Cryptomathic offers a wide range of security modules with strong encryption and digital signatures. Cryptomathic is one of the oldest companies in Europe to offer cryptographic solutions, and has in its staff world leading researchers in cryptography, which ensures that our products are the best available.


The basis for all solutions is PrimeInk (ANSI C + assembly) (or PrimeDrink, which is the equivalent toolbox implemented in Java). PrimeInk has the following features:

PrimeInk – The cryptographic toolbox


The PrimeInk toolbox is especially designed for integrators, programmers and developers. The following is an overview as well as a description of its technical features and requirements.


In general, our range of software products include some of the fastest implementations available on the world market. We cover almost any cryptographic algorithm and protocol including: RSA, DSA and DES/Triple DES, numerous evaluated hash functions, ASN.1 and X.509 toolboxes and support standards from the PKCS, ISO, and PKIX series.


Product overview

PrimeInk enables effective state-of-the-art cryptographic security in any environment, by offering high-speed implementation of algorithms supporting digital signatures, message authentication and confidentiality. As PrimeInk adheres to common security standards it can be used to establish security in open systems as well as in closed standalone applications. While PrimeInk is sufficiently fast to enable large server applications, it is possible to enhance the application with dedicated hardware, as a number of crypto boxes can be accessed through PrimeInk.



Cryptomathic has taken the necessary steps to ensure that the product is deliverable to several countries, including all EU-countries, Australia, New Zealand, United States, Canada, Japan, and many, many more. Please contact us for further details on availability and exportability.


Continuous development

As part of Cryptomathic’s R&D program for all products, updates and upgrades are available and guaranteed periodically under a maintenance agreement.


Technical overview


A variety of cryptographic functions are available as ANSI C source code - 100% portable, and performance critical modules are replaceable by assembler code optimised for specific processors. Many Intel implementations are available, including 80x86, 8051 optimisations and DSP-implementations (Motorola 56000).

The software has been tested for platform independence and is running on a variety of platforms (ranging from the smallest PC's, over Unix workstations to MVS Mainframes) practically all over the world. The product is running in hundreds of installations, for example in more than 50 banks all over Europe, and in use on 5 continents. It is used in virtually all banks and savings banks in Denmark. The code is used as well in CBT, an electronic banking product sold by IBM all over Europe.



PrimeInk covers the whole range of techniques that may be derived from the use of modern cryptography. Authenticity and Confidentiality are enabled by using cryptographic algorithms and techniques, such as DES, triple DES, MD-4, MD-5, RIPE-MD, RIPE-MD-160, SHA, SHA-1, RSA algorithm, DSA / DSS, DH. All are adjustable to specific needs for types and modes.


PrimeInk also covers prime number generation for public key pairs based on extensive in-house research, published in international journals. One of the latest additions to the PrimeInk toolbox is Elliptic Curves in characteristic p for large prime numbers p.


Hardware Security Modules

It is possible to enhance the security with dedicated hardware that can be accessed through PrimeInk (such as advanced smartcards and crypto boxes).


Software Security Modules

The software is organised in three layers:



Security API

Top level interface

Security Mechanisms

RSA Key generation, 9796, Diffie-Hellman, DES modes of use, hashing mechanisms, DSA key generation and signatures.

Security Kernels

Multiprecision Arithmetic, DES, DSA, hash functions.


All modules follow a common principle for sensitive memory management. This ensures that all temporary storage of sensitive data is erased after use.

Security API

High level API for a wide range of cryptographic services. A homogeneous interface to the following services:


Security Mechanisms

Signature services based on plain RSA or ISO 9796(-2) variants.

RSA based services for confidentiality: encryption/decryption of DES keys.

Key generation for the ZKA variant of RSA.

Signature services based on ZKA.

ZKA based services for confidentiality: encryption/decryption of DES keys.

Signature services based on ISO 9796(-2) and the Rabin variant of RSA (public exponent 2).

Signature services based on the NIST DSA standard.

Encryption/decryption and MAC services based on DES.

Encryption/decryption under PIN codes of private RSA or DSA keys.

Hash security mechanisms

Diffie-Hellman security mechanisms


Security Kernels

Low level APIs for direct access to the kernels:

Multiprecision Kernel

DES Kernel

Hash function Kernel


Key generation for RSA is based on two different random seeds each providing 128 bits. DES key generation can be provided using a variety of methods, including modular squaring.


The prime generation is provably uniformly distributed amongst possible primes, and although key generation of say a 1024 bit modulus takes well under 1 sec on any reasonably fast PC using the Rabin probability test, yet guarantees an error rate which is below 2-64. As an alternative, deterministic tests are available, too. The theory behind our key generation principles is described in some 100 pages of advanced research, published in renowned journals, and put CRYPTOMAThIC products in a class of its own.


In principle we have no upper limit of the key lengths of our public keys.



Our products have been evaluated on numerous occasions by independent experts, initiated by our customers.


End-user products

What we have described above is the basis for the hearing: Strong crypto. But to the end-user this is not enough; She wants a product she can use. The vast majority of all users depend on browsers developed in USA which are only exportable with weak cryptography, in that keys lengths are very limited.


We believe that the best way of circumventing this problem is to introduce proxy solutions, which are as transparent to the user as possible. They take care of the needed cryptographic operations outside the browser or application the end user is working with, but otherwise provide him with the same functionality.


In order to meet the requirements of a number of pilots we have participated in Denmark as well as other European countries, we have developed a product with the assistance of our partner, IT+, which offers such a solution. This has the further advantage that it is prepared for the Public Key Infrastructure which is inevitable, if a substantial part of Danish citizens and companies are going to take advantage of strong cryptographic products.


The end users products are based on or own ASN.1 toolbox, on the basis of which we offer browser compatible S/MIME according to the PKCS standards. It can be extended with Key Management modules based on our own PKIX-solutions, including timestamping, as well as other products, such as LDAP.



What we have described above ranges from advanced crypto-engines to user-friendly applications. So do our prices. For the products above, they vary from 50 DKK per user for a PrimeInk license, to 500 DKK per user for a proxy-solution based on S/MIME, excluding hardware-equipment, assuming large volumes.


For a complete reference, please consult