Network Security Services
In computing, Network Security Services (NSS) comprises a set of libraries designed to support cross-platform development of security-enabled client and server applications. NSS provides a complete open-source implementation of crypto libraries supporting SSL and S/MIME. NSS is triple-licensed under the Mozilla Public License, the GNU General Public License, and the GNU Lesser General Public License.
History
NSS originated from the libraries developed when Netscape invented the SSL security protocol.
FIPS 140 validation and NISCC testing
The NSS software crypto module has been validated five times (1997, 1999, 2002, 2007, and 2010) for conformance to FIPS 140 at Security Levels 1 and 2. NSS was the first open source cryptographic library to receive FIPS 140 validation. The NSS libraries passed the NISCC TLS/SSL and S/MIME test suites (1.6 million test cases of invalid input data).
Applications that use NSS
AOL, Red Hat, Sun Microsystems/Oracle Corporation, Google and other companies and individual contributors have co-developed NSS. Mozilla provides the source code repository, bug tracking system, and infrastructure for mailing lists and discussion groups. They and others named below use NSS in a variety of products, including the following:
- Mozilla client products, including Firefox, Thunderbird, and SeaMonkey.
- AOL Communicator and AOL Instant Messenger (AIM)
- Google Chrome (Linux version; Windows version since at least v8) http://code.google.com/p/chromium/wiki/LinuxCertManagement
- Open source client applications such as Evolution, Pidgin, and OpenOffice.org 2.0.
- Server products from Red Hat: Red Hat Directory Server, Red Hat Certificate System, and the mod_nss SSL module for the Apache web server.
- Sun server products from the Sun Java Enterprise System, including Sun Java System Web Server, Sun Java System Directory Server, Sun Java System Portal Server, Sun Java System Messaging Server, and Sun Java System Application Server, open source version of Directory Server OpenDS.
Architecture
NSS includes a framework to which developers and OEMs can contribute patches, such as assembler code, to optimize performance on their platforms. Mozilla has certified NSS 3.x on 18 platforms. NSS makes use of Netscape Portable Runtime (NSPR), a platform-neutral open-source API for system functions designed to facilitate cross-platform development. Like NSS, NSPR has been used heavily in multiple products.
Software development kit
In addition to libraries and APIs, NSS provides security tools required for debugging, diagnostics, certificate and key management, cryptography module management, and other development tasks. NSS comes with an extensive and growing set of documentation, including introductory material, API references, man pages for command-line tools, and sample code.
Programmers can utilize NSS as source and as shared (dynamic) libraries. Every NSS release is backward compatible with previous releases, allowing NSS users to upgrade to the new NSS shared libraries without recompiling or relinking their applications.
Interoperability and open standards
NSS supports a range of security standards, including the following:
- SSL v2 and v3. The Secure Sockets Layer (SSL) protocol allows mutual authentication between a client and server and the establishment of an authenticated and encrypted connection.
- TLS v1 (RFC 2246). The Transport Layer Security (TLS) protocol from the IETF supersedes SSL v3 while remaining backward-compatible with SSL v3 implementations.
- The following PKCS standards:
  - PKCS #1. RSA standard that governs implementation of public-key cryptography based on the RSA algorithm.
  - PKCS #3. RSA standard that governs implementation of Diffie–Hellman key agreement.
  - PKCS #5. RSA standard that governs password-based cryptography, for example to encrypt private keys for storage.
  - PKCS #7. RSA standard that governs the application of cryptography to data, for example digital signatures and digital envelopes.
  - PKCS #8. RSA standard that governs the storage and encryption of private keys.
  - PKCS #9. RSA standard that governs selected attribute types, including those used with PKCS #7, PKCS #8, and PKCS #10.
  - PKCS #10. RSA standard that governs the syntax for certificate requests.
  - PKCS #11. RSA standard that governs communication with cryptographic tokens (such as hardware accelerators and smart cards) and permits application independence from specific algorithms and implementations.
  - PKCS #12. RSA standard that governs the format used to store or transport private keys, certificates, and other secret material.
- Cryptographic Message Syntax, used in S/MIME (RFC 2311 and RFC 2633). IETF message specification (based on the popular Internet MIME standard) that provides a consistent way to send and receive signed and encrypted MIME data.
- X.509 v3. ITU standard that governs the format of certificates used for authentication in public-key cryptography.
- OCSP (RFC 2560). The Online Certificate Status Protocol (OCSP) governs real-time confirmation of certificate validity.
- PKIX Certificate and CRL Profile (RFC 3280). The first part of the four-part standard under development by the Public-Key Infrastructure (X.509) working group of the IETF (known as PKIX) for a public-key infrastructure for the Internet.
- RSA, DSA, ECDSA, Diffie–Hellman, EC Diffie–Hellman, AES, Triple DES, DES, RC2, RC4, SHA-1, SHA-256, SHA-384, SHA-512, MD2, MD5, HMAC: Common cryptographic algorithms used in public-key and symmetric-key cryptography.
- FIPS 186-2 pseudorandom number generator.
Hardware support
NSS supports the PKCS #11 interface for access to cryptographic hardware like SSL accelerators, HSMs and smart cards. Since most hardware vendors such as SafeNet Inc. and Thales also support this interface, NSS-enabled applications can work with high-speed crypto hardware and use private keys residing on various smart cards, if vendors provide the necessary middleware.
Java support
Network Security Services for Java (JSS) consists of a Java interface to NSS. It supports most of the security standards and encryption technologies supported by NSS. JSS also provides a pure Java interface for ASN.1 types and BER/DER encoding. The Mozilla CVS tree makes source code for a Java interface to NSS available.
See also
- Information security
- Comparison of TLS Implementations