Cryptographic Development Kits

Overview
ISC CDKs are flexible, cost-effective libraries of linkable cryptographic modules that allow you to add encryption, digital signatures, and message authentication to any application. They reduce the cost of developing secure applications by applying readily available, commercially supported, conventional and public key technology.
ISC CDKs make standards-based cryptographic building blocks available to developers and integrators. Use them to construct secure corporate applications for internal use or OEM products for resale.
Purchase a complete FIPS 140-2 validated library or have us customize one that targets your specific application. ISC can provide implementations of the following federal and industry standards††:
- Rivest-Shamir-Adleman (RSA†) public key encryption and digital signatures
- NIST Digital Signature Algorithm (DSA) and Elliptic Curve DSA (ECDSA†, EdDSA)
- Diffie-Hellman (DH) and Elliptic Curve Diffie-Hellman (ECDH†) key agreement
- ElGamal and elliptic curve ElGamal public key encryption
- NIST Advanced Encryption Standard (AES†)
- NIST Secure Hash Algorithm (SHA-1, SHA-2†, SHA-3, SHAKE)
- NIST HMAC and XOFs (cSHAKE, KMAC, ParallelHash, TupleHash)
- NIST KDFs (ANSI X9.63, HKDF, IKEv1, IKEv2, One Step, PBKDF, SNMP, SSH, TLS, TPM)
- ChaCha20 and Poly1305 authenticated encryption with additional data (AEAD)
- NIST Data Encryption Standard (DES), triple DES (TDES), and DESX
†NSA Commercial National Security Algorithm Suite algorithms
††A more complete list of the available cryptographic algorithms, protocols, and schemes in the CDK appears in the “Standards” section below.
Applications
ISC CDKs can be used to add confidentiality and authentication to a wide variety of applications:
- security-enhanced device drivers (such as an encrypting file system filter)
- e-mail applications
- electronic funds transfer and EDI
- document transmission, and
- messaging and VoIP products
The latest version even provides support for building simple SSL/TLS clients (with one- or two-sided authentication).
Ease of Use
The ISC CDKs provide C/C++ APIs that allow your programmers to rapidly link them into your own proprietary applications. Here is a recent testimonial from a satisfied customer:
“I’m very pleased to say that we could integrate your library into our existing system without any problem in development environment. How do I describe it was so easy?”
Each kit includes a test file with commented sample source code illustrating the use of all top-level functions in the library. This test program also can be compiled to verify the proper operation of the underlying cryptographic module on your operating system. The key sizes for all supported public key schemes are limited only by memory and operating system constraints, i.e., they are virtually unlimited.
Supported Algorithms and Data Formats
The cryptographic primitives that can be included in an off-the-shelf or customized CDK are either FIPS 140-2/3 certified or otherwise comply with NSA Commercial National Security Algorithm Suite (CNSA) recommendations or relevant industry standards.
CDK 8.1 Algorithms | Relevant Standards and Other References | NIST Certificate | FIPS mode |
AES | Supported modes of operation: ECB, CBC, CBC_CS3, CCM, CFB-1, CFB-8, CFB-64, CFB-128, CTR, GCM, OFB, XTS; FIPS 197; NIST SP-800-38A; NIST SP-800-38C; NIST SP-800-38D; NIST SP-800-38E; CNSS Policy No. 15; RFC 3394; RFC 3565; RFC 5084 | A3042 (#4002, #9) | ✔ |
AES-CMAC | NIST SP-800-38B; RFC 4493 | A3042 | ✔ |
AES-GCM-SIV | RFC 8452 | | |
AES Key Wrap, Key Wrap Pad | NIST SP-800-38F; RFC 3394; RFC 5649 | A3042 | ✔ |
RSA | FIPS 186-4 (PSS); NIST SP800-56Br2 (OAEP and KEM/RSASVE); ANSI X9.31-1998; RFC 2437 (PKCS#1v2.0), RFC 3447 (PKCS#1v2.1); RFC 3560; IEEE 1363-2000 | A3042 (#2065, #831) | ✔ |
DSA | FIPS 186-4; ANSI X9.30-1997 | A3042 (#65) | ✔ |
ECDSA | FIPS 186-4; ANSI X9.62-1998; IEEE 1363-2000 | A3042 (#832, #892) | ✔ |
EdDSA | FIPS 186-5; RFC 8032 | | |
DH | RFC 2631; ANSI X9.42-1998; IEEE 1363-2000 | | |
ECDH | NIST SP 800-56Ar3; ANSI X9.63; IEEE 1363-2000 | A3042 | ✔ |
x25519, x448 key exchange | FIPS 186-5; RFC 7748 | | |
ChaCha20-Poly1305 | RFC 7539; RFC 7905 | | |
DES, DESX (deprecated) | Supported modes of operation: ECB, CBC, CFB-1, CFB-8, CFB-32, CFB-64, OFB, CTR; FIPS 46-3; ANSI X3.92; DESX analysis by J. Kilian and P. Rogaway | (#171) | |
TDES (deprecated) | 128- or 192-bit key; supported modes of operation: ECB, CBC, CFB-1, CFB-8, CFB-32, CFB-64, OFB, CTR; FIPS 46-3; ANSI X9.52-1998; NIST SP-800-38A; NIST SP 800-20; NIST SP 800-67 | A3042 (#115, #2197) | ✔ |
Skipjack/EES (deprecated) | FIPS 185; NIST/NSA specification | (#9) | |
SHA-1 (deprecated) | FIPS 180-4; ANSI X9.30 Part 2; ISO/IEC 10118-3:1998 | A3042 (#100, #3307) | ✔ |
SHA-224/256/384/512 | FIPS 180-4; NIST specifications | A3042 (#3307) | ✔ |
SHA3-224/256/384/512, SHAKE128, SHAKE256 | FIPS 180-4 | A3042 (#4, #15) | ✔ |
XOFs: cSHAKE, KMAC, ParallelHash, TupleHash | NIST SP 800-185 | A3042 | ✔ |
HMAC-SHA, HMAC-SHA-2, HMAC-SHA-3 | FIPS 198-1; RFC 2104; ANSI X9.71 | A3042 (#100, #2615) | ✔ |
HMAC-DRBG | NIST SP 800-90aR1 | A3042 (#1192) | ✔ |
Jitter Entropy | NIST SP 800-90B | #E21 (A3042) | ✔ |
GHASH | NIST SP-800-38D | | |
PBKDF | NIST SP 800-132; RFC 8018 | A3042 | ✔ |
HKDF | NIST SP800-135r1; RFC 5869 | A3042 | ✔ |
KDFs: ANSI X9.63, IKEv1, IKEv2, SNMP, SSH, TLSv1.0/1.1/1.2, TLSv1.3, TPM | NIST SP800-135r1 | A3042 | ✔ |
Also Available | Relevant Standards and Other References |
CRYSTALS-Kyber (for general encryption) | Kyber (pq-crystals.org); NIST announcement |
CRYSTALS-Dilithium (for digital signatures) | Dilithium (pq-crystals.org); NIST announcement |
FALCON (for digital signatures) | Falcon (falcon-sign.info); NIST announcement |
SPHINCS+ (for digital signatures) | SPHINCS+; NIST announcement |
HSS/LMS, XMSS (for digital signatures) | NIST SP 800-208, RFC 8391, RFC 8554, RFC 8778 |
MQV, ECMQV† | IEEE 1363-2000; NIST SP 800-56Ar3; NIST SP 800-78-4 |
KEA | RFC 2528; RFC 3279; NSA SDN 701 (MSP) |
CAST-128 | RFC 2144 |
RIPEMD-160 | ISO/IEC 10118-3:1998; RFC 2857 |
Additional high-level, non-FIPS cryptographic algorithms are available in an auxiliary library (to simplify FIPS 140-2/3 certification of the core library). These mechanisms, protocols and schemes include:
- X.509v3 certificate and CRL handling (RFC3279, RFC5280, RFC8603, NIST SP 800-15)
- basic S/MIME v3 CMS functions for PDU creation and parsing (RFC3370, RFC3851, RFC5652)
- PKCS#7/#8/#10/#12 PDU creation and parsing
- ANSI and PKCS#1/#3/#5/#8/#12 (RFC 2313/2314/2315, RFC 7292) padding, encoding/decoding, and private key transport functions
- pseudo-random number generation, primality testing, and routines for low-level modular exponentiation and other high-precision arithmetic operations (in rings of integers, finite fields, and elliptic curve groups)
- essential SSL/TLS client support
- OASIS SAM TSS v1.0: Shamir Threshold Secret Sharing over GF(2^8)
- The Shamir 3-of-5 TSS over GF(p) (where GF(p) is the finite field underlying the NIST P-384 elliptic curve)
- password generation (FIPS 181)
- RC2 (RFC 3217; RFC 2268)
- MD2 (RFC 1319), MD5 (RFC 1321)
- HMAC-MD5 (RFC 2104; ANSI X9.71)
References
ANSI/ABA Security Standards for Financial Services
The IEEE 1363 website
†Although not part of the CNSA, ECMQV is available from ISC for national security purposes under an NSA sub-license.
Standards Compliance
CDK 8.0 was awarded NIST FIPS 140-2 Level 1 Certificate No. 3105 (updated 8/15/2018). It is also compliant with the NSA Commercial National Security Algorithm Suite and meets or exceeds all DoD/CNSS NSTISSP #11 acquisition requirements. Its FIPS 140-2 certification was performed by a NIST-accredited laboratory that did source code level validation of all supported FIPS approved algorithms and security interfaces; FIPS 140-3 certification is pending. Review and oversight was provided jointly by NIST and CSE. While not a “Type 1 product,” it has been approved by NSA “for use on classified systems.”
Only products containing FIPS 140-2/3 validated security modules may be purchased and used for the processing of sensitive data by agencies of the U.S. Federal Government; such products are also recommended by the Government of Canada.
Availability
ISC CDKs are available for the following platforms:
- Windows and Windows Server (all active 32- and 64-bit versions)
- RHEL and all similar Linux distributions (x86, i64, IA64, MIPS, etc.)
CDKs can also be supplied (upon demand) for most other desktop, mobile, and embedded environments. As a testament to its portability, ISC has shipped CDK builds for the following target platforms:
- Mac OS X
- Android, iOS, Windows Phone/ARM (including kernel mode)
- Solaris 8,9,10/SPARC, Solaris 8,9,10/x86_64 (32- and 64-bit)
- HP-UX 10.x/11.x/11.i, OpenVMS/AXP
- IBM AIX (32- and 64-bit)
- SGI IRIX 6.x
- Cray UNICOS
using the following compilers (partial list):
- Microsoft Visual Studio for all Windows platforms
- GCC (GNU C++) for most Linux and other UNIX-based systems
- Sun C++ for Solaris/SPARC and /x86-based platforms
- Green Hills Software’s MULTI IDE for embedded PPC-based platforms
CDK libraries can be used in your internal corporate applications or in applications developed for resale; they can even be used to build a security-enhanced device driver that operates in Windows kernel mode. An initial CDK license includes two developer seats; additional developer seats may be purchased as needed. Per-copy licensing fees are required for redistribution of the CDK with applications that employ its cryptographic code.