SECUDE - A General Purpose Security Toolkit
by Wolfgang Schneider
Authenticity and protection of privacy is an increasing concern of everyone as electronic information storage and exchange is rapidly growing. Example applications where security is needed are the privacy of sensitive e-mail, unforgeable digitally signed electronic forms and contracts, encryption of local files, network authentication, electronic data interchange and software distribution. The use of public-key cryptography makes authenticity achievable and manageable in an open electronic communication society of a large scale.
SECUDE (Security Development Environment) is a portable general-purpose security toolkit for Unix and Personal Computer systems (MS-DOS, Windows 95/NT). The free contribution of SECUDE for non-commercial use is part of efforts in GMD to facilitate the open, authentic and privacy-preserving electronic telecooperation between people.
SECUDE is a security toolkit which incorporates well known and established symmetric and public-key cryptography. It offers a library of security functions and a well documented C Application Program Interface which allows to incorporate security into virtually any application. In addition there are a number of ready-to-use utilities with the following features:
- asymmetric cryptographic functions like RSA, DSA, DSS
- symmetric cryptographic functions like DES, Triple DES, IDEA
- various hash functions like MD2, MD4, MD5, SHA, Sqmodn
- Diffie-Hellman key agreement
- security functions for origin authentication, data integrity, non-repudiation of origin and data confidentiality purposes on the basis of digital signatures and symmetric and asymmetric encryption
- X.509 key certification functions, handling of certification pathes, cross-certification, certificate revocation
- Public Key Cryptography Standards (PKCS)
- defined interfaces like Authentication Framework (AF), Generic Security Services-Application Program Interface (GSS-API)
- utilities to sign, verify, encrypt and decrypt files
- utilities and library functions for the operation of certification authorities (CA) and interaction between certifying CAs and certified users
- utilities and library functions for PEM processing according to RFC 1421-1424
- utilities and library functions for S/MIME processing
- optional: secure access to public X.500 Directories for the storage and retrieval of certificates, cross-certificates and revocation lists (integrated secured DUA using strong authentication and signed DAP operations)
- data representations according to ASN.1 BER and DER
- integrity-protected and confidentiality-protected storage of all security relevant information of a user (secret keys, verification keys, certificates etc.) in a so called Personal Security Environment.
Benchmarks of selected algorithms (kbit/sec, Pentium 133, WinNt-4.0).
DES-BC 7272 7272 Triple DES 2749 2666 RSA (512 bit) 51.20 4.26 RSA (1024 bit) 34.13 1.44
A Personal Security Environment typically contains the user's private and public key (the latter wrapped in an X.509 certificate), the public root key which the user trusts, the user's distinguished name, the user's login name, and the forward certification path to the user's root key. In addition, the Personal Security Environment allows to securely store other's public keys after their validation (allowing henceforth to trust them like the root key without verifying them again), and certificate revocation lists (CRLs).
SECUDE provides two different Personal Security Environment realizations, a SmartCard environment and a DES-encrypted directory.
Both are only accessible through the usage of Personal Identification Numbers (PIN). SmartCards require a particular hard- and software environment. SECUDE supports different devices, eg the German Telekom system TCOS combined with the Siemens Nixdorf card reader B1.
An Internet Privacy Enhanced Mail implementation (PEM RFC 1421-1424) is part of SECUDE. It provides a PEM filter which transforms any input text file into a PEM formatted output file and vice versa, and which should be capable of being easily integrated into Mail-User Agents or CA tools.
As an additional functionality which goes beyond RFC 1421-1424, SECUDE-PEM may be configured with an integrated X.500 DUA which allows, for instance, automatic retrieval of certificates and CRLs during the PEM de-enhancement process.
Wolfgang Schneider - GMD
Tel: +49 6151 869 700