SecuDE-4.4b0                                                Apr 07, 1995


(*) Read INDEX to get a list of all SecuDE files!



1. SecuDE: General Description
==============================

SecuDE is a general purpose security toolkit for Unix systems. It 
comprises a library of security functions and a number of utilities 
with the following functionality:

- basic cryptographic functions (RSA, DSA, DES, triple DES, IDEA, 
  various hash functions, including the RFC 1423 defined algorithm 
  suite (based on PKCS #1), DH key agreement (PKCS #3) and OIW defined 
  algorithms), 

- security functions for "data confidentiality", "data integrity", 
  "origin authentication" and "non-repudation of origin" purposes 
  on the basis of digital signatures and symmetric encryption,

- X.509 key certification functions, handling of certification pathes, 
  cross-certification, certificate revocation,

- processing of RFC 1422-defined certificate revocation lists,

- operation of certification authorities (CA) and interaction between 
  certifying CAs and certified users,

- Internet PEM processing according to RFC 1421 - 1424 (see 2.)

- secure access to public X.500 Directories for the storage 
  and retrieval of certificates, cross-certificates and revocation 
  lists (integrated secured DUA, based on QUIPU ICR1.1v3, using strong 
  authentication and signed DAP operations, see 3.),

- support of PKCS-defined structures,

- all necessary ASN.1 encoding/decoding (based on Isode-ICR1.1v3)

- secure storage of all security relevant information (secret keys,
  verification keys, certificates etc.) in a protected area (called
  PSE, Personal Secure Environment). SecuDE offers two alternative
  PSE realizations:
  - a user-associated DES-protected Unix directory 
  - a smartcard environment, connected via RS-232 to the host.
  Both are only accessible through the usage of PINs (Personal Identi-
  fication Numbers). Smartcards require the purchase of a particular 
  smartcard environment where RSA and DES cryptography is done in the 
  smartcard reader; information available on request.

SecuDE comes with a comprehensive Unix manual (350 p.) providing
detailled description of all unctions, utilities and data structures.

2. SecuDE PEM
=============

A PEM implementation is part of SecuDE. It provides a PEM filter
which transforms any input stream into a PEM formatted output stream 
and vice versa, and which should be easily integratable into Mail-UAs.

SecuDE-PEM realizes the Internet Specifications RFC 1421-1424. However, 
it only supports asymmetric key management.

SecuDE-PEM supports the certification and CRL procedures defined in RFC 
1424 and is integrated into the SecuDE CA functionality. As an additional 
functionality which goes beyond RFC 1421 - 1424, SecuDE-PEM may be 
configured with an integrated X.500 DUA which allows, for instance, 
automatic retrieval of certificates and CRLs during the PEM de-enhancement 
process.  

3. X.500 Package
================

a) Secured DUA
--------------

Concerning X.500 Directory access, SecuDE can be configured in three alter-
natives:

  1. Without X.500 DUA functionality. In this case, the SecuDE package
     is self-contained and needs no additional software.

  2. With integrated X.500 DUA, which operates on the basis of simple
     authentication (i.e. with passwords) and unprotected DAP operations.
     SecuDE uses QUIPU-ICR1.1v3 library functions for this DUA functionality.
     These library functions are not included in the SecuDE package, and
     a standard QUIPU-ICR1.1v3 installation is additionally required (the 
     Isode/QUIPU library libisode.a is needed to be able to bind 
     the application programs).

  3. With integrated X.500 DUA, which operates on the basis of strong authen-
     tication (i.e. with digital signatures) and signed DAP operations.
     SecuDE uses modified (i.e. security-enhanced) QUIPU-ICR1.1v3 library 
     functions for this DUA functionality. These library functions are not 
     included in the SecuDE package, and a security-enhanced QUIPU-ICR1.1v3 
     installation is additionally required (the security-enhanced Isode/QUIPU 
     library libisode.a is needed to be able to bind the application programs).

The security-enhanced Isode/QUIPU package needed for 3. is in the file 
icr1.1v3-secude4.4.crypt.tar of this directory. This file contains a complete 
Isode-ICR1.1v3 with security-enhancements provided by SecuDE-4.4. 
icr1.1v3-secude4.4.crypt.tar contains material which is available under licence
of the Isode Consortium Ltd, London, and is therefore encrypted. The decryption
key can be obtained from the IC.
 

b) Secured DSA
--------------

The file icr1.1v3-secude4.4.crypt.tar also contains software for a secured X.500 
DSA. "Secured" means the ability to perform strong authentication during
association setup between DUA and DSA, and subsequent signed operations at the 
DAP level. The DAP operations into which we have incorporated strong authentication 
are those assigned by the standard (X.511) for that purpose, i.e. Bind, Read, 
Compare, Search, List, AddEntry, RemoveEntry, ModifyEntry, and ModifyRDN. We have 
provided both SIGNED arguments and SIGNED results.


4. XMst, the Graphical User Interface to SecuDE
===============================================

XMst, the Graphical User Interface to SecuDE, provides more functions now,
like X.500 retrieval and enhanced Clipboard features. X/Motif-1.2 is needed to
compile and run it.


5. Use of Smartcards
====================

SecuDE-4.4 supports the use of the G&D/GMD smartcard package Starcos 1.1 as
one realization of the PSE. A serial line interface with 19.200 Baud is required
to connect the Starcos terminal to the workstation. The Starcos terminal is a
high-security crypto device which performs RSA and DES and provides a number of 
physical protection features. RSA key pairs are generated in the Starcos terminal. 
Secret RSA keys never leave the terminal.

A SecuDE/Starcos version using smartcards with RSA capability and dumb smartcard
terminals is in preparation.

6. System Platforms
===================

All programs of SecuDE are written in C except a small number of long-
integer arithmetic programs which are necessary for RSA and DSA. These programs 
are written in assembler language (assembler programs for SUN SPARC,
HP 9000, Motorola 680x0 for SUN/3 and Apollo Domain WS3xx and WS4xx and 
INTEL 286/386 are part of the package). C-only versions of RSA and DSA are 
contained in the package, too. 

SecuDE contains some third-source software, for instance ASN.1 functions
from ISODE-ICR1.1v3. It uses the md2, md4 and md5 programs from RFC 1319 - 1321.
The package is self-contained except for the X.500 DUA functionality 
which requires a QUIPU-ICR1.1v3 installation (libisode.a)

SecuDE can be installed on SUN/3 or SUN/4 systems with SunOS 4.1.2, SunOS 4.1.3 
or Solaris 2.x, on HP 9000 workstations with HP-UX, DEC Alpha workstations with OSF1,
on Silicon Graphics with IRIX, on Apollo Domain/IX systems, and under MS-DOS (the
latter without integrated X.500 DUA und without smartcard support; a gcc installation 
is needed on your MS-DOS system in order to install SecuDE-4.4 from the source). 
The installation on other Unix platforms should be possible with minor effort. 
In addition, a SecuDE version for MacIntosh is in preparation.


7. Conditions of use of SecuDE
==============================

Copyright Gesellschaft fuer Mathematik und Datenverarbeitung 
(GMD), 1990-1995.

Permission to use, copy, modify, and distribute this software and
its documentation for non-commercial purposes and without fee is 
hereby granted, provided that this notice and the reference to this 
notice appearing in each software module be retained unaltered, 
and that the name of GMD or any contributor shall not be used in 
advertising or publicity pertaining to distribution of the soft-
ware without specific written prior permission. It is the respon-
sibility of the users of this software to comply with national or 
international export and import regulations, or with licence 
rights from third parties (see below).

GMD and all contributors disclaim all warranties with regard to 
this software, including all implied warranties of merchantibility 
and fitness. In no event shall GMD or any contributor be liable 
for any special, indirect or consequential damages or any damages
whatsoever resulting from loss of use, data or profits, whether in 
an action of contract, negligence or other tortious action, arising
out of or in connection with the use or performance of this 
software.

The SecuDE package contains cryptographic software for both 
authentication and encryption purposes. This type of software 
might be subject to national or international export or import 
regulations. It contains also software which implements the RSA 
algorithm. The RSA algorithm is patented in USA. The IDEA block 
cipher is covered by a patent held by ETH Zuerich and the Swiss 
company Ascom-Tech AG. Ascom-Tech AG has granted permission for a 
licence-free non-commercial use of IDEA. Commercial users of IDEA
may obtain licensing details from Ascom Tech AG, Teleservices
Section, Postfach 151, 4502 Solothurn, Switzerland, 
Tel +41 65 242885, Fax +41 65 235761.

Those who get the SecuDE software via public network access are 
advised to get acquainted with the respective regulations and 
licence conditions for the environment where they intend to use 
the software. It is their responsibility not to get in conflict 
with such regulations.

8. Contact
==========

For more information please contact schneider@gmd.de