Cryptology has quickly grown from a field used only by government and military agencies to one that impacts the day-to-day lives of consumers across the globe. Cryptographic libraries are used by individuals in just about any country in the world when conducting secure online transactions, communicating via secure email or video, and in numerous B2B (business-to-business) transactions. As a result, a number of cryptographic libraries have been developed for most of the major programming languages.
What is a Cryptographic Library?
Implementing a cryptographic library from scratch to fulfill security needs in a development project can be 1 – Costly, and 2 – Time consuming if the task is to be accomplished properly. As a result, a number of both proprietary and open source projects have been developed to help developers create secure projects while avoiding these risks. Not all projects are created equal, however, so a code developer or architect must seek out code libraries that implement the latest versions of security protocols. Additionally, ensuring a code library has undergone proper testing can help a project lead avoid embarrassing loopholes or security vulnerabilities that can result in a project getting a bad name or losing business in the marketplace.
What are the Qualities of a Good Cryptographic Library?
Not all programming libraries are created equally. This aspect of reusing programming code is even more important when considering making use of freely available cryptographic libraries for just about any programming language. For a library to be useful, some of the qualities that it should contain are: 1 – The library should implement the current versions of cryptographic protocols, 2 – The library should be thoroughly tested to avoid introducing vulnerabilities into the programming project, 3 – The organization responsible for developing and maintaining the project should be trustworthy, and 4 – The code library’s license should support use in the developer’s project.
What is SSL?
Secure Sockets Layer (SSL) has become the standard security technology for the Internet to establish an encrypted link between a Web browser and a Web server. The secure data link helps to ensure that all information passed between the web server and web client remains private. SSL is the current industry standard and is used throughout the world to help protect online transactions of all kinds, from banking to online shopping.
In order to create an SSL connection, a web server will require an SSL certificate to conduct the transaction. There are a number of questions that have to be answered when first configuring a web server to conduct SSL operations before the server can create a public and a private key.
Once created, a public key does not have to be kept secret. It is placed into a data file labeled as a certificate signing request (CSR). Once the CSR is created, it should be submitted to a Certification Authority (CA) that will validate the details of the certificate. The CA will then issue an SSL certificate that validates the requesting organization’s details and allows SSL to be implemented over the Internet on the desired website. The web server will then match the SSL certificate that is issued to the locally-held private key.
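The flow described above (key pair, CSR, CA-issued certificate, and the final match against the locally-held private key) can be walked through with the openssl command line tool. This is an added example, not part of the original article; the host name, organization and the throwaway "Demo Test CA" are constructed, and a self-signed root stands in for a real Certification Authority.

```shell
#!/bin/sh
# Added example: the key / CSR / certificate flow, using the openssl CLI.
# Every name below (example.test, "Demo Test CA") is constructed.
umask 077   # private keys must not be readable by other users

# Print a SHA-256 digest of the public key inside a key, CSR or certificate.
pubkey_digest() {   # $1 = key|csr|cert, $2 = file
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

# True only when the certificate carries the public half of this private key.
cert_matches_key() {   # $1 = certificate, $2 = private key
    c=$(pubkey_digest cert "$1") && k=$(pubkey_digest key "$2") && [ "$c" = "$k" ]
}

issue_demo_cert() {   # $1 = empty working directory
    # Server: generate the key pair; only the public key goes into the CSR.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/server.key" \
        -out "$1/server.csr" -subj "/O=Example Org/CN=www.example.test" \
        2>/dev/null || return 1
    # Stand-in for a real CA (constructed): a throwaway self-signed root.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
        -out "$1/ca.crt" -days 30 -subj "/CN=Demo Test CA" 2>/dev/null || return 1
    # CA: sign the CSR; the private key server.key never leaves the server.
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/server.crt" 2>/dev/null
}

work=$(mktemp -d) && issue_demo_cert "$work" \
    && cert_matches_key "$work/server.crt" "$work/server.key" \
    && echo "server.crt matches the locally held server.key"
```

Running the same comparison before installing a renewed certificate catches the common failure where the certificate was issued for a CSR generated from a different key.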
Although the complexities of the SSL protocol remain invisible to the majority of Web users, the implementation details of the protocol typically rely on cryptographic programming libraries that are used by the programming language used by the web server or a compatible technology.
The following is a listing of popular cryptographic libraries in use today. The listing is by programming language and not necessarily “all inclusive” of those that can be found in industry. If you have a favorite library not listed, please include it in the comments section of the article.
C / C++ Programming Language Crypto Libraries
MatrixSSL is an SSL implementation designed for devices that can’t afford a large footprint or overhead. It is one of the only open-source SSL implementations that is specifically designed to be used in embedded environments.
The entire library takes up less than 50K of memory on disk including the cipher suite. The project is written in C and includes the following features: client and server SSL support, implementation of RSA, ARC4, SHA1, MD5, and 3DES, and session resumption. The source code for the project is assessed to be well documented and also includes a portability layer for additional operating system support, cryptography providers, and cipher suites.
MatrixSSL is released under the GNU open source license and when compiled includes just a single library file and API interface. For projects where the GNU license is too restrictive, the developers make a commercial license available through PeerSec Networks. The core package of the MatrixSSL project is an implementation of the SSLv3 communication standard. The current build of the project supports both the Linux and Windows operating systems; however, there is a portable OS layer that allows for easy porting to alternative operating systems.
The OpenPGP SDK is an open source cryptographic library that is written in the C programming language and implements the OpenPGP specification. The project has been successfully implemented in the Ubuntu, FreeBSD, Fedora and OSX operating systems. The OpenPGP SDK’s most recent release was in 2009 and provides an OpenPGP library implementation that conforms to RFC 4800, OpenPGP Message Format (RSA and partial DSA implementation). Features of the SDK include: RSA key generation, RSA encryption and decryption (AES, AES 256, 3DES, and CAST5 algorithm support provided), SHA1, SHA256, SHA384, SHA512, and SHA224 hash algorithm support.
The OpenPGP SDK also includes a free testing suite with the project download. The test suite can be run by developers from the root directory of the project using the “make test” command without the quotes from the command line. Alternatively, the testing suite can be run from the “tests” subdirectory of the project by running ‘./tests’.
The OpenSSL project is authored in the C programming language and is released under an Apache-style license. The OpenSSL cryptographic library includes SSL and TLS protocol support as well as a number of command line applications. The project is released under a dual license that is a by-product of the original SSLeay and current OpenSSL licenses. Each is a BSD-style open source license, and the project is managed by a community of volunteer developers.
The goal of the OpenSSL Project is to produce an open-source, commercial-grade, fully featured toolkit that implements the Transport Layer Security (TLS v1) and Secure Sockets Layer (SSL v2/v3) protocols. The API also includes a full-strength, general purpose cryptography library for developers to leverage while implementing the OpenSSL toolkit in their development projects.
PolarSSL Crypto Library
The PolarSSL cryptographic library is a popular crypto API that includes a significant number of programming examples and more importantly – documentation. The API includes an OpenSSL implementation that helps encourage rapid code development that supports cryptography. The library is available under a choice of two licenses: open source or commercial. This model lets project architects choose the best license for their project. If selecting the commercial option, the fee can be paid at once or split out over a monthly subscription fee.
PolarSSL includes support for most known encryption algorithms found in industry. Symmetric encryption algorithm support in the API is provided for the following algorithms: AES, ARC4, Blowfish, Triple-DES (3DES), DES, Camellia, and XTEA. Where appropriate, the following modes of operation are supported by the API: ECB (electronic codebook mode), CBC (cipher block chaining mode), CFB (cipher feedback mode), and GCM (Galois counter mode).
PolarSSL includes support for the following hash algorithms: MD2, MD4, MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512. To help ensure compliance with the latest NIST standards, the API provides the NIST standardized CTR_DRBG random number generator.
The API is checked against OpenSSL for compliance with the currently published cryptographic standards and is fundamentally designed around the international standard.
Java and C# Programming Language Crypto Libraries
BouncyCastle Crypto API
The BouncyCastle crypto API provides cryptographic library support for both the Java and C# programming languages. The library has been in development for more than 10 years and includes the following features:
– Support for both the C# and Java programming languages.
– Is a provider for both the Java Cryptography Architecture and Java Cryptography Extension.
– Includes support for both reading and writing ASN.1 encoded objects.
– Contains a lightweight API for both DTLS (RFC 4347) and TLS (RFC 4346).
– A signed JAR that is suitable for the Sun JCE and JDK 1.4-1.7 (at the time of this writing).
– Generators for Version 1, 2, and 3 X.509 certificates, and Version 2 CRLs and PKCS12 files.
– Both generators and processors for: S/MIME, CMS, OCSP, TSP, CMP, CRMF, OpenPGP, Extended Access Control (EAC), and data validation and certificate server (RFC 3029).
The BouncyCastle API is able to be incorporated in most major Java builds ranging from J2ME to JDK 1.7 (at the time of this writing). The API is typically upgraded for newly released JDKs after testing.
The developers of the BouncyCastle project now include a developer’s wiki for both the C# and Java builds of the project. The API is released under the MIT Open Source License and is approved for export under the License Exception TSU. The project leads do recommend seeing the Bureau of Industry and Security’s website for additional information regarding the limitations of exporting the codebase for international use.
PHP Programming Language Crypto Libraries
Mcrypt is the current replacement for the legacy UNIX-based crypt() package and crypt(1) command that includes extensions for the PHP programming language. Developers are able to use the package to make use of a large range of encryption functions without having to make significant changes to their programming code. The Mcrypt project is released under the GPL, and supports a wide range of algorithms and modes. Some of the block algorithms supported by the API include: DES, TripleDES, Blowfish (default), 3-WAY, SAFER-SK64, SAFER-SK128, TWOFISH, TEA, RC2 and GOST in CBC, OFB, CFB and ECB cipher modes. The cryptographic library also includes support for RC6 and IDEA with the CFB/OFB being set to 8 bit by default in the library.
How to Install Mcrypt on Windows Computers?
Although there are a number of tutorials around the Web that cover how to install Mcrypt for Windows, most of them are not kind to the developer who does not have a lot of experience with PHP. The following is an attempt to provide a simplified explanation for the developer who has not yet reached “PHP Ninja” status. Many times, when developers have issues with using Mcrypt, the default PHP installation may not have it included or the end-user may have failed to set up the API appropriately.
Step 1 – Download the Windows binary package from the PHP website.
Step 2 – Unzip the binary file to a folder on your computer.
Step 3 – Open the folder that is created on your computer. There should be a file with a name similar to “libmcrypt.dll” located in the folder.
Step 4 – Copy the file to the PHP extension folder.
Step 5 – In the PHP extension folder, locate the folder named “ext.”
Step 6 – Copy the file named “php_mcrypt.dll” to the PHP extension folder.
Step 7 – Edit the php.ini file to include the following line in the vicinity of other “extension=” entries:
Step 8 – If you have difficulty locating the PHP extensions folder, it should be located in a folder similar to “Program Files\PHP\” on a Windows computer.
Step 9 – If you cannot locate the php.ini file, it should also be located in the “Program Files\PHP\” directory. In non-English builds of the Windows OS, the name of the file may vary to better match the language of the OS build.
Step 10 – Save the changes that you make to the php.ini file and Mcrypt should be enabled on your computer.
Other Cryptographic Libraries
Adam Shostack maintains a good list of cryptographic libraries at Source Available Cryptographic Libraries.