Updated: $Date: 2003-02-28 16:16:22 +0100 (Fri, 28 Feb 2003) $ $Author: loic $ADMINSITRATIVE PART
C.5. Cryptographic Services provided
[ ] Authentication (*) : ....................
[ ] Access Control (*) : ....................
[X] Signature (*) : DSA, Diffie-Hellman, RSA
[X] Integrity (*) : SHA-1, MD2, MD4, MD5, RIPE MD-160
[X] Confidentiality (*) : RSA, DSA, DES, Triple-DES, Blowfish, CAST5-128, IDEA, RC2, RC4, RC5
(*) Specify the names of the algorithms used.
TECHNICAL PART
General description of the product, the user manual ;
A description of the services provided by the product : cryptographic library with support for the X509 certification environment, and for hardware extensions. Used as a generic cryptographic library in many Free Software programs and specifically for its SSL and X509 support in programs communicating in a secure way over the Internet, either on-line (transport layer for WWW, IMAP, LDAP...), either off-line (S/MIME format e-mail). http://www.openssl.org/docs/ssl/ssl.html; http://www.openssl.org/docs/crypto/crypto.html ;
A description of the cryptographic functions provided by the product (encryption, signature, key management) : Encryption, data signing, public key handling, key certification (X509 format), password protection of private keys, key pair creation and random numbers generation, bignum computing library, safe memory management (erasing deallocated memory chunks, memory locking), flow encryption and authentication (SSL), "nul divulgation" interactive authentication ;
The description of the key management implemented in the software, including at least:
- the distribution method : irrelevant for OpenSSL, it is customary to use files or LDAP repositories ;
- the key generation process/method :openssl-0.9.6d/apps/gendsa.c openssl-0.9.6d/apps/genrsa.c openssl-0.9.6d/apps/gendh.c;
- the key archival format, if relevant: PKCS#8 (http://www.rsasecurity.com/rsalabs/pkcs/pkcs-8/), PKCS#12, PEM or DER formats, in a file. Encryption with symetric algorithms proposed in the sources. ;
- the key transmission format, if relevant: clear transmission of public keys (X509), Diffie-Hellman key exchange during the initalization of an SSL session (directory openssl-0.9.6d/ssl/), PKCS#12 ;The description of technical means implemented to prevent alteration of the encryption method or the associated key management: Calculus: safe memory management (erasing deallocated memory chunks, memory locking), Keys: protected by PKCS#8 encryption, MAC (MD5 and SHA1 algorithms) and PKCS#12 (password protection) ;
The description of pre-processing applied on un-encrypted data before encryption (compression, formating, header addition, etc.):
* PKCS#7 encapsulation (S/MIME) for textual files * other encodings ASN.1 : PKCS#12, X509 * TLSv1 protocol (SSL) for interactive sessions; ;The description of post-processing of encrypted data, after encryption (adding a header, formating, slicing into packets, etc.).
* PEM ("----BEGIN CERTIFICATE----" / "----END CERTIFICATE----") format * TLSv1 protocol (SSL) for interactive sessions, and the selected transport layer (eg. TCP/IP).