CryptoSys PKI Toolkit

The CryptoSys PKI Toolkit provides you with an interface to public key cryptography functions from Visual Basic, VB6, VBA, VB.NET, VB2005, C/C++ and C# programs on any Win32-compatible system (W95/98/Me/NT4/2K/XP/2003/Vista).

You can create and read both enveloped-data (encrypted) and signed-data Cryptographic Message Syntax (CMS, PKCS#7) objects, which you can use in S/MIME email messages; verify the digital signature in a signed-data CMS object; generate and manage RSA public and private keys; carry out "raw" RSA encryption and digital signing, make PKCS#10 certificate request files, and create and manage X.509 certificate files. 2009-03-30: See how the CryptoSys PKI Toolkit compares in the CMS (RFC 3852) Implementation Report [PDF] (we're implementation #3).

Other utilities included in the toolkit are the ability to generate message digest hash values using SHA-1, MD5, MD2, SHA-224/256/384/512; generate HMAC keyed-hash message authentication values, wipe files using 7-pass DOD standards, generate cryptographically-secure random numbers to the strict NIST SP800-90 standard, prompt for a password, and convert to and from base64- and hexadecimal-encoded formats. If you just need standard symmetrical cryptography, see our alternative product CryptoSys API.

Latest releases:

2009-02-21: New Version 3.3 released 21 February 2009.

2009-01-27: XML-Dsig and the Chile SII.

2007-08-06: FirmaSAT utility to create SAT Mexico digital signatures.

Features

Provides over 100 core functions to provide PKI cryptography and utilities
Includes detailed 250-page manual
Interfaces for VB6/VBA, C/C++, VB.NET/VB2005 and C#
Create Cryptographic Message Syntax (CMS, PKCS#7) objects suitable to use in S/MIME messages
Create and manage X.509 certificates
Make PKCS#10 certificate request files
Provides RSA public key encryption and signing
Generate and manage RSA public and private keys
Carry out "raw" RSA encryption and decryption
Encrypt key data for transport using the [new in version 3.2] RSA-KEM ("Simple RSA") algorithm
Encrypt with symmetrical block ciphers Triple-DES and [new in version 3.2] AES-128/192/256 in 5 standard modes
Generate message digests (hash values) using SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, MD2 and MD5
Generate HMAC keyed hash authentication codes
Generate secure random numbers
Convert data to and from base64- and hexadecimal-encoded format
Totally thread-safe.

CryptoSys PKI uses a straightforward Win32 DLL which is compatible with all versions of 32-bit Windows (95/98/Me/NT/2K/XP/2003/Vista). There is no "COM", no "Active-X", and no requirement to "register" it with Windows to use it. The installed executable has a small footprint under 300 KB. Developers can easily distribute it with their projects made in Visual Basic, VBA, C, C++, VB.NET/VB2005 or C# (in fact, in any other programming language that will let you call Win32 API functions - see Extra Interfaces). For more information on how the RSA key data is stored and how the various functions work together, see RSA Key Formats. For some examples, see the Examples section below. For the theory and more detailed explanations of how RSA is used in practical applications, see RSA algorithm including its use in creating ISO/IEC 9796 signatures in the AUTACK scheme. We have prepared some Test Vectors For RSA-KEM, which can be reproduced using CryptoSys PKI.

Note that the CryptoSys PKI Toolkit is totally independent from our original CryptoSys API product. The two packages do different things and do not require the other in order to work: see a Comparison of CryptoSys Features for a summary.

Feedback on the CryptoSys PKI Toolkit

Great product - just what I was looking for - bought a copy this morning.

Good work everyone!

It seems to be a very good and powerful toolkit

Thank you very much for the quick and detailed answer. It helped me a lot and now my program works pretty good, I have signed and encrypted my data successfully.

I wanted to let you know we [purchased] CryptoSys Software to include in an ERP project we are working on in Mexico. I had tried other digital signature products that required the certificate (with private) key first be stored in the Win certificate store and then I wasn't getting the correct signature. So, I guess there is something special about how you are using the .key file that is provided by SAT Mexico. I am very glad I came across your product. Thank you

Manual

There are two manuals available: one main manual and a supplementary one for .NET users. See the CryptoSys PKI Manual page.

Download

Download a free Trial Version of the CryptoSys PKI Toolkit now.

The install program and the product functions have been tested on W95, W98, NT4, W2K, XP and Vista systems. The functions have been tested using Visual Basic 6, Microsoft Office VBA (97 and 2003), Microsoft Visual C++, and Borland C++Builder version 5.5. The core DLL has been compiled for both Win32 and X64 systems using VS2008. The Win32 version uses Cloanto's LegacyExtender program to make it compatible with the older Windows systems (using VS2008 also explains some of the bloat in the size of the download...)

The trial version download includes the full set of manuals and test functions in Visual Basic, VB.NET, C and C#. Please read the licence conditions for the trial version. The latest version 3.3 was released on 21 February 2009. The trial period is 60 days from the date first installed on your system.

You need to have administrator rights when installing and uninstalling.

You can purchase a licenced version here. Existing licence holders can download the latest Developer Version here.

Examples

There is an example of each function in the manual and a series of tests in VB6/VBA, VB.NET/VB2005, C/C++ and C# provided with the installation download. These test programs should be in C:\Program Files\CryptoSysPKI.

See the PKI Examples Page for more details and more examples.

We get lots of queries asking how to use the RSA_Raw functions to do simple RSA encryption and signing. See Raw RSA Techniques for a guide to methods available in the latest version, including the new EncodeMsg and DecodeMsg functions introduced in version 2.6. If you want more detailed information about the different formats in which RSA keys can be stored, how the keys are used to create X.509 certificates, and all the different functions in the Toolkit that create, read and save the key data, you may find the information in RSA Key Formats useful. See also Importing an RSA key from known parameters.

Mexican Government SAT

The CryptoSys PKI Toolkit now includes full support for the private key files published by the Servicio de Administración Tributaria in Mexico. See SAT Mexico Example for some sample code. New 6 Aug 2007 New utility to create digital signatures in SAT v2.0 format and more now available. See FirmaSAT.

Security interface for the German health care insurances services

The CryptoSys PKI Toolkit complies with the requirements of the security interface for data exchange for the German health service version 1.5. See Data Exchange in the German Health Service with CryptoSys PKI.

CryptoSys PKI Toolkit erfüllt alle Voraussetzungen, die notwendig sind, gemäß der Security Schnittstelle für den Datenaustausch im Gesundheitswesen Version 1.5, um mit den Datenannahmestellen der gesetzlichen Krankenkassen und dem ITSG-Trustcenter zu kommunizieren. Anders als bei DAKOTA stehen hier alle notwendigen Prozeduren in einer einzigen DLL zur Verfügung. Für das Erstellen der Zertifizierungsanfrage, dem Einlesen der Zertifizierungsantwort, dem Signieren / Verschlüsseln der Nachricht und der Speicherung der Daten (Zertifikate, privater Schlüssel, Annahme-pkcs.key) sind Beispiele in VB vorhanden. Sowohl der Zertifikatsantrag (PKCS#10 Format) beim ITSG-Trustcenter als auch die Datenübermittlung (PKCS#7 Format) an AOK, IKK, BKK, LKK, Knappschaft wurden erfolgreich durchgeführt. CryptoSys PKI Toolkit wird im Leistungserbringerverfahren und im Arbeitgeberverfahren erfolgreich eingesetzt.

Extra Interfaces

There are interfaces to or both C# and VB.NET programmers in the .NET Class Library. Dr Richard Koch has kindly provided interfaces to the toolkit in a variety of other programming languages. See Extra Interfaces.

Linux Version

There is a beta release of a Linux Version of CryptoSys PKI. The Toolkit is provided as a static library which can be compiled with your own source code.

Integrity

Check the integrity of your PKI software against our published checksums and message digests.

New or Updated in the latest versions

Version 3.3:

(21 February 2009)

Compiled using VS2008 for both Win32 and X64.
Added the ability to include more extensions and other features to new X.509 certificates when using the X509_MakeCert and X509Make_CertSelf functions, and added more options for distinguished names.
Added the PEM_FileFromBinFile and PEM_FileToBinFile functions to enable you to convert files between ASN.1 DER/BER binary format and PEM format.
Incorporated a faster BigDigits mathematics algorithm to speed up RSA modular exponential calculations.
Improved the performance of the WIPE_File function - up to three times faster for large files.
Amended the RSA_FromXMLString function to allow the import of a restricted RSA private key from XML data consisting only of the <Modulus>, <Exponent> and <D> fields. The resulting "internal" key string can be used to sign raw data but cannot be saved in a private key file. This is useful to reproduce certain test vectors.
Added specialist options to enable users to create digital signatures suitable for use in an AUTACK message. See AUTACK messages and ISO/IEC 9796-1 signatures. In particular, this includes
- Adding a PKI_EMSIG_ISO9796 option to the RSA_EncodeMsg and RSA_DecodeMsg functions to enable the user to encode and decode a message according to ISO/IEC 9796-1.
- Adding a specialist option to the RSA_RawPrivate and RSA_RawPublic functions to sign and decrypt RSA signatures using the "RSA2" method used in ISO/IEC 9796-1, ANSI X9.31 and P1363.
Changed the value of PKI_KEYGEN_INDICATE option in RSA_MakeKeys so it does not clash with the des-EDE3-CBC block cipher option.

Version 3.2:

(2 February 2008)

Added a new generic block cipher function with AES and Triple DES. See CIPHER_Bytes, CIPHER_Hex, and CIPHER_File.
Added SHA-224 to the selection of message digest hash functions and added the HASH_HexFromHex and HMAC_HexFromHex functions.
Added the option to use the newer PKCS-1 signature algorithms "shaXXXWithRSAEncryption" with SHA-224/256/384/512 for X509_MakeCert[Self] and X509_CertRequest.
Added the ability to make, read and verify CMS signed-data objects using message digest algorithms SHA-224/256/384/512. See CMS_MakeSigData[FromString].
Added the ability to make and read CMS enveloped-data objects using the AES-128/192/256 content encryption algorithms. See CMS_MakeEnvData[FromString].
Added [provisionally in this release] the ability to make and read CMS enveloped-data objects using the RSA-KEM ("Simple RSA") key encryption algorithm. See CMS_MakeEnvData.
Added the primitive functions RSA_KemWrap and RSA_KemUnwrap which will wrap (encrypt) and unwrap (decrypt) secret keying data for a recipient with the recipient's RSA key using the RSA-KEM ("Simple RSA.html") algorithm; and added the block cipher key wrap functions CIPHER_KeyWrap and CIPHER_KeyUnwrap using AES-wrap and Triple DES wrap. (Note that the RSA function name is RSA_KemWrap, as in Key Encapsulation Mechanism, not KeyWrap.)
Added options to save and read encrypted private keys with improved security using AES-128/192/256 and SHA-224/256/384/512 when using the RSA_SaveEncPrivateKey and RSA_ReadEncPrivateKey functions. Please also read our comments on the new security algorithms.
Added the ability to pass both X.509 certificate data and RSA private and public key data to the X.509 and RSA functions using a PEM-encoded string instead of a file.
Improved the handling of enveloped-data objects by adding the CMS_QueryEnvData function, and included the ability to pass a base64- or PEM-encoded certificate list to CMS_MakeEnvData and CMS_MakeSigData.

Version 3.1:

(2 August 2007)

Added the ability to specify any valid UTF-8 characters in a distinguished name, including CJK characters, when creating an X.509 certificate with X509_MakeCert or X509_MakeCertSelf. See Specifying Distinguished Names for more details.
Added the RSA_KeyMatch function to verify that a pair of RSA private and public key strings are matched.
Added the functionality to all the X.509 certificate functions to allow the user to specify an input X.509 certificate as a base64 string instead of using a file.
Improved the functions that read ASN.1 data to avoid security issues arising from badly-formed data.
Increased the speed when encrypting large files using TDEA_File. To prevent accidental misuse, if an error occurs when using this function, the output file will now not exist.
Specialist Option: Added an alternative TeleTrusT content encryption algorithm to the CMS_MakeEnvData function to conform with the PKI requirements of the German Health System.

Version 3.0:

(27 March 2007)

Introduced a new, more secure, random number generator (RNG) based on NIST SP800-90 and Ferguson and Schneier's "Fortuna" method from Practical Cryptography. See Random Number Generator.
Incorporated extra security by encrypting "internal" RSA key strings to prevent security breaches by accidental disclosure - see Internal key strings. Added the RSA_KeyHashCode function to allow comparison of internal key strings.
Added the SHA-384 and SHA-512 message digest algorithms to the HASH functions.
Added the HMAC functions to compute a keyed hash value, HMAC_HexFromBytes and HMAC_Bytes.
Added functions to query an X.509 certificate file X509_KeyUsageFlags and X509_QueryCert.
Added functions to read in a X.509 certificate file directly as a base64 string and save the string as a file X509_ReadStringFromFile and X509_SaveFileFromString.

Thanks to all users who have suggested improvements and in particular to Bernd Rech for his suggestions, advice and help.

For more information, please contact us.

This page last updated: 11 April 2009