
Network Security Services (NSS) is a collection of cryptographic computer libraries designed to support cross-platform development of security-enabled client and server applications, with optional support for hardware TLS/SSL acceleration on the server side and hardware smart cards on the client side. NSS provides a complete open-source implementation of cryptographic libraries supporting Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and S/MIME. NSS releases prior to version 3.14 are tri-licensed under the Mozilla Public License 1.1, the GNU General Public License, and the GNU Lesser General Public License. Since release 3.14, NSS releases are licensed under the GPL-compatible Mozilla Public License 2.0.


History

NSS originated from the libraries developed when Netscape invented the SSL security protocol.


FIPS 140 validation and NISCC testing

The NSS software crypto module has been validated five times (in 1997, 1999, 2002, 2007, and 2010) for conformance to FIPS 140 at Security Levels 1 and 2. NSS was the first open source cryptographic library to receive FIPS 140 validation. The NSS libraries passed the NISCC TLS/SSL and S/MIME test suites (1.6 million test cases of invalid input data).


Applications that use NSS

AOL, Red Hat, Sun Microsystems/Oracle Corporation, Google and other companies and individual contributors have co-developed NSS. Mozilla provides the source code repository, bug tracking system, and infrastructure for mailing lists and discussion groups. They and others named below use NSS in a variety of products, including the following:

* Mozilla client products, including Firefox, Thunderbird, SeaMonkey, and Firefox for mobile.
* AOL Communicator and AOL Instant Messenger (AIM).
* Open source client applications such as Evolution, Pidgin, and OpenOffice.org 2.0 onward (and its descendants).
* Server products from Red Hat: Red Hat Directory Server, Red Hat Certificate System, and the mod_nss SSL module for the Apache web server.
* Sun server products from the Sun Java Enterprise System, including Sun Java System Web Server, Sun Java System Directory Server, Sun Java System Portal Server, Sun Java System Messaging Server, and Sun Java System Application Server, as well as OpenDS, the open source version of Directory Server.
* Libreswan IKE/IPsec requires NSS. It is a fork of Openswan, which could optionally use NSS.


Architecture

NSS includes a framework to which developers and OEMs can contribute patches, such as assembly code, to optimize performance on their platforms. Mozilla has certified NSS 3.x on 18 platforms. NSS makes use of Netscape Portable Runtime (NSPR), a platform-neutral open-source API for system functions designed to facilitate cross-platform development. Like NSS, NSPR has been used heavily in multiple products.


Software development kit

In addition to libraries and APIs, NSS provides security tools required for debugging, diagnostics, certificate and key management, cryptography-module management, and other development tasks. NSS comes with an extensive and growing set of documentation, including introductory material, API references, man pages for command-line tools, and sample code. Programmers can utilize NSS as source and as shared (dynamic) libraries. Every NSS release is backward-compatible with previous releases, allowing NSS users to upgrade to new NSS shared libraries without recompiling or relinking their applications.


Interoperability and open standards

NSS supports a range of security standards, including the following:

* TLS 1.0 (RFC 2246), 1.1 (RFC 4346), 1.2 (RFC 5246), and 1.3 (RFC 8446). The Transport Layer Security (TLS) protocol from the IETF supersedes SSL v3.0 while remaining backward-compatible with SSL v3 implementations.
* SSL 3.0. The Secure Sockets Layer (SSL) protocol allows mutual authentication between a client and server and the establishment of an authenticated and encrypted connection.
* DTLS 1.0 (RFC 4347) and 1.2 (RFC 6347).
* DTLS-SRTP (RFC 5764).
* The following PKCS standards:
** PKCS #1. RSA standard that governs implementation of public-key cryptography based on the RSA algorithm.
** PKCS #3. RSA standard that governs implementation of Diffie–Hellman key agreement.
** PKCS #5. RSA standard that governs password-based cryptography, for example to encrypt private keys for storage.
** PKCS #7. RSA standard that governs the application of cryptography to data, for example digital signatures and digital envelopes.
** PKCS #8. RSA standard that governs the storage and encryption of private keys.
** PKCS #9. RSA standard that governs selected attribute types, including those used with PKCS #7, PKCS #8, and PKCS #10.
** PKCS #10. RSA standard that governs the syntax for certificate requests.
** PKCS #11. RSA standard that governs communication with cryptographic tokens (such as hardware accelerators and smart cards) and permits application independence from specific algorithms and implementations.
** PKCS #12. RSA standard that governs the format used to store or transport private keys, certificates, and other secret material.
* Cryptographic Message Syntax, used in S/MIME (RFC 2311 and RFC 2633). IETF message specification (based on the popular Internet MIME standard) that provides a consistent way to send and receive signed and encrypted MIME data.
* X.509 v3. ITU standard that governs the format of certificates used for authentication in public-key cryptography.
* OCSP (RFC 2560). The Online Certificate Status Protocol (OCSP) governs real-time confirmation of certificate validity.
* PKIX Certificate and CRL Profile (RFC 3280). The first part of the four-part standard under development by the Public-Key Infrastructure (X.509) working group of the IETF (known as PKIX) for a public-key infrastructure for the Internet.
* RSA, DSA, ECDSA, Diffie–Hellman, EC Diffie–Hellman, AES, Triple DES, Camellia, IDEA, SEED, DES, RC2, RC4, SHA-1, SHA-256, SHA-384, SHA-512, MD2, MD5, HMAC: common cryptographic algorithms used in public-key and symmetric-key cryptography.
* FIPS 186-2 pseudorandom number generator.


Hardware support

NSS supports the PKCS #11 interface for access to cryptographic hardware like TLS/SSL accelerators, hardware security modules and smart cards. Since most hardware vendors such as SafeNet, AEP and Thales also support this interface, NSS-enabled applications can work with high-speed crypto hardware and use private keys residing on various smart cards, if vendors provide the necessary middleware. NSS version 3.13 and above support the Advanced Encryption Standard New Instructions (AES-NI).


Java support

Network Security Services for Java (JSS) consists of a Java interface to NSS. It supports most of the security standards and encryption technologies supported by NSS. JSS also provides a pure Java interface for ASN.1 types and BER/DER encoding.


See also

* Information security
* Comparison of TLS implementations

