1. 1 PK-Enabling Toolkits August 27, 2001

2. 2 CSOS Interfaces STATUS CHECKING Network Interface: HTTP Port 80 PKI Interface: PKCS 10 Request PKCS 7 Response Network Interface: LDAP v3 Port 389 PKI Interface: LDAP Request Entrust Web Connector X.500 Directory ENROLLMENT

3. 3 CSOS Client Operations nSigning (FIPS 186-2) l Signature Algorithm Support: DSA, RSA, ECC l Hash  SHA-1 nVerification l Validity Check (Is the certificate expired?) l Signature verification (SHA-1) l Certificate status check (LDAP) l Extension checks

4. 4 How does choosing the right toolkit affect your application? nToolkits vary in the functionality in which they support (Transparent key rollover, PKCS 11 support etc.) nSome toolkits have features that may be only meaningful with specific CA products. (.epf) nToolkits vary on which algorithms they support (RSA, Elliptical Curve, Diffie-Hillman etc.) n Does the toolkit meet FIPS 140-1 certification?

5. 5 Issues nAre the toolkits standards-based? Interoperable with popular COTS PKI’s? nSupport for PKCS #7 and PKCS #10 (Cert. Request and Response) nSupport for PKCS #11 (Ability to store certificate on a smart card) If desired… nCertificate Store- How certificates and access to keys are managed

6. 6 Issues (Continued) nAre toolkits affected by certain web browsers? (IE vs. Netscape) nPlatform Support nFIPS Web Site  http://csrc.nist.gov/cryptval/ l RSA Crypto-C (Cert # 163; 8/15/2001) l Microsoft CAPI Modules (Cert # 60, 68, 75, 103, 106, 110; 8/05/1999 to 08/15/2000 l Entrust Crypto Kernel (Cert # 130; 12/20/2000)

7. 7 Platform Support RSA BSafe   Entrust SDK  Microsoft CAPI  Win32 Solaris HP-UX Linux AIX

8. 8 RSA BSAFE Toolkit nRSA BSAFE provides a line of products to support PK-Enabling applications. nSupports PKCS #7, PKCS #10 and PKCS #11 nMulti vendor support for Windows, Solaris, Linux, HP-UX, AIX n Support for all necessary algorithms nCustomer support via. Professional Services Division

9. 9 Microsoft Crypto API Toolkit nMicrosoft’s Crypto API (CAPI) is a general purpose software-based toolkit that provides a library of key cryptographic modules. nProvides the ability for developers to use key cryptographic functions without the need to understand PKI nUses common APIs, transparent to applications, multi-product support (via multi CSP support) nThe CAPI SDK is freely downloadable at www.microsoft.com nNo support is currently available for this toolkit

10. 10 Entrust Toolkit nThe Entrust toolkit provides the ability to add digital signatures and encryption to applications. nProvides multi-CA support nNo specific client is required to sign and validate a file nSupport for PEM and PKIX standards nFreely downloadable at www.entrust.com nSupport available for a nominal fee

11. 11 FIPS 140-1, -2 Validation nStandard is defined by National Institute of Standards and Technology (NIST) nSecurity Level 1: a cryptographic module is not required to employ authentication mechanisms to control access to the module. It will then be required that one or more roles be implicitly or explicitly selected by the operator nSecurity Level 2: a cryptographic module shall employ role-based authentication to control access to the module

12. 12 FIPS 140-1, -2 Validation nSecurity Levels 3 & 4: a cryptographic module shall employ identity-based authentication mechanisms to control access to the module nFIPS 140-1 testing ends May 25, 2002 n“After May 25, 2002, all previous validations against FIPS 140-1 WILL STILL BE RECOGNIZED.”

13. 13 Questions?