PKIBlackbox main features
Miss a feature? Tell us about your idea using Wish List.
Most features of PKIBlackbox are included in all SecureBlackbox packages and do not require a separate license. Features that require a license for PKIBlackbox, SecureBlackbox Data Security, SecureBlackbox Standard or SecureBlackbox Professional are marked as such.
Base cryptography - SecureBlackbox offers a wide range of low-level cryptographic functions, including
- RSA and DSA asymmetric cryptography operations;
- Symmetric encryption using AES256, AES128, RC2, RC4, DES, 3DES, Camellia, Blowfish, Twofish, IDEA, Serpent, SEED, Rabbit, GOST, CAST128;
- Hash calculation using SHA3, SHA2 (SHA512, SHA384, SHA256, SHA224), SHA1, MD5, MD4, MD2, RIPEMD160, GOST, BLAKE2 algorithms;
- PBKDF2 and BCrypt key derivation (adaptive hash functions);
- Elliptic Curve Cryptography (X9.62, SEC2, CryptoPro, Brainpool and Curve25519 curve groups are supported);
- ECIES (Elliptic Curve Integrated Encryption Scheme) encryption (PKIBlackbox license is required)
Certificates - SecureBlackbox includes support for certificates in X.509 (versions 1-3) format. The following features and operations are offered:
- handling of asymmetric keys from 512 to 16384 bits long;
- support for RSA, DSA and DH keys;
- support for Elliptic Curve Cryptography (ECC) - ECDSA keys;
- support for both standard (predefined) and custom certificate extensions (as defined by X.509 v3);
- saving and loading of X.509 certificates in DER, PEM (base64-encoded DER), PKCS#7, PKCS#8, PKCS#12 (PFX), JKS (Java KeyStore) formats;
- saving and loading of private keys in DER, PEM (base64-encoded DER), PKCS#12 (PFX), PVK, JKS (Java KeyStore) formats;
- creation (generate, sign, issue) of self-signed and CA-signed certificates (PKIBlackbox license is required);
- validation of certificate integrity;
- complete validation of certificate chains including use of OCSP and CRLs;
- (optional) FIPS-compliant operation mode
Certificate requests - SecureBlackbox supports creation and use of Certificate Requests in PKCS#10 and CMC (Certificate Management over CMS) formats. Namely, the following operations are supported:
- generation of certificate requests and corresponding private keys;
- saving and loading of certificate requests in DER and PEM (base64-encoded DER) formats;
- saving and loading of private keys in DER, PEM (base64-encoded DER) and PVK formats;
- creation (generate, sign, issue) of certificates from certificate requests
Certificate Revocation Lists - SecureBlackbox supports operations with Certificate Revocation Lists (CRL) according to RFC 3280, including
- creation and modification of CRLs (PKIBlackbox license is required);
- support for CRL extensions and CRL Item extensions;
- saving and loading of CRLs in DER and PEM (base64-encoded DER) formats;
- checking of certificate presence in CRL
OCSP server component lets you create your own OCSP responder (PKIBlackbox package license is required).
Certificate Storages - with SecureBlackbox you can keep certificates in certificate storages. Certificate Storage management includes
- support for in-memory, file-based and system (Windows CryptoAPI) certificate storages;
- support for LDAP certificate storages (with the help of the LDAPBlackbox package);
- operations with cryptographic smart cards and USB crypto tokens via the PKCS#11 and CryptoAPI interfaces (a PKIBlackbox license is required for the PKCS#11 interface);
- powerful search by various criteria, including issuer, subject, dates, e-mails and more;
- saving and loading of storages in PKCS#7, PKCS#12 (PFX) and JKS (Java KeyStore) formats;
- validation of certificates against certificates contained in the storage;
- multithreaded access to certificate storages;
- for Windows Certificate Storage - access to per-user and system-wide storages;
- for Windows Certificate Storage - access to system, registry, in-memory and LDAP storages
Code signing - with PKIBlackbox you can sign and timestamp your executables and libraries in PE format using MS Authenticode™ technology and verify the resulting signatures. Code signing requires a PKIBlackbox package license.
One-Time Passwords - PKIBlackbox lets you authenticate clients using One-Time Password (OTP) schemes.
- support for hash-based (HOTP) and time-based (TOTP) one-time passwords;
- generation and validation of one-time passwords
Data encryption and signing - PKIBlackbox lets you encrypt, sign, decrypt and verify various data using X.509 certificates and offers
- encryption and decryption according to the PKCS#7 and CMS specifications (RFC 3852);
- cryptographic signing and signature verification according to the PKCS#7 and CMS specifications (RFC 3852);
- timestamping and timestamp verification on signed data to ensure long-term validity of signatures;
- implementation of CAdES specification (see below);
- support for ASiC (Associated Signature Container) format (requires a license for Data Security or Professional package);
- distributed signing mode, which lets you build client-server document management systems with secure signing of documents;
- data encryption and decryption using RSA certificates and AES (128 to 256 bit), Triple DES (3DES), ARCFOUR, RC2, DES algorithms;
- data signing and verification using ECDSA (ECC-based), RSA and DSA certificates and HMAC, SHA512, SHA384, SHA256, SHA1, MD5, MD2 algorithms.
Advanced Data Signing (CAdES) - PKIBlackbox lets you sign and verify various data using X.509 certificates according to CAdES specification and includes
- cryptographic signing and signature verification according to the CMS specification (RFC 3852) and the CAdES specification (RFC 5126);
- implementation of CAdES specification with automatic collection* of timestamps and revocation information (RFC 5126);
- support for all CAdES profiles: CAdES-BES, CAdES-EPES, CAdES-C, CAdES-T, CAdES-X, CAdES-XL, CAdES-A;
- timestamping and timestamp verification on signed data to ensure long-term validity of signatures
JSON Web Keys - PKIBlackbox offers components for managing JSON Web Keys and using them for encryption and signing. This includes
- JSON Web Signature (RFC 7515);
- JSON Web Encryption (RFC 7516);
- JSON Web Key (RFC 7517);
- JSON Web Token (RFC 7519).
Timestamping - PKIBlackbox lets you timestamp the data during signing and also create separate timestamps. This includes
- timestamping and timestamp verification using TSP (Timestamp Protocol, RFC 3161); both a TSP client and a TSP server are available;
- timestamping (both client and server sides) of PE files (Authenticode, Microsoft's PKCS#7 based standard for signing EXE and DLL files);
- RFC 5544 timestamping of generic data (no signing required).
The TSP server class requires a license for the PKIBlackbox package.
*Note regarding CRL retrieval and OCSP.
When collecting external timestamps and revocation information (CRL retrieval and OCSP checking), SecureBlackbox uses special retriever components that are part of other packages. In particular, timestamping, OCSP and CRL retrieval require the ElHTTPSClient class, which requires a license for the HTTPBlackbox (client or client+server), SSLBlackbox (client or client+server), WebDAVBlackbox, CloudBlackbox, Transports, Standard or Professional package. The LDAP CRL retriever requires the LDAPBlackbox, Standard or Professional package.