Information Security for the Enterprise Home About Us Contact Us
ISC
Mideye
ControlGuard
Support
Buy Online
Print

Standards Compliance

Cryptographic Standard

SecretAgent 5.6 and above satisfy NSTISSP No. 11 acquisition requirements for COTS security and information assurance products.

SecretAgent 5.x uses ISC-developed implementations of the following standards-compliant cryptographic schemes and protocols. (Releases 5.6 and above contain cryptographic modules built upon our FIPS 140-1 validated CDK 7.0.)

Encryption Algorithms:

  • 128/192/256-bit AES in CBC mode (FIPS 197)
  • 192-bit TDES in CBC mode (FIPS 46-3; ANSI X9.52-1998)
  • DES in CBC mode (FIPS 46-3/81; ANSI X3.106); decrypt-only (for backward compatibility)
  • EES ("Skipjack"; FIPS 185; SDN.701; requires a FORTEZZA card though a software module can be supplied upon demand)
  • AT&T EA2 in CBC mode (for compatibility with older, "exportable" versions of SA5)
  • DESX in CBC mode (for automatic encryption only; replaced by 128-bit AES-CBC in release 5.2.8)
  • RC4 with 64-2048 bit keys (for self-decrypting archives only)

Key Exchange Mechanisms:

  • RSA (generates 1024/2048/4096/8192-bit keys; supports all recipient key sizes from 512 to 16384 bits; ANSI X9.31; IEEE 1363-2000; RFC2313; PKCS#1v1.5)
  • Diffie-Hellman (1024/2048/4096-bit keys; ANSI X9.42-1998; IEEE 1363-2000)
  • ECDH (supports 163/233/283/409/571-bit NIST curves in char. 2, 192/224/256/384/521-bit NIST curves in char. p; FIPS 186-2; ANSI X9.42-1988; IEEE 1363-2000)
  • KEA (SDN.701; requires a FORTEZZA card)

Digital Signature Schemes:

  • DSA (1024/2048/4096-bit keys; FIPS 186-2; ANSI X9.30-1997)
  • RSA (generates 1024/2048/4096/8192-bit keys; supports all key sizes from 512 to 16384 bits; FIPS 186-2; ANSI X9.31-1998; PKCS#1 v.1.5)
  • ECDSA (supports 163/233/283/409/571-bit NIST curves in char. 2, 192/224/256/384/521-bit NIST curves in char. p; FIPS 186-2; ANSI X9.62-1988; IEEE 1363-2000)

Message Authentication Codes:

  • SHA-1 ("Secure Hash Algorithm"; FIPS 180-2; ANSI X9.30-1997(2))
  • (command line versions also support SHA-256/384/512)
  • MD2 and MD5 (RFC1319/RFC1321; used only for certificate validation)

Public Key Infrastructure Support:

  • X.509 version 3 RSA, DSA, or ECC certificates (from binary or base64-encoded
  • ASN.1 DER files, or PKCS#7 files)
  • PKCS#10 RSA/DSA/ECC certificate requests
  • Optional CRL support (may be made mandatory using PolicyAgent)
  • IETF PKIX key usage certificate extensions (encrypt-and-sign, encrypt-only, sign-only)
  • LDAP repository access for certificate retrieval/certificate status
  • Local and network certificate database access
  • Self-signed X.509 certificates for use without a PKI

Encoding & Compression Options:

  • A Lempel-Ziv variant (LZSS) is provided for the optional compression of plaintext prior to encryption
  • A base64 encoding function is provided for the optional encoding of ciphertext
  • MSP output (SDN.701; requires a FORTEZZA card and special SecretAgent build)

Secure File/Disk Erasure:

  • integrated file erasure and free space wiping utility conforms to the latest
  • Department of Defense National Industrial Security Program Operating Manual (NISPOM) January 1995 (DoD 5220.22-M)

X.509 Interoperability

SecretAgent 5 uses standard X.509 version 3 certificates with optional chain validation and CRL checking in compliance with RFC3280. On most platforms, SecretAgent can generate standard PKCS#10 certificate requests (for use with an existing CA) or X.509 version 3 self-signed certificates (for operation without a formal PKI). We have performed interoperability testing with all major Certificate Authorities and PKI vendors (e.g., Baltimore, Entrust, Verisign, XCert).

In October 2002, SecretAgent 5.6 for Windows passed interoperability testing at DISA's JITC PKE Certification Lab at Ft. Huachuca and has received formal certification of full compliance with the DoD PKI. The JITC test was based on NIST's "Conformance Testing of Relying Party Client Certificate Path Processing Logic," Version 1.07, Sept. 28, 2001. SecretAgent 5.7 also passes these tests.

SecretAgent 5.8 and 5.9 were designed for full compliance with the recently expanded NIST "Public Key Interoperability Test Suite (PKITS) Certificate Path Validation", Version 1.0, Sept. 2, 2004. The Path Validation Modules (PVMs) in these builds are also "(Federal) Bridge-Enabled," satisfying all requirements in Sections 3 and 4 of NIST Draft Special Publication 800-XXX, NIST Recommendation for X.509 Path Validation, Version 0.5, May 3, 2004.


File Formats

In addition to the native .sa5 file format supported by SecretAgent on all platforms, Release 5.7 and above for Windows, UNIX, and Mac OS X supports the following:

  • S/MIME v3 CMS (RFC3852) — encrypt/decrypt/sign/validate; support for enveloped and detached signatures included

Release 5.7 and above for Windows also supports:

  • OpenPGP (RFC2440) — certificate-based encrypt/decrypt only; OpenPGP signatures are not supported

CMS support provides interoperability with several S/MIME v3 clients, such as Microsoft Outlook Express and OpenSSL. OpenPGP support provides interoperability with PGP 6/7/8, Gnu Privacy Guard, and other RFC2440-compliant applications.

Encryption & Trust
SecretAgent
SpyProof
PolicyAgent
Document Access Server
CertAgent
Credential Management
Development Tools
Technical Information
Brochures

© Copyright 2006 tamtech Solutions Ltd