Enforcing Trust in Cyberspace



Software FORTEZZA Frequently Asked Questions




What is FORTEZZA?
In 1994 NSA developed a public-key cryptosystem for both encryption and authentication called FORTEZZA. It was based on a PCMCIA Crypto Card, the FORTEZZA Card, that provides convenient, fast security services such as data integrity (via the Secure Hash Algorithm), Authentication and Non-Repudiation (via the Digital Signature Algorithm), and Confidentiality (via the Key Exchange Algorithm and SKIPJACK Algorithm). "FORTEZZA" is a registered trademark held by the National Security Agency. In practice, "FORTEZZA" is a term used to describe a wide range of security products that utilize the FORTEZZA suite of cryptographic algorithms. These products include PCMCIA-based cards, compatible serial port devices, combination cards (e.g., FORTEZZA/Modem and FORTEZZA/Ethernet), server boards, and others. "FORTEZZA-enabled" and "FORTEZZA Certified" are terms applied to other hardware and software products that have had FORTEZZA security integrated. Examples include e-mail, data file and media encryptors, web browsers, databases, digital cellular telephones, and routers.



What is Software FORTEZZA?
In 1997 NSA initiated the development of a "software-only" implementation of FORTEZZA. The intent was to allow applications to support customer security requirements using either a hardware token or Software FORTEZZA. Software FORTEZZA emulates, in software, the operation of the FORTEZZA Crypto Card as closely as possible, both algorithmically and architecturally. In addition, it provides a Utility used to create, initialize and manage user Image Files, which are the individual user tokens associated with Software FORTEZZA. SPYRUS developed the government's reference implementation of Software FORTEZZA and is now making it available as part of their SPEX/® Developer's Toolkit. To be "FORTEZZA Compliant" a Software FORTEZZA implementation must be more than algorithm compatible with a FORTEZZA Crypto Card. A number of security practices must be followed to assure a sound implementation as well as compatibility with the Software FORTEZZA Initialization File produced by a Certificate Authority to distribute user certificate data and keys.



Does the U.S. Government endorse Software FORTEZZA?
Yes. For "lower assurance" applications Software FORTEZZA is endorsed by the U.S. Government.



Is Software FORTEZZA as secure as using a FORTEZZA Card?
No. Although Software FORTEZZA provides a reasonably high degree of security, it does not provide as high a security profile as the FORTEZZA PC Card because of its greater vulnerability to various types of attack. Hence three types of security tokens are available within the FORTEZZA family of products: the FORTEZZA PC Card, the FORTEZZA Smart Card, and Software FORTEZZA. Each of these is intended to provide the different level of assurance required by different processing environments.

| Product             | Protection of Keys and Personality | Security Services              | Applicable Environments                                     |
|---------------------|------------------------------------|--------------------------------|-------------------------------------------------------------|
| Software FORTEZZA   | Moderate                           | Weak Authenticated Identity    | Low Threat Environments                                     |
|                     |                                    | Less Assured Data Integrity    | Where Authenticated Identity is Not Required                |
|                     |                                    | Less Assured Confidentiality   | Where Only Privacy is Required over a System High Network.  |
| FORTEZZA Smart Card | Strong (Limited by Technology)     | Strong Authenticated Identity  | Medium to Low Threat Environments                           |
|                     |                                    | Highly Assured Data Integrity  | Where Strong Authenticated Identity is Required             |
|                     |                                    | Less Assured Confidentiality   | Where Only Privacy is Required over a System High Network.  |
| FORTEZZA PC Card    | Strong                             | Strong Authenticated Identity  | Low to High Threat Environments                             |
|                     |                                    | Highly Assured Data Integrity  | Where Strong Authenticated Identity is Required             |
|                     |                                    | Highly Assured Confidentiality | Where Higher Assurance Privacy is Required.                 |



Can I mix Software and Hardware FORTEZZA?
Yes. Software FORTEZZA has been architected to provide functionality beyond that provided by the current FORTEZZA CI_Library. Within the SPEX/ Library, multiple, heterogeneous token support is available. Users of Software FORTEZZA can technically be fully interoperable with users of FORTEZZA PC Cards. However, because of the different assurance levels supported by the different tokens, this may not be allowed by policy. In security domains using V1 Certificates to represent a user's credentials, it is not possible to know the assurance level at which another party is operating. Because of the added risk associated with this type of operation, most security policies will not allow inter-operation between Software and Hardware FORTEZZA in a V1 domain. In security domains using V3 Certificates to represent a user's credentials, this type of anonymity is not possible. In these domains, inter-operation may be allowed.



Can Software FORTEZZA be used with existing FORTEZZA Enabled Applications?
Yes. Software FORTEZZA has been architected to provide a replacement for the current FORTEZZA CI_Library that is "plug-in compatible." In most cases, this will allow the developer of an existing FORTEZZA enabled application to simply replace the CI_Library with SPEX/ and continue operating as before.



As a developer, what must I do to use Software FORTEZZA?
If your application can, or you would like it to, take advantage of a cryptographic co-processor, then FORTEZZA is definitely worth exploring. Software FORTEZZA, like the FORTEZZA Crypto Card, provides basic, low-level cryptographic services such as Hash, Digital Signature, Encryption, Decryption, and Time stamp functions. Descriptions of how FORTEZZA accomplishes these functions are detailed in other documents. The "FORTEZZA Application Implementor's Guide" and the "Software FORTEZZA Concept of Operation" are excellent sources of information on FORTEZZA operation and functionality, and are both available on this web site. If you would like to make your application "FORTEZZA-enabled", you can license the SPYRUS SPEX/ Developer's Toolkit. SPEX/® is a low-level cryptographic library that provides an Application Program Interface (API) for security-aware applications. The SPEX/ API provides a common set of development tools for all SPYRUS tokens including the government FORTEZZA® Crypto Card, the commercial LYNKS Privacy Card®, the ROSETTA™ Smart Card, and now, Software FORTEZZA. In addition, this developer's kit provides access to this functionality via the PKCS-11 API and Microsoft CAPI.



I am a DMS user. How can I get a Software FORTEZZA token?
Please refer to the DMS "B" Tables. Software FORTEZZA is available on Microsoft Windows operating systems with DMS User Agent products supported by Lockheed Martin.



Where can I get additional information on Software FORTEZZA and how to use it?
To contact the U.S. Government for more information about the FORTEZZA program, certification, or other network security issues, please call 1-800-GO-MISSI. For more information on the government's reference implementation of Software FORTEZZA, or to find out more about the SPEX/ Developer's Toolkit, review other portions of this web site or contact a representative of SPYRUS.






© 1996–2012 SPYRUS, Inc.