dropbear: crypt.tex annotate

annotate crypt.tex @ 143:5d99163f7e32 libtomcrypt-orig

import of libtomcrypt 0.99

author	Matt Johnston <matt@ucc.asn.au>
date	Sun, 19 Dec 2004 11:34:45 +0000
parents	6362d3854bb4
children	1c15b283127b

rev	line source
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1 \documentclass[a4paper]{book}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2 \usepackage{hyperref}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3 \usepackage{makeidx}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	4 \usepackage{amssymb}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	5 \usepackage{color}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	6 \usepackage{alltt}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	7 \usepackage{graphicx}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	8 \usepackage{layout}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	9 \def\union{\cup}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	10 \def\intersect{\cap}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	11 \def\getsrandom{\stackrel{\rm R}{\gets}}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	12 \def\cross{\times}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	13 \def\cat{\hspace{0.5em} \\| \hspace{0.5em}}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	14 \def\catn{$\\|$}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	15 \def\divides{\hspace{0.3em} \| \hspace{0.3em}}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	16 \def\nequiv{\not\equiv}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	17 \def\approx{\raisebox{0.2ex}{\mbox{\small $\sim$}}}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	18 \def\lcm{{\rm lcm}}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	19 \def\gcd{{\rm gcd}}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	20 \def\log{{\rm log}}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	21 \def\ord{{\rm ord}}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	22 \def\abs{{\mathit abs}}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	23 \def\rep{{\mathit rep}}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	24 \def\mod{{\mathit\ mod\ }}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	25 \renewcommand{\pmod}[1]{\ ({\rm mod\ }{#1})}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	26 \newcommand{\floor}[1]{\left\lfloor{#1}\right\rfloor}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	27 \newcommand{\ceil}[1]{\left\lceil{#1}\right\rceil}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	28 \def\Or{{\rm\ or\ }}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	29 \def\And{{\rm\ and\ }}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	30 \def\iff{\hspace{1em}\Longleftrightarrow\hspace{1em}}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	31 \def\implies{\Rightarrow}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	32 \def\undefined{{\rm ``undefined"}}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	33 \def\Proof{\vspace{1ex}\noindent {\bf Proof:}\hspace{1em}}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	34 \let\oldphi\phi
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	35 \def\phi{\varphi}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	36 \def\Pr{{\rm Pr}}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	37 \newcommand{\str}[1]{{\mathbf{#1}}}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	38 \def\F{{\mathbb F}}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	39 \def\N{{\mathbb N}}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	40 \def\Z{{\mathbb Z}}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	41 \def\R{{\mathbb R}}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	42 \def\C{{\mathbb C}}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	43 \def\Q{{\mathbb Q}}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	44
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	45 \def\twiddle{\raisebox{0.3ex}{\mbox{\tiny $\sim$}}}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	46
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	47 \def\gap{\vspace{0.5ex}}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	48 \makeindex
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	49 \begin{document}
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	50 \title{LibTomCrypt \\ Version 0.99}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	51 \author{Tom St Denis \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	52 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	53 [email protected] \\
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	54 http://libtomcrypt.org
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	55 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	56 \maketitle
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	57 This text and source code library are both hereby placed in the public domain. This book has been
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	58 formatted for A4 paper using the \LaTeX{} {\em book} macro package.
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	59
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	60 \vspace{10cm}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	61
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	62 \begin{flushright}Open Source. Open Academia. Open Minds.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	63
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	64 \mbox{ }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	65
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	66 Tom St Denis,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	67
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	68 Phone: 1-613-836-3160
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	69
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	70 111 Banning Rd
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	71
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	72 Kanata, Ontario
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	73
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	74 K2L 1C3
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	75
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	76 Canada
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	77 \end{flushright}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	78 \newpage
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	79 \tableofcontents
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	80 \chapter{Introduction}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	81 \section{What is the LibTomCrypt?}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	82 LibTomCrypt is a portable ANSI C cryptographic library that supports symmetric ciphers, one-way hashes,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	83 pseudo-random number generators, public key cryptography (via RSA,DH or ECC/DH) and a plethora of support
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	84 routines. It is designed to compile out of the box with the GNU C Compiler (GCC) version 2.95.3 (and higher)
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	85 and with MSVC version 6 in win32.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	86
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	87 The library has been successfully tested on quite a few other platforms ranging from the ARM7TDMI in a
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	88 Gameboy Advanced to various PowerPC processors and even the MIPS processor in the PlayStation 2. Suffice it
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	89 to say the code is portable.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	90
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	91 The library is designed so new ciphers/hashes/PRNGs can be added at runtime and the existing API (and helper API functions) will
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	92 be able to use the new designs automatically. There exist self-check functions for each cipher and hash to ensure that
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	93 they compile and execute to the published design specifications. The library also performs extensive parameter error checking
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	94 and will give verbose error messages when possible.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	95
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	96 Essentially the library saves the time of having to implement the ciphers, hashes, prngs yourself. Typically implementing
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	97 useful cryptography is an error prone business which means anything that can save considerable time and effort is a good
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	98 thing.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	99
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	100 \subsection{What the library IS for?}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	101
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	102 The library typically serves as a basis for other protocols and message formats. For example, it should be possible to
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	103 take the RSA routines out of this library, apply the appropriate message padding and get PKCS compliant RSA routines.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	104 Similarly SSL protocols could be formed on top of the low-level symmetric cipher functions. The goal of this package is
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	105 to provide these low level core functions in a robust and easy to use fashion.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	106
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	107 The library also serves well as a toolkit for applications where they don't need to be OpenPGP, PKCS, etc. compliant.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	108 Included are fully operational public key routines for encryption, decryption, signature generation and verification.
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	109 These routines are fully portable but are not conformant to any known set of standards\footnote{With the exception of
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	110 the RSA code which is based on the PKCS \#1 standards.}. They are all based on established
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	111 number theory and cryptography.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	112
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	113 \subsection{What the library IS NOT for?}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	114
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	115 The library is not designed to be in anyway an implementation of the SSL or OpenPGP standards. The library
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	116 is not designed to be compliant with any known form of API or programming hierarchy. It is not a port of any other
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	117 library and it is not platform specific (like the MS CSP). So if you're looking to drop in some buzzword
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	118 compliant crypto library this is not for you. The library has been written from scratch to provide basic functions as
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	119 well as non-standard higher level functions.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	120
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	121 This is not to say that the library is a ``homebrew'' project. All of the symmetric ciphers and one-way hash functions
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	122 conform to published test vectors. The public key functions are derived from publicly available material and the majority
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	123 of the code has been reviewed by a growing community of developers.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	124
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	125 \subsubsection{Why not?}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	126 You may be asking why I didn't choose to go all out and support standards like P1363, PKCS and the whole lot. The reason
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	127 is quite simple too much money gets in the way. When I tried to access the P1363 draft documents and was denied (it
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	128 requires a password) I realized that they're just a business anyways. See what happens is a company will sit down and
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	129 invent a ``standard''. Then they try to sell it to as many people as they can. All of a sudden this ``standard'' is
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	130 everywhere. Then the standard is updated every so often to keep people dependent. Then you become RSA. If people are
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	131 supposed to support these standards they had better make them more accessible.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	132
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	133 \section{Why did I write it?}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	134 You may be wondering, ``Tom, why did you write a crypto library. I already have one.''. Well the reason falls into
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	135 two categories:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	136 \begin{enumerate}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	137 \item I am too lazy to figure out someone else's API. I'd rather invent my own simpler API and use that.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	138 \item It was (still is) good coding practice.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	139 \end{enumerate}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	140
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	141 The idea is that I am not striving to replace OpenSSL or Crypto++ or Cryptlib or etc. I'm trying to write my
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	142 {\bf own} crypto library and hopefully along the way others will appreciate the work.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	143
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	144 With this library all core functions (ciphers, hashes, prngs) have the {\bf exact} same prototype definition. They all load
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	145 and store data in a format independent of the platform. This means if you encrypt with Blowfish on a PPC it should decrypt
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	146 on an x86 with zero problems. The consistent API also means that if you learn how to use blowfish with my library you
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	147 know how to use Safer+ or RC6 or Serpent or ... as well. With all of the core functions there are central descriptor tables
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	148 that can be used to make a program automatically pick between ciphers, hashes and PRNGs at runtime. That means your
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	149 application can support all ciphers/hashes/prngs without changing the source code.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	150
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	151 \subsection{Modular}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	152 The LibTomCrypt package has also been written to be very modular. The block ciphers, one-way hashes and
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	153 pseudo-random number generators (PRNG) are all used within the API through ``descriptor'' tables which
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	154 are essentially structures with pointers to functions. While you can still call particular functions
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	155 directly (\textit{e.g. sha256\_process()}) this descriptor interface allows the developer to customize their
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	156 usage of the library.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	157
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	158 For example, consider a hardware platform with a specialized RNG device. Obviously one would like to tap
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	159 that for the PRNG needs within the library (\textit{e.g. making a RSA key}). All the developer has todo
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	160 is write a descriptor and the few support routines required for the device. After that the rest of the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	161 API can make use of it without change. Similiarly imagine a few years down the road when AES2 (\textit{or whatever they call it}) is
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	162 invented. It can be added to the library and used within applications with zero modifications to the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	163 end applications provided they are written properly.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	164
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	165 This flexibility within the library means it can be used with any combination of primitive algorithms and
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	166 unlike libraries like OpenSSL is not tied to direct routines. For instance, in OpenSSL there are CBC block
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	167 mode routines for every single cipher. That means every time you add or remove a cipher from the library
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	168 you have to update the associated support code as well. In LibTomCrypt the associated code (\textit{chaining modes in this case})
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	169 are not directly tied to the ciphers. That is a new cipher can be added to the library by simply providing
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	170 the key setup, ECB decrypt and encrypt and test vector routines. After that all five chaining mode routines
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	171 can make use of the cipher right away.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	172
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	173
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	174 \section{License}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	175
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	176 All of the source code except for the following files have been written by the author or donated to the project
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	177 under a public domain license:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	178
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	179 \begin{enumerate}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	180 \item rc2.c
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	181 \item safer.c
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	182 \end{enumerate}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	183
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	184 `mpi.c'' was originally written by Michael Fromberger ([email protected]) but has since been replaced with my LibTomMath
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	185 library.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	186
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	187 ``rc2.c'' is based on publicly available code that is not attributed to a person from the given source. ``safer.c''
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	188 was written by Richard De Moliner ([email protected]) and seems to be free for use.
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	189
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	190 The project is hereby released as public domain.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	191
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	192 \section{Patent Disclosure}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	193
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	194 The author (Tom St Denis) is not a patent lawyer so this section is not to be treated as legal advice. To the best
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	195 of the authors knowledge the only patent related issues within the library are the RC5 and RC6 symmetric block ciphers.
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	196 They can be removed from a build by simply commenting out the two appropriate lines in ``mycrypt\_custom.h''. The rest
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	197 of the ciphers and hashes are patent free or under patents that have since expired.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	198
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	199 The RC2 and RC4 symmetric ciphers are not under patents but are under trademark regulations. This means you can use
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	200 the ciphers you just can't advertise that you are doing so.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	201
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	202 \section{Thanks}
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	203 I would like to give thanks to the following people (in no particular order) for helping me develop this project from
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	204 early on:
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	205 \begin{enumerate}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	206 \item Richard van de Laarschot
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	207 \item Richard Heathfield
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	208 \item Ajay K. Agrawal
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	209 \item Brian Gladman
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	210 \item Svante Seleborg
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	211 \item Clay Culver
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	212 \item Jason Klapste
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	213 \item Dobes Vandermeer
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	214 \item Daniel Richards
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	215 \item Wayne Scott
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	216 \item Andrew Tyler
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	217 \item Sky Schulz
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	218 \item Christopher Imes
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	219 \end{enumerate}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	220
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	221 There have been quite a few other people as well. Please check the change log to see who else has contributed from
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	222 time to time.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	223
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	224
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	225 \chapter{The Application Programming Interface (API)}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	226 \section{Introduction}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	227 \index{CRYPT\_ERROR} \index{CRYPT\_OK}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	228
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	229 In general the API is very simple to memorize and use. Most of the functions return either {\bf void} or {\bf int}. Functions
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	230 that return {\bf int} will return {\bf CRYPT\_OK} if the function was successful or one of the many error codes
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	231 if it failed. Certain functions that return int will return $-1$ to indicate an error. These functions will be explicitly
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	232 commented upon. When a function does return a CRYPT error code it can be translated into a string with
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	233
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	234 \index{error\_to\_string()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	235 \begin{verbatim}
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	236 const char *error_to_string(int err);
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	237 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	238
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	239 An example of handling an error is:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	240 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	241 void somefunc(void)
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	242 {
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	243 int err;
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	244
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	245 /* call a cryptographic function */
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	246 if ((err = some_crypto_function(...)) != CRYPT_OK) {
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	247 printf("A crypto error occured, %s\n", error_to_string(err));
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	248 /* perform error handling */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	249 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	250 /* continue on if no error occured */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	251 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	252 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	253
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	254 There is no initialization routine for the library and for the most part the code is thread safe. The only thread
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	255 related issue is if you use the same symmetric cipher, hash or public key state data in multiple threads. Normally
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	256 that is not an issue.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	257
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	258 To include the prototypes for ``LibTomCrypt.a'' into your own program simply include ``mycrypt.h'' like so:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	259 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	260 #include <mycrypt.h>
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	261 int main(void) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	262 return 0;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	263 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	264 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	265
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	266 The header file ``mycrypt.h'' also includes ``stdio.h'', ``string.h'', ``stdlib.h'', ``time.h'', ``ctype.h'' and ``mpi.h''
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	267 (the bignum library routines).
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	268
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	269 \section{Macros}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	270
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	271 There are a few helper macros to make the coding process a bit easier. The first set are related to loading and storing
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	272 32/64-bit words in little/big endian format. The macros are:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	273
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	274 \index{STORE32L} \index{STORE64L} \index{LOAD32L} \index{LOAD64L}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	275 \index{STORE32H} \index{STORE64H} \index{LOAD32H} \index{LOAD64H} \index{BSWAP}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	276 \begin{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	277 \begin{center}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	278 \begin{tabular}{\|c\|c\|c\|}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	279 \hline STORE32L(x, y) & {\bf unsigned long} x, {\bf unsigned char} *y & $x \to y[0 \ldots 3]$ \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	280 \hline STORE64L(x, y) & {\bf unsigned long long} x, {\bf unsigned char} *y & $x \to y[0 \ldots 7]$ \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	281 \hline LOAD32L(x, y) & {\bf unsigned long} x, {\bf unsigned char} *y & $y[0 \ldots 3] \to x$ \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	282 \hline LOAD64L(x, y) & {\bf unsigned long long} x, {\bf unsigned char} *y & $y[0 \ldots 7] \to x$ \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	283 \hline STORE32H(x, y) & {\bf unsigned long} x, {\bf unsigned char} *y & $x \to y[3 \ldots 0]$ \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	284 \hline STORE64H(x, y) & {\bf unsigned long long} x, {\bf unsigned char} *y & $x \to y[7 \ldots 0]$ \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	285 \hline LOAD32H(x, y) & {\bf unsigned long} x, {\bf unsigned char} *y & $y[3 \ldots 0] \to x$ \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	286 \hline LOAD64H(x, y) & {\bf unsigned long long} x, {\bf unsigned char} *y & $y[7 \ldots 0] \to x$ \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	287 \hline BSWAP(x) & {\bf unsigned long} x & Swaps the byte order of x. \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	288 \hline
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	289 \end{tabular}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	290 \end{center}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	291 \end{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	292
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	293 There are 32-bit cyclic rotations as well:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	294 \index{ROL} \index{ROR}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	295 \begin{center}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	296 \begin{tabular}{\|c\|c\|c\|}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	297 \hline ROL(x, y) & {\bf unsigned long} x, {\bf unsigned long} y & $x << y$ \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	298 \hline ROR(x, y) & {\bf unsigned long} x, {\bf unsigned long} y & $x >> y$ \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	299 \hline
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	300 \end{tabular}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	301 \end{center}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	302
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	303 \section{Functions with Variable Length Output}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	304 Certain functions such as (for example) ``rsa\_export()'' give an output that is variable length. To prevent buffer overflows you
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	305 must pass it the length of the buffer\footnote{Extensive error checking is not in place but it will be in future releases so it is a good idea to follow through with these guidelines.} where
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	306 the output will be stored. For example:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	307 \begin{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	308 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	309 #include <mycrypt.h>
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	310 int main(void) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	311 rsa_key key;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	312 unsigned char buffer[1024];
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	313 unsigned long x;
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	314 int err;
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	315
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	316 /* ... Make up the RSA key somehow */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	317
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	318 /* lets export the key, set x to the size of the output buffer */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	319 x = sizeof(buffer);
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	320 if ((err = rsa_export(buffer, &x, PK_PUBLIC, &key)) != CRYPT_OK) {
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	321 printf("Export error: %s\n", error_to_string(err));
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	322 return -1;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	323 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	324
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	325 /* if rsa_export() was successful then x will have the size of the output */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	326 printf("RSA exported key takes %d bytes\n", x);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	327
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	328 /* ... do something with the buffer */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	329
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	330 return 0;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	331 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	332 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	333 \end{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	334 In the above example if the size of the RSA public key was more than 1024 bytes this function would not store anything in
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	335 either ``buffer'' or ``x'' and simply return an error code. If the function suceeds it stores the length of the output
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	336 back into ``x'' so that the calling application will know how many bytes used.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	337
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	338 \section{Functions that need a PRNG}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	339 Certain functions such as ``rsa\_make\_key()'' require a PRNG. These functions do not setup the PRNG themselves so it is
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	340 the responsibility of the calling function to initialize the PRNG before calling them.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	341
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	342 \section{Functions that use Arrays of Octets}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	343 Most functions require inputs that are arrays of the data type ``unsigned char''. Whether it is a symmetric key, IV
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	344 for a chaining mode or public key packet it is assumed that regardless of the actual size of ``unsigned char'' only the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	345 lower eight bits contain data. For example, if you want to pass a 256 bit key to a symmetric ciphers setup routine
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	346 you must pass it in (a pointer to) an array of 32 ``unsigned char'' variables. Certain routines
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	347 (such as SAFER+) take special care to work properly on platforms where an ``unsigned char'' is not eight bits.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	348
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	349 For the purposes of this library the term ``byte'' will refer to an octet or eight bit word. Typically an array of
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	350 type ``byte'' will be synonymous with an array of type ``unsigned char''.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	351
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	352 \chapter{Symmetric Block Ciphers}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	353 \section{Core Functions}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	354
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	355 Libtomcrypt provides several block ciphers all in a plain vanilla ECB block mode. Its important to first note that you
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	356 should never use the ECB modes directly to encrypt data. Instead you should use the ECB functions to make a chaining mode
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	357 or use one of the provided chaining modes. All of the ciphers are written as ECB interfaces since it allows the rest of
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	358 the API to grow in a modular fashion.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	359
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	360 All ciphers store their scheduled keys in a single data type called ``symmetric\_key''. This allows all ciphers to
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	361 have the same prototype and store their keys as naturally as possible. All ciphers provide five visible functions which
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	362 are (given that XXX is the name of the cipher):
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	363 \index{Cipher Setup}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	364 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	365 int XXX_setup(const unsigned char *key, int keylen, int rounds,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	366 symmetric_key *skey);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	367 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	368
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	369 The XXX\_setup() routine will setup the cipher to be used with a given number of rounds and a given key length (in bytes).
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	370 The number of rounds can be set to zero to use the default, which is generally a good idea.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	371
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	372 If the function returns successfully the variable ``skey'' will have a scheduled key stored in it. Its important to note
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	373 that you should only used this scheduled key with the intended cipher. For example, if you call
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	374 ``blowfish\_setup()'' do not pass the scheduled key onto ``rc5\_ecb\_encrypt()''. All setup functions do not allocate
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	375 memory off the heap so when you are done with a key you can simply discard it (e.g. they can be on the stack).
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	376
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	377 To encrypt or decrypt a block in ECB mode there are these two functions:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	378 \index{Cipher Encrypt} \index{Cipher Decrypt}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	379 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	380 void XXX_ecb_encrypt(const unsigned char pt, unsigned char ct,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	381 symmetric_key *skey);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	382
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	383 void XXX_ecb_decrypt(const unsigned char ct, unsigned char pt,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	384 symmetric_key *skey);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	385 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	386 These two functions will encrypt or decrypt (respectively) a single block of text\footnote{The size of which depends on
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	387 which cipher you are using.} and store the result where you want it. It is possible that the input and output buffer are
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	388 the same buffer. For the encrypt function ``pt''\footnote{pt stands for plaintext.} is the input and ``ct'' is the output.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	389 For the decryption function its the opposite. To test a particular cipher against test vectors\footnote{As published in their design papers.} call: \index{Cipher Testing}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	390 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	391 int XXX_test(void);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	392 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	393 This function will return {\bf CRYPT\_OK} if the cipher matches the test vectors from the design publication it is
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	394 based upon. Finally for each cipher there is a function which will help find a desired key size:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	395 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	396 int XXX_keysize(int *keysize);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	397 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	398 Essentially it will round the input keysize in ``keysize'' down to the next appropriate key size. This function
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	399 return {\bf CRYPT\_OK} if the key size specified is acceptable. For example:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	400 \begin{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	401 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	402 #include <mycrypt.h>
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	403 int main(void)
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	404 {
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	405 int keysize, err;
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	406
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	407 /* now given a 20 byte key what keysize does Twofish want to use? */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	408 keysize = 20;
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	409 if ((err = twofish_keysize(&keysize)) != CRYPT_OK) {
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	410 printf("Error getting key size: %s\n", error_to_string(err));
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	411 return -1;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	412 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	413 printf("Twofish suggested a key size of %d\n", keysize);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	414 return 0;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	415 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	416 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	417 \end{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	418 This should indicate a keysize of sixteen bytes is suggested. An example snippet that encodes a block with
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	419 Blowfish in ECB mode is below.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	420
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	421 \begin{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	422 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	423 #include <mycrypt.h>
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	424 int main(void)
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	425 {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	426 unsigned char pt[8], ct[8], key[8];
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	427 symmetric_key skey;
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	428 int err;
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	429
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	430 /* ... key is loaded appropriately in ``key'' ... */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	431 /* ... load a block of plaintext in ``pt'' ... */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	432
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	433 /* schedule the key */
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	434 if ((err = blowfish_setup(key, /* the key we will use */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	435 8, /* key is 8 bytes (64-bits) long */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	436 0, /* 0 == use default # of rounds */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	437 &skey) /* where to put the scheduled key */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	438 ) != CRYPT_OK) {
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	439 printf("Setup error: %s\n", error_to_string(err));
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	440 return -1;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	441 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	442
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	443 /* encrypt the block */
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	444 blowfish_ecb_encrypt(pt, /* encrypt this 8-byte array */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	445 ct, /* store encrypted data here */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	446 &skey); /* our previously scheduled key */
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	447
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	448 /* decrypt the block */
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	449 blowfish_ecb_decrypt(ct, /* decrypt this 8-byte array */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	450 pt, /* store decrypted data here */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	451 &skey); /* our previously scheduled key */
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	452
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	453 return 0;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	454 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	455 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	456 \end{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	457
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	458 \section{Key Sizes and Number of Rounds}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	459 \index{Symmetric Keys}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	460 As a general rule of thumb do not use symmetric keys under 80 bits if you can. Only a few of the ciphers support smaller
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	461 keys (mainly for test vectors anyways). Ideally your application should be making at least 256 bit keys. This is not
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	462 because you're supposed to be paranoid. Its because if your PRNG has a bias of any sort the more bits the better. For
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	463 example, if you have $\mbox{Pr}\left[X = 1\right] = {1 \over 2} \pm \gamma$ where $\vert \gamma \vert > 0$ then the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	464 total amount of entropy in N bits is $N \cdot -log_2\left ({1 \over 2} + \vert \gamma \vert \right)$. So if $\gamma$
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	465 were $0.25$ (a severe bias) a 256-bit string would have about 106 bits of entropy whereas a 128-bit string would have
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	466 only 53 bits of entropy.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	467
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	468 The number of rounds of most ciphers is not an option you can change. Only RC5 allows you to change the number of
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	469 rounds. By passing zero as the number of rounds all ciphers will use their default number of rounds. Generally the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	470 ciphers are configured such that the default number of rounds provide adequate security for the given block size.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	471
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	472 \section{The Cipher Descriptors}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	473 \index{Cipher Descriptor}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	474 To facilitate automatic routines an array of cipher descriptors is provided in the array ``cipher\_descriptor''. An element
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	475 of this array has the following format:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	476
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	477 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	478 struct _cipher_descriptor {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	479 char *name;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	480 unsigned long min_key_length, max_key_length,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	481 block_length, default_rounds;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	482 int (setup) (const unsigned char key, int keylength,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	483 int num_rounds, symmetric_key *skey);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	484 void (ecb_encrypt)(const unsigned char pt, unsigned char *ct,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	485 symmetric_key *key);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	486 void (ecb_decrypt)(const unsigned char ct, unsigned char *pt,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	487 symmetric_key *key);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	488 int (*test) (void);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	489 int (keysize) (int desired_keysize);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	490 };
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	491 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	492
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	493 Where ``name'' is the lower case ASCII version of the name. The fields ``min\_key\_length'', ``max\_key\_length'' and
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	494 ``block\_length'' are all the number of bytes not bits. As a good rule of thumb it is assumed that the cipher supports
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	495 the min and max key lengths but not always everything in between. The ``default\_rounds'' field is the default number
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	496 of rounds that will be used.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	497
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	498 The remaining fields are all pointers to the core functions for each cipher. The end of the cipher\_descriptor array is
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	499 marked when ``name'' equals {\bf NULL}.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	500
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	501 As of this release the current cipher\_descriptors elements are
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	502
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	503 \index{Cipher descriptor table}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	504 \begin{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	505 \begin{center}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	506 \begin{tabular}{\|c\|c\|c\|c\|c\|c\|}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	507 \hline Name & Descriptor Name & Block Size & Key Range & Rounds \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	508 \hline Blowfish & blowfish\_desc & 8 & 8 $\ldots$ 56 & 16 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	509 \hline X-Tea & xtea\_desc & 8 & 16 & 32 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	510 \hline RC2 & rc2\_desc & 8 & 8 $\ldots$ 128 & 16 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	511 \hline RC5-32/12/b & rc5\_desc & 8 & 8 $\ldots$ 128 & 12 $\ldots$ 24 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	512 \hline RC6-32/20/b & rc6\_desc & 16 & 8 $\ldots$ 128 & 20 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	513 \hline SAFER+ & saferp\_desc &16 & 16, 24, 32 & 8, 12, 16 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	514 \hline Safer K64 & safer\_k64\_desc & 8 & 8 & 6 $\ldots$ 13 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	515 \hline Safer SK64 & safer\_sk64\_desc & 8 & 8 & 6 $\ldots$ 13 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	516 \hline Safer K128 & safer\_k128\_desc & 8 & 16 & 6 $\ldots$ 13 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	517 \hline Safer SK128 & safer\_sk128\_desc & 8 & 16 & 6 $\ldots$ 13 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	518 \hline AES & aes\_desc & 16 & 16, 24, 32 & 10, 12, 14 \\
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	519 & aes\_enc\_desc & 16 & 16, 24, 32 & 10, 12, 14 \\
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	520 \hline Twofish & twofish\_desc & 16 & 16, 24, 32 & 16 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	521 \hline DES & des\_desc & 8 & 7 & 16 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	522 \hline 3DES (EDE mode) & des3\_desc & 8 & 21 & 16 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	523 \hline CAST5 (CAST-128) & cast5\_desc & 8 & 5 $\ldots$ 16 & 12, 16 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	524 \hline Noekeon & noekeon\_desc & 16 & 16 & 16 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	525 \hline Skipjack & skipjack\_desc & 8 & 10 & 32 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	526 \hline
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	527 \end{tabular}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	528 \end{center}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	529 \end{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	530
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	531 \subsection{Notes}
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	532 \begin{small}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	533 \begin{enumerate}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	534 \item
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	535 For AES (also known as Rijndael) there are four descriptors which complicate issues a little. The descriptors
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	536 rijndael\_desc and rijndael\_enc\_desc provide the cipher named ``rijndael''. The descriptors aes\_desc and
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	537 aes\_enc\_desc provide the cipher name ``aes''. Functionally both ``rijndael'' and ``aes'' are the same cipher. The
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	538 only difference is when you call find\_cipher() you have to pass the correct name. The cipher descriptors with ``enc''
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	539 in the middle (e.g. rijndael\_enc\_desc) are related to an implementation of Rijndael with only the encryption routine
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	540 and tables. The decryption and self--test function pointers of both ``encrypt only'' descriptors are set to \textbf{NULL} and
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	541 should not be called.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	542
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	543 The ``encrypt only'' descriptors are useful for applications that only use the encryption function of the cipher. Algorithms such
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	544 as EAX, PMAC and OMAC only require the encryption function. So far this ``encrypt only'' functionality has only been implemented for
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	545 Rijndael as it makes the most sense for this cipher.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	546
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	547 \item
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	548 For the 64-bit SAFER famliy of ciphers (e.g K64, SK64, K128, SK128) the ecb\_encrypt() and ecb\_decrypt()
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	549 functions are the same. So if you want to use those functions directly just call safer\_ecb\_encrypt()
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	550 or safer\_ecb\_decrypt() respectively.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	551
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	552 \item
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	553 Note that for ``DES'' and ``3DES'' they use 8 and 24 byte keys but only 7 and 21 [respectively] bytes of the keys are in
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	554 fact used for the purposes of encryption. My suggestion is just to use random 8/24 byte keys instead of trying to make a 8/24
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	555 byte string from the real 7/21 byte key.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	556
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	557 \item
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	558 Note that ``Twofish'' has additional configuration options that take place at build time. These options are found in
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	559 the file ``mycrypt\_cfg.h''. The first option is ``TWOFISH\_SMALL'' which when defined will force the Twofish code
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	560 to not pre-compute the Twofish ``$g(X)$'' function as a set of four $8 \times 32$ s-boxes. This means that a scheduled
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	561 key will require less ram but the resulting cipher will be slower. The second option is ``TWOFISH\_TABLES'' which when
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	562 defined will force the Twofish code to use pre-computed tables for the two s-boxes $q_0, q_1$ as well as the multiplication
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	563 by the polynomials 5B and EF used in the MDS multiplication. As a result the code is faster and slightly larger. The
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	564 speed increase is useful when ``TWOFISH\_SMALL'' is defined since the s-boxes and MDS multiply form the heart of the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	565 Twofish round function.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	566
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	567 \index{Twofish build options}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	568 \begin{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	569 \begin{center}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	570 \begin{tabular}{\|l\|l\|l\|}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	571 \hline TWOFISH\_SMALL & TWOFISH\_TABLES & Speed and Memory (per key) \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	572 \hline undefined & undefined & Very fast, 4.2KB of ram. \\
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	573 \hline undefined & defined & Faster keysetup, larger code. \\
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	574 \hline defined & undefined & Very slow, 0.2KB of ram. \\
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	575 \hline defined & defined & Faster, 0.2KB of ram, larger code. \\
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	576 \hline
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	577 \end{tabular}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	578 \end{center}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	579 \end{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	580
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	581 \end{enumerate}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	582 \end{small}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	583
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	584 To work with the cipher\_descriptor array there is a function:
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	585 \index{find\_cipher()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	586 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	587 int find_cipher(char *name)
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	588 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	589 Which will search for a given name in the array. It returns negative one if the cipher is not found, otherwise it returns
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	590 the location in the array where the cipher was found. For example, to indirectly setup Blowfish you can also use:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	591 \begin{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	592 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	593 #include <mycrypt.h>
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	594 int main(void)
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	595 {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	596 unsigned char key[8];
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	597 symmetric_key skey;
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	598 int err;
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	599
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	600 /* you must register a cipher before you use it */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	601 if (register_cipher(&blowfish_desc)) == -1) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	602 printf("Unable to register Blowfish cipher.");
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	603 return -1;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	604 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	605
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	606 /* generic call to function (assuming the key in key[] was already setup) */
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	607 if ((err = cipher_descriptor[find_cipher("blowfish")].setup(key, 8, 0, &skey)) !=
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	608 CRYPT_OK) {
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	609 printf("Error setting up Blowfish: %s\n", error_to_string(err));
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	610 return -1;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	611 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	612
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	613 /* ... use cipher ... */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	614 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	615 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	616 \end{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	617
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	618 A good safety would be to check the return value of ``find\_cipher()'' before accessing the desired function. In order
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	619 to use a cipher with the descriptor table you must register it first using:
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	620 \index{register\_cipher()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	621 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	622 int register_cipher(const struct _cipher_descriptor *cipher);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	623 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	624 Which accepts a pointer to a descriptor and returns the index into the global descriptor table. If an error occurs such
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	625 as there is no more room (it can have 32 ciphers at most) it will return {\bf{-1}}. If you try to add the same cipher more
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	626 than once it will just return the index of the first copy. To remove a cipher call:
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	627 \index{unregister\_cipher()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	628 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	629 int unregister_cipher(const struct _cipher_descriptor *cipher);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	630 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	631 Which returns {\bf CRYPT\_OK} if it removes it otherwise it returns {\bf CRYPT\_ERROR}. Consider:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	632 \begin{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	633 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	634 #include <mycrypt.h>
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	635 int main(void)
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	636 {
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	637 int err;
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	638
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	639 /* register the cipher */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	640 if (register_cipher(&rijndael_desc) == -1) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	641 printf("Error registering Rijndael\n");
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	642 return -1;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	643 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	644
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	645 /* use Rijndael */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	646
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	647 /* remove it */
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	648 if ((err = unregister_cipher(&rijndael_desc)) != CRYPT_OK) {
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	649 printf("Error removing Rijndael: %s\n", error_to_string(err));
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	650 return -1;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	651 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	652
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	653 return 0;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	654 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	655 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	656 \end{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	657 This snippet is a small program that registers only Rijndael only.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	658
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	659 \section{Symmetric Modes of Operations}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	660 \subsection{Background}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	661 A typical symmetric block cipher can be used in chaining modes to effectively encrypt messages larger than the block
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	662 size of the cipher. Given a key $k$, a plaintext $P$ and a cipher $E$ we shall denote the encryption of the block
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	663 $P$ under the key $k$ as $E_k(P)$. In some modes there exists an initial vector denoted as $C_{-1}$.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	664
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	665 \subsubsection{ECB Mode}
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	666 \index{ECB mode}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	667 ECB or Electronic Codebook Mode is the simplest method to use. It is given as:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	668 \begin{equation}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	669 C_i = E_k(P_i)
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	670 \end{equation}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	671 This mode is very weak since it allows people to swap blocks and perform replay attacks if the same key is used more
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	672 than once.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	673
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	674 \subsubsection{CBC Mode}
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	675 \index{CBC mode}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	676 CBC or Cipher Block Chaining mode is a simple mode designed to prevent trivial forms of replay and swap attacks on ciphers.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	677 It is given as:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	678 \begin{equation}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	679 C_i = E_k(P_i \oplus C_{i - 1})
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	680 \end{equation}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	681 It is important that the initial vector be unique and preferably random for each message encrypted under the same key.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	682
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	683 \subsubsection{CTR Mode}
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	684 \index{CTR mode}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	685 CTR or Counter Mode is a mode which only uses the encryption function of the cipher. Given a initial vector which is
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	686 treated as a large binary counter the CTR mode is given as:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	687 \begin{eqnarray}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	688 C_{-1} = C_{-1} + 1\mbox{ }(\mbox{mod }2^W) \nonumber \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	689 C_i = P_i \oplus E_k(C_{-1})
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	690 \end{eqnarray}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	691 Where $W$ is the size of a block in bits (e.g. 64 for Blowfish). As long as the initial vector is random for each message
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	692 encrypted under the same key replay and swap attacks are infeasible. CTR mode may look simple but it is as secure
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	693 as the block cipher is under a chosen plaintext attack (provided the initial vector is unique).
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	694
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	695 \subsubsection{CFB Mode}
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	696 \index{CFB mode}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	697 CFB or Ciphertext Feedback Mode is a mode akin to CBC. It is given as:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	698 \begin{eqnarray}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	699 C_i = P_i \oplus C_{-1} \nonumber \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	700 C_{-1} = E_k(C_i)
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	701 \end{eqnarray}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	702 Note that in this library the output feedback width is equal to the size of the block cipher. That is this mode is used
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	703 to encrypt whole blocks at a time. However, the library will buffer data allowing the user to encrypt or decrypt partial
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	704 blocks without a delay. When this mode is first setup it will initially encrypt the initial vector as required.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	705
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	706 \subsubsection{OFB Mode}
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	707 \index{OFB mode}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	708 OFB or Output Feedback Mode is a mode akin to CBC as well. It is given as:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	709 \begin{eqnarray}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	710 C_{-1} = E_k(C_{-1}) \nonumber \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	711 C_i = P_i \oplus C_{-1}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	712 \end{eqnarray}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	713 Like the CFB mode the output width in CFB mode is the same as the width of the block cipher. OFB mode will also
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	714 buffer the output which will allow you to encrypt or decrypt partial blocks without delay.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	715
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	716 \subsection{Choice of Mode}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	717 My personal preference is for the CTR mode since it has several key benefits:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	718 \begin{enumerate}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	719 \item No short cycles which is possible in the OFB and CFB modes.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	720 \item Provably as secure as the block cipher being used under a chosen plaintext attack.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	721 \item Technically does not require the decryption routine of the cipher.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	722 \item Allows random access to the plaintext.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	723 \item Allows the encryption of block sizes that are not equal to the size of the block cipher.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	724 \end{enumerate}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	725 The CTR, CFB and OFB routines provided allow you to encrypt block sizes that differ from the ciphers block size. They
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	726 accomplish this by buffering the data required to complete a block. This allows you to encrypt or decrypt any size
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	727 block of memory with either of the three modes.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	728
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	729 The ECB and CBC modes process blocks of the same size as the cipher at a time. Therefore they are less flexible than the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	730 other modes.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	731
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	732 \subsection{Implementation}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	733 \index{CBC Mode} \index{CTR Mode}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	734 \index{OFB Mode} \index{CFB Mode}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	735 The library provides simple support routines for handling CBC, CTR, CFB, OFB and ECB encoded messages. Assuming the mode
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	736 you want is XXX there is a structure called ``symmetric\_XXX'' that will contain the information required to
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	737 use that mode. They have identical setup routines (except ECB mode for obvious reasons):
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	738 \index{ecb\_start()} \index{cfb\_start()} \index{cbc\_start()} \index{ofb\_start()} \index{ctr\_start()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	739 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	740 int XXX_start(int cipher, const unsigned char *IV,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	741 const unsigned char *key, int keylen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	742 int num_rounds, symmetric_XXX *XXX);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	743
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	744 int ecb_start(int cipher, const unsigned char *key, int keylen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	745 int num_rounds, symmetric_ECB *ecb);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	746 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	747
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	748 In each case ``cipher'' is the index into the cipher\_descriptor array of the cipher you want to use. The ``IV'' value is
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	749 the initialization vector to be used with the cipher. You must fill the IV yourself and it is assumed they are the same
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	750 length as the block size\footnote{In otherwords the size of a block of plaintext for the cipher, e.g. 8 for DES, 16 for AES, etc.}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	751 of the cipher you choose. It is important that the IV be random for each unique message you want to encrypt. The
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	752 parameters ``key'', ``keylen'' and ``num\_rounds'' are the same as in the XXX\_setup() function call. The final parameter
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	753 is a pointer to the structure you want to hold the information for the mode of operation.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	754
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	755 Both routines return {\bf CRYPT\_OK} if the cipher initialized correctly, otherwise they return an error code. To
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	756 actually encrypt or decrypt the following routines are provided:
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	757 \index{ecb\_encrypt()} \index{ecb\_decrypt()} \index{cfb\_encrypt()} \index{cfb\_decrypt()}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	758 \index{cbc\_encrypt()} \index{cbc\_decrypt()} \index{ofb\_encrypt()} \index{ofb\_decrypt()} \index{ctr\_encrypt()} \index{ctr\_decrypt()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	759 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	760 int XXX_encrypt(const unsigned char pt, unsigned char ct,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	761 symmetric_XXX *XXX);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	762 int XXX_decrypt(const unsigned char ct, unsigned char pt,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	763 symmetric_XXX *XXX);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	764
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	765 int YYY_encrypt(const unsigned char pt, unsigned char ct,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	766 unsigned long len, symmetric_YYY *YYY);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	767 int YYY_decrypt(const unsigned char ct, unsigned char pt,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	768 unsigned long len, symmetric_YYY *YYY);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	769 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	770 Where ``XXX'' is one of (ecb, cbc) and ``YYY'' is one of (ctr, ofb, cfb). In the CTR, OFB and CFB cases ``len'' is the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	771 size of the buffer (as number of chars) to encrypt or decrypt. The CTR, OFB and CFB modes are order sensitive but not
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	772 chunk sensitive. That is you can encrypt ``ABCDEF'' in three calls like ``AB'', ``CD'', ``EF'' or two like ``ABCDE'' and ``F''
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	773 and end up with the same ciphertext. However, encrypting ``ABC'' and ``DABC'' will result in different ciphertexts. All
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	774 five of the modes will return {\bf CRYPT\_OK} on success from the encrypt or decrypt functions.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	775
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	776 To decrypt in either mode you simply perform the setup like before (recall you have to fetch the IV value you used)
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	777 and use the decrypt routine on all of the blocks.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	778
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	779 To change or read the IV of a previously initialized chaining mode use the following two functions.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	780
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	781 \index{cbc\_setiv()} \index{cbc\_getiv()} \index{ofb\_setiv()} \index{ofb\_getiv()} \index{cfb\_setiv()} \index{cfb\_getiv()}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	782 \index{ctr\_setiv()} \index{ctr\_getiv()}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	783 \begin{verbatim}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	784 int XXX_getiv(unsigned char IV, unsigned long len, symmetric_XXX *XXX);
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	785 int XXX_setiv(const unsigned char IV, unsigned long len, symmetric_XXX XXX);
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	786 \end{verbatim}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	787
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	788 The XXX\_getiv function will read the IV out of the chaining mode and store it into ``IV'' along with the length of the IV
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	789 stored in ``len''. The XXX\_setiv will initialize the chaining mode state as if the original IV were the new IV specified. The length
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	790 of the IV passed in must be the size of the ciphers block size.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	791
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	792 The XXX\_setiv functions are handy if you wish to change the IV without re--keying the cipher.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	793
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	794 \newpage
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	795 \begin{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	796 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	797 #include <mycrypt.h>
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	798 int main(void)
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	799 {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	800 unsigned char key[16], IV[16], buffer[512];
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	801 symmetric_CTR ctr;
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	802 int x, err;
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	803
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	804 /* register twofish first */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	805 if (register_cipher(&twofish_desc) == -1) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	806 printf("Error registering cipher.\n");
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	807 return -1;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	808 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	809
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	810 /* somehow fill out key and IV */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	811
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	812 /* start up CTR mode */
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	813 if ((err = ctr_start(
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	814 find_cipher("twofish"), /* index of desired cipher */
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	815 IV, /* the initial vector */
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	816 key, /* the secret key */
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	817 16, /* length of secret key (16 bytes, 128 bits) */
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	818 0, /* 0 == default # of rounds */
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	819 &ctr) /* where to store initialized CTR state */
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	820 ) != CRYPT_OK) {
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	821 printf("ctr_start error: %s\n", error_to_string(err));
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	822 return -1;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	823 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	824
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	825 /* somehow fill buffer than encrypt it */
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	826 if ((err = ctr_encrypt( buffer, /* plaintext */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	827 buffer, /* ciphertext */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	828 sizeof(buffer), /* length of data to encrypt */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	829 &ctr) /* previously initialized CTR state */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	830 ) != CRYPT_OK) {
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	831 printf("ctr_encrypt error: %s\n", error_to_string(err));
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	832 return -1;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	833 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	834
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	835 /* make use of ciphertext... */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	836
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	837 /* now we want to decrypt so let's use ctr_setiv */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	838 if ((err = ctr_setiv( IV, /* the initial IV we gave to ctr_start */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	839 16, /* the IV is 16 bytes long */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	840 &ctr) /* the ctr state we wish to modify */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	841 ) != CRYPT_OK) {
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	842 printf("ctr_setiv error: %s\n", error_to_string(err));
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	843 return -1;
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	844 }
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	845
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	846 if ((err = ctr_decrypt( buffer, /* ciphertext */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	847 buffer, /* plaintext */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	848 sizeof(buffer), /* length of data to encrypt */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	849 &ctr) /* previously initialized CTR state */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	850 ) != CRYPT_OK) {
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	851 printf("ctr_decrypt error: %s\n", error_to_string(err));
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	852 return -1;
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	853 }
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	854
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	855 /* clear up and return */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	856 zeromem(key, sizeof(key));
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	857 zeromem(&ctr, sizeof(ctr));
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	858
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	859 return 0;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	860 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	861 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	862 \end{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	863
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	864 \section{Encrypt and Authenticate Modes}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	865
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	866 \subsection{EAX Mode}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	867 LibTomCrypt provides support for a mode called EAX\footnote{See
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	868 M. Bellare, P. Rogaway, D. Wagner, A Conventional Authenticated-Encryption Mode.} in a manner similar to the
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	869 way it was intended to be used by the designers. First a short description of what EAX mode is before I explain how to use it.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	870 EAX is a mode that requires a cipher, CTR and OMAC support and provides encryption and authentication\footnote{Note that since EAX only requires OMAC and CTR you may use ``encrypt only'' cipher descriptors with this mode.}.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	871 It is initialized with a random ``nonce'' that can be shared publicly as well as a ``header'' which can be fixed and public as well as a random
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	872 secret symmetric key.
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	873
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	874 The ``header'' data is meant to be meta-data associated with a stream that isn't private (e.g. protocol messages). It can
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	875 be added at anytime during an EAX stream and is part of the authentication tag. That is, changes in the meta-data can
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	876 be detected by changes in the output tag.
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	877
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	878 The mode can then process plaintext producing ciphertext as well as compute a partial checksum. The actual checksum
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	879 called a ``tag'' is only emitted when the message is finished. In the interim though the user can process any arbitrary
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	880 sized message block to send to the recipient as ciphertext. This makes the EAX mode especially suited for streaming modes
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	881 of operation.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	882
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	883 The mode is initialized with the following function.
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	884 \index{eax\_init()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	885 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	886 int eax_init(eax_state *eax, int cipher,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	887 const unsigned char *key, unsigned long keylen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	888 const unsigned char *nonce, unsigned long noncelen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	889 const unsigned char *header, unsigned long headerlen);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	890 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	891
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	892 Where ``eax'' is the EAX state. ``cipher'' is the index of the desired cipher in the descriptor table.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	893 ``key'' is the shared secret symmetric key of length ``keylen''. ``nonce'' is the random public string of
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	894 length ``noncelen''. ``header'' is the random (or fixed or \textbf{NULL}) header for the message of length
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	895 ``headerlen''.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	896
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	897 When this function completes ``eax'' will be initialized such that you can now either have data decrypted or
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	898 encrypted in EAX mode. Note that if ``headerlen'' is zero you may pass ``header'' as \textbf{NULL} to indicate
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	899 there is no initial header data.
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	900
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	901 To encrypt or decrypt data in a streaming mode use the following.
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	902 \index{eax\_encrypt()} \index{eax\_decrypt()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	903 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	904 int eax_encrypt(eax_state eax, const unsigned char pt,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	905 unsigned char *ct, unsigned long length);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	906
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	907 int eax_decrypt(eax_state eax, const unsigned char ct,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	908 unsigned char *pt, unsigned long length);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	909 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	910 The function ``eax\_encrypt'' will encrypt the bytes in ``pt'' of ``length'' bytes and store the ciphertext in
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	911 ``ct''. Note that ``ct'' and ``pt'' may be the same region in memory. This function will also send the ciphertext
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	912 through the OMAC function. The function ``eax\_decrypt'' decrypts ``ct'' and stores it in ``pt''. This also allows
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	913 ``pt'' and ``ct'' to be the same region in memory.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	914
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	915 You cannot both encrypt or decrypt with the same ``eax'' context. For bi-directional communication you
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	916 will need to initialize two EAX contexts (preferably with different headers and nonces).
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	917
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	918 Note that both of these functions allow you to send the data in any granularity but the order is important. While
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	919 the eax\_init() function allows you to add initial header data to the stream you can also add header data during the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	920 EAX stream with the following.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	921
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	922 \index{eax\_addheader()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	923 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	924 int eax_addheader(eax_state *eax,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	925 const unsigned char *header, unsigned long length);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	926 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	927
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	928 This will add the ``length'' bytes from ``header'' to the given ``eax'' stream. Once the message is finished the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	929 ``tag'' (checksum) may be computed with the following function.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	930
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	931 \index{eax\_done()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	932 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	933 int eax_done(eax_state *eax,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	934 unsigned char tag, unsigned long taglen);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	935 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	936 This will terminate the EAX state ``eax'' and store upto ``taglen'' bytes of the message tag in ``tag''. The function
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	937 then stores how many bytes of the tag were written out back into ``taglen''.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	938
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	939 The EAX mode code can be tested to ensure it matches the test vectors by calling the following function.
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	940 \index{eax\_test()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	941 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	942 int eax_test(void);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	943 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	944 This requires that the AES (or Rijndael) block cipher be registered with the cipher\_descriptor table first.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	945
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	946 \begin{verbatim}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	947 #include <mycrypt.h>
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	948 int main(void)
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	949 {
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	950 int err;
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	951 eax_state eax;
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	952 unsigned char pt[64], ct[64], nonce[16], key[16], tag[16];
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	953 unsigned long taglen;
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	954
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	955 if (register_cipher(&rijndael_desc) == -1) {
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	956 printf("Error registering Rijndael");
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	957 return EXIT_FAILURE;
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	958 }
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	959
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	960 /* ... make up random nonce and key ... */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	961
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	962 /* initialize context */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	963 if ((err = eax_init( &eax, /* the context */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	964 find_cipher("rijndael"), /* cipher we want to use */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	965 nonce, /* our state nonce */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	966 16, /* none is 16 bytes */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	967 "TestApp", /* example header, identifies this program */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	968 7) /* length of the header */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	969 ) != CRYPT_OK) {
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	970 printf("Error eax_init: %s", error_to_string(err));
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	971 return EXIT_FAILURE;
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	972 }
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	973
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	974 /* now encrypt data, say in a loop or whatever */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	975 if ((err = eax_encrypt( &eax, /* eax context */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	976 pt, /* plaintext (source) */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	977 ct, /* ciphertext (destination) */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	978 sizeof(pt) /* size of plaintext */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	979 ) != CRYPT_OK) {
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	980 printf("Error eax_encrypt: %s", error_to_string(err));
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	981 return EXIT_FAILURE;
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	982 }
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	983
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	984 /* finish message and get authentication tag */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	985 taglen = sizeof(tag);
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	986 if ((err = eax_done( &eax, /* eax context */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	987 tag, /* where to put tag */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	988 &taglen /* length of tag space */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	989 ) != CRYPT_OK) {
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	990 printf("Error eax_done: %s", error_to_string(err));
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	991 return EXIT_FAILURE;
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	992 }
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	993
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	994 /* now we have the authentication tag in "tag" and it's taglen bytes long */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	995
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	996 }
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	997 \end{verbatim}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	998
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	999 You can also perform an entire EAX state on a block of memory in a single function call with the
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1000 following functions.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1001
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1002
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1003 \index{eax\_encrypt\_authenticate\_memory} \index{eax\_decrypt\_verify\_memory}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1004 \begin{verbatim}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1005 int eax_encrypt_authenticate_memory(int cipher,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1006 const unsigned char *key, unsigned long keylen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1007 const unsigned char *nonce, unsigned long noncelen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1008 const unsigned char *header, unsigned long headerlen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1009 const unsigned char *pt, unsigned long ptlen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1010 unsigned char *ct,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1011 unsigned char tag, unsigned long taglen);
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1012
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1013 int eax_decrypt_verify_memory(int cipher,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1014 const unsigned char *key, unsigned long keylen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1015 const unsigned char *nonce, unsigned long noncelen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1016 const unsigned char *header, unsigned long headerlen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1017 const unsigned char *ct, unsigned long ctlen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1018 unsigned char *pt,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1019 unsigned char *tag, unsigned long taglen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1020 int *res);
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1021 \end{verbatim}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1022
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1023 Both essentially just call eax\_init() followed by eax\_encrypt() (or eax\_decrypt() respectively) and eax\_done(). The parameters
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1024 have the same meaning as with those respective functions.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1025
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1026 The only difference is eax\_decrypt\_verify\_memory() does not emit a tag. Instead you pass it a tag as input and it compares it against
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1027 the tag it computed while decrypting the message. If the tags match then it stores a $1$ in ``res'', otherwise it stores a $0$.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1028
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1029 \subsection{OCB Mode}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1030 LibTomCrypt provides support for a mode called OCB\footnote{See
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1031 P. Rogaway, M. Bellare, J. Black, T. Krovetz, ``OCB: A Block Cipher Mode of Operation for Efficient Authenticated Encryption''.}
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1032 . OCB is an encryption protocol that simultaneously provides authentication. It is slightly faster to use than EAX mode
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1033 but is less flexible. Let's review how to initialize an OCB context.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1034
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1035 \index{ocb\_init()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1036 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1037 int ocb_init(ocb_state *ocb, int cipher,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1038 const unsigned char *key, unsigned long keylen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1039 const unsigned char *nonce);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1040 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1041
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1042 This will initialize the ``ocb'' context using cipher descriptor ``cipher''. It will use a ``key'' of length ``keylen''
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1043 and the random ``nonce''. Note that ``nonce'' must be a random (public) string the same length as the block ciphers
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1044 block size (e.g. 16 bytes for AES).
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1045
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1046 This mode has no ``Associated Data'' like EAX mode does which means you cannot authenticate metadata along with the stream.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1047 To encrypt or decrypt data use the following.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1048
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1049 \index{ocb\_encrypt()} \index{ocb\_decrypt()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1050 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1051 int ocb_encrypt(ocb_state ocb, const unsigned char pt, unsigned char *ct);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1052 int ocb_decrypt(ocb_state ocb, const unsigned char ct, unsigned char *pt);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1053 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1054
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1055 This will encrypt (or decrypt for the latter) a fixed length of data from ``pt'' to ``ct'' (vice versa for the latter).
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1056 They assume that ``pt'' and ``ct'' are the same size as the block cipher's block size. Note that you cannot call
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1057 both functions given a single ``ocb'' state. For bi-directional communication you will have to initialize two ``ocb''
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1058 states (with different nonces). Also ``pt'' and ``ct'' may point to the same location in memory.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1059
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1060 When you are finished encrypting the message you call the following function to compute the tag.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1061
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1062 \index{ocb\_done\_encrypt()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1063 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1064 int ocb_done_encrypt(ocb_state *ocb,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1065 const unsigned char *pt, unsigned long ptlen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1066 unsigned char *ct,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1067 unsigned char tag, unsigned long taglen);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1068 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1069
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1070 This will terminate an encrypt stream ``ocb''. If you have trailing bytes of plaintext that will not complete a block
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1071 you can pass them here. This will also encrypt the ``ptlen'' bytes in ``pt'' and store them in ``ct''. It will also
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1072 store upto ``taglen'' bytes of the tag into ``tag''.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1073
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1074 Note that ``ptlen'' must be less than or equal to the block size of block cipher chosen. Also note that if you have
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1075 an input message equal to the length of the block size then you pass the data here (not to ocb\_encrypt()) only.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1076
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1077 To terminate a decrypt stream and compared the tag you call the following.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1078
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1079 \index{ocb\_done\_decrypt()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1080 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1081 int ocb_done_decrypt(ocb_state *ocb,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1082 const unsigned char *ct, unsigned long ctlen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1083 unsigned char *pt,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1084 const unsigned char *tag, unsigned long taglen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1085 int *res);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1086 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1087
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1088 Similarly to the previous function you can pass trailing message bytes into this function. This will compute the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1089 tag of the message (internally) and then compare it against the ``taglen'' bytes of ``tag'' provided. By default
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1090 ``res'' is set to zero. If all ``taglen'' bytes of ``tag'' can be verified then ``res'' is set to one (authenticated
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1091 message).
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1092
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1093 To make life simpler the following two functions are provided for memory bound OCB.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1094
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1095 \index{ocb\_encrypt\_authenticate\_memory()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1096 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1097 int ocb_encrypt_authenticate_memory(int cipher,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1098 const unsigned char *key, unsigned long keylen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1099 const unsigned char *nonce,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1100 const unsigned char *pt, unsigned long ptlen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1101 unsigned char *ct,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1102 unsigned char tag, unsigned long taglen);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1103 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1104
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1105 This will OCB encrypt the message ``pt'' of length ``ptlen'' and store the ciphertext in ``ct''. The length ``ptlen''
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1106 can be any arbitrary length.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1107
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1108 \index{ocb\_decrypt\_verify\_memory()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1109 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1110 int ocb_decrypt_verify_memory(int cipher,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1111 const unsigned char *key, unsigned long keylen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1112 const unsigned char *nonce,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1113 const unsigned char *ct, unsigned long ctlen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1114 unsigned char *pt,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1115 const unsigned char *tag, unsigned long taglen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1116 int *res);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1117 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1118
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1119 Similarly this will OCB decrypt and compare the internally computed tag against the tag provided. ``res'' is set
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1120 appropriately.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1121
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1122 \chapter{One-Way Cryptographic Hash Functions}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1123 \section{Core Functions}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1124
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1125 Like the ciphers there are hash core functions and a universal data type to hold the hash state called ``hash\_state''.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1126 To initialize hash XXX (where XXX is the name) call:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1127 \index{Hash Functions}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1128 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1129 void XXX_init(hash_state *md);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1130 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1131
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1132 This simply sets up the hash to the default state governed by the specifications of the hash. To add data to the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1133 message being hashed call:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1134 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1135 int XXX_process(hash_state md, const unsigned char in, unsigned long len);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1136 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1137
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1138 Essentially all hash messages are virtually infinitely\footnote{Most hashes are limited to $2^{64}$ bits or 2,305,843,009,213,693,952 bytes.} long message which
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1139 are buffered. The data can be passed in any sized chunks as long as the order of the bytes are the same the message digest
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1140 (hash output) will be the same. For example, this means that:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1141 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1142 md5_process(&md, "hello ", 6);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1143 md5_process(&md, "world", 5);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1144 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1145 Will produce the same message digest as the single call:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1146 \index{Message Digest}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1147 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1148 md5_process(&md, "hello world", 11);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1149 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1150
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1151 To finally get the message digest (the hash) call:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1152 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1153 int XXX_done(hash_state *md,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1154 unsigned char *out);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1155 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1156
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1157 This function will finish up the hash and store the result in the ``out'' array. You must ensure that ``out'' is long
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1158 enough for the hash in question. Often hashes are used to get keys for symmetric ciphers so the ``XXX\_done()'' functions
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1159 will wipe the ``md'' variable before returning automatically.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1160
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1161 To test a hash function call:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1162 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1163 int XXX_test(void);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1164 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1165
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1166 This will return {\bf CRYPTO\_OK} if the hash matches the test vectors, otherwise it returns an error code. An
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1167 example snippet that hashes a message with md5 is given below.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1168 \begin{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1169 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1170 #include <mycrypt.h>
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1171 int main(void)
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1172 {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1173 hash_state md;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1174 unsigned char *in = "hello world", out[16];
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1175
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1176 /* setup the hash */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1177 md5_init(&md);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1178
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1179 /* add the message */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1180 md5_process(&md, in, strlen(in));
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1181
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1182 /* get the hash in out[0..15] */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1183 md5_done(&md, out);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1184
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1185 return 0;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1186 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1187 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1188 \end{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1189
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1190 \section{Hash Descriptors}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1191 Like the set of ciphers the set of hashes have descriptors too. They are stored in an array called ``hash\_descriptor'' and
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1192 are defined by:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1193 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1194 struct _hash_descriptor {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1195 char *name;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1196 unsigned long hashsize; /* digest output size in bytes */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1197 unsigned long blocksize; /* the block size the hash uses */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1198 void (init) (hash_state );
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1199 int (process)(hash_state , const unsigned char *, unsigned long);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1200 int (done) (hash_state , unsigned char *);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1201 int (*test) (void);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1202 };
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1203 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1204
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1205 Similarly ``name'' is the name of the hash function in ASCII (all lowercase). ``hashsize'' is the size of the digest output
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1206 in bytes. The remaining fields are pointers to the functions that do the respective tasks. There is a function to
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1207 search the array as well called ``int find\_hash(char *name)''. It returns -1 if the hash is not found, otherwise the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1208 position in the descriptor table of the hash.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1209
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1210 You can use the table to indirectly call a hash function that is chosen at runtime. For example:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1211 \begin{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1212 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1213 #include <mycrypt.h>
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1214 int main(void)
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1215 {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1216 unsigned char buffer[100], hash[MAXBLOCKSIZE];
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1217 int idx, x;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1218 hash_state md;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1219
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1220 /* register hashes .... */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1221 if (register_hash(&md5_desc) == -1) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1222 printf("Error registering MD5.\n");
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1223 return -1;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1224 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1225
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1226 /* register other hashes ... */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1227
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1228 /* prompt for name and strip newline */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1229 printf("Enter hash name: \n");
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1230 fgets(buffer, sizeof(buffer), stdin);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1231 buffer[strlen(buffer) - 1] = 0;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1232
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1233 /* get hash index */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1234 idx = find_hash(buffer);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1235 if (idx == -1) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1236 printf("Invalid hash name!\n");
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1237 return -1;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1238 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1239
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1240 /* hash input until blank line */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1241 hash_descriptor[idx].init(&md);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1242 while (fgets(buffer, sizeof(buffer), stdin) != NULL)
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1243 hash_descriptor[idx].process(&md, buffer, strlen(buffer));
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1244 hash_descriptor[idx].done(&md, hash);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1245
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1246 /* dump to screen */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1247 for (x = 0; x < hash_descriptor[idx].hashsize; x++)
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1248 printf("%02x ", hash[x]);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1249 printf("\n");
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1250 return 0;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1251 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1252 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1253 \end{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1254
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1255 Note the usage of ``MAXBLOCKSIZE''. In Libtomcrypt no symmetric block, key or hash digest is larger than MAXBLOCKSIZE in
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1256 length. This provides a simple size you can set your automatic arrays to that will not get overrun.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1257
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1258 There are three helper functions as well:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1259 \index{hash\_memory()} \index{hash\_file()}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1260 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1261 int hash_memory(int hash, const unsigned char *data,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1262 unsigned long len, unsigned char *dst,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1263 unsigned long *outlen);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1264
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1265 int hash_file(int hash, const char *fname,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1266 unsigned char *dst,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1267 unsigned long *outlen);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1268
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1269 int hash_filehandle(int hash, FILE *in,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1270 unsigned char dst, unsigned long outlen);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1271 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1272
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1273 The ``hash'' parameter is the location in the descriptor table of the hash (\textit{e.g. the return of find\_hash()}).
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1274 The ``*outlen'' variable is used to keep track of the output size. You
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1275 must set it to the size of your output buffer before calling the functions. When they complete succesfully they store
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1276 the length of the message digest back in it. The functions are otherwise straightforward. The ``hash\_filehandle''
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1277 function assumes that ``in'' is an file handle opened in binary mode. It will hash to the end of file and not reset
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1278 the file position when finished.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1279
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1280 To perform the above hash with md5 the following code could be used:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1281 \begin{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1282 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1283 #include <mycrypt.h>
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1284 int main(void)
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1285 {
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1286 int idx, err;
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1287 unsigned long len;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1288 unsigned char out[MAXBLOCKSIZE];
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1289
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1290 /* register the hash */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1291 if (register_hash(&md5_desc) == -1) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1292 printf("Error registering MD5.\n");
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1293 return -1;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1294 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1295
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1296 /* get the index of the hash */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1297 idx = find_hash("md5");
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1298
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1299 /* call the hash */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1300 len = sizeof(out);
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1301 if ((err = hash_memory(idx, "hello world", 11, out, &len)) != CRYPT_OK) {
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1302 printf("Error hashing data: %s\n", error_to_string(err));
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1303 return -1;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1304 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1305 return 0;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1306 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1307 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1308 \end{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1309
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1310 The following hashes are provided as of this release:
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1311 \index{Hash descriptor table}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1312 \begin{center}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1313 \begin{tabular}{\|c\|c\|c\|}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1314 \hline Name & Descriptor Name & Size of Message Digest (bytes) \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1315 \hline WHIRLPOOL & whirlpool\_desc & 64 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1316 \hline SHA-512 & sha512\_desc & 64 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1317 \hline SHA-384 & sha384\_desc & 48 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1318 \hline SHA-256 & sha256\_desc & 32 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1319 \hline SHA-224 & sha224\_desc & 28 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1320 \hline TIGER-192 & tiger\_desc & 24 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1321 \hline SHA-1 & sha1\_desc & 20 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1322 \hline RIPEMD-160 & rmd160\_desc & 20 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1323 \hline RIPEMD-128 & rmd128\_desc & 16 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1324 \hline MD5 & md5\_desc & 16 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1325 \hline MD4 & md4\_desc & 16 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1326 \hline MD2 & md2\_desc & 16 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1327 \hline
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1328 \end{tabular}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1329 \end{center}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1330
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1331 Similar to the cipher descriptor table you must register your hash algorithms before you can use them. These functions
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1332 work exactly like those of the cipher registration code. The functions are:
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1333 \index{register\_hash()} \index{unregister\_hash()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1334 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1335 int register_hash(const struct _hash_descriptor *hash);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1336 int unregister_hash(const struct _hash_descriptor *hash);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1337 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1338
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1339 \section{Cipher Hash Construction}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1340 \index{Cipher Hash Construction}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1341 An addition to the suite of hash functions is the ``Cipher Hash Construction'' or ``CHC'' mode. In this mode
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1342 applicable block ciphers (such as AES) can be turned into hash functions that other LTC functions can use. In
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1343 particular this allows a cryptosystem to be designed using very few moving parts.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1344
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1345 In order to use the CHC system the developer will have to take a few extra steps. First the ``chc\_desc'' hash
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1346 descriptor must be registered with register\_hash(). At this point the CHC hash cannot be used to hash
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1347 data. While it is in the hash system you still have to tell the CHC code which cipher to use. This is accomplished
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1348 via the chc\_register() function.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1349
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1350 \index{chc\_register()}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1351 \begin{verbatim}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1352 int chc_register(int cipher);
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1353 \end{verbatim}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1354
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1355 A cipher has to be registered with CHC (and also in the cipher descriptor tables with
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1356 register\_cipher()). The chc\_register() function will bind a cipher to the CHC system. Only one cipher can
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1357 be bound to the CHC hash at a time. There are additional requirements for the system to work.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1358
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1359 \begin{enumerate}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1360 \item The cipher must have a block size greater than 64--bits.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1361 \item The cipher must allow an input key the size of the block size.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1362 \end{enumerate}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1363
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1364 Example of using CHC with the AES block cipher.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1365
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1366 \begin{verbatim}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1367 #include <mycrypt.h>
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1368 int main(void)
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1369 {
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1370 int err;
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1371
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1372 /* register cipher and hash */
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1373 if (register_cipher(&aes_enc_desc) == -1) {
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1374 printf("Could not register cipher\n");
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1375 return EXIT_FAILURE;
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1376 }
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1377 if (register_hash(&chc_desc) == -1) {
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1378 printf("Could not register hash\n");
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1379 return EXIT_FAILURE;
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1380 }
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1381
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1382 /* start chc with AES */
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1383 if ((err = chc_register(find_cipher("aes"))) != CRYPT_OK) {
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1384 printf("Error binding AES to CHC: %s\n", error_to_string(err));
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1385 }
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1386
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1387 /* now you can use chc_hash in any LTC function [aside from pkcs...] */
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1388 /* ... */
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1389 \end{verbatim}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1390
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1391
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1392 \section{Notice}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1393 It is highly recommended that you \textbf{not} use the MD4 or MD5 hashes for the purposes of digital signatures or authentication codes.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1394 These hashes are provided for completeness and they still can be used for the purposes of password hashing or one-way accumulators
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1395 (e.g. Yarrow).
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1396
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1397 The other hashes such as the SHA-1, SHA-2 (that includes SHA-512, SHA-384 and SHA-256) and TIGER-192 are still considered secure
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1398 for all purposes you would normally use a hash for.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1399
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1400 \chapter{Message Authentication Codes}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1401 \section{HMAC Protocol}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1402 Thanks to Dobes Vandermeer the library now includes support for hash based message authenication codes or HMAC for short. An HMAC
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1403 of a message is a keyed authenication code that only the owner of a private symmetric key will be able to verify. The purpose is
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1404 to allow an owner of a private symmetric key to produce an HMAC on a message then later verify if it is correct. Any impostor or
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1405 eavesdropper will not be able to verify the authenticity of a message.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1406
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1407 The HMAC support works much like the normal hash functions except that the initialization routine requires you to pass a key
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1408 and its length. The key is much like a key you would pass to a cipher. That is, it is simply an array of octets stored in
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1409 chars. The initialization routine is:
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1410 \index{hmac\_init()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1411 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1412 int hmac_init(hmac_state *hmac, int hash,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1413 const unsigned char *key, unsigned long keylen);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1414 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1415 The ``hmac'' parameter is the state for the HMAC code. ``hash'' is the index into the descriptor table of the hash you want
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1416 to use to authenticate the message. ``key'' is the pointer to the array of chars that make up the key. ``keylen'' is the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1417 length (in octets) of the key you want to use to authenticate the message. To send octets of a message through the HMAC system you must use the following function:
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1418 \index{hmac\_process()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1419 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1420 int hmac_process(hmac_state hmac, const unsigned char buf,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1421 unsigned long len);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1422 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1423 ``hmac'' is the HMAC state you are working with. ``buf'' is the array of octets to send into the HMAC process. ``len'' is the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1424 number of octets to process. Like the hash process routines you can send the data in arbitrarly sized chunks. When you
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1425 are finished with the HMAC process you must call the following function to get the HMAC code:
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1426 \index{hmac\_done()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1427 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1428 int hmac_done(hmac_state hmac, unsigned char hashOut,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1429 unsigned long *outlen);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1430 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1431 ``hmac'' is the HMAC state you are working with. ``hashOut'' is the array of octets where the HMAC code should be stored. You must
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1432 set ``outlen'' to the size of the destination buffer before calling this function. It is updated with the length of the HMAC code
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1433 produced (depending on which hash was picked). If ``outlen'' is less than the size of the message digest (and ultimately
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1434 the HMAC code) then the HMAC code is truncated as per FIPS-198 specifications (e.g. take the first ``outlen'' bytes).
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1435
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1436 There are two utility functions provided to make using HMACs easier todo. They accept the key and information about the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1437 message (file pointer, address in memory) and produce the HMAC result in one shot. These are useful if you want to avoid
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1438 calling the three step process yourself.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1439
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1440 \index{hmac\_memory()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1441 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1442 int hmac_memory(int hash, const unsigned char *key, unsigned long keylen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1443 const unsigned char *data, unsigned long len,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1444 unsigned char dst, unsigned long dstlen);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1445 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1446 This will produce an HMAC code for the array of octets in ``data'' of length ``len''. The index into the hash descriptor
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1447 table must be provided in ``hash''. It uses the key from ``key'' with a key length of ``keylen''.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1448 The result is stored in the array of octets ``dst'' and the length in ``dstlen''. The value of ``dstlen'' must be set
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1449 to the size of the destination buffer before calling this function. Similarly for files there is the following function:
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1450 \index{hmac\_file()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1451 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1452 int hmac_file(int hash, const char fname, const unsigned char key,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1453 unsigned long keylen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1454 unsigned char dst, unsigned long dstlen);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1455 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1456 ``hash'' is the index into the hash descriptor table of the hash you want to use. ``fname'' is the filename to process.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1457 ``key'' is the array of octets to use as the key of length ``keylen''. ``dst'' is the array of octets where the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1458 result should be stored.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1459
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1460 To test if the HMAC code is working there is the following function:
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1461 \index{hmac\_test()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1462 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1463 int hmac_test(void);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1464 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1465 Which returns {\bf CRYPT\_OK} if the code passes otherwise it returns an error code. Some example code for using the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1466 HMAC system is given below.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1467
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1468 \begin{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1469 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1470 #include <mycrypt.h>
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1471 int main(void)
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1472 {
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1473 int idx, err;
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1474 hmac_state hmac;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1475 unsigned char key[16], dst[MAXBLOCKSIZE];
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1476 unsigned long dstlen;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1477
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1478 /* register SHA-1 */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1479 if (register_hash(&sha1_desc) == -1) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1480 printf("Error registering SHA1\n");
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1481 return -1;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1482 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1483
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1484 /* get index of SHA1 in hash descriptor table */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1485 idx = find_hash("sha1");
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1486
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1487 /* we would make up our symmetric key in "key[]" here */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1488
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1489 /* start the HMAC */
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1490 if ((err = hmac_init(&hmac, idx, key, 16)) != CRYPT_OK) {
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1491 printf("Error setting up hmac: %s\n", error_to_string(err));
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1492 return -1;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1493 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1494
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1495 /* process a few octets */
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1496 if((err = hmac_process(&hmac, "hello", 5) != CRYPT_OK) {
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1497 printf("Error processing hmac: %s\n", error_to_string(err));
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1498 return -1;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1499 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1500
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1501 /* get result (presumably to use it somehow...) */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1502 dstlen = sizeof(dst);
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1503 if ((err = hmac_done(&hmac, dst, &dstlen)) != CRYPT_OK) {
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1504 printf("Error finishing hmac: %s\n", error_to_string(err));
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1505 return -1;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1506 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1507 printf("The hmac is %lu bytes long\n", dstlen);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1508
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1509 /* return */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1510 return 0;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1511 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1512 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1513 \end{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1514
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1515 \section{OMAC Support}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1516 OMAC\footnote{\url{http://crypt.cis.ibaraki.ac.jp/omac/omac.html}}, which stands for \textit{One-Key CBC MAC} is an
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1517 algorithm which produces a Message Authentication Code (MAC) using only a block cipher such as AES. From an API
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1518 standpoint the OMAC routines work much like the HMAC routines do. Instead in this case a cipher is used instead of a hash.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1519
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1520 To start an OMAC state you call
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1521 \index{omac\_init()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1522 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1523 int omac_init(omac_state *omac, int cipher,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1524 const unsigned char *key, unsigned long keylen);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1525 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1526 The ``omac'' variable is the state for the OMAC algorithm. ``cipher'' is the index into the cipher\_descriptor table
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1527 of the cipher\footnote{The cipher must have a 64 or 128 bit block size. Such as CAST5, Blowfish, DES, AES, Twofish, etc.} you
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1528 wish to use. ``key'' and ``keylen'' are the keys used to authenticate the data.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1529
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1530 To send data through the algorithm call
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1531 \index{omac\_process()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1532 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1533 int omac_process(omac_state *state,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1534 const unsigned char *buf, unsigned long len);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1535 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1536 This will send ``len'' bytes from ``buf'' through the active OMAC state ``state''. Returns \textbf{CRYPT\_OK} if the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1537 function succeeds. The function is not sensitive to the granularity of the data. For example,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1538
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1539 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1540 omac_process(&mystate, "hello", 5);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1541 omac_process(&mystate, " world", 6);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1542 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1543
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1544 Would produce the same result as,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1545
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1546 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1547 omac_process(&mystate, "hello world", 11);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1548 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1549
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1550 When you are done processing the message you can call the following to compute the message tag.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1551
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1552 \index{omac\_done()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1553 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1554 int omac_done(omac_state *state,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1555 unsigned char out, unsigned long outlen);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1556 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1557 Which will terminate the OMAC and output the \textit{tag} (MAC) to ``out''. Note that unlike the HMAC and other code
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1558 ``outlen'' can be smaller than the default MAC size (for instance AES would make a 16-byte tag). Part of the OMAC
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1559 specification states that the output may be truncated. So if you pass in $outlen = 5$ and use AES as your cipher than
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1560 the output MAC code will only be five bytes long. If ``outlen'' is larger than the default size it is set to the default
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1561 size to show how many bytes were actually used.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1562
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1563 Similar to the HMAC code the file and memory functions are also provided. To OMAC a buffer of memory in one shot use the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1564 following function.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1565
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1566 \index{omac\_memory()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1567 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1568 int omac_memory(int cipher,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1569 const unsigned char *key, unsigned long keylen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1570 const unsigned char *msg, unsigned long msglen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1571 unsigned char out, unsigned long outlen);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1572 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1573 This will compute the OMAC of ``msglen'' bytes of ``msg'' using the key ``key'' of length ``keylen'' bytes and the cipher
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1574 specified by the ``cipher'''th entry in the cipher\_descriptor table. It will store the MAC in ``out'' with the same
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1575 rules as omac\_done.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1576
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1577 To OMAC a file use
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1578 \index{omac\_file()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1579 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1580 int omac_file(int cipher,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1581 const unsigned char *key, unsigned long keylen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1582 const char *filename,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1583 unsigned char out, unsigned long outlen);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1584 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1585
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1586 Which will OMAC the entire contents of the file specified by ``filename'' using the key ``key'' of length ``keylen'' bytes
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1587 and the cipher specified by the ``cipher'''th entry in the cipher\_descriptor table. It will store the MAC in ``out'' with
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1588 the same rules as omac\_done.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1589
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1590 To test if the OMAC code is working there is the following function:
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1591 \index{omac\_test()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1592 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1593 int omac_test(void);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1594 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1595 Which returns {\bf CRYPT\_OK} if the code passes otherwise it returns an error code. Some example code for using the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1596 OMAC system is given below.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1597
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1598 \begin{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1599 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1600 #include <mycrypt.h>
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1601 int main(void)
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1602 {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1603 int idx, err;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1604 omac_state omac;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1605 unsigned char key[16], dst[MAXBLOCKSIZE];
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1606 unsigned long dstlen;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1607
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1608 /* register Rijndael */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1609 if (register_cipher(&rijndael_desc) == -1) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1610 printf("Error registering Rijndael\n");
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1611 return -1;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1612 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1613
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1614 /* get index of Rijndael in cipher descriptor table */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1615 idx = find_cipher("rijndael");
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1616
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1617 /* we would make up our symmetric key in "key[]" here */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1618
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1619 /* start the OMAC */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1620 if ((err = omac_init(&omac, idx, key, 16)) != CRYPT_OK) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1621 printf("Error setting up omac: %s\n", error_to_string(err));
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1622 return -1;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1623 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1624
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1625 /* process a few octets */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1626 if((err = omac_process(&omac, "hello", 5) != CRYPT_OK) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1627 printf("Error processing omac: %s\n", error_to_string(err));
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1628 return -1;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1629 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1630
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1631 /* get result (presumably to use it somehow...) */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1632 dstlen = sizeof(dst);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1633 if ((err = omac_done(&omac, dst, &dstlen)) != CRYPT_OK) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1634 printf("Error finishing omac: %s\n", error_to_string(err));
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1635 return -1;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1636 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1637 printf("The omac is %lu bytes long\n", dstlen);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1638
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1639 /* return */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1640 return 0;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1641 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1642 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1643 \end{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1644
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1645 \section{PMAC Support}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1646 The PMAC\footnote{J.Black, P.Rogaway, ``A Block--Cipher Mode of Operation for Parallelizable Message Authentication''}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1647 protocol is another MAC algorithm that relies solely on a symmetric-key block cipher. It uses essentially the same
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1648 API as the provided OMAC code.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1649
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1650 A PMAC state is initialized with the following.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1651
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1652 \index{pmac\_init()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1653 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1654 int pmac_init(pmac_state *pmac, int cipher,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1655 const unsigned char *key, unsigned long keylen);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1656 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1657 Which initializes the ``pmac'' state with the given ``cipher'' and ``key'' of length ``keylen'' bytes. The chosen cipher
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1658 must have a 64 or 128 bit block size (e.x. AES).
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1659
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1660 To MAC data simply send it through the process function.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1661
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1662 \index{pmac\_process()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1663 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1664 int pmac_process(pmac_state *state,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1665 const unsigned char *buf, unsigned long len);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1666 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1667 This will process ``len'' bytes of ``buf'' in the given ``state''. The function is not sensitive to the granularity of the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1668 data. For example,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1669
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1670 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1671 pmac_process(&mystate, "hello", 5);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1672 pmac_process(&mystate, " world", 6);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1673 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1674
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1675 Would produce the same result as,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1676
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1677 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1678 pmac_process(&mystate, "hello world", 11);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1679 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1680
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1681 When a complete message has been processed the following function can be called to compute the message tag.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1682
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1683 \index{pmac\_done()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1684 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1685 int pmac_done(pmac_state *state,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1686 unsigned char out, unsigned long outlen);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1687 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1688 This will store upto ``outlen'' bytes of the tag for the given ``state'' into ``out''. Note that if ``outlen'' is larger
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1689 than the size of the tag it is set to the amount of bytes stored in ``out''.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1690
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1691 Similar to the PMAC code the file and memory functions are also provided. To PMAC a buffer of memory in one shot use the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1692 following function.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1693
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1694 \index{pmac\_memory()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1695 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1696 int pmac_memory(int cipher,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1697 const unsigned char *key, unsigned long keylen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1698 const unsigned char *msg, unsigned long msglen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1699 unsigned char out, unsigned long outlen);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1700 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1701 This will compute the PMAC of ``msglen'' bytes of ``msg'' using the key ``key'' of length ``keylen'' bytes and the cipher
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1702 specified by the ``cipher'''th entry in the cipher\_descriptor table. It will store the MAC in ``out'' with the same
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1703 rules as omac\_done.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1704
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1705 To PMAC a file use
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	1706 \index{pmac\_file()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1707 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1708 int pmac_file(int cipher,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1709 const unsigned char *key, unsigned long keylen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1710 const char *filename,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1711 unsigned char out, unsigned long outlen);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1712 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1713
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1714 Which will PMAC the entire contents of the file specified by ``filename'' using the key ``key'' of length ``keylen'' bytes
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1715 and the cipher specified by the ``cipher'''th entry in the cipher\_descriptor table. It will store the MAC in ``out'' with
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1716 the same rules as omac\_done.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1717
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1718 To test if the PMAC code is working there is the following function:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1719 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1720 int pmac_test(void);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1721 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1722 Which returns {\bf CRYPT\_OK} if the code passes otherwise it returns an error code.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1723
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1724
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1725
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1726
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1727
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1728 \chapter{Pseudo-Random Number Generators}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1729 \section{Core Functions}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1730 The library provides an array of core functions for Pseudo-Random Number Generators (PRNGs) as well. A cryptographic PRNG is
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1731 used to expand a shorter bit string into a longer bit string. PRNGs are used wherever random data is required such as Public Key (PK)
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1732 key generation. There is a universal structure called ``prng\_state''. To initialize a PRNG call:
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1733 \index{PRNG start}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1734 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1735 int XXX_start(prng_state *prng);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1736 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1737
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1738 This will setup the PRNG for future use and not seed it. In order
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1739 for the PRNG to be cryptographically useful you must give it entropy. Ideally you'd have some OS level source to tap
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1740 like in UNIX (see section 5.3). To add entropy to the PRNG call:
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1741 \index{PRNG add\_entropy}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1742 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1743 int XXX_add_entropy(const unsigned char *in, unsigned long len,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1744 prng_state *prng);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1745 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1746
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1747 Which returns {\bf CRYPTO\_OK} if the entropy was accepted. Once you think you have enough entropy you call another
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1748 function to put the entropy into action.
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1749 \index{PRNG ready}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1750 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1751 int XXX_ready(prng_state *prng);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1752 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1753
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1754 Which returns {\bf CRYPTO\_OK} if it is ready. Finally to actually read bytes call:
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1755 \index{PRNG read}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1756 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1757 unsigned long XXX_read(unsigned char *out, unsigned long len,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1758 prng_state *prng);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1759 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1760
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1761 Which returns the number of bytes read from the PRNG. When you are finished with a PRNG state you call
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1762 the following.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1763
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1764 \index{PRNG done}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1765 \begin{verbatim}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1766 void XXX_done(prng_state *prng);
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1767 \end{verbatim}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1768
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1769 This will terminate a PRNG state and free any memory (if any) allocated. To export a PRNG state
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1770 so that you can later resume the PRNG call the following.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1771
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1772 \index{PRNG export}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1773 \begin{verbatim}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1774 int XXX_export(unsigned char out, unsigned long outlen,
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1775 prng_state *prng);
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1776 \end{verbatim}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1777
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1778 This will write a ``PRNG state'' to the buffer ``out'' of length ``outlen'' bytes. The idea of
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1779 the export is meant to be used as a ``seed file''. That is, when the program starts up there will not likely
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1780 be that much entropy available. To import a state to seed a PRNG call the following function.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1781
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1782 \index{PRNG import}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1783 \begin{verbatim}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1784 int XXX_import(const unsigned char *in, unsigned long inlen,
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1785 prng_state *prng);
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1786 \end{verbatim}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1787
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1788 This will call the start and add\_entropy functions of the given PRNG. It will use the state in
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1789 ``in'' of length ``inlen'' as the initial seed. You must pass the same seed length as was exported
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1790 by the corresponding export function.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1791
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1792 Note that importing a state will not ``resume'' the PRNG from where it left off. That is, if you export
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1793 a state, emit (say) 8 bytes and then import the previously exported state the next 8 bytes will not
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1794 specifically equal the 8 bytes you generated previously.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1795
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1796 When a program is first executed the normal course of operation is
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1797
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1798 \begin{enumerate}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1799 \item Gather entropy from your sources for a given period of time or number of events.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1800 \item Start, use your entropy via add\_entropy and ready the PRNG yourself.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1801 \end{enumerate}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1802
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1803 When your program is finished you simply call the export function and save the state to a medium (disk,
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1804 flash memory, etc). The next time your application starts up you can detect the state, feed it to the
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1805 import function and go on your way. It is ideal that (as soon as possible) after startup you export a
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1806 fresh state. This helps in the case that the program aborts or the machine is powered down without
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1807 being given a chance to exit properly.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1808
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1809 Note that even if you have a state to import it is important to add new entropy to the state. However,
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1810 there is less pressure to do so.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1811
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1812 To test a PRNG for operational conformity call the following functions.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1813
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1814 \index{PRNG test}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1815 \begin{verbatim}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1816 int XXX_test(void);
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1817 \end{verbatim}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1818
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1819 This will return \textbf{CRYPT\_OK} if PRNG is operating properly.
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1820
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1821 \subsection{Remarks}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1822
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1823 It is possible to be adding entropy and reading from a PRNG at the same time. For example, if you first seed the PRNG
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1824 and call ready() you can now read from it. You can also keep adding new entropy to it. The new entropy will not be used
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1825 in the PRNG until ready() is called again. This allows the PRNG to be used and re-seeded at the same time. No real error
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1826 checking is guaranteed to see if the entropy is sufficient or if the PRNG is even in a ready state before reading.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1827
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1828 \subsection{Example}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1829
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1830 Below is a simple snippet to read 10 bytes from yarrow. Its important to note that this snippet is
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1831 {\bf NOT} secure since the entropy added is not random.
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1832
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1833 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1834 #include <mycrypt.h>
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1835 int main(void)
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1836 {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1837 prng_state prng;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1838 unsigned char buf[10];
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1839 int err;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1840
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1841 /* start it */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1842 if ((err = yarrow_start(&prng)) != CRYPT_OK) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1843 printf("Start error: %s\n", error_to_string(err));
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1844 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1845 /* add entropy */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1846 if ((err = yarrow_add_entropy("hello world", 11, &prng)) != CRYPT_OK) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1847 printf("Add_entropy error: %s\n", error_to_string(err));
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1848 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1849 /* ready and read */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1850 if ((err = yarrow_ready(&prng)) != CRYPT_OK) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1851 printf("Ready error: %s\n", error_to_string(err));
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1852 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1853 printf("Read %lu bytes from yarrow\n", yarrow_read(buf, 10, &prng));
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1854 return 0;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1855 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1856 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1857
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1858 \section{PRNG Descriptors}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1859 \index{PRNG Descriptor}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1860 PRNGs have descriptors too (surprised?). Stored in the structure ``prng\_descriptor''. The format of an element is:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1861 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1862 struct _prng_descriptor {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1863 char *name;
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1864 int export_size; /* size in bytes of exported state */
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1865 int (start) (prng_state );
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1866 int (add_entropy)(const unsigned char , unsigned long, prng_state *);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1867 int (ready) (prng_state );
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1868 unsigned long (read)(unsigned char , unsigned long len, prng_state *);
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1869 void (done)(prng_state );
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1870 int (export)(unsigned char , unsigned long , prng_state );
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1871 int (import)(const unsigned char , unsigned long, prng_state *);
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1872 int (*test)(void);
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1873 };
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1874 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1875
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1876 There is a ``int find\_prng(char *name)'' function as well. Returns -1 if the PRNG is not found, otherwise it returns
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1877 the position in the prng\_descriptor array.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1878
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1879 Just like the ciphers and hashes you must register your prng before you can use it. The two functions provided work
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1880 exactly as those for the cipher registry functions. They are:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1881 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1882 int register_prng(const struct _prng_descriptor *prng);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1883 int unregister_prng(const struct _prng_descriptor *prng);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1884 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1885
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1886 \subsection{PRNGs Provided}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1887 \begin{figure}[here]
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1888 \begin{center}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1889 \begin{small}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1890 \begin{tabular}{\|c\|c\|l\|}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1891 \hline \textbf{Name} & \textbf{Descriptor} & \textbf{Usage} \\
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1892 \hline Yarrow & yarrow\_desc & Fast short-term PRNG \\
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1893 \hline Fortuna & fortuna\_desc & Fast long-term PRNG (recommended) \\
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1894 \hline RC4 & rc4\_desc & Stream Cipher \\
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1895 \hline SOBER-128 & sober128\_desc & Stream Cipher (also very fast PRNG) \\
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1896 \hline
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1897 \end{tabular}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1898 \end{small}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1899 \end{center}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1900 \caption{List of Provided PRNGs}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1901 \end{figure}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1902
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1903 \subsubsection{Yarrow}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1904 Yarrow is fast PRNG meant to collect an unspecified amount of entropy from sources
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1905 (keyboard, mouse, interrupts, etc) and produce an unbounded string of random bytes.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1906
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1907 \textit{Note:} This PRNG is still secure for most taskings but is no longer recommended. Users
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1908 should use Fortuna instead.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1909
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1910 \subsubsection{Fortuna}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1911
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1912 Fortuna is a fast attack tolerant and more thoroughly designed PRNG suitable for long term
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1913 usage. It is faster than the default implementation of Yarrow\footnote{Yarrow has been implemented
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1914 to work with most cipher and hash combos based on which you have chosen to build into the library.} while
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1915 providing more security.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1916
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1917 Fortuna is slightly less flexible than Yarrow in the sense that it only works with the AES block cipher
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1918 and SHA--256 hash function. Technically Fortuna will work with any block cipher that accepts a 256--bit
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1919 key and any hash that produces at least a 256--bit output. However, to make the implementation simpler
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1920 it has been fixed to those choices.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1921
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1922 Fortuna is more secure than Yarrow in the sense that attackers who learn parts of the entropy being
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1923 added to the PRNG learn far less about the state than that of Yarrow. Without getting into to many
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1924 details Fortuna has the ability to recover from state determination attacks where the attacker starts
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1925 to learn information from the PRNGs output about the internal state. Yarrow on the other hand cannot
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1926 recover from that problem until new entropy is added to the pool and put to use through the ready() function.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1927
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1928 \subsubsection{RC4}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1929
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1930 RC4 is an old stream cipher that can also double duty as a PRNG in a pinch. You ``key'' it by
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1931 calling add\_entropy() and setup the key by calling ready(). You can only add upto 256 bytes via
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1932 add\_entropy().
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1933
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1934 When you read from RC4 the output of the RC4 algorithm is XOR'd against your buffer you provide. In this
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1935 manner you can use rc4\_read() as an encrypt (and decrypt) function.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1936
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1937 You really shouldn't use RC4 anymore. This isn't because RC4 is weak (though biases are known to exist) just
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1938 simply that faster alternatives exist.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1939
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1940 \subsubsection{SOBER-128}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1941
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1942 SOBER-128 is a stream cipher designed by the QUALCOMM Australia team. Like RC4 you ``key'' it by
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1943 calling add\_entropy(). There is no need to call ready() for this PRNG as it does not do anything.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1944
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1945 Note that this cipher has several oddities about how it operates. The first time you call
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1946 add\_entropy() that sets the cipher's key. Every other time you call the same function it sets
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1947 the cipher's IV variable. The IV mechanism allows you to encrypt several messages with the same
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1948 key and not re--use the same key material.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1949
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1950 Unlike Yarrow and Fortuna all of the entropy (and hence security) of this algorithm rests in the data
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1951 you pass it on the first call to add\_entropy(). All buffers sent to add\_entropy() must have a length
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1952 that is a multiple of four bytes.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1953
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1954 Like RC4 the output of SOBER--128 is XOR'ed against the buffer you provide it. In this manner you can use
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1955 sober128\_read() as an encrypt (and decrypt) function.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1956
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1957 Since SOBER-128 has a fixed keying scheme and is very fast (faster than RC4) the ideal usage of SOBER-128 is to
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1958 key it from the output of Fortuna (or Yarrow) and use it to encrypt messages. It is also ideal for
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1959 simulations which need a high quality (and fast) stream of bytes.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1960
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	1961 \subsubsection{Example Usage}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1962 \begin{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1963 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1964 #include <mycrypt.h>
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1965 int main(void)
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1966 {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1967 prng_state prng;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1968 unsigned char buf[32];
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1969 int err;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1970
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1971 if ((err = rc4_start(&prng)) != CRYPT_OK) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1972 printf("RC4 init error: %s\n", error_to_string(err));
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1973 exit(-1);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1974 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1975
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1976 /* use ``key'' as the key */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1977 if ((err = rc4_add_entropy("key", 3, &prng)) != CRYPT_OK) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1978 printf("RC4 add entropy error: %s\n", error_to_string(err));
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1979 exit(-1);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1980 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1981
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1982 /* setup RC4 for use */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1983 if ((err = rc4_ready(&prng)) != CRYPT_OK) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1984 printf("RC4 ready error: %s\n", error_to_string(err));
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1985 exit(-1);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1986 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1987
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1988 /* encrypt buffer */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1989 strcpy(buf,"hello world");
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1990 if (rc4_read(buf, 11, &prng) != 11) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1991 printf("RC4 read error\n");
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1992 exit(-1);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1993 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1994 return 0;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1995 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1996 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1997 \end{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1998 To decrypt you have to do the exact same steps.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1999
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2000 \section{The Secure RNG}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2001 \index{Secure RNG}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2002 An RNG is related to a PRNG except that it doesn't expand a smaller seed to get the data. They generate their random bits
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2003 by performing some computation on fresh input bits. Possibly the hardest thing to get correctly in a cryptosystem is the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2004 PRNG. Computers are deterministic beasts that try hard not to stray from pre-determined paths. That makes gathering
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2005 entropy needed to seed the PRNG a hard task.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2006
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2007 There is one small function that may help on certain platforms:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2008 \index{rng\_get\_bytes()}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2009 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2010 unsigned long rng_get_bytes(unsigned char *buf, unsigned long len,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2011 void (*callback)(void));
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2012 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2013
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2014 Which will try one of three methods of getting random data. The first is to open the popular ``/dev/random'' device which
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2015 on most *NIX platforms provides cryptographic random bits\footnote{This device is available in Windows through the Cygwin compiler suite. It emulates ``/dev/random'' via the Microsoft CSP.}.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2016 The second method is to try the Microsoft Cryptographic Service Provider and read the RNG. The third method is an ANSI C
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2017 clock drift method that is also somewhat popular but gives bits of lower entropy. The ``callback'' parameter is a pointer to a function that returns void. Its used when the slower ANSI C RNG must be
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2018 used so the calling application can still work. This is useful since the ANSI C RNG has a throughput of three
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2019 bytes a second. The callback pointer may be set to {\bf NULL} to avoid using it if you don't want to. The function
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2020 returns the number of bytes actually read from any RNG source. There is a function to help setup a PRNG as well:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2021 \index{rng\_make\_prng()}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2022 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2023 int rng_make_prng(int bits, int wprng, prng_state *prng,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2024 void (*callback)(void));
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2025 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2026 This will try to setup the prng with a state of at least ``bits'' of entropy. The ``callback'' parameter works much like
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2027 the callback in ``rng\_get\_bytes()''. It is highly recommended that you use this function to setup your PRNGs unless you have a
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2028 platform where the RNG doesn't work well. Example usage of this function is given below.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2029
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2030 \begin{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2031 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2032 #include <mycrypt.h>
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2033 int main(void)
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2034 {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2035 ecc_key mykey;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2036 prng_state prng;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2037 int err;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2038
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2039 /* register yarrow */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2040 if (register_prng(&yarrow_desc) == -1) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2041 printf("Error registering Yarrow\n");
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2042 return -1;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2043 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2044
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2045 /* setup the PRNG */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2046 if ((err = rng_make_prng(128, find_prng("yarrow"), &prng, NULL)) != CRYPT_OK) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2047 printf("Error setting up PRNG, %s\n", error_to_string(err));
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2048 return -1;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2049 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2050
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2051 /* make a 192-bit ECC key */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2052 if ((err = ecc_make_key(&prng, find_prng("yarrow"), 24, &mykey)) != CRYPT_OK) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2053 printf("Error making key: %s\n", error_to_string(err));
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2054 return -1;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2055 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2056 return 0;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2057 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2058 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2059 \end{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2060
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2061 \subsection{The Secure PRNG Interface}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2062 It is possible to access the secure RNG through the PRNG interface and in turn use it within dependent functions such
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2063 as the PK API. This simplifies the cryptosystem on platforms where the secure RNG is fast. The secure PRNG never
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2064 requires to be started, that is you need not call the start, add\_entropy or ready functions. For example, consider
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2065 the previous example using this PRNG.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2066
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2067 \begin{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2068 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2069 #include <mycrypt.h>
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2070 int main(void)
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2071 {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2072 ecc_key mykey;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2073 int err;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2074
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2075 /* register SPRNG */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2076 if (register_prng(&sprng_desc) == -1) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2077 printf("Error registering SPRNG\n");
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2078 return -1;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2079 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2080
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2081 /* make a 192-bit ECC key */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2082 if ((err = ecc_make_key(NULL, find_prng("sprng"), 24, &mykey)) != CRYPT_OK) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2083 printf("Error making key: %s\n", error_to_string(err));
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2084 return -1;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2085 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2086 return 0;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2087 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2088 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2089 \end{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2090
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2091 \chapter{RSA Public Key Cryptography}
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2092
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2093 \section{Introduction}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2094 RSA wrote the PKCS \#1 specifications which detail RSA Public Key Cryptography. In the specifications are
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2095 padding algorithms for encryption and signatures. The standard includes ``v1.5'' and ``v2.0'' algorithms.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2096 To simplify matters a little the v2.0 encryption and signature padding algorithms are called OAEP and PSS
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2097 respectively.
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2098
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2099 \section{PKCS \#1 Encryption}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2100
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2101 PKCS \#1 RSA Encryption amounts to OAEP padding of the input message followed by the modular exponentiation. As far as this portion of
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2102 the library is concerned we are only dealing with th OAEP padding of the message.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2103
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2104 \subsection{OAEP Encoding}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2105
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2106 \index{pkcs\_1\_oaep\_encode()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2107 \begin{alltt}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2108 int pkcs_1_oaep_encode(const unsigned char *msg, unsigned long msglen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2109 const unsigned char *lparam, unsigned long lparamlen,
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2110 unsigned long modulus_bitlen, prng_state *prng,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2111 int prng_idx, int hash_idx,
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2112 unsigned char out, unsigned long outlen);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2113 \end{alltt}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2114
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2115 This accepts ``msg'' as input of length ``msglen'' which will be OAEP padded. The ``lparam'' variable is an additional system specific
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2116 tag that can be applied to the encoding. This is useful to identify which system encoded the message. If no variance is desired then
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2117 ``lparam'' can be set to \textbf{NULL}.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2118
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2119 OAEP encoding requires the length of the modulus in bits in order to calculate the size of the output. This is passed as the parameter
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2120 ``modulus\_bitlen''. ``hash\_idx'' is the index into the hash descriptor table of the hash desired. PKCS \#1 allows any hash to be
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2121 used but both the encoder and decoder must use the same hash in order for this to succeed. The size of hash output affects the maximum
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2122 sized input message. ``prng\_idx'' and ``prng'' are the random number generator arguments required to randomize the padding process.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2123 The padded message is stored in ``out'' along with the length in ``outlen''.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2124
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2125 If $h$ is the length of the hash and $m$ the length of the modulus (both in octets) then the maximum payload for ``msg'' is
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2126 $m - 2h - 2$. For example, with a $1024$--bit RSA key and SHA--1 as the hash the maximum payload is $86$ bytes.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2127
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2128 Note that when the message is padded it still has not been RSA encrypted. You must pass the output of this function to
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2129 rsa\_exptmod() to encrypt it.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2130
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2131 \subsection{OAEP Decoding}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2132
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2133 \index{pkcs\_1\_oaep\_decode()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2134 \begin{alltt}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2135 int pkcs_1_oaep_decode(const unsigned char *msg, unsigned long msglen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2136 const unsigned char *lparam, unsigned long lparamlen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2137 unsigned long modulus_bitlen, int hash_idx,
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2138 unsigned char out, unsigned long outlen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2139 int *res);
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2140 \end{alltt}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2141
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2142 This function decodes an OAEP encoded message and outputs the original message that was passed to the OAEP encoder. ``msg'' is the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2143 output of pkcs\_1\_oaep\_encode() of length ``msglen''. ``lparam'' is the same system variable passed to the OAEP encoder. If it does not
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2144 match what was used during encoding this function will not decode the packet. ``modulus\_bitlen'' is the size of the RSA modulus in bits
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2145 and must match what was used during encoding. Similarly the ``hash\_idx'' index into the hash descriptor table must match what was used
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2146 during encoding.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2147
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2148 If the function succeeds it decodes the OAEP encoded message into ``out'' of length ``outlen'' and stores a
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2149 $1$ in ``res''. If the packet is invalid it stores $0$ in ``res'' and if the function fails for another reason
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2150 it returns an error code.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2151
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2152 \subsection{PKCS \#1 v1.5 Encoding}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2153
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2154 \index{pkcs\_1\_v15\_es\_encode()}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2155 \begin{verbatim}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2156 int pkcs_1_v15_es_encode(const unsigned char *msg, unsigned long msglen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2157 unsigned long modulus_bitlen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2158 prng_state *prng, int prng_idx,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2159 unsigned char out, unsigned long outlen);
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2160 \end{verbatim}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2161
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2162 This will PKCS v1.5 encode the data in ``msg'' of length ``msglen''. Pass the length (in bits) of your
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2163 RSA modulus in ``modulus\_bitlen''. The encoded data will be stored in ``out'' of length ``outlen''.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2164
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2165 \subsection{PKCS \#1 v1.5 Decoding}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2166 \index{pkcs\_1\_v15\_es\_decode()}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2167 \begin{verbatim}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2168 int pkcs_1_v15_es_decode(const unsigned char *msg, unsigned long msglen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2169 unsigned long modulus_bitlen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2170 unsigned char *out, unsigned long outlen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2171 int *res);
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2172 \end{verbatim}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2173
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2174 This will PKCS v1.5 decode the message in ``msg'' of length ``msglen''. It will store the output in ``out''. Note
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2175 that the length of the output ``outlen'' is a constant. This decoder cannot determine the original message
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2176 length. If the data in ``msg'' is a valid packet then a $1$ is stored in ``res'', otherwise a $0$ is
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2177 stored.
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2178
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2179 \section{PKCS \#1 Digital Signatures}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2180
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2181 \subsection{PSS Encoding}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2182 PSS encoding is the second half of the PKCS \#1 standard which is padding to be applied to messages that are signed.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2183
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2184 \index{pkcs\_1\_pss\_encode()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2185 \begin{alltt}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2186 int pkcs_1_pss_encode(const unsigned char *msghash, unsigned long msghashlen,
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2187 unsigned long saltlen, prng_state *prng,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2188 int prng_idx, int hash_idx,
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2189 unsigned long modulus_bitlen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2190 unsigned char out, unsigned long outlen);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2191 \end{alltt}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2192
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2193 This function assumes the message to be PSS encoded has previously been hashed. The input hash ``msghash'' is of length
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2194 ``msghashlen''. PSS allows a variable length random salt (it can be zero length) to be introduced in the signature process.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2195 ``hash\_idx'' is the index into the hash descriptor table of the hash to use. ``prng\_idx'' and ``prng'' are the random
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2196 number generator information required for the salt.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2197
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2198 Similar to OAEP encoding ``modulus\_bitlen'' is the size of the RSA modulus (in bits). It limits the size of the salt. If $m$ is the length
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2199 of the modulus $h$ the length of the hash output (in octets) then there can be $m - h - 2$ bytes of salt.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2200
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2201 This function does not actually sign the data it merely pads the hash of a message so that it can be processed by rsa\_exptmod().
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2202
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2203 \subsection{PSS Decoding}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2204
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2205 To decode a PSS encoded signature block you have to use the following.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2206
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2207 \index{pkcs\_1\_pss\_decode()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2208 \begin{alltt}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2209 int pkcs_1_pss_decode(const unsigned char *msghash, unsigned long msghashlen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2210 const unsigned char *sig, unsigned long siglen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2211 unsigned long saltlen, int hash_idx,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2212 unsigned long modulus_bitlen, int *res);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2213 \end{alltt}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2214 This will decode the PSS encoded message in ``sig'' of length ``siglen'' and compare it to values in ``msghash'' of length
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2215 ``msghashlen''. If the block is a valid PSS block and the decoded hash equals the hash supplied ``res'' is set to non--zero. Otherwise,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2216 it is set to zero. The rest of the parameters are as in the PSS encode call.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2217
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2218 It's important to use the same ``saltlen'' and hash for both encoding and decoding as otherwise the procedure will not work.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2219
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2220 \subsection{PKCS \#1 v1.5 Encoding}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2221
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2222 \index{pkcs\_1\_v15\_sa\_encode()}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2223 \begin{verbatim}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2224 int pkcs_1_v15_sa_encode(const unsigned char *msghash, unsigned long msghashlen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2225 int hash_idx, unsigned long modulus_bitlen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2226 unsigned char out, unsigned long outlen);
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2227 \end{verbatim}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2228
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2229 This will PKCS \#1 v1.5 signature encode the message hash ``msghash'' of length ``msghashlen''. You have
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2230 to tell this routine which hash produced the message hash in ``hash\_idx''. The encoded hash is stored
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2231 in ``out'' of length ``outlen''.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2232
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2233 \subsection{PKCS \#1 v1.5 Decoding}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2234
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2235 \index{pkcs\_1\_v15\_sa\_decode()}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2236 \begin{verbatim}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2237 int pkcs_1_v15_sa_decode(const unsigned char *msghash, unsigned long msghashlen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2238 const unsigned char *sig, unsigned long siglen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2239 int hash_idx, unsigned long modulus_bitlen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2240 int *res);
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2241 \end{verbatim}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2242
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2243 This will PKCS \#1 v1.5 signature decode the data in ``sig'' of length ``siglen'' and compare the extracted
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2244 hash against ``msghash'' of length ``msghashlen''. You have to tell this routine which hash produced the
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2245 message digest in ``hash\_idx''. If the packet is valid and the hashes match ``res'' is set to $1$. Otherwise,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2246 it is set to $0$.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2247
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2248 \section{RSA Operations}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2249 \subsection{Background}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2250
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2251 RSA is a public key algorithm that is based on the inability to find the ``e-th'' root modulo a composite of unknown
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2252 factorization. Normally the difficulty of breaking RSA is associated with the integer factoring problem but they are
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2253 not strictly equivalent.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2254
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2255 The system begins with with two primes $p$ and $q$ and their product $N = pq$. The order or ``Euler totient'' of the
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2256 multiplicative sub-group formed modulo $N$ is given as $\phi(N) = (p - 1)(q - 1)$ which can be reduced to
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2257 $\mbox{lcm}(p - 1, q - 1)$. The public key consists of the composite $N$ and some integer $e$ such that
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2258 $\mbox{gcd}(e, \phi(N)) = 1$. The private key consists of the composite $N$ and the inverse of $e$ modulo $\phi(N)$
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2259 often simply denoted as $de \equiv 1\mbox{ }(\mbox{mod }\phi(N))$.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2260
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2261 A person who wants to encrypt with your public key simply forms an integer (the plaintext) $M$ such that
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2262 $1 < M < N-2$ and computes the ciphertext $C = M^e\mbox{ }(\mbox{mod }N)$. Since finding the inverse exponent $d$
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2263 given only $N$ and $e$ appears to be intractable only the owner of the private key can decrypt the ciphertext and compute
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2264 $C^d \equiv \left (M^e \right)^d \equiv M^1 \equiv M\mbox{ }(\mbox{mod }N)$. Similarly the owner of the private key
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2265 can sign a message by ``decrypting'' it. Others can verify it by ``encrypting'' it.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2266
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2267 Currently RSA is a difficult system to cryptanalyze provided that both primes are large and not close to each other.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2268 Ideally $e$ should be larger than $100$ to prevent direct analysis. For example, if $e$ is three and you do not pad
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2269 the plaintext to be encrypted than it is possible that $M^3 < N$ in which case finding the cube-root would be trivial.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2270 The most often suggested value for $e$ is $65537$ since it is large enough to make such attacks impossible and also well
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2271 designed for fast exponentiation (requires 16 squarings and one multiplication).
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2272
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2273 It is important to pad the input to RSA since it has particular mathematical structure. For instance
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2274 $M_1^dM_2^d = (M_1M_2)^d$ which can be used to forge a signature. Suppose $M_3 = M_1M_2$ is a message you want
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2275 to have a forged signature for. Simply get the signatures for $M_1$ and $M_2$ on their own and multiply the result
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2276 together. Similar tricks can be used to deduce plaintexts from ciphertexts. It is important not only to sign
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2277 the hash of documents only but also to pad the inputs with data to remove such structure.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2278
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2279 \subsection{RSA Key Generation}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2280
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2281 For RSA routines a single ``rsa\_key'' structure is used. To make a new RSA key call:
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2282 \index{rsa\_make\_key()}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2283 \begin{verbatim}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2284 int rsa_make_key(prng_state *prng,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2285 int wprng, int size,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2286 long e, rsa_key *key);
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2287 \end{verbatim}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2288
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2289 Where ``wprng'' is the index into the PRNG descriptor array. ``size'' is the size in bytes of the RSA modulus desired.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2290 ``e'' is the encryption exponent desired, typical values are 3, 17, 257 and 65537. I suggest you stick with 65537 since its big
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2291 enough to prevent trivial math attacks and not super slow. ``key'' is where the key is placed. All keys must be at
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2292 least 128 bytes and no more than 512 bytes in size (\textit{that is from 1024 to 4096 bits}).
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2293
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2294 Note that the ``rsa\_make\_key()'' function allocates memory at runtime when you make the key. Make sure to call
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2295 ``rsa\_free()'' (see below) when you are finished with the key. If ``rsa\_make\_key()'' fails it will automatically
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2296 free the ram allocated itself.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2297
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2298 \index{PK\_PRIVATE} \index{PK\_PUBLIC}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2299 There are two types of RSA keys. The types are {\bf PK\_PRIVATE} and {\bf PK\_PUBLIC}. The first type is a private
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2300 RSA key which includes the CRT parameters\footnote{As of v0.99 the PK\_PRIVATE\_OPTIMIZED type has been deprecated
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2301 and has been replaced by the PK\_PRIVATE type.} in the form of a RSAPrivateKey. The second type is a public RSA key
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2302 which only includes the modulus and public exponent. It takes the form of a RSAPublicKey.
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2303
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2304 \subsection{RSA Exponentiation}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2305
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2306 To do raw work with the RSA function call:
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2307 \index{rsa\_exptmod()}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2308 \begin{verbatim}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2309 int rsa_exptmod(const unsigned char *in, unsigned long inlen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2310 unsigned char out, unsigned long outlen, int which,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2311 prng_state *prng, int prng_idx,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2312 rsa_key *key);
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2313 \end{verbatim}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2314 This loads the bignum from ``in'' as a big endian word in the format PKCS specifies, raises it to either ``e'' or ``d'' and stores the result
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2315 in ``out'' and the size of the result in ``outlen''. ``which'' is set to {\bf PK\_PUBLIC} to use ``e''
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2316 (i.e. for encryption/verifying) and set to {\bf PK\_PRIVATE} to use ``d'' as the exponent (i.e. for decrypting/signing).
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2317
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2318 Note that the output of his function is zero-padded as per PKCS \#1 specifications. This allows this routine to
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2319 interoprate with PKCS \#1 padding functions properly.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2320
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2321 \subsection{RSA Key Encryption}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2322 Normally RSA is used to encrypt short symmetric keys which are then used in block ciphers to encrypt a message.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2323 To facilitate encrypting short keys the following functions have been provided.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2324
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2325 \index{rsa\_encrypt\_key()}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2326 \begin{verbatim}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2327 int rsa_encrypt_key(const unsigned char *inkey, unsigned long inlen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2328 unsigned char outkey, unsigned long outlen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2329 const unsigned char *lparam, unsigned long lparamlen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2330 prng_state prng, int prng_idx, int hash_idx, rsa_key key);
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2331 \end{verbatim}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2332 This function will OAEP pad ``inkey'' of length inlen bytes then RSA encrypt it and store the ciphertext
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2333 in ``outkey'' of length ``outlen''. The ``lparam'' and ``lparamlen'' are the same parameters you would pass
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2334 to pkcs\_1\_oaep\_encode().
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2335
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2336 \index{rsa\_decrypt\_key()}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2337 \begin{verbatim}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2338 int rsa_decrypt_key(const unsigned char *in, unsigned long inlen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2339 unsigned char outkey, unsigned long keylen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2340 const unsigned char *lparam, unsigned long lparamlen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2341 prng_state *prng, int prng_idx,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2342 int hash_idx, int *res,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2343 rsa_key *key);
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2344 \end{verbatim}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2345 This function will RSA decrypt ``in'' of length ``inlen'' then OAEP depad the resulting data and store it in
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2346 ``outkey'' of length ``outlen''. The ``lparam'' and ``lparamlen'' are the same parameters you would pass
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2347 to pkcs\_1\_oaep\_decode().
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2348
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2349 If the RSA decrypted data isn't a valid OAEP packet then ``res'' is set to $0$. Otherwise, it is set to $1$.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2350
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2351 \subsection{RSA Hash Signatures}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2352 Similar to RSA key encryption RSA is also used to ``digitally sign'' message digests (hashes). To facilitate this
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2353 process the following functions have been provided.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2354
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2355 \index{rsa\_sign\_hash()}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2356 \begin{verbatim}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2357 int rsa_sign_hash(const unsigned char *msghash, unsigned long msghashlen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2358 unsigned char sig, unsigned long siglen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2359 prng_state *prng, int prng_idx,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2360 int hash_idx, unsigned long saltlen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2361 rsa_key *key);
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2362 \end{verbatim}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2363
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2364 This will PSS encode the message hash ``msghash'' of length ``msghashlen''. Next the PSS encoded message is
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2365 RSA ``signed'' and the output is stored in ``sig'' of length ``siglen''.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2366
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2367
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2368 \index{rsa\_verify\_hash()}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2369 \begin{verbatim}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2370 int rsa_verify_hash(const unsigned char *sig, unsigned long siglen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2371 const unsigned char *msghash, unsigned long msghashlen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2372 prng_state *prng, int prng_idx,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2373 int hash_idx, unsigned long saltlen,
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2374 int stat, rsa_key key);
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2375 \end{verbatim}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2376
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2377 This will RSA ``verify'' the signature in ``sig'' of length ``siglen''. Next the RSA decoded data is PSS decoded
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2378 and the extracted hash is compared against the message hash ``msghash'' of length ``msghashlen''.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2379
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2380 If the RSA decoded data is not a valid PSS message or if the PSS decoded hash does not match the ``msghash''
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2381 the value ``res'' is set to $0$. Otherwise, if the function succeeds and signature is valid ``res'' is set
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2382 to $1$.
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2383
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2384 \begin{verbatim}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2385 #include <mycrypt.h>
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2386 int main(void)
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2387 {
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2388 int err, hash_idx, prng_idx, res;
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2389 unsigned long l1, l2;
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2390 unsigned char pt[16], pt2[16], out[1024];
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2391 rsa_key key;
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2392
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2393 /* register prng/hash */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2394 if (register_prng(&sprng_desc) == -1) {
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2395 printf("Error registering sprng");
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2396 return EXIT_FAILURE;
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2397 }
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2398
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2399 if (register_hash(&sha1_desc) == -1) {
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2400 printf("Error registering sha1");
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2401 return EXIT_FAILURE;
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2402 }
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2403 hash_idx = find_hash("sha1");
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2404 prng_idx = find_prng("sprng");
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2405
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2406 /* make an RSA-1024 key */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2407 if ((err = rsa_make_key(NULL, /* PRNG state */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2408 prng_idx, /* PRNG idx */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2409 1024/8, /* 1024-bit key */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2410 65537, /* we like e=65537 */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2411 &key) /* where to store the key */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2412 ) != CRYPT_OK) {
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2413 printf("rsa_make_key %s", error_to_string(err));
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2414 return EXIT_FAILURE;
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2415 }
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2416
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2417 /* fill in pt[] with a key we want to send ... */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2418 l1 = sizeof(out);
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2419 if ((err = rsa_encrypt_key(pt, /* data we wish to encrypt */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2420 16, /* data is 16 bytes long */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2421 out, /* where to store ciphertext */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2422 &l1, /* length of ciphertext */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2423 "TestApp", /* our lparam for this program */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2424 7, /* lparam is 7 bytes long */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2425 NULL, /* PRNG state */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2426 prng_idx, /* prng idx */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2427 hash_idx, /* hash idx */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2428 &key) /* our RSA key */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2429 ) != CRYPT_OK) {
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2430 printf("rsa_encrypt_key %s", error_to_string(err));
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2431 return EXIT_FAILURE;
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2432 }
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2433
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2434 /* now let's decrypt the encrypted key */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2435 l2 = sizeof(pt2);
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2436 if ((err = rsa_decrypt_key(out, /* encrypted data */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2437 l1, /* length of ciphertext */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2438 pt2, /* where to put plaintext */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2439 &l2, /* plaintext length */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2440 "TestApp", /* lparam for this program */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2441 7, /* lparam is 7 bytes long */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2442 NULL, /* PRNG state */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2443 prng_idx, /* prng idx */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2444 hash_idx, /* hash idx */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2445 &res, /* validity of data */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2446 &key) /* our RSA key */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2447 ) != CRYPT_OK) {
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2448 printf("rsa_decrypt_key %s", error_to_string(err));
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2449 return EXIT_FAILURE;
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2450 }
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2451 /* if all went well pt == pt2, l2 == 16, res == 1 */
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2452 }
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2453 \end{verbatim}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2454
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2455
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2456 \chapter{Diffie-Hellman Key Exchange}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2457
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2458 \section{Background}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2459
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2460 Diffie-Hellman was the original public key system proposed. The system is based upon the group structure
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2461 of finite fields. For Diffie-Hellman a prime $p$ is chosen and a ``base'' $b$ such that $b^x\mbox{ }(\mbox{mod }p)$
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2462 generates a large sub-group of prime order (for unique values of $x$).
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2463
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2464 A secret key is an exponent $x$ and a public key is the value of $y \equiv g^x\mbox{ }(\mbox{mod }p)$. The term
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2465 ``discrete logarithm'' denotes the action of finding $x$ given only $y$, $g$ and $p$. The key exchange part of
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2466 Diffie-Hellman arises from the fact that two users A and B with keys $(A_x, A_y)$ and $(B_x, B_y)$ can exchange
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2467 a shared key $K \equiv B_y^{A_x} \equiv A_y^{B_x} \equiv g^{A_xB_x}\mbox{ }(\mbox{mod }p)$.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2468
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2469 From this public encryption and signatures can be developed. The trivial way to encrypt (for example) using a public key
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2470 $y$ is to perform the key exchange offline. The sender invents a key $k$ and its public copy
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2471 $k' \equiv g^k\mbox{ }(\mbox{mod }p)$ and uses $K \equiv k'^{A_x}\mbox{ }(\mbox{mod }p)$ as a key to encrypt
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2472 the message with. Typically $K$ would be sent to a one-way hash and the message digested used as a key in a
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2473 symmetric cipher.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2474
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2475 It is important that the order of the sub-group that $g$ generates not only be large but also prime. There are
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2476 discrete logarithm algorithms that take $\sqrt r$ time given the order $r$. The discrete logarithm can be computed
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2477 modulo each prime factor of $r$ and the results combined using the Chinese Remainder Theorem. In the cases where
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2478 $r$ is ``B-Smooth'' (e.g. all small factors or powers of small prime factors) the solution is trivial to find.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2479
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2480 To thwart such attacks the primes and bases in the library have been designed and fixed. Given a prime $p$ the order of
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2481 the sub-group generated is a large prime namely ${p - 1} \over 2$. Such primes are known as ``strong primes'' and the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2482 smaller prime (e.g. the order of the base) are known as Sophie-Germaine primes.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2483
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2484 \section{Core Functions}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2485
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2486 This library also provides core Diffie-Hellman functions so you can negotiate keys over insecure mediums. The routines
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2487 provided are relatively easy to use and only take two function calls to negotiate a shared key. There is a structure
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2488 called ``dh\_key'' which stores the Diffie-Hellman key in a format these routines can use. The first routine is to
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2489 make a Diffie-Hellman private key pair:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2490 \index{dh\_make\_key()}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2491 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2492 int dh_make_key(prng_state *prng, int wprng,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2493 int keysize, dh_key *key);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2494 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2495 The ``keysize'' is the size of the modulus you want in bytes. Currently support sizes are 96 to 512 bytes which correspond
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2496 to key sizes of 768 to 4096 bits. The smaller the key the faster it is to use however it will be less secure. When
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2497 specifying a size not explicitly supported by the library it will round {\em up} to the next key size. If the size is
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2498 above 512 it will return an error. So if you pass ``keysize == 32'' it will use a 768 bit key but if you pass
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2499 ``keysize == 20000'' it will return an error. The primes and generators used are built-into the library and were designed
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2500 to meet very specific goals. The primes are strong primes which means that if $p$ is the prime then
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2501 $p-1$ is equal to $2r$ where $r$ is a large prime. The bases are chosen to generate a group of order $r$ to prevent
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2502 leaking a bit of the key. This means the bases generate a very large prime order group which is good to make cryptanalysis
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2503 hard.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2504
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2505 The next two routines are for exporting/importing Diffie-Hellman keys in a binary format. This is useful for transport
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2506 over communication mediums.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2507
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2508 \index{dh\_export()} \index{dh\_import()}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2509 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2510 int dh_export(unsigned char out, unsigned long outlen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2511 int type, dh_key *key);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2512
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2513 int dh_import(const unsigned char in, unsigned long inlen, dh_key key);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2514 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2515
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2516 These two functions work just like the ``rsa\_export()'' and ``rsa\_import()'' functions except these work with
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2517 Diffie-Hellman keys. Its important to note you do not have to free the ram for a ``dh\_key'' if an import fails. You can free a
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2518 ``dh\_key'' using:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2519 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2520 void dh_free(dh_key *key);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2521 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2522 After you have exported a copy of your public key (using {\bf PK\_PUBLIC} as ``type'') you can now create a shared secret
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2523 with the other user using:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2524 \index{dh\_shared\_secret()}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2525 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2526 int dh_shared_secret(dh_key *private_key,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2527 dh_key *public_key,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2528 unsigned char out, unsigned long outlen);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2529 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2530
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2531 Where ``private\_key'' is the key you made and ``public\_key'' is the copy of the public key the other user sent you. The result goes
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2532 into ``out'' and the length into ``outlen''. If all went correctly the data in ``out'' should be identical for both parties. It is important to
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2533 note that the two keys have to be the same size in order for this to work. There is a function to get the size of a
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2534 key:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2535 \index{dh\_get\_size()}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2536 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2537 int dh_get_size(dh_key *key);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2538 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2539 This returns the size in bytes of the modulus chosen for that key.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2540
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2541 \subsection{Remarks on Usage}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2542 Its important that you hash the shared key before trying to use it as a key for a symmetric cipher or something. An
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2543 example program that communicates over sockets, using MD5 and 1024-bit DH keys is\footnote{This function is a small example. It is suggested that proper packaging be used. For example, if the public key sent is truncated these routines will not detect that.}:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2544 \newpage
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2545 \begin{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2546 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2547 int establish_secure_socket(int sock, int mode, unsigned char *key,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2548 prng_state *prng, int wprng)
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2549 {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2550 unsigned char buf[4096], buf2[4096];
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2551 unsigned long x, len;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2552 int res, err, inlen;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2553 dh_key mykey, theirkey;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2554
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2555 /* make up our private key */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2556 if ((err = dh_make_key(prng, wprng, 128, &mykey)) != CRYPT_OK) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2557 return err;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2558 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2559
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2560 /* export our key as public */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2561 x = sizeof(buf);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2562 if ((err = dh_export(buf, &x, PK_PUBLIC, &mykey)) != CRYPT_OK) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2563 res = err;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2564 goto done2;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2565 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2566
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2567 if (mode == 0) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2568 /* mode 0 so we send first */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2569 if (send(sock, buf, x, 0) != x) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2570 res = CRYPT_ERROR;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2571 goto done2;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2572 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2573
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2574 /* get their key */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2575 if ((inlen = recv(sock, buf2, sizeof(buf2), 0)) <= 0) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2576 res = CRYPT_ERROR;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2577 goto done2;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2578 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2579 } else {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2580 /* mode >0 so we send second */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2581 if ((inlen = recv(sock, buf2, sizeof(buf2), 0)) <= 0) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2582 res = CRYPT_ERROR;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2583 goto done2;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2584 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2585
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2586 if (send(sock, buf, x, 0) != x) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2587 res = CRYPT_ERROR;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2588 goto done2;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2589 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2590 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2591
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2592 if ((err = dh_import(buf2, inlen, &theirkey)) != CRYPT_OK) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2593 res = err;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2594 goto done2;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2595 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2596
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2597 /* make shared secret */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2598 x = sizeof(buf);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2599 if ((err = dh_shared_secret(&mykey, &theirkey, buf, &x)) != CRYPT_OK) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2600 res = err;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2601 goto done;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2602 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2603
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2604 /* hash it */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2605 len = 16; /* default is MD5 so "key" must be at least 16 bytes long */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2606 if ((err = hash_memory(find_hash("md5"), buf, x, key, &len)) != CRYPT_OK) {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2607 res = err;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2608 goto done;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2609 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2610
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2611 /* clean up and return */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2612 res = CRYPT_OK;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2613 done:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2614 dh_free(&theirkey);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2615 done2:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2616 dh_free(&mykey);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2617 zeromem(buf, sizeof(buf));
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2618 zeromem(buf2, sizeof(buf2));
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2619 return res;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2620 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2621 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2622 \end{small}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2623 \newpage
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2624 \subsection{Remarks on The Snippet}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2625 When the above code snippet is done (assuming all went well) their will be a shared 128-bit key in the ``key'' array
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2626 passed to ``establish\_secure\_socket()''.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2627
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2628 \section{Other Diffie-Hellman Functions}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2629 In order to test the Diffie-Hellman function internal workings (e.g. the primes and bases) their is a test function made
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2630 available:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2631 \index{dh\_test()}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2632 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2633 int dh_test(void);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2634 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2635
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2636 This function returns {\bf CRYPT\_OK} if the bases and primes in the library are correct. There is one last helper
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2637 function:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2638 \index{dh\_sizes()}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2639 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2640 void dh_sizes(int low, int high);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2641 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2642 Which stores the smallest and largest key sizes support into the two variables.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2643
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2644 \section{DH Packet}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2645 Similar to the RSA related functions there are functions to encrypt or decrypt symmetric keys using the DH public key
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2646 algorithms.
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2647 \index{dh\_encrypt\_key()} \index{dh\_decrypt\_key()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2648 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2649 int dh_encrypt_key(const unsigned char *inkey, unsigned long keylen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2650 unsigned char out, unsigned long len,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2651 prng_state *prng, int wprng, int hash,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2652 dh_key *key);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2653
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2654 int dh_decrypt_key(const unsigned char *in, unsigned long inlen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2655 unsigned char outkey, unsigned long keylen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2656 dh_key *key);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2657 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2658 Where ``inkey'' is an input symmetric key of no more than 32 bytes. Essentially these routines created a random public key
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2659 and find the hash of the shared secret. The message digest is than XOR'ed against the symmetric key. All of the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2660 required data is placed in ``out'' by ``dh\_encrypt\_key()''. The hash must produce a message digest at least as large
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2661 as the symmetric key you are trying to share.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2662
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2663 Similar to the RSA system you can sign and verify a hash of a message.
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2664 \index{dh\_sign\_hash()} \index{dh\_verify\_hash()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2665 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2666 int dh_sign_hash(const unsigned char *in, unsigned long inlen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2667 unsigned char out, unsigned long outlen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2668 prng_state prng, int wprng, dh_key key);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2669
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2670 int dh_verify_hash(const unsigned char *sig, unsigned long siglen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2671 const unsigned char *hash, unsigned long hashlen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2672 int stat, dh_key key);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2673 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2674
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2675 The ``dh\_sign\_hash'' function signs the message hash in ``in'' of length ``inlen'' and forms a DH packet in ``out''.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2676 The ``dh\_verify\_hash'' function verifies the DH signature in ``sig'' against the hash in ``hash''. It sets ``stat''
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2677 to non-zero if the signature passes or zero if it fails.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2678
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2679 \chapter{Elliptic Curve Cryptography}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2680
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2681 \section{Background}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2682 The library provides a set of core ECC functions as well that are designed to be the Elliptic Curve analogy of all of the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2683 Diffie-Hellman routines in the previous chapter. Elliptic curves (of certain forms) have the benefit that they are harder
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2684 to attack (no sub-exponential attacks exist unlike normal DH crypto) in fact the fastest attack requires the square root
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2685 of the order of the base point in time. That means if you use a base point of order $2^{192}$ (which would represent a
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2686 192-bit key) then the work factor is $2^{96}$ in order to find the secret key.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2687
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2688 The curves in this library are taken from the following website:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2689 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2690 http://csrc.nist.gov/cryptval/dss.htm
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2691 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2692
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2693 They are all curves over the integers modulo a prime. The curves have the basic equation that is:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2694 \begin{equation}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2695 y^2 = x^3 - 3x + b\mbox{ }(\mbox{mod }p)
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2696 \end{equation}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2697
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2698 The variable $b$ is chosen such that the number of points is nearly maximal. In fact the order of the base points $\beta$
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2699 provided are very close to $p$ that is $\vert \vert \phi(\beta) \vert \vert \approx \vert \vert p \vert \vert$. The curves
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2700 range in order from $\approx 2^{192}$ points to $\approx 2^{521}$. According to the source document any key size greater
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2701 than or equal to 256-bits is sufficient for long term security.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2702
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2703 \section{Core Functions}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2704
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2705 Like the DH routines there is a key structure ``ecc\_key'' used by the functions. There is a function to make a key:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2706 \index{ecc\_make\_key()}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2707 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2708 int ecc_make_key(prng_state *prng, int wprng,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2709 int keysize, ecc_key *key);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2710 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2711
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2712 The ``keysize'' is the size of the modulus in bytes desired. Currently directly supported values are 20, 24, 28, 32, 48 and 65 bytes which
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2713 correspond to key sizes of 160, 192, 224, 256, 384 and 521 bits respectively. If you pass a key size that is between any key size
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2714 it will round the keysize up to the next available one. The rest of the parameters work like they do in the ``dh\_make\_key()'' function.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2715 To free the ram allocated by a key call:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2716 \index{ecc\_free()}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2717 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2718 void ecc_free(ecc_key *key);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2719 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2720
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2721 To import and export a key there are:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2722 \index{ecc\_export()}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2723 \index{ecc\_import()}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2724 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2725 int ecc_export(unsigned char out, unsigned long outlen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2726 int type, ecc_key *key);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2727
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2728 int ecc_import(const unsigned char in, unsigned long inlen, ecc_key key);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2729 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2730 These two work exactly like there DH counterparts. Finally when you share your public key you can make a shared secret
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2731 with:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2732 \index{ecc\_shared\_secret()}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2733 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2734 int ecc_shared_secret(ecc_key *private_key,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2735 ecc_key *public_key,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2736 unsigned char out, unsigned long outlen);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2737 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2738 Which works exactly like the DH counterpart, the ``private\_key'' is your own key and ``public\_key'' is the key the other
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2739 user sent you. Note that this function stores both $x$ and $y$ co-ordinates of the shared
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2740 elliptic point. You should hash the output to get a shared key in a more compact and useful form (most of the entropy is
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2741 in $x$ anyways). Both keys have to be the same size for this to work, to help there is a function to get the size in bytes
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2742 of a key.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2743 \index{ecc\_get\_size()}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2744 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2745 int ecc_get_size(ecc_key *key);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2746 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2747
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2748 To test the ECC routines and to get the minimum and maximum key sizes there are these two functions:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2749 \index{ecc\_test()}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2750 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2751 int ecc_test(void);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2752 void ecc_sizes(int low, int high);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2753 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2754 Which both work like their DH counterparts.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2755
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2756 \section{ECC Packet}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2757 Similar to the RSA API there are two functions which encrypt and decrypt symmetric keys using the ECC public key
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2758 algorithms.
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2759
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2760 \index{ecc\_encrypt\_key()} \index{ecc\_decrypt\_key()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2761 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2762 int ecc_encrypt_key(const unsigned char *inkey, unsigned long keylen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2763 unsigned char out, unsigned long len,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2764 prng_state *prng, int wprng, int hash,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2765 ecc_key *key);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2766
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2767 int ecc_decrypt_key(const unsigned char *in, unsigned long inlen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2768 unsigned char outkey, unsigned long keylen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2769 ecc_key *key);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2770 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2771
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2772 Where ``inkey'' is an input symmetric key of no more than 32 bytes. Essentially these routines created a random public key
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2773 and find the hash of the shared secret. The message digest is than XOR'ed against the symmetric key. All of the required
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2774 data is placed in ``out'' by ``ecc\_encrypt\_key()''. The hash chosen must produce a message digest at least as large
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2775 as the symmetric key you are trying to share.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2776
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2777 There are also functions to sign and verify the hash of a message.
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2778 \index{ecc\_sign\_hash()} \index{ecc\_verify\_hash()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2779 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2780 int ecc_sign_hash(const unsigned char *in, unsigned long inlen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2781 unsigned char out, unsigned long outlen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2782 prng_state prng, int wprng, ecc_key key);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2783
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2784 int ecc_verify_hash(const unsigned char *sig, unsigned long siglen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2785 const unsigned char *hash, unsigned long hashlen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2786 int stat, ecc_key key);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2787 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2788
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2789 The ``ecc\_sign\_hash'' function signs the message hash in ``in'' of length ``inlen'' and forms a ECC packet in ``out''.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2790 The ``ecc\_verify\_hash'' function verifies the ECC signature in ``sig'' against the hash in ``hash''. It sets ``stat''
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2791 to non-zero if the signature passes or zero if it fails.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2792
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2793
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2794 \section{ECC Keysizes}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2795 With ECC if you try and sign a hash that is bigger than your ECC key you can run into problems. The math will still work
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2796 and in effect the signature will still work. With ECC keys the strength of the signature is limited by the size of
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2797 the hash or the size of they key, whichever is smaller. For example, if you sign with SHA256 and a ECC-160 key in effect
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2798 you have 160-bits of security (e.g. as if you signed with SHA-1).
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2799
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2800 The library will not warn you if you make this mistake so it is important to check yourself before using the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2801 signatures.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2802
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2803 \chapter{Digital Signature Algorithm}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2804 \section{Introduction}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2805 The Digital Signature Algorithm (or DSA) is a variant of the ElGamal Signature scheme which has been modified to
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2806 reduce the bandwidth of a signature. For example, to have ``80-bits of security'' with ElGamal you need a group of
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2807 order at least 1024-bits. With DSA you need a group of order at least 160-bits. By comparison the ElGamal signature
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2808 would require at least 256 bytes where as the DSA signature would require only at least 40 bytes.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2809
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2810 The API for the DSA is essentially the same as the other PK algorithms. Except in the case of DSA no encryption or
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2811 decryption routines are provided.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2812
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2813 \section{Key Generation}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2814 To make a DSA key you must call the following function
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2815 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2816 int dsa_make_key(prng_state *prng, int wprng,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2817 int group_size, int modulus_size,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2818 dsa_key *key);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2819 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2820 The variable ``prng'' is an active PRNG state and ``wprng'' the index to the descriptor. ``group\_size'' and
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2821 ``modulus\_size'' control the difficulty of forging a signature. Both parameters are in bytes. The larger the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2822 ``group\_size'' the more difficult a forgery becomes upto a limit. The value of $group\_size$ is limited by
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2823 $15 < group\_size < 1024$ and $modulus\_size - group\_size < 512$. Suggested values for the pairs are as follows.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2824
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2825 \begin{center}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2826 \begin{tabular}{\|c\|c\|c\|}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2827 \hline \textbf{Bits of Security} & \textbf{group\_size} & \textbf{modulus\_size} \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2828 \hline 80 & 20 & 128 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2829 \hline 120 & 30 & 256 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2830 \hline 140 & 35 & 384 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2831 \hline 160 & 40 & 512 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2832 \hline
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2833 \end{tabular}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2834 \end{center}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2835
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2836 When you are finished with a DSA key you can call the following function to free the memory used.
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2837 \index{dsa\_free()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2838 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2839 void dsa_free(dsa_key *key);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2840 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2841
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2842 \section{Key Verification}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2843 Each DSA key is composed of the following variables.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2844
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2845 \begin{enumerate}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2846 \item $q$ a small prime of magnitude $256^{group\_size}$.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2847 \item $p = qr + 1$ a large prime of magnitude $256^{modulus\_size}$ where $r$ is a random even integer.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2848 \item $g = h^r \mbox{ (mod }p\mbox{)}$ a generator of order $q$ modulo $p$. $h$ can be any non-trivial random
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2849 value. For this library they start at $h = 2$ and step until $g$ is not $1$.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2850 \item $x$ a random secret (the secret key) in the range $1 < x < q$
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2851 \item $y = g^x \mbox{ (mod }p\mbox{)}$ the public key.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2852 \end{enumerate}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2853
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2854 A DSA key is considered valid if it passes all of the following tests.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2855
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2856 \begin{enumerate}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2857 \item $q$ must be prime.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2858 \item $p$ must be prime.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2859 \item $g$ cannot be one of $\lbrace -1, 0, 1 \rbrace$ (modulo $p$).
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2860 \item $g$ must be less than $p$.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2861 \item $(p-1) \equiv 0 \mbox{ (mod }q\mbox{)}$.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2862 \item $g^q \equiv 1 \mbox{ (mod }p\mbox{)}$.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2863 \item $1 < y < p - 1$
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2864 \item $y^q \equiv 1 \mbox{ (mod }p\mbox{)}$.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2865 \end{enumerate}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2866
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2867 Tests one and two ensure that the values will at least form a field which is required for the signatures to
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2868 function. Tests three and four ensure that the generator $g$ is not set to a trivial value which would make signature
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2869 forgery easier. Test five ensures that $q$ divides the order of multiplicative sub-group of $\Z/p\Z$. Test six
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2870 ensures that the generator actually generates a prime order group. Tests seven and eight ensure that the public key
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2871 is within range and belongs to a group of prime order. Note that test eight does not prove that $g$ generated $y$ only
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2872 that $y$ belongs to a multiplicative sub-group of order $q$.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2873
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2874 The following function will perform these tests.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2875
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2876 \index{dsa\_verify\_key()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2877 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2878 int dsa_verify_key(dsa_key key, int stat);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2879 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2880
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2881 This will test ``key'' and store the result in ``stat''. If the result is $stat = 0$ the DSA key failed one of the tests
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2882 and should not be used at all. If the result is $stat = 1$ the DSA key is valid (as far as valid mathematics are concerned).
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2883
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2884 \section{Signatures}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2885 To generate a DSA signature call the following function
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2886
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2887 \index{dsa\_sign\_hash()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2888 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2889 int dsa_sign_hash(const unsigned char *in, unsigned long inlen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2890 unsigned char out, unsigned long outlen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2891 prng_state prng, int wprng, dsa_key key);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2892 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2893
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2894 Which will sign the data in ``in'' of length ``inlen'' bytes. The signature is stored in ``out'' and the size
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2895 of the signature in ``outlen''. If the signature is longer than the size you initially specify in ``outlen'' nothing
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2896 is stored and the function returns an error code. The DSA ``key'' must be of the \textbf{PK\_PRIVATE} persuasion.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2897
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2898 To verify a hash created with that function use the following function
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2899
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2900 \index{dsa\_verify\_hash()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2901 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2902 int dsa_verify_hash(const unsigned char *sig, unsigned long siglen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2903 const unsigned char *hash, unsigned long inlen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2904 int stat, dsa_key key);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2905 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2906 Which will verify the data in ``hash'' of length ``inlen'' against the signature stored in ``sig'' of length ``siglen''.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2907 It will set ``stat'' to $1$ if the signature is valid, otherwise it sets ``stat'' to $0$.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2908
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2909 \section{Import and Export}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2910
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2911 To export a DSA key so that it can be transported use the following function
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2912 \index{dsa\_export()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2913 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2914 int dsa_export(unsigned char out, unsigned long outlen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2915 int type,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2916 dsa_key *key);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2917 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2918 This will export the DSA ``key'' to the buffer ``out'' and set the length in ``outlen'' (which must have been previously
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2919 initialized to the maximum buffer size). The ``type`` variable may be either \textbf{PK\_PRIVATE} or \textbf{PK\_PUBLIC}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2920 depending on whether you want to export a private or public copy of the DSA key.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2921
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2922 To import an exported DSA key use the following function
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2923
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	2924 \index{dsa\_import()}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2925 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2926 int dsa_import(const unsigned char *in, unsigned long inlen,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2927 dsa_key *key);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2928 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2929
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2930 This will import the DSA key from the buffer ``in'' of length ``inlen'' to the ``key''. If the process fails the function
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2931 will automatically free all of the heap allocated in the process (you don't have to call dsa\_free()).
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2932
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2933 \chapter{Standards Support}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2934 \section{DER Support}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2935 DER or ``Distinguished Encoding Rules'' is a subset of the ASN.1 encoding rules that is fully deterministic and
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2936 ideal for cryptography. In particular ASN.1 specifies an INTEGER type for storing arbitrary sized integers. DER
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2937 further limits the ASN.1 specifications to a deterministic encoding.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2938
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2939 \subsection{Storing INTEGER types}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2940 \index{der\_encode\_integer()}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2941 \begin{alltt}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2942 int der_encode_integer(mp_int num, unsigned char out, unsigned long *outlen);
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2943 \end{alltt}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2944
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2945 This will store the integer in ``num'' to the output buffer ``out'' of length ``outlen''. It only stores
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2946 non--negative numbers. It stores the number of octets used back in ``outlen''.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2947
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2948 \subsection{Reading INTEGER types}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2949 \index{der\_decode\_integer()}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2950 \begin{alltt}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2951 int der_decode_integer(const unsigned char in, unsigned long inlen, mp_int *num);
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2952 \end{alltt}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2953 This will decode the DER encoded INTEGER in ``in'' of length ``inlen'' and store the resulting integer
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2954 in ``num''. It will store the bytes read in ``inlen'' which is handy if you have to parse multiple
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2955 data items out of a binary packet.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2956
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2957 \subsection{INTEGER length}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2958 \index{der\_length\_integer()}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2959 \begin{alltt}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2960 int der_length_integer(mp_int num, unsigned long len);
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2961 \end{alltt}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2962 This will determine the length of the DER encoding of the integer ``num'' and store it in ``len''.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2963
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2964 \subsection{Multiple INTEGER types}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2965 To simplify the DER encoding/decoding there are two functions two handle multple types at once.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2966
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2967 \index{der\_put\_multi\_integer()}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2968 \index{der\_get\_multi\_integer()}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2969 \begin{alltt}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2970 int der_put_multi_integer(unsigned char dst, unsigned long outlen, mp_int *num, ...);
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2971 int der_get_multi_integer(const unsigned char src, unsigned long inlen, mp_int *num, ...);
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2972 \end{alltt}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2973
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2974 These will handle multiple encodings/decodings at once. They work like their single operand counterparts
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2975 except they handle a \textbf{NULL} terminated list of operands.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2976
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2977 \begin{verbatim}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2978 #include <mycrypt.h>
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2979 int main(void)
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2980 {
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2981 mp_int a, b, c, d;
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2982 unsigned char buffer[1000];
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2983 unsigned long len;
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2984 int err;
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2985
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2986 /* init a,b,c,d with some values ... */
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2987
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2988 /* ok we want to store them now... */
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2989 len = sizeof(buffer);
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2990 if ((err = der_put_multi_integer(buffer, &len,
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2991 &a, &b, &c, &d, NULL)) != CRYPT_OK) {
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2992 // error
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2993 }
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2994 printf("I stored %lu bytes in buf\n", len);
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2995
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2996 /* ok say we want to get them back for fun */
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2997 /* len set previously...otherwise set it to the size of the packet */
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2998 if ((err = der_get_multi_integer(buffer, &len,
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	2999 &a, &b, &c, &d, NULL)) != CRYPT_OK) {
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3000 // error
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3001 }
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3002 printf("I read %lu bytes from buf\n", len);
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3003 }
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3004 \end{verbatim}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3005 \section{Password Based Cryptography}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3006 \subsection{PKCS \#5}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3007 In order to securely handle user passwords for the purposes of creating session keys and chaining IVs the PKCS \#5 was drafted. PKCS \#5
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3008 is made up of two algorithms, Algorithm One and Algorithm Two. Algorithm One is the older fairly limited algorithm which has been implemented
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3009 for completeness. Algorithm Two is a bit more modern and more flexible to work with.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3010
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3011 \subsection{Algorithm One}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3012 Algorithm One accepts as input a password, an 8--byte salt and an iteration counter. The iteration counter is meant to act as delay for
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3013 people trying to brute force guess the password. The higher the iteration counter the longer the delay. This algorithm also requires a hash
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3014 algorithm and produces an output no longer than the output of the hash.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3015
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3016 \index{pkcs\_5\_alg1()}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3017 \begin{alltt}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3018 int pkcs_5_alg1(const unsigned char *password, unsigned long password_len,
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3019 const unsigned char *salt,
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3020 int iteration_count, int hash_idx,
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3021 unsigned char out, unsigned long outlen)
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3022 \end{alltt}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3023 Where ``password'' is the users password. Since the algorithm allows binary passwords you must also specify the length in ``password\_len''.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3024 The ``salt'' is a fixed size 8--byte array which should be random for each user and session. The ``iteration\_count'' is the delay desired
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3025 on the password. The ``hash\_idx'' is the index of the hash you wish to use in the descriptor table.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3026
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3027 The output of length upto ``outlen'' is stored in ``out''. If ``outlen'' is initially larger than the size of the hash functions output
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3028 it is set to the number of bytes stored. If it is smaller than not all of the hash output is stored in ``out''.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3029
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3030 \subsection{Algorithm Two}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3031
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3032 Algorithm Two is the recommended algorithm for this task. It allows variable length salts and can produce outputs larger than the
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3033 hash functions output. As such it can easily be used to derive session keys for ciphers and MACs as well initial vectors as required
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3034 from a single password and invokation of this algorithm.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3035
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3036 \index{pkcs\_5\_alg2()}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3037 \begin{alltt}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3038 int pkcs_5_alg2(const unsigned char *password, unsigned long password_len,
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3039 const unsigned char *salt, unsigned long salt_len,
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3040 int iteration_count, int hash_idx,
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3041 unsigned char out, unsigned long outlen)
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3042 \end{alltt}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3043 Where ``password'' is the users password. Since the algorithm allows binary passwords you must also specify the length in ``password\_len''.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3044 The ``salt'' is an array of size ``salt\_len''. It should be random for each user and session. The ``iteration\_count'' is the delay desired
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3045 on the password. The ``hash\_idx'' is the index of the hash you wish to use in the descriptor table. The output of length upto
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3046 ``outlen'' is stored in ``out''.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3047
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3048 \begin{alltt}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3049 /* demo to show how to make session state material from a password */
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3050 #include <mycrypt.h>
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3051 int main(void)
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3052 \{
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3053 unsigned char password[100], salt[100],
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3054 cipher_key[16], cipher_iv[16],
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3055 mac_key[16], outbuf[48];
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3056 int err, hash_idx;
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3057 unsigned long outlen, password_len, salt_len;
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3058
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3059 /* register hash and get it's idx .... */
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3060
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3061 /* get users password and make up a salt ... */
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3062
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3063 /* create the material (100 iterations in algorithm) */
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3064 outlen = sizeof(outbuf);
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3065 if ((err = pkcs_5_alg2(password, password_len, salt, salt_len,
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3066 100, hash_idx, outbuf, &outlen)) != CRYPT_OK) \{
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3067 /* error handle */
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3068 \}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3069
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3070 /* now extract it */
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3071 memcpy(cipher_key, outbuf, 16);
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3072 memcpy(cipher_iv, outbuf+16, 16);
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3073 memcpy(mac_key, outbuf+32, 16);
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3074
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3075 /* use material (recall to store the salt in the output) */
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3076 \}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3077 \end{alltt}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3078
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3079
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3080 \chapter{Miscellaneous}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3081 \section{Base64 Encoding and Decoding}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3082 The library provides functions to encode and decode a RFC1521 base64 coding scheme. This means that it can decode what it
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3083 encodes but the format used does not comply to any known standard. The characters used in the mappings are:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3084 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3085 ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3086 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3087 Those characters should are supported in virtually any 7-bit ASCII system which means they can be used for transport over
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3088 common e-mail, usenet and HTTP mediums. The format of an encoded stream is just a literal sequence of ASCII characters
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3089 where a group of four represent 24-bits of input. The first four chars of the encoders output is the length of the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3090 original input. After the first four characters is the rest of the message.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3091
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3092 Often it is desirable to line wrap the output to fit nicely in an e-mail or usenet posting. The decoder allows you to
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3093 put any character (that is not in the above sequence) in between any character of the encoders output. You may not however,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3094 break up the first four characters.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3095
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3096 To encode a binary string in base64 call:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3097 \index{base64\_encode()} \index{base64\_decode()}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3098 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3099 int base64_encode(const unsigned char *in, unsigned long len,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3100 unsigned char out, unsigned long outlen);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3101 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3102 Where ``in'' is the binary string and ``out'' is where the ASCII output is placed. You must set the value of ``outlen'' prior
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3103 to calling this function and it sets the length of the base64 output in ``outlen'' when it is done. To decode a base64
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3104 string call:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3105 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3106 int base64_decode(const unsigned char *in, unsigned long len,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3107 unsigned char out, unsigned long outlen);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3108 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3109
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3110 \section{The Multiple Precision Integer Library (MPI)}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3111 The library comes with a copy of LibTomMath which is a multiple precision integer library written by the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3112 author of LibTomCrypt. LibTomMath is a trivial to use ANSI C compatible large integer library which is free
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3113 for all uses and is distributed freely.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3114
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3115 At the heart of all the functions is the data type ``mp\_int'' (defined in tommath.h). This data type is what
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3116 will hold all large integers. In order to use an mp\_int one must initialize it first, for example:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3117 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3118 #include <mycrypt.h> /* mycrypt.h includes mpi.h automatically */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3119 int main(void)
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3120 {
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3121 mp_int bignum;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3122
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3123 /* initialize it */
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3124 mp_init(&bignum);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3125
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3126 return 0;
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3127 }
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3128 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3129 If you are unfamiliar with the syntax of C the \& symbol is used to pass the address of ``bignum'' to the function. All
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3130 LibTomMath functions require the address of the parameters. To free the memory of a mp\_int use (for example):
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3131 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3132 mp_clear(&bignum);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3133 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3134
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3135 The functions also have the basic form of one of the following:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3136 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3137 mp_XXX(mp_int *a);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3138 mp_XXX(mp_int a, mp_int b, mp_int *c);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3139 mp_XXX(mp_int a, mp_int b, mp_int c, mp_int d);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3140 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3141
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3142 Where they perform some operation and store the result in the mp\_int variable passed on the far right.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3143 For example, to compute $c = a + b \mbox{ }(\mbox{mod }m)$ you would call:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3144 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3145 mp_addmod(&a, &b, &m, &c);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3146 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3147
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3148 \subsection{Binary Forms of ``mp\_int'' Variables}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3149
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3150 Often it is required to store a ``mp\_int'' in binary form for transport (e.g. exporting a key, packet
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3151 encryption, etc.). LibTomMath includes two functions to help when exporting numbers:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3152 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3153 int mp_raw_size(mp_int *num);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3154 mp_toraw(&num, buf);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3155 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3156
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3157 The former function gives the size in bytes of the raw format and the latter function actually stores the raw data. All
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3158 ``mp\_int'' numbers are stored in big endian form (like PKCS demands) with the first byte being the sign of the number. The
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3159 ``rsa\_exptmod()'' function differs slightly since it will take the input in the form exactly as PKCS demands (without the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3160 leading sign byte). All other functions include the sign byte (since its much simpler just to include it). The sign byte
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3161 must be zero for positive numbers and non-zero for negative numbers. For example,
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3162 the sequence:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3163 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3164 00 FF 30 04
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3165 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3166 Represents the integer $255 \cdot 256^2 + 48 \cdot 256^1 + 4 \cdot 256^0$ or 16,723,972.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3167
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3168 To read a binary string back into a ``mp\_int'' call:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3169 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3170 mp_read_raw(mp_int num, unsigned char str, int len);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3171 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3172 Where ``num'' is where to store it, ``str'' is the binary string (including the leading sign byte) and ``len'' is the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3173 length of the binary string.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3174
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3175 \subsection{Primality Testing}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3176 \index{Primality Testing}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3177 The library includes primality testing and random prime functions as well. The primality tester will perform the test in
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3178 two phases. First it will perform trial division by the first few primes. Second it will perform eight rounds of the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3179 Rabin-Miller primality testing algorithm. If the candidate passes both phases it is declared prime otherwise it is declared
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3180 composite. No prime number will fail the two phases but composites can. Each round of the Rabin-Miller algorithm reduces
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3181 the probability of a pseudo-prime by $1 \over 4$ therefore after sixteen rounds the probability is no more than
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3182 $\left ( { 1 \over 4 } \right )^{8} = 2^{-16}$. In practice the probability of error is in fact much lower than that.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3183
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3184 When making random primes the trial division step is in fact an optimized implementation of ``Implementation of Fast RSA Key Generation on Smart Cards''\footnote{Chenghuai Lu, Andre L. M. dos Santos and Francisco R. Pimentel}.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3185 In essence a table of machine-word sized residues are kept of a candidate modulo a set of primes. When the candiate
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3186 is rejected and ultimately incremented to test the next number the residues are updated without using multi-word precision
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3187 math operations. As a result the routine can scan ahead to the next number required for testing with very little work
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3188 involved.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3189
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3190 In the event that a composite did make it through it would most likely cause the the algorithm trying to use it to fail. For
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3191 instance, in RSA two primes $p$ and $q$ are required. The order of the multiplicative sub-group (modulo $pq$) is given
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3192 as $\phi(pq)$ or $(p - 1)(q - 1)$. The decryption exponent $d$ is found as $de \equiv 1\mbox{ }(\mbox{mod } \phi(pq))$. If either $p$ or $q$ is composite the value of $d$ will be incorrect and the user
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3193 will not be able to sign or decrypt messages at all. Suppose $p$ was prime and $q$ was composite this is just a variation of
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3194 the multi-prime RSA. Suppose $q = rs$ for two primes $r$ and $s$ then $\phi(pq) = (p - 1)(r - 1)(s - 1)$ which clearly is
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3195 not equal to $(p - 1)(rs - 1)$.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3196
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3197 These are not technically part of the LibTomMath library but this is the best place to document them.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3198 To test if a ``mp\_int'' is prime call:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3199 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3200 int is_prime(mp_int N, int result);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3201 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3202 This puts a one in ``result'' if the number is probably prime, otherwise it places a zero in it. It is assumed that if
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3203 it returns an error that the value in ``result'' is undefined. To make
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3204 a random prime call:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3205 \begin{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3206 int rand_prime(mp_int N, unsigned long len, prng_state prng, int wprng);
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3207 \end{verbatim}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3208 Where ``len'' is the size of the prime in bytes ($2 \le len \le 256$). You can set ``len'' to the negative size you want
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3209 to get a prime of the form $p \equiv 3\mbox{ }(\mbox{mod } 4)$. So if you want a 1024-bit prime of this sort pass
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3210 ``len = -128'' to the function. Upon success it will return {\bf CRYPT\_OK} and ``N'' will contain an integer which
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3211 is very likely prime.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3212
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3213 \chapter{Programming Guidelines}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3214
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3215 \section{Secure Pseudo Random Number Generators}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3216 Probably the singal most vulnerable point of any cryptosystem is the PRNG. Without one generating and protecting secrets
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3217 would be impossible. The requirement that one be setup correctly is vitally important and to address this point the library
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3218 does provide two RNG sources that will address the largest amount of end users as possible. The ``sprng'' PRNG provided
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3219 provides and easy to access source of entropy for any application on a *NIX or Windows computer.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3220
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3221 However, when the end user is not on one of these platforms the application developer must address the issue of finding
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3222 entropy. This manual is not designed to be a text on cryptography. I would just like to highlight that when you design
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3223 a cryptosystem make sure the first problem you solve is getting a fresh source of entropy.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3224
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3225 \section{Preventing Trivial Errors}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3226 Two simple ways to prevent trivial errors is to prevent overflows and to check the return values. All of the functions
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3227 which output variable length strings will require you to pass the length of the destination. If the size of your output
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3228 buffer is smaller than the output it will report an error. Therefore, make sure the size you pass is correct!
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3229
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3230 Also virtually all of the functions return an error code or {\bf CRYPT\_OK}. You should detect all errors as simple
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3231 typos or such can cause algorithms to fail to work as desired.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3232
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3233 \section{Registering Your Algorithms}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3234 To avoid linking and other runtime errors it is important to register the ciphers, hashes and PRNGs you intend to use
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3235 before you try to use them. This includes any function which would use an algorithm indirectly through a descriptor table.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3236
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3237 A neat bonus to the registry system is that you can add external algorithms that are not part of the library without
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3238 having to hack the library. For example, suppose you have a hardware specific PRNG on your system. You could easily
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3239 write the few functions required plus a descriptor. After registering your PRNG all of the library functions that
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3240 need a PRNG can instantly take advantage of it.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3241
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3242 \section{Key Sizes}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3243
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3244 \subsection{Symmetric Ciphers}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3245 For symmetric ciphers use as large as of a key as possible. For the most part ``bits are cheap'' so using a 256-bit key
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3246 is not a hard thing todo.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3247
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3248 \subsection{Assymetric Ciphers}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3249 The following chart gives the work factor for solving a DH/RSA public key using the NFS. The work factor for a key of order
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3250 $n$ is estimated to be
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3251 \begin{equation}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3252 e^{1.923 \cdot ln(n)^{1 \over 3} \cdot ln(ln(n))^{2 \over 3}}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3253 \end{equation}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3254
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3255 Note that $n$ is not the bit-length but the magnitude. For example, for a 1024-bit key $n = 2^{1024}$. The work required
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3256 is:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3257 \begin{center}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3258 \begin{tabular}{\|c\|c\|}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3259 \hline RSA/DH Key Size (bits) & Work Factor ($log_2$) \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3260 \hline 512 & 63.92 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3261 \hline 768 & 76.50 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3262 \hline 1024 & 86.76 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3263 \hline 1536 & 103.37 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3264 \hline 2048 & 116.88 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3265 \hline 2560 & 128.47 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3266 \hline 3072 & 138.73 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3267 \hline 4096 & 156.49 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3268 \hline
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3269 \end{tabular}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3270 \end{center}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3271
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3272 The work factor for ECC keys is much higher since the best attack is still fully exponentional. Given a key of magnitude
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3273 $n$ it requires $\sqrt n$ work. The following table sumarizes the work required:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3274 \begin{center}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3275 \begin{tabular}{\|c\|c\|}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3276 \hline ECC Key Size (bits) & Work Factor ($log_2$) \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3277 \hline 160 & 80 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3278 \hline 192 & 96 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3279 \hline 224 & 112 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3280 \hline 256 & 128 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3281 \hline 384 & 192 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3282 \hline 521 & 260.5 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3283 \hline
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3284 \end{tabular}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3285 \end{center}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3286
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3287 Using the above tables the following suggestions for key sizes seems appropriate:
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3288 \begin{center}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3289 \begin{tabular}{\|c\|c\|c\|}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3290 \hline Security Goal & RSA/DH Key Size (bits) & ECC Key Size (bits) \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3291 \hline Short term (less than a year) & 1024 & 160 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3292 \hline Short term (less than five years) & 1536 & 192 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3293 \hline Long Term (less than ten years) & 2560 & 256 \\
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3294 \hline
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3295 \end{tabular}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3296 \end{center}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3297
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3298 \section{Thread Safety}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3299 The library is not thread safe but several simple precautions can be taken to avoid any problems. The registry functions
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3300 such as register\_cipher() are not thread safe no matter what you do. Its best to call them from your programs initializtion
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3301 code before threads are initiated.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3302
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3303 The rest of the code uses state variables you must pass it such as hash\_state, hmac\_state, etc. This means that if each
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3304 thread has its own state variables then they will not affect each other. This is fairly simple with symmetric ciphers
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3305 and hashes. However, the keyring and PRNG support is something the threads will want to share. The simplest workaround
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3306 is create semaphores or mutexes around calls to those functions.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3307
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3308 Since C does not have standard semaphores this support is not native to Libtomcrypt. Even a C based semaphore is not entire
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3309 possible as some compilers may ignore the ``volatile'' keyword or have multiple processors. Provide your host application
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3310 is modular enough putting the locks in the right place should not bloat the code significantly and will solve all thread
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3311 safety issues within the library.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3312
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3313 \chapter{Configuring and Building the Library}
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3314 \section{Introduction}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3315 The library is fairly flexible about how it can be built, used and generally distributed. Additions are being made with
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3316 each new release that will make the library even more flexible. Each of the classes of functions can be disabled during
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3317 the build process to make a smaller library. This is particularly useful for shared libraries.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3318
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3319 \section{Building a Static Library}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3320 The library can be built as a static library which is generally the simplest and most portable method of
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3321 building the library. With a CC or GCC equipped platform you can issue the following
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3322
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3323 \begin{alltt}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3324 make install_lib
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3325 \end{alltt}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3326
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3327 Which will build the library and install it in /usr/lib (as well as the headers in /usr/include). The destination
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3328 directory of the library and headers can be changed by editing ``makefile''. The variable LIBNAME controls
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3329 where the library is to be installed and INCNAME controls where the headers are to be installed. A developer can
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3330 then use the library by including ``mycrypt.h'' in their program and linking against ``libtomcrypt.a''.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3331
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3332 A static library can also be built with the Intel C Compiler (ICC) by issuing the following
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3333
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3334 \begin{alltt}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3335 make -f makefile.icc install
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3336 \end{alltt}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3337
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3338 This will also build ``libtomcrypt.a'' except that it will use ICC. Additionally Microsoft's Visual C 6.00 can be used
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3339 by issuing
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3340
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3341 \begin{alltt}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3342 nmake -f makefile.msvc
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3343 \end{alltt}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3344
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3345 You will have to manually copy ``tomcrypt.lib'' and the headers to your MSVC lib/inc directories.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3346
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3347 \subsection{MPI Control}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3348 If you already have LibTomMath installed you can safely remove it from the build. By commenting the line
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3349 in the appropriate makefile which starts with
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3350
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3351 \begin{alltt}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3352 MPIOBJECT=mpi
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3353 \end{alltt}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3354
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3355 Simply place a \# at the start and re-build the library. To properly link applications you will have to also
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3356 link in LibTomMath. Removing MPI has the benefit of cutting down the library size as well potentially have access
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3357 to the latest mpi.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3358
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3359 \section{Building a Shared Library}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3360 LibTomCrypt can also be built as a shared library (.so, .dll, etc...). With non-Windows platforms the assumption
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3361 of the presence of gcc and ``libtool'' has been made. These are fairly common on Unix/Linux/BSD platforms. To
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3362 build a .so shared library issue
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3363
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3364 \begin{alltt}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3365 make -f makefile.shared
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3366 \end{alltt}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3367 This will use libtool and gcc to build a shared library ``libtomcrypt.la'' as well as a static library ``libtomcrypt.a''
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3368 and install them into /usr/lib (and the headers into /usr/include). To link your application you should use the
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3369 libtool program in ``--mode=link''.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3370
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3371 You can also build LibTomCrypt as a shared library (DLL) in Windows with Cygwin. Issue the following
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3372
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3373 \begin{alltt}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3374 make -f makefile.cygwin_dll
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3375 \end{alltt}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3376 This will build ``libtomcrypt.dll.a'' which is an import library for ``libtomcrypt.dll''. You must copy
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3377 ``libtomcrypt.dll.a'' to your library directory, ``libtomcrypt.dll' to somewhere in your PATH and the header
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3378 files to your include directory. So long as ``libtomcrypt.dll'' is in your system path you can run any LibTomCrypt
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3379 program that uses it.
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3380
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3381 \section{mycrypt\_cfg.h}
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3382 The file ``mycrypt\_cfg.h'' is what lets you control various high level macros which control the behaviour
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3383 of the library.
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3384
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3385 \subsubsection{ARGTYPE}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3386 This lets you control how the \_ARGCHK macro will behave. The macro is used to check pointers inside the functions against
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3387 NULL. There are three settings for ARGTYPE. When set to 0 it will have the default behaviour of printing a message to
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3388 stderr and raising a SIGABRT signal. This is provided so all platforms that use libtomcrypt can have an error that functions
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3389 similarly. When set to 1 it will simply pass on to the assert() macro. When set to 2 it will resolve to a empty macro
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3390 and no error checking will be performed.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3391
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3392 \subsubsection{Endianess}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3393 There are five macros related to endianess issues. For little endian platforms define, ENDIAN\_LITTLE. For big endian
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3394 platforms define ENDIAN\_BIG. Similarly when the default word size of an ``unsigned long'' is 32-bits define ENDIAN\_32BITWORD
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3395 or define ENDIAN\_64BITWORD when its 64-bits. If you do not define any of them the library will automatically use ENDIAN\_NEUTRAL
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3396 which will work on all platforms.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3397
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3398 Currently LibTomCrypt will detect x86-32 and x86-64 running GCC as well as x86-32 running MSVC.
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3399
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3400 \section{The Configure Script}
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3401 There are also options you can specify from the configure script or ``mycrypt\_custom.h''.
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3402
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3403 \subsubsection{X memory routines}
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3404 At the top of mycrypt\_custom.h are four macros denoted as XMALLOC, XCALLOC, XREALLOC and XFREE which resolve to
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3405 the name of the respective functions. This lets you substitute in your own memory routines. If you substitute in
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3406 your own functions they must behave like the standard C library functions in terms of what they expect as input and
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3407 output. By default the library uses the standard C routines.
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3408
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3409 \subsubsection{X clock routines}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3410 The rng\_get\_bytes() function can call a function that requires the clock() function. These macros let you override
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3411 the default clock() used with a replacement. By default the standard C library clock() function is used.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3412
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3413 \subsubsection{NO\_FILE}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3414 During the build if NO\_FILE is defined then any function in the library that uses file I/O will not call the file I/O
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3415 functions and instead simply return CRYPT\_NOP. This should help resolve any linker errors stemming from a lack of
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3416 file I/O on embedded platforms.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3417
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3418 \subsubsection{CLEAN\_STACK}
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3419 When this functions is defined the functions that store key material on the stack will clean up afterwards.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3420 Assumes that you have no memory paging with the stack.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3421
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3422 \subsubsection{LTC\_TEST}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3423 When this has been defined the various self--test functions (for ciphers, hashes, prngs, etc) are included in the build.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3424 When this has been undefined the tests are removed and if called will return CRYPT\_NOP.
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3425
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3426 \subsubsection{Symmetric Ciphers, One-way Hashes, PRNGS and Public Key Functions}
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3427 There are a plethora of macros for the ciphers, hashes, PRNGs and public key functions which are fairly
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3428 self-explanatory. When they are defined the functionality is included otherwise it is not. There are some
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3429 dependency issues which are noted in the file. For instance, Yarrow requires CTR chaining mode, a block
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3430 cipher and a hash function.
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3431
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3432 \subsubsection{TWOFISH\_SMALL and TWOFISH\_TABLES}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3433 Twofish is a 128-bit symmetric block cipher that is provided within the library. The cipher itself is flexible enough
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3434 to allow some tradeoffs in the implementation. When TWOFISH\_SMALL is defined the scheduled symmetric key for Twofish
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3435 requires only 200 bytes of memory. This is achieved by not pre-computing the substitution boxes. Having this
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3436 defined will also greatly slow down the cipher. When this macro is not defined Twofish will pre-compute the
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3437 tables at a cost of 4KB of memory. The cipher will be much faster as a result.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3438
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3439 When TWOFISH\_TABLES is defined the cipher will use pre-computed (and fixed in code) tables required to work. This is
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3440 useful when TWOFISH\_SMALL is defined as the table values are computed on the fly. When this is defined the code size
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3441 will increase by approximately 500 bytes. If this is defined but TWOFISH\_SMALL is not the cipher will still work but
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3442 it will not speed up the encryption or decryption functions.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3443
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3444 \subsubsection{SMALL\_CODE}
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3445 When this is defined some of the code such as the Rijndael and SAFER+ ciphers are replaced with smaller code variants.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3446 These variants are slower but can save quite a bit of code space.
7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3447
143 5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3448 \section{MPI Tweaks}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3449 \subsection{RSA Only Tweak}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3450 If you plan on only using RSA with moduli in the range of 1024 to 2560 bits you can enable a series of tweaks
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3451 to reduce the library size. Follow these steps
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3452
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3453 \begin{enumerate}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3454 \item Undefine MDSA, MECC and MDH from mycrypt\_custom.h
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3455 \item Undefine LTM\_ALL from tommath\_superclass.h
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3456 \item Define SC\_RSA\_1 from tommath\_superclass.h
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3457 \item Rebuild the library.
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3458 \end{enumerate}
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3459
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3460
5d99163f7e32 import of libtomcrypt 0.99 Matt Johnston <matt@ucc.asn.au> parents: 15 diff changeset	3461
15 6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	3462 \input{crypt.ind}
6362d3854bb4 0.96 release of LibTomCrypt Matt Johnston <matt@ucc.asn.au> parents: 3 diff changeset	3463
3 7faae8f46238 Branch renaming Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3464 \end{document}

Mercurial > dropbear

annotate crypt.tex @ 143:5d99163f7e32 libtomcrypt-orig