RSA BSAFE Security Tools for C/C++ Developers

RSA Solution Brief

RSA BSAFE® Security Tools for C/C++ Developers Introduction

Built on more than 20 years of expertise in delivering high-quality products for implementing strong security controls in software and networked applications, RSA BSAFE® security software for C/C++ Developers:

— Combines the core security functionality needed by commercial software developers into one common, interoperable and flexible set of libraries

— Provides solutions which support the latest industry standards, as well as industry and government requirements, including FIPS 140 and Suite B

— Offers support for open industry standards and broad platform support to ensure interoperability and future flexibility

— Delivers flexible and highly customizable mainframe environment solutions that effectively protect sensitive data in storage or during transmission to public or private networks

— Offers proven components that speed time to market for software products

DATA SECURITY RSA BSAFE® SOLUTIONS REQUIREMENTS

High Performance Even RSA BSAFE software has memory management and protection services to allow more control of the for Complex Processes memory allocated to hold the output of large math calculations, which ensures high performance. The software also supports many processor and platform optimizations to further optimize performance.

Broad Algorithm Support RSA BSAFE software supports major symmetric and asymmetric algorithms, enabling you to choose the most appropriate algorithm for your unique application constraints

Support for Industry RSA BSAFE software supports many widely accepted industry standards including ANSI 9.3.x and Standards 9.4.x, OCSP, FIPS 186-2, and others to enable the broadest compatibility with cryptographic implementations available on the market

Support for Government RSA BSAFE software earned FIPS 140 validation certificates. FIPS 140 is required for applications Cryptography Standards that use cryptography that are intended for use by the U.S. Federal Government. The cryptography including FIPS 140 and software also implements the latest Suite B cryptography standards published by the National Suite B Security Agency (NSA). Support for these important standards ensures your software will meet the interoperability and compatibility requirements of government applications.

Compliance with Public RSA BSAFE software complies with Public Key Cryptography Standards (PKCS) which define crypto- Key Cryptography graphic processes for easy interoperability. Adherence to these standards, such as PKCS #7, Standards (PKCS) ensures compliance with customer privacy and regulatory requirements, allows the signing of data messages and the opening of enveloped messages in the processing of large data blocks.

Integrates with Existing Support for multiple Certificate Authorities (CA’s), multiple trust models, and standards including Public Key Infrastructure OCSP, CRL, CMP, and SCEP, as well as the ability to import and export keys and certificates using (PKI) Implementations open standards

Support for X.509 RSA BSAFE software supports requesting, creating and parsing X.509 certificates. This provides Certificates interoperability with X.509 digital certificates issued by standards-based Certificate Authorities.

Platform Portability RSA BSAFE software includes specialized interfaces for I/O, time handling, memory management and threading that ease porting to customized application platforms.

2 RSA Solution Brief C/C++ Software for Meeting According to Gartner, companies will continue to place ever more pressure on their software and device Complex Security Requirements vendors to meet certain security requirements in both their own software development life cycles and their products.* Companies are becoming more wary of acquiring software that does not meet the security encryption technology helps developers build trust requirements they are establishing. According to the into applications which can then provide persistent same Gartner research, companies will be looking for protection for sensitive data. the following basic capabilities in the software solutions they purchase:

— Does the product encrypt its data store? Non-repudiation and Strong Authentication

— Does the product encrypt communication? Establishing trust in a transactional environment requires certification of the integrity of individual — Does the product provide an authentication transactions. Trust must also “persist” throughout the mechanism when communicating with its own life of the transaction. Two major components are components, third-party components, applications, required: validation the transaction comes from an services, or tools? authorized sender, and only that sender, and Companies are also increasingly wary of adding these certification the transaction contents remain capabilities after purchase. This is where RSA BSAFE unchanged. RSA BSAFE® Cert software enables security software for C/C++ developers can help. developers to integrate digital transaction signing capabilities which provide a “seal of approval” on the Access control and authentication are just the first sender’s identity as well as a secure digital “wrapper” steps in security development: effective security around the contents. This helps enforce non- requires a “defense in depth” strategy using multiple repudiation because applications have a record of layers of security controls. Customers expect security exactly when and by which entity the transaction was functionality to adapt to their changing requirements. initiated. These capabilities help establish a network In addition to protecting customers, software of trust for your electronic transactions. developers also must protect their own intellectual property against compromise and theft. How can developers ensure their applications have the Data Security over Open Networks appropriate security depth to meet all these requirements? How do developers ensure applications The Sarbanes-Oxley Act and other regulations require are not compromised, putting their customers at risk? companies to establish greater control over sensitive information. Effective security requires “defense in depth”—multiple layers of control. These controls Encryption Technology extend to business automation, network and telephony (including VoIP), and mobile access Companies are putting more and more pressure on devices. Most companies have deployed firewalls and software developers to employ strong security proxies to secure externally traveling transactions, but techniques such as encryption to ensure the privacy ensuring persistent security inside the network is also of sensitive data as well as close vulnerabilities in required. RSA BSAFE® SSL software helps developers their applications. Additionally, data security must be provide protection for transactions as they travel persistent for the life of a transaction, from the point between applications, ensuring the network link of execution through to fulfillment and reconciliation. between the application and the next intended ® Implementing RSA BSAFE Crypto software’s strong destination is a trusted link—safe from prying eyes.

*Gartner Research, Essential Checklist for Evaluating and Purchasing Secure Software, May 2006 RSA Solution Brief 3 RSA BSAFE Crypto

Strong Encryption Technology for Software Developers Persistent Protection for Data at Rest At a Glance Persistent protection requires you to properly secure — Helps application developers comply with data sensitive data at rest in back-office database systems privacy regulations in addition to standard network security controls. Our RSA BSAFE Crypto software is designed to help you — Persistent protection for application data at rest protect sensitive data as it is stored, using strong without compromising existing data models encryption techniques that ease integration with existing data models. RSA BSAFE Crypto software also — High-performance implementations offer effective supports a wide range of industry standard encryption security without compromising application algorithms offering you the flexibility to choose the demands option most appropriate to your requirements. The — Support for open industry standards ensures software also incorporates numerous performance interoperability with existing infrastructure and optimizations to ensure security does not become a flexibility to adapt to regulatory changes over time bottleneck to the throughput requirements of your applications. Using the capabilities of RSA BSAFE — Proven components from an industry leader means Crypto software in your application will help provide a faster time to market persistent level of protection for data, lessening the risk of internal, as well as external, compromise.

Standards Support Eases Integration into your Environment Another reason RSA BSAFE Crypto software is used so widely is the software is designed to support many global security standards so important to the business, financial and electronic commerce networks around the globe. RSA also submits its cryptography software for rigorous FIPS 140 testing and validation, the U.S. government standard which specifies the security requirements to be satisfied by a cryptographic module to be used by a Federal agency. This certification further highlights RSA’s commitment to providing strong, effective and up-to-date encryption solutions for our customers. RSA BSAFE Crypto software is part of the RSA BSAFE line of data security products for developers. These products provide a complete portfolio of solutions for enterprises, software OEMs, and device manufacturers to meet their regulatory and other data security goals.

4 RSA Solution Brief Key Features of RSA BSAFE Crypto

FIPS 140-2 Validated Crypto Module — A broad range of asymmetric (public key) algorithms, symmetric (secret key) ciphers and Suite B Elliptic Curve Support message digests provides flexibility for a wide

ANSI X9.30, X9.31, X9.32, X9.42, X9.56, variety of security needs.

Support X9.62, X9.63, and X9.80 Support Standards — Random number generation via a pseudo-random PKCS #1, #5, #8 and 11 Standards Support number generator (PRNG) and the FIPS 186-2 PRNG.

— Key generation services automate key generation Cryptographic Multi-Precision (CMP) Library and provide for the creation of cryptographic keys.

Message Digests — Cryptographic syntax and data encoding services

Symmetric Algorithms comply with public key cryptography standards (PKCS) for more seamless interoperability.

Services Asymmetric Algorithms — Memory management and protection services allow Cryptographic FIPS 186-2 Pseudo-Random Number more control of the memory allocated to hold the Generation output of large calculations, providing more flexibility. Padding Selection — High-speed math processing provides great Advanced Key Seeding Routines performance in calculations of large numbers — especially critical in public key operations — saving Services Key Generation Application valuable time.

Threading — Standards-based data-encoding services provide improved interoperability when data in Time cryptographic applications is transferred between Services Platform individuals/devices. PCKS #11 Interface

RSA Solution Brief 5 RSA BSAFE Cert

Non-repudiation and Strong Authentication for Sensitive Transactions Multiple Trust Model Support: Hierarchical and Explicit At a Glance — Helps establish a network of trust for electronic Chain Validation transactions

Trust Online Certificate Status Protocol (OCSP) — Allows developers to validate digital signatures to Services Support certify the integrity of transactions Certificate Revocation List (CRL) Support — Supports non-repudiation by offering certification

of a sender’s identity for a transaction Cryptographic Message Syntax (CMS) Services

— Support for open industry standards ensures Certificate Lifecycle Management — Request, interoperability with existing infrastructure and Retrieve, Process and Revoke Certificates flexibility to adapt to regulatory changes over time

Services Generate Self-Signed Certificates Certificate — Proven components from an industry leader means Import and Export Keys or Certificates faster time to market

Public Key Infrastructure: Interoperability with X.509 v3 Standards-Based The Open Standard for Establishing Integrity CAs The security demands on today’s software Private Key and Certificate Storage applications are rapidly changing. The growth of Directory and

business process automation and business-to- Services Storage business integration using the Internet requires a Message Digests mechanism for digital trust not accomplished by traditional physical barriers, usernames/passwords Symmetric Algorithms and other authentication and verification methods. Asymmetric Algorithms

Public key infrastructure (PKI) leverages public key Services

cryptography and provides a unified, scalable Cryptographic Key Generation framework for securing a wide range of enterprise and Internet applications. The scalability of PKI comes PCKS #11 Interface from the use of public/private key pairs and the comparative safety in exchanging public keys over Threading open networks. PKI-based digital certificates allow Services Platform Time developers to bind public keys to the identities of individuals and entities—to support authentication, credential validation and the establishment of rules of trust between parties in a transaction. RSA BSAFE Cert software provides the capabilities software developers need to implement this open standard into their transactional environment.

6 RSA Solution Brief Simplifying Development and Deployment — Cert software is built on the strong cryptographic of a Network of Trust and authentication services provided by RSA BSAFE RSA BSAFE Cert software gives application developers Crypto software. the capabilities they need to simplify the — Multi-threaded code generation improves the development of applications for managing digital performance of certificate and key handling certificates and integration into a public key operations. infrastructure. These products help organizations and software vendors build open PKI applications and — Request a certificate via PKCS#10, public key security products not tied to a single PKI vendor. cryptography infrastructure (X.509) [PKIX], Applications created with these products seamlessly Certificate Request Syntax (CRS), Certificate and automatically interoperate with existing PKI Management Protocol (CMP) or Simple Certificate products that support Public Key Cryptography Enrollment Protocol (SCEP). Standards (PKCS) and Public Key Infrastructure x.509 — Retrieve a certificate via PKCS#7, Basic Encoding (PKIX) standards. In addition to the certificate Rules (BER), Distinguished Encoding Rules (DER), management functionality, RSA BSAFE Cert software CRS, CMP or SCEP. includes protocol support for real-time PKI interaction, including certificate request/response operations — Process a certificate such as certificate enrollment, look-up and validation. Extract a public key Key Features of RSA BSAFE Cert Generate a self-signed certificate — Directory and PKI access services provide flexibility, Extract certificate extensions (parsing) interoperability and developer ease of use through Provide for full certificate extension support a directory interface which provides storage and retrieval of keys and certificates. PKI access allows Verify a certificate signature for certificate-enabled applications to work out of — Revoke a certificate with CMP the box with standards-based certificate authorities. — Check a certificate revocation with Online Certificate Status Protocol (OCSP) and Certificate — Cryptographic message syntax (CMS) services Revocation List (CRL) support standards on how to encode signed and/or enveloped messages so they may be securely — Sign data with PKCS#7 signatures or digital exchanged over open networks to allow for signatures via cryptography product interoperability and ease of use. — Import keys and certificates from other sources with — Trust services allow increased flexibility by PKCS#7, 8 and 12 supporting chain validation of hierarchical trust relationships and support for multiple trust models, — Export certificates to other sources with PKCS#12 e.g., self-signed certificates and explicit trust — Export private keys to other sources with PKCS#8 relationships. — Store private keys and certificates in LDAP, in- — Certificate services provide facilities to create, memory database or full-featured database request, retrieve and store digital certificates, (CodeBase) including support for self-signed certificates, and cross-certificates. Support for certificate extension extraction and certificate revocation enables full certificate life-cycle management.

RSA Solution Brief 7 RSA BSAFE SSL

Protection for Sensitive Data Traveling Over Open Extending Security To The Edge Of The Network Networks The tools of electronic transactions and the At a Glance technologies that support them—from the Internet and e-mail to VPN and WAP gateways—are all vulnerable to — Provides protection for sensitive data as it travels attack by hackers and mischief-makers. These over open networks, both internal and external transactions and agreements can be tampered with, — Uses the open standard Secure Sockets Layer (SSL) forged and blocked, while communications sent via e- and Transport Layer Security (TLS) protocols to mail and wireless technologies can be intercepted and provide data protection for network transactions their confidentiality broken. These threats also extend inside the network perimeter. Regulatory compliance — Allows developers to implement persistent and assurance of data privacy requires persistent protection for sensitive transactions to the edge of enforcement of security rules throughout the network. the network RSA BSAFE SSL software will help application — Proven components from an industry leader means developers build persistent enforcement into their faster time to market compared to open-source applications for all network transactions from the offerings edge of the network through to internal systems.

Secure Sockets Layer (SSL): The Open Standard for Creating Trusted Networks Secure Sockets Layer (SSL) is the Internet security protocol for point-to-point connections. It provides protection against eavesdropping, tampering and forgery. Clients and servers establish a secure link (or “pipe”) across the Internet to protect the information being sent and received. Customers can have confidence their information is confidential, authentic and original during an Internet connection using SSL. It is a formidable task for developers to become familiar with the various areas to consider, such as the protocol infrastructure, upper layer services and underlying cryptographic algorithms. Using RSA BSAFE SSL software, developers can easily add support for creating trusted network links between applications providing persistent security for transactions as they travel over open internal and external networks.

8 RSA Solution Brief Key Features of RSA BSAFE SSL

Network Layer Optimizations — Support for standard SSL v2, SSL v3 and TLS v1 protocols Blocking and Non-Blocking I/O Support — Support for public key cryptography standards Session Caching (PKCS) #1, 10, and 11

Built-in Protocol Handler Protocol Services — Supports requesting, creating and parsing X.509 TLS v1 Support standard digital certificates

SSL v2 and v3 Support — Supports client / server authentication and message authentication using the HMAC standard

Client and Server Authentication Services — Network layer optimizations support multiple

PKCS#1, #10 and #11 Support network protocols with a built-in protocol handler, session caching and blocking I/O with non-blocking Services

Certificate Certificate Certificate Management Services I/O support

— Improves scalability by including code FIPS 140 Crypto Support optimizations to run on popular platforms and processors; supports multi-threaded use. RSA’s Protocol Cipher Suites implementation of HP’s patented MultiPrime™ Services

Cryptographic technology helps optimize the performance of RSA private key operations in SSL transactions. Threading

Time Services Platform PCKS #11 Interface

RSA Solution Brief 9 Appendices

Complying with Data Security Guidelines Support for Mainframe Systems for Government Systems Not everyone is using databases to store all their Our technology meets or exceeds the information persistent data. This data is often still stored in VSAM security best practices and requirements established or QSAM data sets on the mainframe. Additionally, by the U.S. National Institute for Standards in many transaction or extract files exist containing Technology (NIST) and the U.S. National Security transient data. While UNIX System Services and Agency (NSA) as specified in FIPS 140, Suite B, and hierarchical file systems have been part of the IBM other security standards. Our customers including zSeries environment for many years, hierarchical file Lockheed Martin, Northrop Grumman, the U.S. systems are still not the predominant data storage Department of Homeland Security, the U.S. Senate, location. and many other agencies and their suppliers count on RSA supports Language Environment based program RSA technology that meets these standards to keep development with RSA BSAFE for C/++ Developers highly sensitive information protected. software. RSA submits all of its cryptography products for FIPS 140 testing and validation through the rigorous Cryptographic Module Validation Program (CMVP) PLATFORM SUPPORT CRYPTO CERT SSL established by NIST. The FIPS 140 validation program assures cryptographic libraries meet defined Operating Systems characteristics for robustness, security of the

architecture, and support for standard algorithms. We Microsoft® Windows® ✓✓✓ have also added support for the Suite B cryptography standards. This support allows us to meet the latest Sun® Solaris™ ✓✓✓ commercial cryptography software requirements for HP-UX ✓✓✓ protection of classified and other sensitive

information in government agencies. We continually Red Hat® Linux® ✓✓✓ update our solutions to meet the latest NIST guidelines so our customers have the confidence of Novell SUSE Linux ✓✓✓ using the most reliable security technology available IBM® AIX® ✓✓✓ for protecting network transactions, data stores, and device applications. z/OS ✓✓

OS/400 ✓✓

Ports on many other ✓✓✓ platforms available

10 RSA Solution Brief Algorithm Support Supported Standards

— RSA, RSA with MultiPrime™ technology, DSA and — FIPS 140 — for Crypto and SSL Diffie-Hellman — SSL v2, SSL v3, and TLS v1 protocols — for SSL — AES, RC5®*, RC4®, RC2®, DES, 3DES and DESX** — American National Standards Institute (ANSI) — — MD2, MD5, HMAC, SHA-1, SHA-224**, SHA-256*, X9.30, X9.31, X9.32, X9.42, X9.56, X9.62, X9.63, and SHA-384* and SHA-512* X9.80 — for Crypto

— Elliptic Curve Digital Signature Algorithm (ECDSA), — Public Key Cryptography Standards (PKCS) Elliptic Curve Diffie-Hellman (ECDH) and Elliptic #1, 5, 8, and 11 — for Crypto Curve Authenticated Encryption Scheme (ECAES)** #1, 3, 5, 7, 8, 10, 11 and 12 — for Cert, — SEED (Korean algorithm) ** #1, 10, and 11 — for SSL

— Certificate format — X.509 v3 — for Cert and SSL

— LDAP directory — v2 — for Cert

* Supported in the RSA BSAFE Crypto and Cert software ** Supported only in the RSA BSAFE Crypto software RSA Solution Brief 11 RSA is your trusted partner

RSA, The Security Division of EMC, is the expert in information-centric security, enabling the protection of information throughout its lifecycle. RSA enables customers to cost-effectively secure critical information assets and online identities wherever ©2007 RSA Security Inc. All Rights Reserved. they live and at every step of the way, and manage RSA, RSA Security, BSAFE and the RSA logo are either registered trademarks or trademarks of RSA Security Inc. in the United States security information and events to ease the burden of and/or other countries. Windows and Microsoft are registered compliance. trademarks or trademarks of the Microsoft Corporation in the U.S. and/or other countries. EMC is a registered trademark of EMC Corporation. All other products and services mentioned are trademarks RSA offers industry-leading solutions in identity of their respective companies. assurance & access control, encryption & key BCCD SB 0407 management, compliance & security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform, and the data that is generated. For more information, please visit www.RSA.com and www.EMC.com.