High Level Design for the Cryptography (PKIFCRYPTO) Subsystem

Overview

Overview

PKIF provides interfaces to basic cryptographic functionality including: digital signature generation, digital signature verification, asymmetric key encryption/decryption, symmetric key encryption/decryption, message digest calculation, automatic decryption key discover and random number generation. All cryptographic functionality is implemented and/or accessed via CPKIFCryptoMediator2 objects and associated colleagues. For higher-level cryptographic message functionality, see the documentation for Cryptographic Message Syntax support.

 

PKIF does not implement any cryptography. It provides an interface to cryptographic support available via Microsoft CAPI and Netscape Security Services (NSS). The private keys, algorithms, support key sizes, etc. are those supported by the installed cryptographic service providers (CSPs). PKIF does not provide functionality beyond what is available from the installed CSPs but may limit the functionality, e.g. CSP functionality beyond what PKIF supports is not available through PKIF. PKIF provides support for AES, Triple DES (ECB and CBC), DES (ECB and CBC),  SHA-1, SHA-256, SHA-384, SHA-512, MD5, RSA and DSA. Supported key sizes are a function of the CSP. PKIF has been tested with 1024 and 2048 bit RSA keys and 1024 bit DSA keys.

Cryptograpy subsystem also utilizes IPKIFColleague, CPKIFException objects provided by Miscellaneous/Utility subsystem  for exception, logging, and colleague support.  

Module Graph

The Cryptography (PKIFCRYPTO) subsystem has been divided into 56 modules as shown by the following graph. Each ellipse represents an individual module. The design information for each module has been provided individually and may be reached by clicking on any module in the graph:
Modules

Interface List

The list of interfaces and their errors/effects can be derived from clicking on the modules shown in the graph above.