Cryptographic Layer
Alexander Liss
07/10/01
Implementation of cryptography in software is the foundation of the security systems built on top of it. It has to satisfy stringent security requirements, it has to be reliable (its failures can be exploited), and it has to be highly available in spite of its computational intensity. This means that the implementation of cryptography has to be done by specialists.
It is complex: many details that are not widely known have to be done properly to make it secure. Hence, it is desirable to encapsulate it, so that it can be done once and used many times by different applications.
Substantial work has already been done in this direction through standardization and readily available software and hardware products. However, further encapsulation has to be done in the form of cryptographic services, which are accessed by applications through a minimal interface that precludes the possibility of misuse. Everything that can be hidden from an application programmer, such as private keys, details of the implementation of cryptographic procedures, etc., should be hidden.
We provide a C++ interface for such encapsulation, the Cryptographic Layer. Its implementation can vary depending on the available tools.
Cryptographic products provide powerful tools: thread-safe, with remote access to computing and secure storage resources. If such tools are available, then the Cryptographic Layer is a thin wrapper around them.
Otherwise, there is a need for another layer of implementation - an implementation of a set of basic cryptographic routines, secure storage, etc. This layer is a Cryptographic Base.
This layer has to be designed so that it is easy to add new cryptographic routines or new variants of their implementation.
The first "user" of the Cryptographic Layer is a software module facilitating certificate verification, the Verifier. Because we want to provide a uniform interface for such a module, we have to define a representation of a Certificate (in both of its forms: the original, and the opened form after verification).
There are a few large areas of cryptographic applications, such as virtual private networks, Public Key Infrastructure, and securing communication, for example with the Secure Socket Layer protocol (SSL).
SSL and other SSL-like protocols are especially complex. To facilitate their implementation we provide a Cryptographic Wrapper layer on top of the Cryptographic Layer and the Verifier.
One can see how the design decisions were made by analyzing the layers from SSL to the Cryptographic Wrapper, to the Cryptographic Layer and Verifier, to the Cryptographic Base.
The Cryptographic Wrapper has to support SSL: the Record Layer, the full Handshake, and the abbreviated Handshake at a socket's reconnect. It has to hold its own certificates and it has to be able to sign with its own private keys.
The Verifier supports work with certificates. It has to check their revocation status. It is desirable for it to remember some history of verification in a cache, so that a slow verification procedure can be sped up.
The Cryptographic Layer should provide channels for hashing and symmetric-key encryption in which data is passed to the layer in portions; it has to provide public-key procedures, etc.
An important feature of the Cryptographic Layer is that a private key never leaves it. It is generated there, stored in a secure database, and used there when needed.
From outside, a private key is referenced with its public key. In turn, a public key could be stored in a certificate.
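As an added example (not code from the original article), here is a minimal C++ sketch of the two properties just described: a hashing channel that accepts data in portions, and a layer that keeps private keys internal and lets callers reference them only by their public key. The class names, the toy FNV-1a hash and the keyed-hash "signature" are placeholders for real primitives; only the interface boundary is the point.

```cpp
// Added example: sketch of the Cryptographic Layer boundary.
// Toy primitives (FNV-1a hash, keyed-hash "signature") stand in for real
// algorithms; the shape of the interface is what is being demonstrated.
#include <cstdint>
#include <map>
#include <stdexcept>
#include <string>

// Hashing channel: data arrives in portions via update(), digest on finish().
class HashChannel {
    uint64_t state_ = 1469598103934665603ULL;  // FNV-1a 64-bit offset basis
public:
    void update(const std::string& chunk) {
        for (unsigned char c : chunk) { state_ ^= c; state_ *= 1099511628211ULL; }
    }
    uint64_t finish() const { return state_; }
};

// One-shot convenience: same digest as feeding the data in a single portion.
inline uint64_t hashAll(const std::string& data) {
    HashChannel h; h.update(data); return h.finish();
}

class CryptographicLayer {
    // Private keys live only here, indexed by the public key that names them.
    std::map<std::string, uint64_t> privateKeys_;
    uint64_t counter_ = 0;
public:
    // Generates a key pair inside the layer and returns only the public half.
    std::string generateKey() {
        uint64_t priv = hashAll("seed" + std::to_string(++counter_));  // toy keygen
        std::string pub = "pub:" + std::to_string(hashAll(std::to_string(priv)));
        privateKeys_[pub] = priv;
        return pub;
    }
    // Signs with the private key referenced by its public key; the key never leaves.
    uint64_t sign(const std::string& pub, uint64_t digest) const {
        auto it = privateKeys_.find(pub);
        if (it == privateKeys_.end()) throw std::invalid_argument("unknown public key");
        HashChannel h;  // toy keyed hash standing in for a real signature
        h.update(std::to_string(it->second) + ":" + std::to_string(digest));
        return h.finish();
    }
    bool hasKey(const std::string& pub) const { return privateKeys_.count(pub) != 0; }
};
```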
The Cryptographic Base provides a minimal "middleware", which allows the implementation of every type of cryptographic procedure, secure storage, etc. to be done as an independent software module. This simplifies the development and maintenance of the software.