This page describes the security infrastructure components that are shared by many of the Isode products. Together with the page on SASL (Simple Authentication and Security Layer) and the page on TLS (Transport Layer Security), it covers all of the infrastructure in the Isode products that uses cryptography.

X.509 and Strong Authentication

X.509 describes an approach to providing and managing authentication using asymmetric cryptography, generally referred to as Public Key Infrastructure (PKI). X.400 and X.500 define authentication mechanisms based on X.509 PKI, which these standards refer to as "strong authentication". Isode uses the term strong authentication to mean authentication based on X.509 PKI. This is the common usage of the term, although it is sometimes applied to other technologies. A summary of X.509 based PKI is given in the Isode white paper "A Short Tutorial on Distributed PKI", a general description of the benefits of strong authentication can be found in the white paper "The Security and Administrative Benefits of using X.509 PKI based Strong Authentication", and X.509 concepts and terminology are explained on a separate page. X.509 is used throughout Isode's products. Isode's security infrastructure includes:
PKCS#11 is a widely used API for access to cryptographic hardware and software tokens. Isode makes internal use of PKCS#11, and plans to extend this to support smart cards and server-side cryptographic hardware in future releases.

Authentication used with Transport Layer Security

Transport Layer Security (TLS) is an Internet Standard for providing data confidentiality and integrity on a connection, and is used by Isode; details are given on the TLS page. TLS provides strong authentication using X.509 certificates. The Internet messaging and directory protocols use SASL to provide authentication services. When X.509 based authentication is used by these protocols, the TLS authentication is made available to the application through the SASL EXTERNAL mechanism: the application authenticates within the SASL framework, but the underlying TLS X.509 authentication provides the authentication service, so the identity the application sees is derived from the certificate the peer presented, and that was verified, during the TLS handshake. TLS provides two X.509 based authentication mechanisms:
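The certificate validation that sits behind TLS strong authentication, and that the directory supports in the next section, shown with the OpenSSL command-line tool. This is an added example written for this page, not Isode's code: it builds a two-level hierarchy (root CA, issuing CA, end-entity certificate, all with invented names), then has `openssl verify` build the path from the end-entity certificate to the trust anchor, locating the issuing CA certificate from an untrusted pool in the way the directory supplies intermediates in Isode's design, and finally checks the certificate against its issuer's CRL before and after revocation. It assumes only that the `openssl` binary is installed and needs no network access.

```shell
#!/bin/sh
# Added example (not Isode's code): certificate path building and CRL
# checking with the OpenSSL command-line tool, the library Isode builds on.
# All names (Example Root CA, Example Issuing CA, mta.example.net) are
# invented for the demonstration; it needs only the openssl binary.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Sign a certificate. With no issuer the certificate is self-signed (root CA);
# otherwise the CSR is signed with <issuer>.crt and <issuer>.key.
issue() { # issue <name> <subject> <extfile> [<issuer>]
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  if [ $# -lt 4 ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -sha256 \
      -extfile "$3" -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
      -days 30 -sha256 -extfile "$3" -out "$1.crt" 2>/dev/null
  fi
}

# Two-level hierarchy: root -> issuing CA -> end entity. The issuing CA is
# the certificate a path builder has to find (from the directory, in Isode's
# design); the end entity is the one the application wants to trust.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > ee.ext
issue root "/CN=Example Root CA"    ca.ext
issue sub  "/CN=Example Issuing CA" ca.ext root
issue ee   "/CN=mta.example.net"    ee.ext sub

# Minimal "openssl ca" setup for the issuing CA, used only to keep the
# revocation database and to sign CRLs.
cat > sub.cnf <<'EOF'
[ ca ]
default_ca       = sub_ca
[ sub_ca ]
database         = index.txt
certificate      = sub.crt
private_key      = sub.key
default_md       = sha256
default_crl_days = 7
crlnumber        = crlnumber
EOF
touch index.txt
echo 1000 > crlnumber

# Publish the issuing CA's current CRL as <out>.
gen_crl() { openssl ca -config sub.cnf -gencrl -out "$1" 2>/dev/null; }

# Mark the end-entity certificate as revoked in the issuing CA's database.
revoke_ee() { openssl ca -config sub.cnf -revoke ee.crt 2>/dev/null; }

# Validate ee.crt: root.crt is the only trust anchor, sub.crt is offered as
# an untrusted candidate the path builder must place between the two, and
# when a CRL is given the end-entity certificate is checked against it.
# Returns openssl verify's exit status: 0 only if the path validates.
verify_ee() { # verify_ee [<crl>]
  if [ $# -ge 1 ]; then
    openssl verify -CAfile root.crt -untrusted sub.crt -crl_check -CRLfile "$1" ee.crt
  else
    openssl verify -CAfile root.crt -untrusted sub.crt ee.crt
  fi
}

# Same check, reported as the word "valid" or "invalid" instead of a status.
verdict() { if verify_ee "$@" >/dev/null 2>&1; then echo valid; else echo invalid; fi; }

# Demonstration: the path builds; with a fresh CRL the certificate is still
# valid; after revocation and a new CRL the same path is rejected.
verify_ee
gen_crl fresh.crl
verify_ee fresh.crl
revoke_ee
gen_crl revoked.crl
if verify_ee revoked.crl; then echo "unexpected: revoked certificate accepted"; exit 1; fi
echo "revoked certificate correctly rejected"
```

The last two checks show the caveat that matters operationally: a CRL is only as good as its freshness. The certificate has been revoked, yet validation against the CRL issued before the revocation (fresh.crl) still succeeds, so a deployment that fetches CRLs from the directory must also honour each CRL's nextUpdate and re-fetch on time rather than caching indefinitely.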
Use of Directory

X.509 PKI can use the directory for two important functions: CRL checking (retrieving the certificate revocation lists published by each CA) and certificate path building (retrieving the intermediate CA certificates needed to link an end-entity certificate to a trust anchor). These are described in the Isode white paper "Distributed Directory in support of Large Scale PKI" and are supported by the Isode products for Strong Authentication in the OSI protocols and for Signed Operations.

Cryptographic Algorithms

Isode infrastructure uses the following cryptographic algorithms.
Strong Authentication Conformance

Isode products conform to the following standards for strong authentication, including its management:
PKCS (Public-Key Cryptography Standards), published by RSA Laboratories:
Underlying Technology

Isode makes use of the OpenSSL package to provide:
A FIPS 140-2 validated version of OpenSSL is available; FIPS 140-2 is the US government security standard for cryptographic modules. OpenSSL is a high quality package used by many commercial products. Isode would like to acknowledge the contribution of the authors of OpenSSL, and of the organizations that have funded work on it. There is also a strong security benefit in using open source technology, particularly for the cryptographic components: because the source is widely used and openly available, it has been subject to substantial peer review, which gives high confidence in its security. Isode tracks OpenSSL releases and, in the event of security fixes to OpenSSL that may impact Isode products, will release product updates. Isode's X.509 support for the X.400 and X.500 protocols is based on the open source CML (Certificate Management Library) package, using OpenSSL for the cryptography. CML is a high functionality package, providing broad X.509 capabilities, developed with US Government funding.
Copyright © 2009 Isode