EldoS | Feel safer!

Software components for data protection, secure storage and transfer

SecureBlackbox®

Add perfect security to your application!

SecureBlackbox is a suite of software components that allows developers to add strong security to their applications to protect binary data, files, documents and e-mails.

SecureBlackbox includes authentic implementations (no 3rd-party code used) of various data security standards and network communication protocols for various platforms (Windows, .NET, Linux, macOS / iOS, Java / Android).

Latest version

Release:  15.1.298
08 November 2016

PKIBlackbox main features

Miss a feature? Tell us about your idea using Wish List.

Most features of PKIBlackbox are included in all SecureBlackbox packages and do not require a separate license. Features that require a license for PKIBlackbox, SecureBlackbox Data Security, SecureBlackbox Standard or SecureBlackbox Professional are marked as such.

Base cryptography - SecureBlackbox offers a wide range of low-level cryptographic functions, including

  • RSA and DSA asymmetric cryptography operations;
  • Symmetric encryption using AES256, AES128, RC2, RC4, DES, 3DES, Camellia, Blowfish, Twofish, IDEA, Serpent, SEED, Rabbit, GOST, CAST128;
  • Hash calculation using SHA3, SHA2 (SHA512, SHA384, SHA256, SHA224), SHA1, MD5, MD4, MD2, RIPEMD160, GOST, BLAKE2 algorithms;
  • PBKDF2 and BCrypt key derivation (adaptive hash functions);
  • Elliptic Curve Cryptography (X9.62, SEC2, CryptoPro, Brainpool, Curve25519 curve groups are supported);
  • ECIES (Elliptic Curve Integrated Encryption Scheme) encryption (PKIBlackbox license is required)

Certificates - SecureBlackbox includes support for certificates in X.509 (versions 1-3) format. The following features and operations are offered:

  • handling of asymmetric keys from 512 to 16384 bits long;
  • support for RSA, DSA and DH keys;
  • support for Elliptic Curve Cryptography (ECC) - ECDSA keys;
  • support for both standard (predefined) and custom certificate extensions (as defined by X.509 v3);
  • saving and loading of X.509 certificates in DER, PEM (base64-encoded DER), PKCS#7, PKCS#8, PKCS#12 (PFX), JKS (Java KeyStore) formats;
  • saving and loading of private keys in DER, PEM (base64-encoded DER), PKCS#12 (PFX), PVK, JKS (Java KeyStore) formats;
  • creation (generate, sign, issue) of self-signed and CA-signed certificates (PKIBlackbox license is required);
  • validation of certificate integrity;
  • complete validation of certificate chains including use of OCSP and CRLs;
  • (optional) FIPS-compliant operation mode
During complete validation of certificate chains various revocation information is collected* via OCSP and Certificate Revocation Lists (CRL).

Certificate requests - SecureBlackbox supports creation and use of Certificate Requests in PKCS#10 and CMC (Certificate Management over CMS) formats. Namely, the following operations are supported:

  • generation of certificate requests and corresponding private keys;
  • saving and loading of certificate requests in DER and PEM (base64-encoded DER) formats;
  • saving and loading of private keys in DER, PEM (base64-encoded DER) and PVK formats;
  • creation (generate, sign, issue) of certificates from certificate requests
PKIBlackbox license is required to use certificate request functionality.

Certificate Revocation Lists - SecureBlackbox supports operations with Certificate Revocation Lists (CRL) according to RFC 3280, including

  • creation and modification of CRLs (PKIBlackbox license is required);
  • support for CRL extensions and CRL Item extensions;
  • saving and loading of CRLs in DER and PEM (base64-encoded DER) formats;
  • checking of certificate presence in CRL
In addition to CRLs, SecureBlackbox lets you check* certificate status in real-time using OCSP (Online Certificate Status Protocol, RFC 2560 and RFC 6960).
OCSP server component lets you create your own OCSP responder (PKIBlackbox package license is required).

Certificate Storages - with SecureBlackbox you can keep certificates in certificate storages. Certificate Storage management includes

  • support for in-memory, file-based and system (Windows CryptoAPI) certificate storages;
  • support for LDAP certificate storages (with help of LDAPBlackbox package);
  • operations with Cryptocards and USB Crypto Tokens via PKCS#11 and CryptoAPI interfaces (PKIBlackbox license is required for PKCS#11 interface);
  • powerful search by various criteria, including issuer, subject, dates, e-mails and more;
  • saving and loading of storages in PKCS#7, PKCS#12 (PFX), JKS (Java KeyStore) formats;
  • validation of certificates against certificates contained in the storage;
  • multithreaded access to certificate storages;
  • for Windows Certificate Storage - access to per-user and system-wide storages;
  • for Windows Certificate Storage - access to system, registry, in-memory and LDAP storages

Code signing - with PKIBlackbox you can sign and timestamp your executables and libraries in PE format using MS Authenticode™ technology and verify the signatures. Code signing requires PKIBlackbox package license.

One-Time Passwords - PKIBlackbox lets you authenticate clients using One-Time Password (OTP) schemes.

  • support for hash-based (HOTP) and time-based (TOTP) one-time passwords;
  • generation and validation of one-time passwords
OTP requires PKIBlackbox package license.

Data encryption and signing - PKIBlackbox lets you encrypt, sign, decrypt and verify various data using X.509 certificates and offers

  • encryption and decryption according to PKCS#7 and CMS specification (RFC 3852);
  • cryptographic signing and signature verification according to PKCS#7 and CMS specification (RFC 3852);
  • timestamping and timestamp verification on signed data to ensure long-term validity of signatures;
  • implementation of CAdES specification (see below);
  • support for ASiC (Associated Signature Container) format (requires a license for Data Security or Professional package);
  • signing of data in distributed mode, which lets you build client-server document management systems with secure signing of documents;
  • data encryption and decryption using RSA certificates and AES (128 to 256 bit), Triple DES (3DES), ARCFOUR, RC2, DES algorithms;
  • data signing and verification using ECDSA (ECC-based), RSA and DSA certificates and HMAC, SHA512, SHA384, SHA256, SHA1, MD5, MD2 algorithms.

Advanced Data Signing (CAdES) - PKIBlackbox lets you sign and verify various data using X.509 certificates according to CAdES specification and includes

  • cryptographic signing and signature verification according to CMS specification (RFC 3852) and CAdES specification (RFC 5126);
  • implementation of CAdES specification with automatic collection* of timestamps and revocation information (RFC 5126);
  • support for all CAdES profiles: CAdES-BES, CAdES-EPES, CAdES-C, CAdES-T, CAdES-X, CAdES-XL, CAdES-A;
  • timestamping and timestamp verification on signed data to ensure long-term validity of signatures
CAdES signing functions require a license for PKIBlackbox package.

JSON Web Keys - PKIBlackbox offers components for managing JSON Web Keys and using them for encryption and signing. This includes

JSON Web * functions require a license for PKIBlackbox package.

Timestamping - PKIBlackbox lets you timestamp the data during signing and also create separate timestamps. This includes

  • timestamping and timestamp verification using TSP (Timestamp Protocol, RFC 3161). Both TSP client and TSP server are available.
  • timestamping (both client and server sides) of PE files (Authenticode, Microsoft's PKCS#7 based standard for signing EXE and DLL files);
  • RFC 5544 timestamping of generic data (no signing required).
ElFileTSPClient and ElSocketTSPClient classes can be used with any SecureBlackbox license. ElHTTPTSPClient class uses ElHTTPSClient class, which requires a license for HTTPBlackbox (client or client+server), SSLBlackbox (client or client+server), WebDAVBlackbox, CloudBlackbox, Transports, Standard or Professional package.
TSP Server class requires a license for PKIBlackbox package.

*Note regarding CRL retrieval and OCSP.
When collecting external timestamps and revocation information (CRL retrieval and OCSP checking), SecureBlackbox uses special retriever components which are part of other packages. In particular, timestamping, OCSP and CRL retrieval require use of the ElHTTPSClient class, which requires a license for HTTPBlackbox (client or client+server), SSLBlackbox (client or client+server), WebDAVBlackbox, CloudBlackbox, Transports, Standard or Professional package. The LDAP CRL retriever requires the LDAPBlackbox, Standard or Professional package.

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.
