CryptoSys PKI Pro Manual

Security Issues

  1. The functions and methods in CryptoSys PKI Pro provide cryptographic primitives intended to be used as part of a security-related application. It is up to you, the programmer, to ensure that keys, passwords and other private data are kept secret, and to ensure that appropriate security policies and procedures are followed by end users.
  2. CryptoSys PKI Pro is a dynamically linked library (DLL) that provides cryptographic services to applications running on Microsoft Windows® operating systems. On Windows, it is designed for and supports multi-threaded operation.
  3. In FIPS 140-2 terms, CryptoSys PKI Pro is a multi-chip standalone module, consisting of the file diCrPKI.dll. It is intended to meet FIPS 140-2 security level 1. The cryptographic boundary for CryptoSys PKI Pro is defined as the enclosure of the computer on which the cryptographic module is installed. As a pure software product, CryptoSys PKI Pro provides no physical security by itself. The computer itself must be appropriately physically secured.
  4. Functions that advertise they create an output file will overwrite any existing file of the same name without warning.
  5. No other files, temporary or permanent, are ever created by the toolkit (with one exception, described in the note on temporary files below).
  6. There is no communications functionality whatsoever in the toolkit DLL. The toolkit will never attempt to "dial home" or make any attempt to create a communications socket. If your firewall tells you there is an attempt to create an internet connection, you have a virus or trojan of some sort unrelated to the CryptoSys PKI Pro toolkit.
  7. The Developer version of the toolkit makes no attempts to read or write to the Windows registry whatsoever under normal operations. However, optional registry settings may be made and, if they exist, will be read and acted on by the module if a critical error occurs.
  8. The Trial version creates and updates registry entries in HKCU\Software\DI Management and reads entries created by the setup utility in HKLM\Software\DI Management. Do not attempt to change these entries.
  9. Developer versions distributed to end users do not require any registry entries on the user's machine (but see optional registry settings).
  10. To check you have a valid version of the CryptoSys PKI Pro executable, please check the integrity checksums published on our web site.
  11. It is your responsibility to protect unencrypted private keys and password strings.
  12. Some functions require the input to be provided as a file or create a file of the output. It is your responsibility to clean up these files after use.
  13. VB6/C functions that write output to a string require the string to be "pre-dimensioned" first. All such functions require the length to be specified. Make sure the specified length matches the size of the string or a GPF error will result.
  14. Except for the X509_CertIsValidNow and X509_ValidatePath functions, no checks are made on the validity period of X.509 certificates by any other functions in this toolkit, nor are the key usage flags checked. Any correctly-formatted X.509 certificate is considered valid for any purpose. It's up to you to make your own checks before use.
  15. Read the section on Key Security below.

Temporary file exception: [New in v12.0] The function ASN1_TextDumpToString and method Asn1.TextDumpToString create a locked temporary file which is automatically deleted.
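
Items 4 and 12 can be handled by wrapping any file-based call so that it cannot clobber an existing file and never leaves staged input behind. The following Python code is an added example, not part of the toolkit or its documentation; `toolkit_file_call` is a hypothetical stand-in for a toolkit function that writes an output file, and all helper names are assumptions.

```python
import os
import tempfile
from contextlib import contextmanager

def wipe_and_delete(path):
    """Best-effort overwrite, then delete (SSDs and journaling filesystems may keep old blocks)."""
    if os.path.exists(path):
        with open(path, "r+b") as f:
            f.write(b"\0" * os.path.getsize(path))
            f.flush()
            os.fsync(f.fileno())
        os.remove(path)

@contextmanager
def reserved_output(path):
    """Claim `path` for a file-writing call; refuse if the name is already in use."""
    # O_EXCL makes the existence check and the creation one atomic step.
    os.close(os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600))
    try:
        yield path
    except BaseException:
        wipe_and_delete(path)  # do not leave a partial output behind
        raise

@contextmanager
def scratch_input(data):
    """Stage sensitive bytes in a private temp file for a file-input call, then clean up."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        yield path
    finally:
        wipe_and_delete(path)

def toolkit_file_call(out_path, in_path):
    """Hypothetical stand-in for a toolkit function: silently overwrites out_path."""
    with open(in_path, "rb") as src, open(out_path, "wb") as dst:
        dst.write(src.read()[::-1])

def process(data, out_path):
    """Run the stand-in on `data`; returns the scratch path so callers can confirm cleanup."""
    with scratch_input(data) as in_path, reserved_output(out_path) as out:
        toolkit_file_call(out, in_path)
    return in_path
```

A second call to `process` with the same output name raises `FileExistsError` instead of replacing the earlier result, and the staged input is removed on both the success and the failure path.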


Copyright © 2004-24 D.I. Management Services Pty Ltd. All rights reserved. Generated 2024-09-23T07:52:09Z.