Messaging and Directory Server software used around the world in the Government, Military, Aviation and Commercial sectors.
This page describes security infrastructure components that are used by many of the Isode products. Along with the page on SASL (Simple Authentication and Security Layer) and the page on TLS (Transport Layer Security) this describes all of the infrastructure of the Isode products that use cryptography.
X.509 and Strong Authentication
X.509 describes an approach to providing and managing authentication using asymmetric cryptography, generally referred to as Public Key Infrastructure (PKI). X.400 and X.500 defined authentication mechanisms using X.509 PKI, which these standards referred to as "strong authentication". Isode uses the terms strong authentication to mean authentication based on X.509 PKI. This is common usage of the term, although it is sometimes used to refer to other technologies.
A summary of X.509 based PKI is given in the Isode White Paper A Short Tutorial on Distributed PKI, a general description of the benefits of strong authentication can be found in the whitepaper "The Security and Administrative Benefits of using X.509 PKI based Strong Authentication" and an explanation of X.509 concepts and terminology can be found here.
X.509 is used by Isode's products. Isode's security infrastructure includes:
- Libraries to enable applications to perform X.509 verification in support of strong authentication.
- Encrypted storage of private key and certificates in a PKCS#12 format file.
- Certificate and CRL cache.
- Infrastructure common to various Isode management tools, that enable setting up of X.509 credentials for a client or server, and interaction with a Certification Authority (CA) using PKCS#10 Certificate Signing Requests. This enables use of Isode products with most CAs, including the Isode Mini CA.
- Sodium enables generation of PKCS#10 CSRs for objects stored in the directory, to facilitate setup of X.509 configuration.
PKCS#11 is a widely used API for access to cryptographic hardware and software. Isode makes internal use of PKCS#11, and plans to extend this to provide support for smart cards and server side cryptographic hardware in future releases.
Authentication used with Transport Layer Security
Transport Layer Security (TLS) is an Internet Standard for providing data confidentiality, and is used by Isode. Details are provided here. TLS provides strong authentication using X.509 Certificates. Internet messaging and directory protocols make use of SASL to provide authentication services. When X.509 based authentication is used by messaging and directory protocols, the SASL authentication is made available to the application by the "SASL External" mechanism. This means that the application authenticates within the SASL framework, but uses the underlying TLS X.509 authentication to provide the authentication service. TLS provides two X.509 based authentication mechanisms:
- Client Authentication. Where a client application is authenticated by a server (e.g., For and LDAP server to verify the identity of a client).
- Server Authentication. Where the identity off a server is authenticated
by a client (e.g., for an LDAP client to ensure that it is talking
to the correct server).
Use of Directory
X.509 PKI can use the directory for two important functions: CRL checking and certificate paht building. These are described in the Isode white paper "Distributed Directory in support of Large Scale PKI" and are supported by the Isode products for Strong Authentication in the OSI protocols and for Signed Operations.
Cryptographic Algorithms
Isode infrastructure uses the following cryptographic algorithms.
| Asymmetric Cryptography | Supporting Hash Algorithms |
| RSA | MD2; MD5; SHA1 |
| DSA | SHA1 |
| ECDSA | SHA1 |
Strong Authentication Conformance
Isode products conform to the following standards for strong authentication, including management:
| ITU-T Recommendation X.509 (1997 E) | Information Technology - Open Systems Interconnection – The Directory: Authentication Framework, June 1997. |
|---|
PKCS (Public-Key Cryptography Standards) published by RSA Labs:
| PKCS#10 | Certification Request Syntax Standard – Version 1.7 |
|---|
| PKCS#11 | Cryptographic Token Interface Standard – Version V2.11 |
|---|
| PKCS#12 | Personal Information Exchange Syntax Standard – Version 1.0 |
|---|
Underlying Technology
Isode makes use of the OpenSSL package to provide:
- TLS.
- The X.509 used by applications making use of TLS, and the Mini CA product.
- The cryptography in support of all Isode X.509 implementations
OpenSSL has FIPS 140-2 conformance which is a US government security standard for cryptographic modules defined here. This is a high quality package used by many commercial products. Isode would like to acknowledge the contribution from the authors of OpenSSL, and of the organizations that have funded work on these packages.
There is also a strong security benefit in using open source technology, particularly for the cryptographic components. Because the source is widely used and openly available, it has been subject to substantial peer review. This leads to a high confidence in the security of these products. Isode tracks versions of OpenSSL, and in the event of security fixes to OpenSSL which may Impact Isode products, will release product updates.
Isode's X.509 used by X.400 and X.500 protocols is based on the CML open source package, using OpenSSL cryptography. CML is a high functionality package, providing broad X.509 capabilities, developed with US Government funding.
