the pioneer windows application is pgp (pretty good privacy), which is free for non-commercial use. in addition to signatures, pgp also encrypts/decrypts files and manages the public keys of ones correspondents. the non-commercial version of pgp is available for free download from mit. the commercial version and other security products are available from pgp security, an affiliate of network associates.
id certify publishes a product called signatrue. this is document-signing tool that plugs into ms word, adobe acrobat, and various email programs. the idcertify web site has a free download for verifying signatrue signatures, without being able to produce signatures.
a search of shareware web sites will find many additional encryption and signature applications programs. signetsure and its companion program, authent, together can be a user application for signing and verifying files. but signetsure's main purpose is a developer tool.
aspencrypt is an active server dll with support for asp pages and visual basic. it costs $249.00 and has a 30-day free evaluation period. when a developer needs more functionality than signetsure provides, this might be a good choice. click for more discussion about aspencrypt.
pgpsdk is a development kit containing the same technology with which pgp is implemented. it comes bundled with pgp e-business server and is not available separately. pgp e-business server adds encrypted data transfers to an e-commerce web site without programming. one would normally not buy this just to obtain pgpsdk. click for more discussion about pgpsdk.
rsa security inc. publishes a full line of security products. it is the company that bought the (now expired) patent rights to the the rsa public-key algorithm. bsafe is their line of developer tools. bsafe crypto-c is a library of cryptography funtions.
watch this space for future information on crypto-c in the future.
one can sign various kinds of programs (exe, dll, vba scripts),
for verification by ms windows. this requires a registered
certificate. verification means both that the program has not
been hacked, and that the program's publisher is known to the
certificate authority. the following entities issue certificates
especially for this purpose.
certificates are not developer tools. yet they are what most most people think of when they hear "digital signature." so this web page would seem incomplete without mention of the topic. certificate authorities issue encryption key pairs. (a pair consists of a private key and a public key.) the difference between these keys and the keys you create with signetsure is that the issuing certificate authority maintains certain standards as to whom it will issue a key. professional virus authors and scam artists typically do not meet these standards and can have their certificates revoked once caught.
verisign is the best know certificate authority, but there are many other and the following list is hardly exhaustive.
entity | serving ... |
---|---|
abaecom | members of american bankers association. |
digital signature trust co. | general |
entrust.net | wireless communications |
esign australia | australia |
id.safe | singapore and general |
verisign | general |
cryptography research, inc. offers cryptographic consulting services. their web site is interesting, because it links to various papers discussing cryptography.
gibson research corporation has a useful website that deals not with cryptography, but with personal security and personal privacy. its shieldsup program tests your computer for security leaks online.
aspencrypt is a collection of class libraries for doing all types of cryptography tasks. here are the major topics included in its tutorial.
this is an impressive list of features. if you need any of these features, other than create and verify digital signatures, aspencrypt is clearly the tool of choice. so with all these features, why would anyone ever want to use signetsure? if you only want to sign/verify files, consider the following differences.
here are some other points to consider.
pgpsdk is published by network associates. it is the same library that network associates uses to develop its own cryptography products. the user's guide lists the following topics as core operations.
pgpsdk is intended strictly for c programmers. it is very comprehensive. of course, it exposes api's for encrypting, decrypting, signing and verifying. but it also exposes many lower-level api's as well. for example one can sign and verify network communication on a block-by-block basis. it also exposes access to its random number functions and to its big-number functions.
a drawback to using pgpsdk is availability and price. pgpsdk is not available as a separate product. it is bundled with network associates' pgp e-business server. the web site says that it is also available with total network security suite. but a network associates representative says that this is, at best, an evaluation version. there are separate prices for a two-year license and a perpetual license. a perpetual license for pgp ebusiness server is about $7,500 before jan, 2001 and about $10,000 starting jan, 2001.
the primary component of the pgp ebusiness server package is not pgpsdk, but software that adds cryptographic security to e-commerce web sites. network associates boasts that many large corporations use this product to secure their e-commerce data transfers. thus, one would not normally buy this product just to get pgpsdk. one buys this product to secure an e-commerce web site, and then may use pgpsdk only if further program development requires it.
rsa security inc. publishes a full line of security products. it is the company that bought the (now expired) patent rights to the the rsa public-key algorithm. bsafe is their line of developer tools. bsafe crypto-c is a library of cryptography funtions.
watch this space for future information on crypto-c in the future.