Security Issues

1. The functions and methods in CryptoSys PKI provide cryptographic primitives intended to be used as part of a security-related application. It is up to you the programmer to ensure that keys, passwords and other private data are kept secret, and to ensure that appropriate security policies and procedures are followed by end users.
2. CryptoSys PKI is a 32-bit dynamically linked library (DLL) that provides encryption services to applications running on Microsoft Windows® operating systems. On Windows, it is designed for and supports multi-threaded operation.
3. In FIPS 140-2 terms, CryptoSys PKI is a multi-chip standalone module, consisting of the file diCrPKI.dll. It is intended to meet FIPS 140-2 security level 1. The cryptographic boundary for CryptoSys PKI is defined as the enclosure of the computer on which the cryptographic module is installed. As a pure software product, CryptoSys PKI provides no physical security by itself. The computer itself must be appropriately physically secured.
4. Functions that advertise that they create files will overwrite any existing file of the same name without warning.
5. No other files, temporary or permanent, are ever created by the toolkit.
6. There is no communications functionality whatsoever in the toolkit DLL. The toolkit will never attempt to "dial home" or make any attempt to create a communications socket. If your firewall tells you there is an attempt to create an internet connection, you have a virus or trojan of some sort unrelated to the CryptoSys PKI toolkit.
7. The Developer version of the toolkit makes no attempts to read or write to the Windows registry whatsoever under normal operations. However, optional registry settings may be made and, if they exist, will be read and acted on by the module if a critical error occurs.
8. The Trial version creates and updates registry entries in HKCU\Software\DI Management and reads entries created by the setup utility in HKLM\Software\DI Management. Do not attempt to change these entries.
9. Developer versions distributed to end users do not require any registry entries on the user's machine (but see optional registry settings).
10. To check you have a valid version of the CryptoSys PKI executable, please check the CRC and hash digests published on our web site.
11. It is your responsibility to take care of unencrypted private keys and password strings.
12. Some functions require the input to be provided as a file or create a file of the output. It is your responsibility to clean up these files after use.
13. VB6/C functions that write output to a string require the string to be "pre-dimensioned" first. All such functions require the length to be specified. Make sure the specified length matches the size of the string or a GPF error will result.
14. Except for the X509_CertIsValidNow function, no checks are made on the validity period of X.509 certificates by any other functions in this toolkit. It's up to you to make your own checks.
15. Read the section on Key Security below.

[Contents] [Index]