High Level Design for the Cryptography (PKIFCRYPTO) Subsystem
Overview
Overview
PKIF provides interfaces to basic cryptographic functionality including:
digital signature generation, digital signature verification, asymmetric key
encryption/decryption, symmetric key encryption/decryption, message digest
calculation, automatic decryption key discover and random number generation. All
cryptographic functionality is implemented and/or accessed via CPKIFCryptoMediator2 objects and associated
colleagues. For higher-level cryptographic message functionality, see the
documentation for Cryptographic
Message Syntax support.
PKIF does not implement any cryptography. It provides an interface to
cryptographic support available via Microsoft CAPI and Netscape Security Services (NSS). The private keys,
algorithms, support key sizes, etc. are those supported by the installed
cryptographic service providers (CSPs). PKIF does not provide functionality
beyond what is available from the installed CSPs but may limit the
functionality, e.g. CSP functionality beyond what PKIF supports is not available
through PKIF. PKIF provides support for AES, Triple DES (ECB and CBC), DES (ECB and
CBC), SHA-1, SHA-256, SHA-384, SHA-512, MD5, RSA and DSA. Supported key sizes are a function of the CSP.
PKIF has been tested with 1024 and 2048 bit RSA keys and 1024 bit DSA keys.
Cryptograpy subsystem also utilizes IPKIFColleague, CPKIFException objects provided by Miscellaneous/Utility subsystem for exception, logging, and colleague support.
Module Graph
The Cryptography (PKIFCRYPTO) subsystem has been divided into 56 modules as shown by the following graph. Each ellipse represents an individual module. The design information for each module has been provided individually and may be reached by clicking on any module in the graph:
Interface List
The list of interfaces and their errors/effects can be derived from clicking on the modules shown in the graph above.