--- begin forwarded text
Status: U Date: Mon, 6 May 2002 21:30:54 +0100 To: [EMAIL PROTECTED] From: Fearghas McKay <[EMAIL PROTECTED]> Subject: now don't all barf at the same time please Reply-To: "Usual People List" <[EMAIL PROTECTED]> Sender: <[EMAIL PROTECTED]> from the latest Apple developer newsletter: CDSA and OpenSSL (pdf) This concise white paper discusses the advantages of using Common Data Security Architecture (CDSA) in Mac OS X over OpenSSL in creating security-enabled applications. http://developer.apple.com/macos/pdf/CDSA_and_OpenSSL.pdf --- CDSA and OpenSSL Overview The foundation for cryptography and public key infractructure on OS X is the Common Data Security Architecture (CDSA). This is a layered set of security services and a cryptographic framework for creating security-enabled applications. In addition, Apple has created additional layers built on CDSA to provided simplified interfaces to CDSA for common security-related tasks. One cryptographic toolkit that is well known in the Unix community is OpenSSL. OpenSSL provides a general purpose cryptography library, as well as support for the Secure Sockets Layer (SSL) and Transport Layer Security (TLS). The functionality and security provided by the CDSA architecture is an improvement over that available through OpenSSL, and we would like to migrate away from using the OpenSSL library for doing cryptography or SSL. There are several advantages to using CDSA. It will improve the overall performance of the system by reducing the number of libraries that frameworks link against to do cryptography. In addition, it makes it easier to do export control paperwork. One of the largest user benefits will be in the area of certificate management, including certificates used by SSL. In addition, we are actively improving the performance of the algorithms in CDSA. Using CDSA has the additional benefit of insulating clients from the implementation of the algorithms. Many of the functions in OpenSSL vary algorithm by algorithm, making it difficult for clients to change algorithms. With the modular approach used in CDSA, new cryptographic modules can be written and deployed with no changes to client code. This also holds true for certificates. A client does not necessarily need to know if a given certificate is stored on disk or on a smartcard. Support for Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) is provided through the SecureTransport API set. One major advantage of the SecureTransport APIs is that they are designed so that key material does not have to be supplied as a parameter to the API. SecureTransport calls into CDSA to access keys via reference, which allows us to use keys based on tokens such as smartcards, which do not allow keys to be exported. One of the unique features of Apple's implementation of CDSA is the use of reference keys. The default Cryptographic Service Provider (CSP) talks to a root process called Security Server to perform actions with cryptographic keys. This allows the keys to be maintained in a separate address space from the client application, and also encourages developers to avoid using key material directly. This is essential if external cryptographic devices such as smartcards or hardware signing boxes are to be supported. OpenSSL will only be available in Darwin. We will be actively promoting the use of CDSA as a more secure and easy to use alternative to OpenSSL. Use of CDSA Clients who need to do cryptographic operations should use CDSA or the layered services above CDSA. Some common applications are encryption of data or hashing using such algorithms as SHA-1. A wide variety of algorithms are supported in our standard Cryptographic Service Provider (CSP). Some well known clients are the Keychain and the Encrypted Image feature of Disk Copy. Clients needing SSL functionality should use CFNetwork, or use SecureTransport directly. This will allow our users to get the benefits of a common certificate store. These benefits allow users to specify trust once, rather than in each application. In addition, certificates stored on tokens such as smartcards are supported automatically. SecureTransport has support for both client and server for TLS. The certificate APIs will also be used by third party developers of applications such as browsers and mail applications. Resources Sample code for using SecureTransport and for doing various types of cryptographic operations is available. This code is available on the latest developer CD or through the web site at http://developer.apple.com/macos/security.html. In addition, the apple-cdsa mailing list is a good resource for asking CDSA questions. Sign up at: http://lists.apple.com/mailman/listinfo/apple-cdsa The CDSA implementation is available in the open source repository, and so can be used from Darwin code. --- end forwarded text -- ----------------- R. A. Hettinga <mailto: [EMAIL PROTECTED]> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]