to SSL, just change the CRYPT_SESSION_SSL to CRYPT_SESSION_SSH and add a user name and password to log on. As with the encryption code example above, cryptlib provides a single unified interface to its secure session mechanisms, so you don’t have to invest a lot of effort in adding special-case handling for different security protocols and mechanisms. The corresponding SSL or TLS (or SSH if you prefer) server is:
/* Create the session */
cryptCreateSession( &cryptSession, cryptUser, CRYPT_SESSION_SSL_SERVER );
/* Add the server key/certificate and activate the session */
cryptSetAttribute( cryptSession, CRYPT_SESSINFO_PRIVATEKEY, privateKey );
cryptSetAttribute( cryptSession, CRYPT_SESSINFO_ACTIVE, 1 );As with the secure enveloping example, cryptlib is performing a large amount of work in the background, but again there’s no need to know about this since it’s all taken care of automatically.
Certificate Management Code ExampleThe following code illustrates cryptlib’s plug-and-play PKI interface:
/* Create the CMP session and add the server name/address */
cryptCreateSession( &cryptSession, cryptUser, CRYPT_SESSION_CMP );
cryptSetAttributeString( cryptSession, CRYPT_SESSINFO_SERVER, server, serverLength );
/* Add the username, password, and smart card */
cryptSetAttributeString( cryptSession, CRYPT_SESSINFO_USERNAME, userName, userNameLength );
cryptSetAttributeString( cryptSession, CRYPT_SESSINFO_PASSWORD, password, passwordLength );
cryptSetAttribute( cryptSession, CRYPT_SESSINFO_CMP_PRIVKEYSET, cryptDevice );
/* Activate the session */
cryptSetAttribute( cryptSession, CRYPT_SESSINFO_ACTIVE, TRUE );This code takes a smart card and generates separate encryption and signing keys in it, requests a signature certificate from the CA for the signing key, uses that to obtain a certificate for the encryption key, obtains any further certificates that may be needed from the CA (for example for S/MIME signing or SSL server operation), and stores everything in the smart card. Compare this to the hundreds or even thousands of lines of code required to do the same thing using other toolkits. Oh yes, and cryptlib provides the CA-side functionality as well — there’s no need to pay an expensive commercial CA for your certificates, since cryptlib can perform the same function.
- cryptlib API
cryptlib Application Programming Interface (API)cryptlib’s application programming interface (API) serves as an interface to a range of security mechanisms and algorithms through a single API. Developers only need to learn one API in order to provide security services for their applications. cryptlib’s powerful object management interface provides the ability to add encryption and authentication capabilities to an application without needing to know all the low-level details that make the encryption or authentication work. The automatic object-management routines take care of encoding issues and cross-platform portability problems, so that a handful of function calls are enough to create or process an S/MIME or PGP message or establish an SSL/TLS or SSH session. At a lower level, one or two function calls are enough to communicate public-key encrypted data with all of the associated information and parameters needed to decrypt the data on the other side of a communications channel, or to digitally sign a piece of data. This provides a considerable advantage over other encryption toolkits that often require hundreds of lines of code and the manipulation of complex data structures to perform the same task. cryptlib has been written to be as foolproof as possible. The APIs check each parameter and function call for errors before any actions are performed, with error reporting down to the level of individual parameters. In addition, logical errors such as, for example, key exchange functions being called in the wrong sequence, are checked for and identified. cryptlib is re-entrant and completely thread-safe, allowing it to be used with multithreaded applications under Windows, Unix, and embedded or RTOS kernels that function at the per-task level. Because it’s thread-safe, lengthy crypto operations can be run in the background while other processing is performed in the foreground.
cryptlib is available for free download and evaluation at any time. There is no charge for development seats, only for a commercial deployment of the software. cryptlib is vendor, channel and platform independent. We do not tie the user into a specific hardware platform, or insist on the maintenance of vendor or channel relationships. This offers the user significant portability and flexibility.
Please complete this brief form to gain access to the Cryptlib download page. Here you’ll find the latest Cryptlib software release, technical manuals and licensing information.
Powered by Fast Secure Contact Form
- cryptlib Download ConditionsYou may use Cryptlib subject to the restrictions below after you have obtained a valid software license. Cryptlib is distributed as ‘open source’ software but NOT for free. NB: No software license is required for evaluation purposes. If you make any changes to the code, you should send a copy of the changes to the author or authors to allow them to integrate them into the code. This is to allow a central consistent version to be maintained. Any software you create with this code may not be merely a set or subset of Cryptlib, with or without minor added functionality or a different interface. In particular you can’t distribute Cryptlib (or any modified form of it) as your own encryption product. This is to stop developers adding their own wrappers and selling it as “their” encryption product. All “commercial use” of Cryptlib requires a software license. “Commercial use” means any revenue-generating purpose such as use for company-internal purposes, or use of Cryptlib in an application or product, with a total gross revenue of over US$5,000. This allows Cryptlib to be used in freeware and shareware applications and for research purposes and non-revenue-generating personal use without charge. Freeware and shareware users must still obtain a valid software license. In addition the author reserves the right to grant free licenses for commercial use in special cases (for example where there is a general benefit to the public), contact the author for details if you think you qualify. Note that decoupling the software from the user, for example by running in a SaaS (Software as a Service) configuration, does not exempt you from the stated licensing requirements. We encourage programmers to disseminate Cryptlib as widely as possible.
- Download cryptlib Software & Manuals
Download cryptlib Current Version:It is strongly recommended that you always use the latest release of cryptlib, which will include enhancements and improvements over the previously available versions. A 370 page user’s guide and manual is also available below which is distributed separately from the code.
Latest cryptlib Release cryptlib Manual Current cryptlib 3.4.6 Release cryptlib Mailing List Archives Cryptlib Manual
- cryptlib Download Conditions
- Embedded Systemscryptlib’s high level of portability and configurability makes it ideal for use in embedded systems with limited resources or specialised requirements. The code is fully independent of any underlying storage or I/O mechanisms. It works just as easily with abstractions like named memory segments in flash memory as it does with standard key files on disk. It has been deployed on embedded systems without any conventional I/O capabilities or dynamic memory allocation facilities, with proprietary operating system architectures and services including ATMs, printers, web-enabled devices, POS systems, embedded device controllers, and similar environments, and even in devices with no operating system at all. cryptlib runs on the bare metal. Because cryptlib functions identically across all supported environments, it’s possible to perform application development in a fully-featured environment such as Windows or Unix and when the application is complete and tested, move it to the embedded system. This flexibility greatly reduces the amount of time that needs to be spent with embedded systems debuggers or in-circuit emulators since most of the development and code testing can be done on the host system of choice. See the FAQ for more details.
- Licensingcryptlib is distributed under a dual license that allows free, open-source use under a GPL-compatible license (aka the “Sleepycat” license) and closed-source use under a standard commercial license. In addition, cryptlib is often free for use in low-cost, non-open-source applications such as shareware, and for personal and research use. To use cryptlib under the GPL-compatible license, visit the open-source cryptlib site. Any and all large-scale commercial use of cryptlib requires a license. ‘Large-scale commercial use’ means any revenue-generating purpose such as use for company-internal purposes, or use of cryptlib in an application or product, with a total gross revenue of over $US 5,000. This allows cryptlib to be used in freeware and shareware applications, for evaluation and research purposes, and for non-revenue-generating or personal use without charge. In addition the author reserves the right to grant free licenses for commercial use in special cases (for example where there is a general benefit to the public). Contact the cryptlib Sales team for details if you think you qualify. Usage Conditions
- If you use cryptlib, you must give the authors credit in your software and/or documentation.
- If you make any changes to the code, you should send a copy of the changes to the author to allow them to be integrated into the code. This is to allow a central consistent version to be maintained.
- Any software you create with this code may not be merely a set or subset of cryptlib, with or without minor added functionality or a different interface. In particular you can’t distribute cryptlib (or any modified form of it) as your own encryption or security product. This is to stop users adding their own wrappers and selling it as “their” software product.
- PricingA cryptlib license fee is only payable when the software is deployed in a commercial project. There are many ways to structure a license arrangement. Usually we consider the expected deployment, and then negotiate one or more of the following:
- a per Server fee
- a per Client fee
- a product royalty-fee%
- a fixed annual fee, or in some instances, even a single license fee.
- Cyber Attacks
Cybercrime Flourishes, Cyber-attackers Never SleepThe information age has seen the development of increasingly complex electronic pathways, networks and devices that carry vast amounts of valuable data. This information is now the target of sophisticated and malicious individuals and organizations intent on breaching confidentiality, disrupting service, and outright theft. There is strong evidence that cybercrime; phishing attacks, computer fraud, theft of information and money, is on the increase and that many organizations are under constant threat. These cyber attacks have the potential to destroy customer confidence, and undermine successful enterprises. The most recent CSI Computer Crime and Security Survey found that the average cost per security incident was $235,000, and the largest loss reported was some $6 million. Financial fraud continues to consistently be a highly expensive attack, averaging almost $450,000 in losses per organization that suffered fraud. Other security surveys report even greater financial losses, and an increasing incidence of all types of malware. For example, security experts at McAfee Labs catalogued more than 16 million individual pieces of malware in 2017. This works out to be around 40,000 pieces per day, meaning the need to remain protected and vigilant is essential. As a result of these on-going threats, there is a strong demand for the means to secure vital electronic pathways, and to offer both providers and users a high level of confidence in systems integrity. However, the security structures required to protect data are generally very difficult to design and implement. Even when available, they tend to require considerable understanding of the underlying technical principles in order to be used effectively. This has lead to a proliferation of second-rate products that offer only the illusion of security. So, where does a software developer look to solve these problems? cryptlib provides the tools for developers to meet these challenges. They can approach their security projects with confidence, knowing that they are deploying expert-designed, robust and time-tested security solutions.
Do you have any performance measurements for algorithm x?It’s impossible to answer this question because it depends on the system that it’s being run on, the compiler being used, the algorithm, the key size (for public-key algorithms), the fact that cryptlib is in some cases performing a lot of other work in the background (e.g. data encapsulation or certificate processing), and a variety of other factors. In general on a modern system the raw performance of most of the block ciphers and hash functions is tens to hundreds of megabytes per second, and the raw time for public-key operations is a few milliseconds. With cryptlib hardware assist, the processing speed is limited mostly by the I/O bus speed. These are representative times. If you need a definitive figure for your exact hardware, OS, compiler, application, etc?., run the code and ?test it.
Does cryptlib run under other random OS?
cryptlib runs on virtually all generally-used operating system platforms, including embedded OSes and RTOSes, however there are a small number of relatively rare OS’s that it hasn’t yet been ported to, generally because they’re non-mainstream enough that access to a development system is difficult. cryptlib has been designed for easy portability to any OS, targeting new systems hasn’t proven much of a problem in the past.
Since cryptlib is open source software, you’re welcome to take the code and port it to any specialised OS that you require it to run on. The cryptlib developers can offer assistance where possible. Anyone requiring a port is strongly encouraged to contact the developers, since past experience has shown that this leads to a significant reduction in effort in performing the port (a
typical example was several months vs. 2 days to get it running on a particular mainframe environment).
Does cryptlib run under VM/CMS or MVS or on the AS/400?
Yes and no. The IBM mainframe adaptation was performed by building the code under VM and bringing it as close as possible to building under MVS at which point the code snapshot was taken over by a company that generally doesn’t talk to others about security issues and whose lawyers wouldn’t allow the changes they made to go back into the code base — Open Source has yet to arrive there.
This means that anyone wanting to run cryptlib on IBM mainframes will need to duplicate some of the work they did: system information polling to gather randomness for key generation (random/mvs.c and random/vm.c), miscellaneous code tweaks here and there, and fixing up the JCL. The last two are pretty trivial, the only thing that requires any real work is the randomness polling. The AS/400 situation is somewhat worse, to date there have been multiple ports performed but none have been released.
Does cryptlib support AADS, CDMF, CMC, CMMF, CPM, CRS, CSVP, DHPOP, DCS, DVCS, ICAP, OCDP, QC, RMP, SCVP, SDSI, SPKI, VMP, …?
Standards groups are constantly inventing new standards. Many will disappear without trace, some will be implemented by a few vendors (often in an incompatible manner) and ignored by the rest, some will be so complex and difficult to interpret that they won’t be viable for years (if ever), and a very small number will survive and prove useful. The cryptlib developers keep a close eye on the standards situation and will support those that serve a useful purpose and have good industry support?.
Note that being hyped in the trade press does not constitute good industry support. The intention behind taking this cautious approach is to avoid having users locked into a collection of orphaned and legacy protocols that have very little support elsewhere. Since cryptlib is available in full source code form, you’re welcome to implement any particular protocol you require yourself, or you can contact the cryptlib developers if you require the implementation of any custom protocols.
When will cryptlib support OAEP? PSS?
New crypto algorithms and mechanisms will be supported in cryptlib when they become generally adopted in implementations of security standards like SSL/TLS, S/MIME, SSH, and PGP. Without this general support, there’s little use for them since nothing would be able to employ them even if they were present in cryptlib. That is, any data produced using these algorithms would be unusable by any other implementation. In addition:
* Because these new mechanisms are barely supported by anything, it will be difficult ?or impossible to use them with crypto hardware such as HSMs or smartcards.
* The security benefits of using some of these new techniques is questionable. For example, standard PKCS #1 version 1.5 is secure when used properly (that is, there’s no real security benefit to using OAEP). Protocols like TLS and S/MIME simply include a note about using PKCS #1 version 1.5 securely, rather than requiring a move to OAEP or PSS.
* If you use some new mechanism, there’s a risk that you’ll be stuck with an orphaned mechanism if something else comes into fashion. SET is stuck with a version of OAEP that nothing else uses any more because of this problem.?
Can I read keys from the Windows registry/CryptoAPI blobs/the Mozilla certificate database/etc?
These are proprietary/undocumented formats that conform to no known standard. Because of their nature, they are tied to a particular vendor or platform and can’t be read by cryptlib (or anything else).
Why do I get an “Assertion failed” when I use cryptlib?
You’ve built the debug version of cryptlib rather than the release version. The debug version is intended for people developing cryptlib, and provides extended diagnostic and debugging information that isn’t present in a normal release. See “Debug vs.Release Versions of cryptlib” in the manual for more information.
Is cryptlib subject to any export restrictions?
No. The software has been developed outside the USA and is therefore not covered by US export restrictions and may be used anywhere in the world.
How is cryptlib licensed?
cryptlib is distributed under a dual license that allows free, open-source use under a GPL-compatible license (a.k.a. the Sleepycat License) and closed-source use under a standard commercial license. In addition, cryptlib is free for use in low-cost, non-open-source applications such as shareware, and for personal and academic or research use.
All commercial users must obtain a commercial license, which will be negotiated and agreed with Digital Data Security Limited, the registered owner of the cryptlib software. Specifically, any large-scale commercial use of cryptlib requires a license. “Large-scale commercial use” means any revenue-generating purpose such as use for company-internal purposes, or use of cryptlib in an application or product, with a total gross revenue of over US$5,000. This allows cryptlib to be used in freeware and shareware applications, for evaluation and research purposes, and for non-revenue-generating or personal use without charge. In addition the author reserves the right to grant free licenses for commercial use in special cases (for example where there is a general benefit to the public), however you must contact the author for permission if you think you qualify.
Does cryptlib run in embedded systems?
cryptlib’s high level of portability and configurability makes it ideal for use in embedded systems with limited resources or specialised requirements, including systems based on Altera NIOS, ARM7, ARM9, ARM TDMI, Coldfire, Fujitsu FR-V, Hitachi SuperH, MIPS IV, MIPS V, Motorola ColdFire, NEC V8xx series, NEC VRxxxx series, Panasonic/Matsushita AM33/AM34, PowerPC, PowerQUICC, Samsung CalmRISC, SH3, SH4, SPARC, SPARClite, StrongArm, TI OMAP, and Xilinx MicroBlaze processors, as well as a large range of licensed derivatives of these cores, too many and varied to enumerate here.
cryptlib doesn’t perform any floating-point operations and runs directly on processors without an FPU, and through its crypto HAL (hardware abstraction layer) capabilities can take advantage of on-chip or in-system cryptographic hardware capabilities and crypto cores where available, typically on some of the more advanced ARM, MIPS, and PPC cores.
The code is fully independent of any underlying storage or I/O mechanisms, and works just as easily with abstractions like named memory segments in flash memory as it does with standard key files on disk. It has been deployed on embedded systems without any conventional I/O capabilities or dynamic memory allocation facilities, with proprietary operating system architectures and services including ATMs, printers, web-enabled devices, POS systems, embedded device controllers, and similar environments, and even in devices with no operating system at all (cryptlib runs on the bare metal). It can also run independent of any form of operating system, and has been run on the bare metal in environments with minimal available resources, in effect functioning as a complete crypto operating system for the underlying hardware.
Because cryptlib functions identically across all supported environments, it’s possible to perform application development in a full-featured development environment such as Windows or Unix and only when the application is complete and tested move it to the embedded system. This flexibility saves countless hours of development time, greatly reducing the amount of time that needs to be spent with embedded systems debuggers or in-circuit emulators since most of the development and code testing can be done on the host system of choice.
Supported embedded environments include AMX, ChorusOS, eCos, FreeRTOS/OpenRTOS, uITRON, LynxOS, MQX, PalmOS, RTEMS, ThreadX, T-Kernel, uC/OS II, VDK, VxWorks, and XMK (alongside embedded forms of conventional operating systems). If required, the cryptlib developers can provide assistance in moving the code to any new or unusual environments.
The cryptlib Security Software Development Toolkit
Available right now, complete with documentation and licencing information!Download Today
Highly portable encryption
Any Hardware, any Operating System
cryptlib’s highly portable nature means that it’s also been employed in a wide range of embedded systems environments.
At the highest level, cryptlib provides implementations of complete security services such as S/MIME and PGP/OpenPGP secure enveloping, SSL, TLS and SSH secure sessions, and other security operations such as secure timestamping (TSP). In addition cryptlib implements a full range of certificate authority (CA) functions, as well as providing complete CMP, SCEP, RTCS, and OCSP server implementations to handle online certificate enrolment/issue/revocation and certificate status checking.
Cyber Threats increase in Sophistication & Intensity
Business owners and managers often overlook the considerable cost, time and complexity involved in completing security projects successfully in-house. They over-estimate the ability of their technical staff to execute the security component in a very specialised and crucial part of their application or product. Internal security costs incurred are damaging to the business, as they also prevent the developer from working on productive tasks more suited to their skill set.
cryptlib developers access a series of ‘layered’ security services according to their needs and capabilities.
cryptlib allows developers to quickly and easily add world-class security services to their applications and products. » Digital Security info….
Unlike many other security toolkits, cryptlib has been designed to minimise the effort required to add security services to your application or product. » Application Security…
Proven Track Record
cryptlib’s reliability and efficiency has been proven through widespread use for nearly two decades across a wide range of sectors. » cryptlib Users…
Any Hardware or OS
cryptlib supports a wide range of hardware platforms and most general-purpose, embedded, and RTOS kernels. » Platforms…
Cost Effective & Efficient
cryptlib cuts development costs and time-to-market. Developers only need to learn a single API to master SSH, SSL, TLS, S/MIME, PGP, & PKI security services. » Cost-effective
Any Embedded Systems
Not dependent on dynamic memory allocation, networking, or filesystem I/O, runs on a wide range of embedded & RTOS environments. » Embedded Systems…
How it works
Its easy to get started
cryptlib is available for free download and evaluation at any time. There is no charge for development seats, only for a commercial deployment of the software.Download
Download the latest cryptlib software, complete with full technical documentation.
Install and evaluate in your development project.
License & Deploy
Buy a software license and deploy in your live environment.
Why Choose cryptlib?
The cryptlib Security Software Development Toolkit allows even inexperienced developers to easily add world-class security services to their applications by learning a single API. cryptlib manages all your SSL, SSH, TLS, S/MIME, PGP, OpenPGP, PKI, X.509, CMP, OCSP and SCEP security requirements, and more. cryptlib was designed by security experts, but not exclusively for security experts. It is highly efficient and has been rigorously tested across a wide range of operating systems and platforms over the last 18 years. The cryptlib software has been deployed and proven in many different sectors, and our clients state that it is the only security software development toolkit you’ll ever need.
cryptlib Security Software Development Toolkit
At the highest level, cryptlib provides implementations of complete security services such as S/MIME and PGP/OpenPGP secure enveloping, SSL, TLS and SSH secure sessions, and other security operations such as secure timestamping (TSP). In addition cryptlib implements a full range of certificate authority (CA) functions, as well as providing complete CMP, SCEP, RTCS, and OCSP server implementations to handle online certificate enrolment/issue/revocation and certificate status checking. Alongside the certificate handling, cryptlib provides a sophisticated key storage interface that allows the use of a wide range of key database types ranging from PKCS #11 devices, PKCS #15 key files, and PGP/OpenPGP key rings through to commercial-grade RDBMS’ and LDAP directories with optional SSL protection.
Any hardware, any OS
In addition to its built-in capabilities, cryptlib can make use of the crypto capabilities of a variety of external crypto devices such as hardware crypto accelerators, Fortezza cards, PKCS #11 devices, hardware security modules (HSMs), and crypto smart cards. Since cryptlib uses industry-standard X.509, S/MIME, PGP/OpenPGP, and SSH/SSL/TLS data formats, the resulting encrypted or signed data can be easily transported to other systems and processed there, and cryptlib itself runs on virtually any operating system — cryptlib doesn’t tie you to a single platform.
cryptlib is supplied as source code for general-pur?pose operating systems including BeOS, DOS, DOS32, IBM MVS, OS/2, OS X, Tandem, a variety of Unix versions (including AIX, Digital Unix, DGUX, FreeBSD/NetBSD/OpenBSD, HP-UX, IRIX, Linux, MP-RAS, OSF/1, QNX, Solaris, SunOS, Ultrix, and UTS4), VM/CMS, 16-, 32-, and 64-bit Windows, and Windows CE/PocketPC/SmartPhone.
cryptlib’s highly portable nature means that it’s also been employed in a wide range of embedded systems environments including:
- KADAK AMX, ARINC653
- Segger embOS
- iOS, µITRON, embedded Linux
- Mongoose OS
- NXP MQX
- Mentor Graphics/Siemens Nucleus
- OSEK / OSEK/VDX, PalmOS
- Express Logic ThreadX
- uClinux, Analog Devices VDK
- Wind River VxWorks
As well as bare-metal environments.
If required, the cryptlib developers can provide assistance in moving the code to any new or unusual environments.
cryptlib comes with language bindings for C / C++, C# / .NET, Delphi, Java, Perl, Python, and Visual Basic (VB).
Many of the core algorithms used in cryptlib have been implemented in assembly language in order to provide the maximum possible performance. These routines provide an unprecedented level of performance, in some cases running faster than expensive, specialised encryption hardware designed to perform the same task. In addition, cryptlib’s crypto HAL (hardware abstraction layer) provides the ability to plug in hardware-assisted crypto for those CPUs that ? allow it. This means that cryptlib can be used for high-bandwidth applications such as video/audio encryption and online network and disk encryption.
Who we are
Our website address is: [enter your site here].
What personal data we collect and why we collect it
When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.
If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
If you leave a comment on our site you may opt in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
Embedded content from other websites
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
Who we share your data with
How long we retain your data
If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
What rights you have over your data
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
Where we send your data
Visitor comments may be checked through an automated spam detection service.
Your contact information
How we protect your data
What data breach procedures we have in place
What third parties we receive data from
What automated decision making and/or profiling we do with user data
Industry regulatory disclosure requirements
Included as core cryptlib components are implementations of the most popular encryption and authentication algorithms, AES, Blowfish, CAST, DES, triple DES, IDEA, and RC5 conventional encryption, MD5, RIPEMD-160, SHA-1, and SHA-2 ?hash algorithms, HMAC-MD5, HMAC-SHA1, HMAC-RIPEMD-160, and HMAC-SHA2 MAC algorithms, and Diffie-Hellman, DSA, ECDSA, ECDH, Elgamal, and RSA public-key encryption algorithms.
“Industry standards compliant”
All algorithms, security methods, and data encoding systems in cryptlib either comply with one or more national and international banking and security standards or are implemented and tested to conform to a reference implementation of a particular algorithm or security system. Compliance with national and international security standards is automatically provided when cryptlib is integrated into an application.
These standards include:
ANSI X3.92, ANSI X3.106, ANSI X9.9, ANSI X9.17, ANSI X9.30-1, ANSI X9.30-2, ANSI X9.31-1, ANSI X9.42, ANSI X9.52, ANSI X9.55, ANSI X9.57, ANSI X9.62, ANSI X9.63, ANSI X9.73, ETSI TS 101 733, ETSI TS 101 861, ETSI TS 101 862, ETSI TS 102, FIPS PUB 46-2, FIPS PUB 46-3, FIPS PUB 74, FIPS PUB 81, FIPS PUB 113, FIPS PUB 180, FIPS PUB 180-1, FIPS PUB 186, FIPS PUB 198, ISO/IEC 8372, ISO/IEC 8731 ISO/IEC 8732, ISO/IEC 8824/ITU-T X.680, ISO/IEC 8825/ITU-T X.690, ISO/IEC 9797, ISO/IEC 10116, ISO/IEC 10118, ISO/IEC 15782, ITU-T X.842, ITU-TX.843, NSA Suite B, PKCS #1, PKCS #3, PKCS #5, PKCS #7, PKCS #9, PKCS #10, PKCS #11, PKCS #15, RFC 1319, RFC 1320, RFC 1321, RFC 1750, RFC 1991, RFC 2040, RFC 2104, RFC 2144, RFC 2202, RFC 2246, RFC 2268, RFC 2311 (cryptography-related portions), RFC 2312, RFC 2313, RFC 2314, RFC 2315, RFC 2437, RFC 2440, RFC 2459, RFC 2510, RFC 2511, RFC 2528, RFC 2560, RFC 2585, RFC 2630, RFC 2631, RFC 2632, RFC 2633 (cryptography-related portions), RFC 2634, RFC 2785, RFC 2876, RFC 2898, RFC 2984, RFC 2985, RFC 2986, RFC 3039, RFC 3058, RFC 3114, RFC 3126, RFC 3161, RFC 3174, RFC 3183, RFC 3211, RFC 3218, RFC 3261 (cryptography- related portions), RFC 3268, RFC 3274, RFC 3279, RFC 3280, RFC 3281, RFC 3369, RFC 3370, RFC 3447, RFC 3546, RFC 3565, RFC 3739, RFC 3770, RFC 3779, RFC 3851, RFC 3852, RFC 4055, RFC 4086, RFC 4108, RFC 4134, RFC 4210, RFC 4211, RFC 4231, RFC 4250, RFC 4251, RFC 4252, RFC 4253, RFC 4254, RFC 4256, RFC 4262, RFC 4279, RFC 4325, RFC 4334, RFC 4346, RFC 4366, RFC 4387, RFC 4419, RFC 4476, RFC 4648, RFC 4680, RFC 4681, and the Payment Card Industry Data Security Standard (PCI-DSS, cryptography-related portions).
In addition cryptlib can be used as an add-on security module to provide security services as per ISO/IEC 62351 for SCADA protocols such as IEC 60870-5, DNP 3.0, IEC 60870-6 (TASE.2 or ICCP), IEC 61850, and IEC 61334 (DLMS).
- Why cryptlib?
At least 10 Good Reasons
- cryptlib allows developers to add world-class security services to their software applications, quickly.
- cryptlib is easy to use. Developers need only learn a single API to master SSH, SSL, TLS, S/MIME, PGP, OpenPGP, and PKI security services.
- All levels of cryptlib developers can approach their security projects with confidence, knowing that they are deploying expert-designed, robust and time-tested security solutions. cryptlib is a high-quality security software solution, fully supported by an experienced technical team, unlike some other open-source toolkits, where technical support is minimal, or non-existent.
- cryptlib is written and maintained by a small, expert team, not a large corporation intent on securing on-going consulting revenue. Our staff are professional in their approach and customer-focused. We offer technical support and advice on complex security projects way beyond any standard ‘support-desk’ level. This means our business and technical objectives are closely aligned, and it is in our best interests to have clients up and running with cryptlib as soon as possible.
- cryptlib is vendor, channel and platform independent. We do not tie the user into a specific hardware platform, or insist on the maintenance of vendor or channel relationships. This offers the user significant portability and flexibility.
- cryptlib is available for free download and evaluation at any time. There is no charge for development seats, only for a commercial deployment of the software.
- cryptlib is widely used, and has received glowing testimonials and references from a range of clients in a number of different sectors in many countries.
- The cryptlib software intellectual property rights are fully owned by Digital Data Security Limited, a private, New Zealand-based and registered limited liability company that has been trading successfully for over 20 years.
- The cryptlib software is OSI Certified Open Source Software. OSI Certified is a certification mark of the Open Source Initiative.
- cryptlib is cost-effective. It saves valuable development time and resource, and delivers peace-of-mind to developers, managers and business owners alike. cryptlib sets the standard for security software development tools, and is truly the developer’s choice.
- $US1Trillion Lost In Stolen IP & Data TheftA McAfee report indicated businesses around the world lose more than $US1trillion annually through data theft and cybercrime. Read more: … Read more
- Bill Hansen – Kleinschmidt Inc, Deerfield, IL, USA“Cryptlib’s high-level functions enable me to effect complex S/MIME transformations with less setup and fewer function calls than other S/MIME … Read more
- Christopher D. Leidigh, Chief Scientist, APC Corp, USA“Cryptographic libraries are at the heart of secure communication systems. If these libraries are poorly designed, or difficult to use, … Read more
- Cryptlib Software Meets TLS 1.2 Standard, Adds ECC SupportThe latest release of the widely-used Cryptlib security software development toolkit is now available. Significant new features includes support for … Read more
- Dr. Zulfikar Ramzan – IP Dynamics Inc, USA“In all, I believe Cryptlib is a fantastic library. It’s clear that Peter Gutmann has meticulously thought through the major … Read more
- Expert FIPS 140 Certification Service AvailableDigital Data Security (DDS) is pleased to announce that we have specialist technical resource available to manage the FIPS* certification process … Read more
- Gregg Kirkpatrick – Ripple Systems, Australia“We have successfully used Cryptlib to deliver a smart card based PKI system to a Local Government Authority in the … Read more
- Independent cryptlib Software ReviewMike Ivanov, Active State, May 2010. http://www.activestate.com/blog/2010/05/python-crypto-state-art-part-3
- Mike Mohanbhai, CEO – ComputerWorks, New Zealand“Cryptlib has been integrated into our MailRules software in order to offer secure, encrypted information to our customers. Demand for … Read more
- New cryptlib 3.3 Release Meets TLS StandardOpen-source security toolkit leads the way in ease-of-use and protection The latest version of the popular Cryptlib security toolkit is … Read more
- New Cryptlib Release Implements TLS-LTSVersion 3.4.4 of Cryptlib implements TLS-LTS (long-term support) for use on systems that may have multi-year or even decade-long update … Read more
- Phillip Arcuri, Ph.D“DiCentral has been using Cryptlib since 2012 and we have been very impressed with the quality of the software and … Read more
- Viggo Kleven“In 2001 we were looking for a good security library. We found Cryptlib and have been using it ever since. … Read more