Network Security Services (NSS) is a collection of cryptographic computer libraries designed to support

cross-platform In computing, cross-platform software (also called multi-platform software, platform-agnostic software, or platform-independent software) is computer software that is designed to work in several computing platforms. Some cross-platform software ...

development of security-enabled client and server applications with optional support for hardware TLS/SSL acceleration on the server side and hardware smart cards on the client side. NSS provides a complete

open-source Open source is source code that is made freely available for possible modification and redistribution. Products include permission to use the source code, design documents, or content of the product. The open-source model is a decentralized so ...

implementation of cryptographic libraries supporting

Transport Layer Security Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securi ...

(TLS) /

Secure Sockets Layer Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securi ...

(SSL) and S/MIME. NSS releases prior to version 3.14 are tri-licensed under the

Mozilla Public License The Mozilla Public License (MPL) is a free and open-source weak copyleft license for most Mozilla Foundation software such as Firefox and Thunderbird The MPL license is developed and maintained by Mozilla, which seeks to balance the conce ...

1.1, the

GNU General Public License The GNU General Public License (GNU GPL or simply GPL) is a series of widely used free software licenses that guarantee end users the four freedoms to run, study, share, and modify the software. The license was the first copyleft for general ...

, and the

GNU Lesser General Public License The GNU Lesser General Public License (LGPL) is a free-software license published by the Free Software Foundation (FSF). The license allows developers and companies to use and integrate a software component released under the LGPL into their own ...

. Since release 3.14, NSS releases are licensed under GPL-compatible Mozilla Public License 2.0.

History

NSS originated from the libraries developed when

Netscape Netscape Communications Corporation (originally Mosaic Communications Corporation) was an American independent computer services company with headquarters in Mountain View, California and then Dulles, Virginia. Its Netscape web browser was on ...

invented the SSL security protocol.

FIPS 140 validation and NISCC testing

The NSS software crypto module has been validated five times (in 1997, 1999, 2002, 2007, and 2010) for conformance to

FIPS 140 The 140 series of Federal Information Processing Standards ( FIPS) are U.S. government computer security standards that specify requirements for cryptography modules. , FIPS 140-2 and FIPS 140-3 are both accepted as current and active. FIPS 14 ...

at Security Levels 1 and 2. NSS was the first open source cryptographic library to receive FIPS 140 validation. The NSS libraries passed the NISCC TLS/SSL and S/MIME test suites (1.6 million test cases of invalid input data).

Applications that use NSS

AOL AOL (stylized as Aol., formerly a company known as AOL Inc. and originally known as America Online) is an American web portal and online service provider based in New York City. It is a brand marketed by the current incarnation of Yahoo! Inc. ...

Red Hat Red Hat, Inc. is an American software company that provides open source software products to enterprises. Founded in 1993, Red Hat has its corporate headquarters in Raleigh, North Carolina, with other offices worldwide. Red Hat has become a ...

Sun Microsystems Sun Microsystems, Inc. (Sun for short) was an American technology company that sold computers, computer components, software, and information technology services and created the Java programming language, the Solaris operating system, ZFS, t ...

Oracle Corporation Oracle Corporation is an American multinational computer technology corporation headquartered in Austin, Texas. In 2020, Oracle was the third-largest software company in the world by revenue and market capitalization. The company sells da ...

Google Google LLC () is an American Multinational corporation, multinational technology company focusing on Search Engine, search engine technology, online advertising, cloud computing, software, computer software, quantum computing, e-commerce, ar ...

and other companies and individual contributors have co-developed NSS.

Mozilla Mozilla (stylized as moz://a) is a free software community founded in 1998 by members of Netscape. The Mozilla community uses, develops, spreads and supports Mozilla products, thereby promoting exclusively free software and open standards, ...

provides the source code repository, bug tracking system, and infrastructure for mailing lists and discussion groups. They and others named below use NSS in a variety of products, including the following: *

client products, including

Firefox Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation. It uses the Gecko rendering engine to display web pages, which implements current ...

Thunderbird Thunderbird, thunder bird or thunderbirds may refer to: * Thunderbird (mythology), a legendary creature in certain North American indigenous peoples' history and culture * Ford Thunderbird, a car Birds * Dromornithidae, extinct flightless birds ...

SeaMonkey SeaMonkey is a free and open-source Internet suite. It is the continuation of the former Mozilla Application Suite, based on the same source code, which itself grew out of Netscape Communicator and formed the base of Netscape 6 and Netscape ...

, and Firefox for mobile. * AOL Communicator and AOL Instant Messenger (AIM) * Open source client applications such as

Evolution Evolution is change in the heritable characteristics of biological populations over successive generations. These characteristics are the expressions of genes, which are passed on from parent to offspring during reproduction. Variation ...

Pidgin A pidgin , or pidgin language, is a grammatically simplified means of communication that develops between two or more groups of people that do not have a language in common: typically, its vocabulary and grammar are limited and often drawn from s ...

, and

OpenOffice.org OpenOffice.org (OOo), commonly known as OpenOffice, is a discontinued open-source office suite. Active successor projects include LibreOffice (the most actively developed), Apache OpenOffice, Collabora Online (enterprise ready LibreOffice) a ...

2.0 onward (and its descendants). * Server products from

Red Hat Directory Server The 389 Directory Server (previously Fedora Directory Server) is a Lightweight Directory Access Protocol (LDAP) server developed by Red Hat as part of the community-supported Fedora Project. The name "389" derives from the port number used by LD ...

, Red Hat Certificate System, and the mod nss SSL module for the

Apache web server The Apache HTTP Server ( ) is a free and open-source cross-platform web server software, released under the terms of Apache License 2.0. Apache is developed and maintained by an open community of developers under the auspices of the Apache Soft ...

. * Sun server products from the Sun Java Enterprise System, including

Sun Java System Web Server Oracle iPlanet Web Server (OiWS) is a web server designed for medium and large business applications. Previous versions were marketed as Netscape Enterprise Server, iPlanet Web Server, Sun ONE Web Server, and Sun Java System Web Server. Oracl ...

Sun Java System Directory Server The Sun Java System Directory Server is a discontinued LDAP directory server and DSML server written in C and originally developed by Sun Microsystems. The Java System Directory Server is a component of the Java Enterprise System. Earlier itera ...

, Sun Java System Portal Server, Sun Java System Messaging Server, and

Sun Java System Application Server GlassFish is an open-source Jakarta EE platform application server project started by Sun Microsystems, then sponsored by Oracle Corporation, and now living at the Eclipse Foundation and supported by Payara, Oracle and Red Hat. The supported ve ...

, open source version of Directory Server OpenDS. * Libreswan IKE/IPsec requires NSS. It is a fork of Openswan which could optionally use NSS.

Architecture

NSS includes a framework to which developers and OEMs can contribute patches, such as assembly code, to optimize performance on their platforms. Mozilla has certified NSS 3.x on 18 platforms. NSS makes use of

Netscape Portable Runtime In computing, the Netscape Portable Runtime, or NSPR, a platform abstraction library, makes all operating systems it supports appear the same to (for example) Mozilla-style web-browsers. NSPR provides platform independence for non-GUI oper ...

(NSPR), a platform-neutral open-source API for system functions designed to facilitate cross-platform development. Like NSS, NSPR has been used heavily in multiple products.

Software development kit

In addition to libraries and APIs, NSS provides security tools required for debugging, diagnostics, certificate and key management, cryptography-module management, and other development tasks. NSS comes with an extensive and growing set of documentation, including introductory material, API references, man pages for command-line tools, and sample code. Programmers can utilize NSS as source and as shared (dynamic) libraries. Every NSS release is backward-compatible with previous releases, allowing NSS users to upgrade to new NSS shared libraries without recompiling or relinking their applications.

Interoperability and open standards

NSS supports a range of security standards, including the following: *

TLS TLS may refer to: Computing * Transport Layer Security, a cryptographic protocol for secure computer network communication * Thread level speculation, an optimisation on multiprocessor CPUs * Thread-local storage, a mechanism for allocating vari ...

1.0 (RFC 2246), 1.1 (RFC 4346), 1.2 (RFC 5246), and 1.3 (RFC 8446). The Transport Layer Security (TLS) protocol from the

IETF The Internet Engineering Task Force (IETF) is a standards organization for the Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster or requirements an ...

supersedes SSL v3.0 while remaining backward-compatible with SSL v3 implementations. *

SSL SSL may refer to: Entertainment * RoboCup Small Size League, robotics football competition * ''Sesame Street Live'', a touring version of the children's television show * StarCraft II StarLeague, a Korean league in the video game Natural language ...

3.0. The Secure Sockets Layer (SSL) protocol allows mutual authentication between a client and server and the establishment of an authenticated and encrypted connection. * DTLS 1.0 (RFC 4347) and 1.2 (RFC 6347). *

DTLS-SRTP Datagram Transport Layer Security (DTLS) is a communications protocol providing security to datagram-based applications by allowing them to communicate in a way designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocol ...

(RFC 5764). * The following PKCS standards: ** PKCS #1. RSA standard that governs implementation of public-key cryptography based on the RSA algorithm. ** PKCS #3. RSA standard that governs implementation of Diffie–Hellman key agreement. ** PKCS #5. RSA standard that governs password-based cryptography, for example to encrypt private keys for storage. ** PKCS #7. RSA standard that governs the application of cryptography to data, for example digital signatures and digital envelopes. ** PKCS #8. RSA standard that governs the storage and encryption of private keys. ** PKCS #9. RSA standard that governs selected attribute types, including those used with PKCS #7, PKCS #8, and PKCS #10. ** PKCS #10. RSA standard that governs the syntax for certificate requests. ** PKCS #11. RSA standard that governs communication with cryptographic tokens (such as hardware accelerators and smart cards) and permits application independence from specific algorithms and implementations. ** PKCS #12. RSA standard that governs the format used to store or transport private keys, certificates, and other secret material. *

Cryptographic Message Syntax The Cryptographic Message Syntax (CMS) is the IETF's standard for cryptographically protected messages. It can be used by cryptographic schemes and protocols to digitally sign, digest, authenticate or encrypt any form of digital data. CMS is b ...

, used in S/MIME (RFC 2311 and RFC 2633). IETF message specification (based on the popular Internet

MIME Multipurpose Internet Mail Extensions (MIME) is an Internet standard that extends the format of email messages to support text in character sets other than ASCII, as well as attachments of audio, video, images, and application programs. Message ...

standard) that provides a consistent way to send and receive signed and encrypted MIME data. * X.509 v3.

ITU The International Telecommunication Union is a specialized agency of the United Nations responsible for many matters related to information and communication technologies. It was established on 17 May 1865 as the International Telegraph Union ...

standard that governs the format of certificates used for authentication in public-key cryptography. *

OCSP The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative ...

(RFC 2560). The Online Certificate Status Protocol (OCSP) governs real-time confirmation of certificate validity. *

PKIX In cryptography, X.509 is an International Telecommunication Union (ITU) standard defining the format of public key certificates. X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secur ...

Certificate and CRL Profile (RFC 3280). The first part of the four-part standard under development by the Public-Key Infrastructure (X.509) working group of the IETF (known as PKIX) for a public-key infrastructure for the Internet. * RSA, DSA, ECDSA, Diffie–Hellman, EC Diffie–Hellman, AES,

Triple DES In cryptography, Triple DES (3DES or TDES), officially the Triple Data Encryption Algorithm (TDEA or Triple DEA), is a symmetric-key block cipher, which applies the DES cipher algorithm three times to each data block. The Data Encryption Standa ...

Camellia ''Camellia'' (pronounced or ) is a genus of flowering plants in the family Theaceae. They are found in eastern and southern Asia, from the Himalayas east to Japan and Indonesia. There are more than 220 described species, with some controve ...

IDEA In common usage and in philosophy, ideas are the results of thought. Also in philosophy, ideas can also be mental representational images of some object. Many philosophers have considered ideas to be a fundamental ontological category of bei ...

SEED A seed is an embryonic plant enclosed in a protective outer covering, along with a food reserve. The formation of the seed is a part of the process of reproduction in seed plants, the spermatophytes, including the gymnosperm and angiosper ...

DES Des is a masculine given name, mostly a short form (hypocorism) of Desmond. People named Des include: People * Des Buckingham, English football manager * Des Corcoran, (1928–2004), Australian politician * Des Dillon (disambiguation), sever ...

, RC2,

RC4 In cryptography, RC4 (Rivest Cipher 4, also known as ARC4 or ARCFOUR, meaning Alleged RC4, see below) is a stream cipher. While it is remarkable for its simplicity and speed in software, multiple vulnerabilities have been discovered in RC4, ren ...

SHA-1 In cryptography, SHA-1 (Secure Hash Algorithm 1) is a cryptographically broken but still widely used hash function which takes an input and produces a 160- bit (20- byte) hash value known as a message digest – typically rendered as 40 hexa ...

, SHA-256, SHA-384, SHA-512, MD2, MD5,

HMAC In cryptography, an HMAC (sometimes expanded as either keyed-hash message authentication code or hash-based message authentication code) is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret ...

: Common cryptographic algorithms used in public-key and symmetric-key cryptography. * FIPS 186-2 pseudorandom number generator.

Hardware support

NSS supports the PKCS #11 interface for access to cryptographic hardware like TLS/SSL accelerators, hardware security modules and

smart card A smart card, chip card, or integrated circuit card (ICC or IC card) is a physical electronic authentication device, used to control access to a resource. It is typically a plastic credit card-sized card with an embedded integrated circuit (IC) c ...

s. Since most hardware vendors such as SafeNet, AEP and

Thales Thales of Miletus ( ; grc-gre, Θαλῆς; ) was a Greek mathematician, astronomer, statesman, and pre-Socratic philosopher from Miletus in Ionia, Asia Minor. He was one of the Seven Sages of Greece. Many, most notably Aristotle, regarded ...

also support this interface, NSS-enabled applications can work with high-speed crypto hardware and use private keys residing on various smart cards, if vendors provide the necessary middleware. NSS version 3.13 and above support the Advanced Encryption Standard New Instructions (AES-NI).

Java support

Network Security Services for

Java Java (; id, Jawa, ; jv, ꦗꦮ; su, ) is one of the Greater Sunda Islands in Indonesia. It is bordered by the Indian Ocean to the south and the Java Sea to the north. With a population of 151.6 million people, Java is the world's mo ...

(JSS) consists of a Java interface to NSS. It supports most of the security standards and encryption technologies supported by NSS. JSS also provides a pure Java interface for

ASN.1 Abstract Syntax Notation One (ASN.1) is a standard interface description language for defining data structures that can be serialized and deserialized in a cross-platform way. It is broadly used in telecommunications and computer networking, and ...

types and

BER ''Ziziphus mauritiana'', also known as Indian jujube, Indian plum, Chinese date, Chinese apple, ber, and dunks is a tropical fruit tree species belonging to the family Rhamnaceae. It is often confused with the closely related Chinese jujube (' ...

/ DER encoding.

References

External links

* {{TLS/SSL Cryptographic software Internet Standards Internet protocols Mozilla Transport Layer Security implementation