NanoCrypto

NanoCrypto is a sophisticated, FIPS-certified cryptographic engine purpose-built for resource-constrained embedded systems environments. With out-of-the-box support for more than 35 operating systems (including environments without an OS), NanoCrypto allows device OEMs and ISVs to build confidentiality, integrity, and authentication features directly into almost any type of device or application. As the core cryptographic engine securing millions of devices from hundreds of technology manufacturers worldwide, NanoCrypto is, quite simply, one of the smallest, fastest, and most comprehensive cryptographic cores on the market.

NanoCrypto also supports NSA Suite B crypto algorithms to provide a holistic approach for securing networked devices and services, ideally suited for high-traffic enterprise and federal environments where performance is critical. Suite B cryptography is a set of cryptographic algorithms and protocols specified by NIST that are approved by the NSA for protecting classified and unclassified National Security Systems (NSS) (see US Export Restricted Algorithms).

NanoCrypto is available in two models:

License

This project is available under a dual-license model:

  • Open Source License: GNU Affero General Public License v3 (AGPL v3): This license allows you to use, modify, and distribute the code for free in accordance with AGPL terms.
  • Commercial License: If you wish to use TrustCore SDK in a proprietary or commercial product (e.g., embedded in closed-source firmware or commercial SaaS applications), a commercial license is available under DigiCert’s Master Services Agreement (MSA). Contact us at sales@digicert.com for commercial licensing details.

Key features

NanoCrypto provides these key features:

  • Small memory footprint and high performance
  • Speeds integration and testing of complex cryptographic functions for your product
  • Open standards-based, RFC compliant
  • PKCS standards-based
  • Support for PEM, DER, and PKCS#12 certificate formats
  • Support for TPM-generated keys
  • Support for post-quantum ciphers
  • Operators for hardware acceleration
  • Abstraction platform for compliance with export/import controls
  • Simple APIs available for C, C++, and Java applications
  • OS- and platform-agnostic for easy portability
  • Threadless architecture, synchronous and asynchronous
  • Guaranteed GPL-free code that protects your intellectual property

System requirements

Memory requirements

NanoCrypto Basic has a minimum memory footprint of 250KB (estimate based on Intel x86 builds).

Typical memory usage assumes a full set of ciphers and may increase or decrease depending on word size (32/64-bit), architecture (x86/ARM/MIPS), use of a reduced set of ciphers, static or shared library builds, and compile flags.

Supported operating systems

NanoCrypto is currently supported on these operating systems:

  • Linux (Ubuntu, Debian, Raspbian, CentOS)
  • Solaris
  • Microsoft® Windows
  • Cygwin
  • FreeBSD
  • FreeRTOS
  • ThreadX
  • QNX

For other operating systems, if required, DigiCert can provide a guide to assist with porting to another operating system or RTOS.

Supported operating platforms

NanoCrypto is currently supported on these operating platforms:

  • Intel® x86
  • ARM A/M Series
  • Hardware Acceleration — Intel AES-NI, Vendor Extensions via NanoCAP operators or NanoCrypto Callbacks
  • Secure Element — TPM 2.0/1.2, NXP A71CH, Renesas S5, PKCS#11 SIM, ARM TrustZone

Random number generation

NanoCrypto provides multiple implementations for the secure and efficient generation of random numbers. These implementations are platform independent, but still take advantage of hardware when available. NanoCrypto currently supports these algorithms for random number generation:

  • CTR DRBG: Defined in NIST 800-90A and can be used in FIPS Inside products.
  • FIPS186 RNG: Defined in NIST FIPS-186 but cannot be used in FIPS Inside products.

Supported algorithms

The TrustCore SDK-supported algorithms in NanoCrypto are as follows:

Message digests (hash)

NanoCrypto supports these message digest (hash) algorithms:

  • MD2 (only for backwards compatibility)
  • MD4 (only for backwards compatibility)
  • MD5 (only for backwards compatibility)
  • SHA-1
  • SHA-224
  • SHA-256
  • SHA-384
  • SHA-512
  • SHA3-224
  • SHA3-256
  • SHA3-384
  • SHA3-512
  • SHAKE-128
  • SHAKE-256
  • BLAKE2s
  • BLAKE2b

Message authentication code (MAC)

NanoCrypto supports these message authentication code (MAC) algorithms:

  • HMAC with MD5 (only for backwards compatibility)
  • HMAC with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
  • Poly1305 MAC
  • BLAKE2s
  • BLAKE2b

Symmetric ciphers

NanoCrypto supports these symmetric ciphers:

  • AES
    • ECB
    • CBC
    • CTR
    • OFB
    • CFB 128
  • DES
    • ECB
    • CBC
  • Triple-DES
    • ECB
    • CBC
  • RC2
    • ECB
  • AEAD Ciphers
    • AES CCM
    • AES-GCM
  • ChaCha20-Poly1305
  • RC4 (Stream Cipher)
    • RC4

Asymmetric ciphers

NanoCrypto supports these asymmetric ciphers:

  • Diffie-Hellman (DH)
  • Post-quantum cryptography algorithms (PQC)
    • ML-DSA
    • SLH-DSA
  • DSA
  • RSA
    • PKCS 1.5
    • PKCS OAEP
    • PKCS PSS
  • ECC (prime field curves and Edwards curves)
    • ECDH
    • EdDH
    • ECDSA
    • EdDSA
    • El Gamal

PBE and key derivation

NanoCrypto supports these PBE and key derivation algorithms:

  • ANSI X9.63 KDF
  • NIST KDF 800-108
  • PKCS#5 PBKDF2 (NIST SP 800-132)
  • PKCS#12 PBE
  • TKIP
  • AESKW (RFC 3394, RFC 5649, NIST SP 800-38F)

Certificate formats

NanoCrypto supports these certificate formats:

  • .pem
  • .der
  • .p12

US export-restricted algorithms

This table lists algorithms that are subject to US export restrictions.

Usage              | Algorithm | Classification level (Secret, Top-Secret)
Encryption         | AES-GCM   | 128-bit key
Hashing            | SHA-xxx   | 256-bit digest
Digital Signature  | ECDSA     | 256-bit key
Key Exchange       | ECDH      | 256-bit key

FIPS and Suite B support

The Federal Information Processing Standard (FIPS) Publications 140‑2 and 140-3 are U.S. government computer security standards used to accredit cryptographic modules. FIPS 140‑2/3 validation is a requirement when selling products containing embedded cryptography to the U.S. government, and the standards have been increasingly adopted as baseline requirements by regulated industries such as finance, manufacturing, and healthcare.

The National Institute of Standards and Technology (NIST) established the Cryptographic Module Validation Program (CMVP) that validates cryptographic modules to FIPS 140‑2/3 (see http://csrc.nist.gov/groups/STM/cmvp). For information about the FIPS 140‑2/3-certified NanoCrypto FIPS binary, refer to the NIST web site at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm.

Suite B cryptography is a set of cryptographic algorithms and protocols specified by NIST that are approved by the NSA for protecting classified and unclassified National Security Systems (NSS). If your TrustCore SDK product is used with the TrustCore SDK FIPS binaries, then the Suite B algorithms are already included.