now don't all barf at the same time please
R. A. Hettinga
rah at shipwright.com
Tue May 7 12:31:22 EDT 2002
--- begin forwarded text
Date: Mon, 6 May 2002 21:30:54 +0100
To: usual at espace.net
From: Fearghas McKay <fm at st-kilda.org>
Subject: now don't all barf at the same time please
Reply-To: "Usual People List" <usual at espace.net>
Sender: <usual at espace.net>
from the latest Apple developer newsletter:
CDSA and OpenSSL (pdf)
This concise white paper discusses the advantages of using Common
Data Security Architecture (CDSA) in Mac OS X over OpenSSL in
creating security-enabled applications.
CDSA and OpenSSL
The foundation for cryptography and public key infractructure on OS X
is the Common Data Security
Architecture (CDSA). This is a layered set of security services and a
cryptographic framework for creating
security-enabled applications. In addition, Apple has created
additional layers built on CDSA to provided
simplified interfaces to CDSA for common security-related tasks.
One cryptographic toolkit that is well known in the Unix community is
OpenSSL. OpenSSL provides a general
purpose cryptography library, as well as support for the Secure
Sockets Layer (SSL) and Transport Layer
Security (TLS). The functionality and security provided by the CDSA
architecture is an improvement over that
available through OpenSSL, and we would like to migrate away from
using the OpenSSL library for doing
cryptography or SSL.
There are several advantages to using CDSA. It will improve the
overall performance of the system by
reducing the number of libraries that frameworks link against to do
cryptography. In addition, it makes it
easier to do export control paperwork. One of the largest user
benefits will be in the area of certificate
management, including certificates used by SSL. In addition, we are
actively improving the performance of
the algorithms in CDSA.
Using CDSA has the additional benefit of insulating clients from the
implementation of the algorithms.
Many of the functions in OpenSSL vary algorithm by algorithm, making
it difficult for clients to change
algorithms. With the modular approach used in CDSA, new cryptographic
modules can be written and
deployed with no changes to client code. This also holds true for
certificates. A client does not necessarily
need to know if a given certificate is stored on disk or on a smartcard.
Support for Secure Sockets Layer (SSL v2/v3) and Transport Layer
Security (TLS v1) is provided through the
SecureTransport API set. One major advantage of the SecureTransport
APIs is that they are designed so that
key material does not have to be supplied as a parameter to the API.
SecureTransport calls into CDSA to
access keys via reference, which allows us to use keys based on
tokens such as smartcards, which do not
allow keys to be exported.
One of the unique features of Apple's implementation of CDSA is the
use of reference keys. The default
Cryptographic Service Provider (CSP) talks to a root process called
Security Server to perform actions with
cryptographic keys. This allows the keys to be maintained in a
separate address space from the client
application, and also encourages developers to avoid using key
material directly. This is essential if external
cryptographic devices such as smartcards or hardware signing boxes
are to be supported.
OpenSSL will only be available in Darwin. We will be actively
promoting the use of CDSA as a more secure
and easy to use alternative to OpenSSL.
Use of CDSA
Clients who need to do cryptographic operations should use CDSA or
the layered services above CDSA.
Some common applications are encryption of data or hashing using such
algorithms as SHA-1. A wide
variety of algorithms are supported in our standard Cryptographic
Service Provider (CSP). Some well known
clients are the Keychain and the Encrypted Image feature of Disk Copy.
Clients needing SSL functionality should use CFNetwork, or use
SecureTransport directly. This will allow our
users to get the benefits of a common certificate store. These
benefits allow users to specify trust once,
rather than in each application. In addition, certificates stored on
tokens such as smartcards are supported
automatically. SecureTransport has support for both client and server
for TLS. The certificate APIs will also
be used by third party developers of applications such as browsers
and mail applications.
Sample code for using SecureTransport and for doing various types of
cryptographic operations is available.
This code is available on the latest developer CD or through the web site at
In addition, the apple-cdsa mailing list is a good resource for
asking CDSA questions. Sign up at:
The CDSA implementation is available in the open source repository,
and so can be used from Darwin code.
--- end forwarded text
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography