SECUDE - A General Purpose Security Toolkit
by Wolfgang Schneider
Authenticity and protection of privacy are an increasing concern for
everyone as electronic information storage and exchange grow rapidly.
Example applications where security is needed are the privacy of sensitive
e-mail, unforgeable digitally signed electronic forms and contracts, encryption
of local files, network authentication, electronic data interchange and
software distribution. The use of public-key cryptography makes authenticity
achievable and manageable in a large-scale open electronic communication
society.
SECUDE (Security Development Environment) is a portable general-purpose
security toolkit for Unix and Personal Computer systems (MS-DOS, Windows
95/NT). The free contribution of SECUDE for non-commercial use is part
of efforts in GMD to facilitate the open, authentic and privacy-preserving
electronic telecooperation between people.
SECUDE is a security toolkit which incorporates well-known and established
symmetric and public-key cryptography. It offers a library of security
functions and a well-documented C Application Program Interface which allows
security to be incorporated into virtually any application. In addition there
are a number of ready-to-use utilities with the following features:
- asymmetric cryptographic functions like RSA, DSA, DSS
- symmetric cryptographic functions like DES, Triple DES, IDEA
- various hash functions like MD2, MD4, MD5, SHA, Sqmodn
- Diffie-Hellman key agreement
- security functions for origin authentication, data integrity, non-repudiation
of origin and data confidentiality purposes on the basis of digital signatures
and symmetric and asymmetric encryption
- X.509 key certification functions, handling of certification paths,
cross-certification, certificate revocation
- Public Key Cryptography Standards (PKCS)
- defined interfaces like Authentication Framework (AF), Generic Security
Services-Application Program Interface (GSS-API)
- utilities to sign, verify, encrypt and decrypt files
- utilities and library functions for the operation of certification
authorities (CA) and interaction between certifying CAs and certified users
- utilities and library functions for PEM processing according to RFC
1421-1424
- utilities and library functions for S/MIME processing
- optional: secure access to public X.500 Directories for the storage
and retrieval of certificates, cross-certificates and revocation lists
(integrated secured DUA using strong authentication and signed DAP operations)
- data representations according to ASN.1 BER and DER
- integrity-protected and confidentiality-protected storage of all
security-relevant information of a user (secret keys, verification keys,
certificates etc.) in a so-called Personal Security Environment.
Benchmarks of selected algorithms (kbit/s, Pentium 133, Windows NT 4.0):

| Algorithm | Encryption (Kbit/s) | Decryption (Kbit/s) |
|---|---|---|
| DES-BC | 7272 | 7272 |
| Triple DES | 2749 | 2666 |
| RSA (512 bit) | 51.20 | 4.26 |
| RSA (1024 bit) | 34.13 | 1.44 |

A Personal Security Environment typically contains the user's private
and public key (the latter wrapped in an X.509 certificate), the public
root key which the user trusts, the user's distinguished name, the user's
login name, and the forward certification path to the user's root key.
In addition, the Personal Security Environment allows other users' public
keys to be stored securely after their validation (so that they can henceforth
be trusted like the root key without being verified again), as well as
certificate revocation lists (CRLs).
SECUDE provides two different Personal Security Environment realizations,
a SmartCard environment and a DES-encrypted directory.
Both are accessible only through the use of Personal Identification
Numbers (PINs). SmartCards require a particular hardware and software
environment. SECUDE supports different devices, e.g. the German Telekom system
TCOS combined with the Siemens Nixdorf card reader B1.
An Internet Privacy Enhanced Mail implementation (PEM, RFC 1421-1424)
is part of SECUDE. It provides a PEM filter which transforms any input
text file into a PEM-formatted output file and vice versa, and which should
be easy to integrate into Mail-User Agents or CA tools.
As an additional functionality which goes beyond RFC 1421-1424, SECUDE-PEM
may be configured with an integrated X.500 DUA which allows, for instance,
automatic retrieval of certificates and CRLs during the PEM de-enhancement
process.
Please contact:
Wolfgang Schneider - GMD
Tel: +49 6151 869 700
E-mail: wolfgang.schneider@gmd.de