Mercurial > dropbear
comparison crypt.tex @ 191:1c15b283127b libtomcrypt-orig
Import of libtomcrypt 1.02 with manual path rename rearrangement etc
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Fri, 06 May 2005 13:23:02 +0000 |
parents | 5d99163f7e32 |
children | 39d5d58461d6 |
comparison
equal
deleted
inserted
replaced
143:5d99163f7e32 | 191:1c15b283127b |
---|---|
45 \def\twiddle{\raisebox{0.3ex}{\mbox{\tiny $\sim$}}} | 45 \def\twiddle{\raisebox{0.3ex}{\mbox{\tiny $\sim$}}} |
46 | 46 |
47 \def\gap{\vspace{0.5ex}} | 47 \def\gap{\vspace{0.5ex}} |
48 \makeindex | 48 \makeindex |
49 \begin{document} | 49 \begin{document} |
50 \title{LibTomCrypt \\ Version 0.99} | 50 \title{LibTomCrypt \\ Version 1.02} |
51 \author{Tom St Denis \\ | 51 \author{Tom St Denis \\ |
52 \\ | 52 \\ |
53 [email protected] \\ | 53 [email protected] \\ |
54 http://libtomcrypt.org | 54 http://libtomcrypt.org |
55 } | 55 } |
56 \maketitle | 56 \maketitle |
57 This text and source code library are both hereby placed in the public domain. This book has been | 57 This text and source code library are both hereby placed in the public domain. This book has been |
58 formatted for A4 paper using the \LaTeX{} {\em book} macro package. | 58 formatted for A4 paper using the \LaTeX{} {\em book} macro package. |
77 \end{flushright} | 77 \end{flushright} |
78 \newpage | 78 \newpage |
79 \tableofcontents | 79 \tableofcontents |
80 \chapter{Introduction} | 80 \chapter{Introduction} |
81 \section{What is the LibTomCrypt?} | 81 \section{What is the LibTomCrypt?} |
82 LibTomCrypt is a portable ANSI C cryptographic library that supports symmetric ciphers, one-way hashes, | 82 LibTomCrypt is a portable ISO C cryptographic library that is meant to be a toolset for cryptographers who are |
83 pseudo-random number generators, public key cryptography (via RSA,DH or ECC/DH) and a plethora of support | 83 designing a cryptosystem. It supports symmetric ciphers, one-way hashes, pseudo-random number generators, |
84 routines. It is designed to compile out of the box with the GNU C Compiler (GCC) version 2.95.3 (and higher) | 84 public key cryptography (via PKCS \#1 RSA, DH or ECCDH) and a plethora of support |
85 and with MSVC version 6 in win32. | 85 routines. |
86 | 86 |
87 The library has been successfully tested on quite a few other platforms ranging from the ARM7TDMI in a | 87 The library was designed such that new ciphers/hashes/PRNGs can be added at runtime and the existing API |
88 Gameboy Advanced to various PowerPC processors and even the MIPS processor in the PlayStation 2. Suffice it | 88 (and helper API functions) are able to use the new designs automatically. There exists self-check functions for each |
89 to say the code is portable. | 89 block cipher and hash function to ensure that they compile and execute to the published design specifications. The library |
90 | 90 also performs extensive parameter error checking to prevent any number of runtime exploits or errors. |
91 The library is designed so new ciphers/hashes/PRNGs can be added at runtime and the existing API (and helper API functions) will | |
92 be able to use the new designs automatically. There exist self-check functions for each cipher and hash to ensure that | |
93 they compile and execute to the published design specifications. The library also performs extensive parameter error checking | |
94 and will give verbose error messages when possible. | |
95 | |
96 Essentially the library saves the time of having to implement the ciphers, hashes, prngs yourself. Typically implementing | |
97 useful cryptography is an error prone business which means anything that can save considerable time and effort is a good | |
98 thing. | |
99 | 91 |
100 \subsection{What the library IS for?} | 92 \subsection{What the library IS for?} |
101 | 93 |
102 The library typically serves as a basis for other protocols and message formats. For example, it should be possible to | 94 The library serves as a toolkit for developers who have to solve cryptographic problems. Out of the box LibTomCrypt |
103 take the RSA routines out of this library, apply the appropriate message padding and get PKCS compliant RSA routines. | 95 does not process SSL or OpenPGP messages, it doesn't read x.591 certificates or write PEM encoded data. It does, however, |
104 Similarly SSL protocols could be formed on top of the low-level symmetric cipher functions. The goal of this package is | 96 provide all of the tools required to build such functionality. LibTomCrypt was designed to be a flexible library that |
105 to provide these low level core functions in a robust and easy to use fashion. | 97 was not tied to any particular cryptographic problem. |
106 | |
107 The library also serves well as a toolkit for applications where they don't need to be OpenPGP, PKCS, etc. compliant. | |
108 Included are fully operational public key routines for encryption, decryption, signature generation and verification. | |
109 These routines are fully portable but are not conformant to any known set of standards\footnote{With the exception of | |
110 the RSA code which is based on the PKCS \#1 standards.}. They are all based on established | |
111 number theory and cryptography. | |
112 | |
113 \subsection{What the library IS NOT for?} | |
114 | |
115 The library is not designed to be in anyway an implementation of the SSL or OpenPGP standards. The library | |
116 is not designed to be compliant with any known form of API or programming hierarchy. It is not a port of any other | |
117 library and it is not platform specific (like the MS CSP). So if you're looking to drop in some buzzword | |
118 compliant crypto library this is not for you. The library has been written from scratch to provide basic functions as | |
119 well as non-standard higher level functions. | |
120 | |
121 This is not to say that the library is a ``homebrew'' project. All of the symmetric ciphers and one-way hash functions | |
122 conform to published test vectors. The public key functions are derived from publicly available material and the majority | |
123 of the code has been reviewed by a growing community of developers. | |
124 | |
125 \subsubsection{Why not?} | |
126 You may be asking why I didn't choose to go all out and support standards like P1363, PKCS and the whole lot. The reason | |
127 is quite simple too much money gets in the way. When I tried to access the P1363 draft documents and was denied (it | |
128 requires a password) I realized that they're just a business anyways. See what happens is a company will sit down and | |
129 invent a ``standard''. Then they try to sell it to as many people as they can. All of a sudden this ``standard'' is | |
130 everywhere. Then the standard is updated every so often to keep people dependent. Then you become RSA. If people are | |
131 supposed to support these standards they had better make them more accessible. | |
132 | 98 |
133 \section{Why did I write it?} | 99 \section{Why did I write it?} |
134 You may be wondering, ``Tom, why did you write a crypto library. I already have one.''. Well the reason falls into | 100 You may be wondering, ``Tom, why did you write a crypto library. I already have one.''. Well the reason falls into |
135 two categories: | 101 two categories: |
136 \begin{enumerate} | 102 \begin{enumerate} |
141 The idea is that I am not striving to replace OpenSSL or Crypto++ or Cryptlib or etc. I'm trying to write my | 107 The idea is that I am not striving to replace OpenSSL or Crypto++ or Cryptlib or etc. I'm trying to write my |
142 {\bf own} crypto library and hopefully along the way others will appreciate the work. | 108 {\bf own} crypto library and hopefully along the way others will appreciate the work. |
143 | 109 |
144 With this library all core functions (ciphers, hashes, prngs) have the {\bf exact} same prototype definition. They all load | 110 With this library all core functions (ciphers, hashes, prngs) have the {\bf exact} same prototype definition. They all load |
145 and store data in a format independent of the platform. This means if you encrypt with Blowfish on a PPC it should decrypt | 111 and store data in a format independent of the platform. This means if you encrypt with Blowfish on a PPC it should decrypt |
146 on an x86 with zero problems. The consistent API also means that if you learn how to use blowfish with my library you | 112 on an x86 with zero problems. The consistent API also means that if you learn how to use Blowfish with my library you |
147 know how to use Safer+ or RC6 or Serpent or ... as well. With all of the core functions there are central descriptor tables | 113 know how to use Safer+ or RC6 or Serpent or ... as well. With all of the core functions there are central descriptor tables |
148 that can be used to make a program automatically pick between ciphers, hashes and PRNGs at runtime. That means your | 114 that can be used to make a program automatically pick between ciphers, hashes and PRNGs at runtime. That means your |
149 application can support all ciphers/hashes/prngs without changing the source code. | 115 application can support all ciphers/hashes/prngs without changing the source code. |
150 | 116 |
117 Not only did I strive to make a consistent and simple API to work with but I also strived to make the library | |
118 configurable in terms of its build options. Out of the box the library will build with any modern version of GCC | |
119 without having to use configure scripts. This means that the library will work with platforms where development | |
120 tools may be limited (e.g. no autoconf). | |
121 | |
122 On top of making the build simple and the API approachable I've also strived for a reasonably high level of | |
123 robustness and efficiency. LibTomCrypt traps and returns a series of errors ranging from invalid | |
124 arguments to buffer overflows/overruns. It is mostly thread safe and has been clocked on various platforms | |
125 with ``cycles per byte'' timings that are comparable (and often favourable) to other libraries such as OpenSSL and | |
126 Crypto++. | |
127 | |
151 \subsection{Modular} | 128 \subsection{Modular} |
152 The LibTomCrypt package has also been written to be very modular. The block ciphers, one-way hashes and | 129 The LibTomCrypt package has also been written to be very modular. The block ciphers, one--way hashes and |
153 pseudo-random number generators (PRNG) are all used within the API through ``descriptor'' tables which | 130 pseudo--random number generators (PRNG) are all used within the API through ``descriptor'' tables which |
154 are essentially structures with pointers to functions. While you can still call particular functions | 131 are essentially structures with pointers to functions. While you can still call particular functions |
155 directly (\textit{e.g. sha256\_process()}) this descriptor interface allows the developer to customize their | 132 directly (\textit{e.g. sha256\_process()}) this descriptor interface allows the developer to customize their |
156 usage of the library. | 133 usage of the library. |
157 | 134 |
158 For example, consider a hardware platform with a specialized RNG device. Obviously one would like to tap | 135 For example, consider a hardware platform with a specialized RNG device. Obviously one would like to tap |
159 that for the PRNG needs within the library (\textit{e.g. making a RSA key}). All the developer has todo | 136 that for the PRNG needs within the library (\textit{e.g. making a RSA key}). All the developer has to do |
160 is write a descriptor and the few support routines required for the device. After that the rest of the | 137 is write a descriptor and the few support routines required for the device. After that the rest of the |
161 API can make use of it without change. Similiarly imagine a few years down the road when AES2 (\textit{or whatever they call it}) is | 138 API can make use of it without change. Similiarly imagine a few years down the road when AES2 |
162 invented. It can be added to the library and used within applications with zero modifications to the | 139 (\textit{or whatever they call it}) has been invented. It can be added to the library and used within applications |
163 end applications provided they are written properly. | 140 with zero modifications to the end applications provided they are written properly. |
164 | 141 |
165 This flexibility within the library means it can be used with any combination of primitive algorithms and | 142 This flexibility within the library means it can be used with any combination of primitive algorithms and |
166 unlike libraries like OpenSSL is not tied to direct routines. For instance, in OpenSSL there are CBC block | 143 unlike libraries like OpenSSL is not tied to direct routines. For instance, in OpenSSL there are CBC block |
167 mode routines for every single cipher. That means every time you add or remove a cipher from the library | 144 mode routines for every single cipher. That means every time you add or remove a cipher from the library |
168 you have to update the associated support code as well. In LibTomCrypt the associated code (\textit{chaining modes in this case}) | 145 you have to update the associated support code as well. In LibTomCrypt the associated code (\textit{chaining modes in this case}) |
169 are not directly tied to the ciphers. That is a new cipher can be added to the library by simply providing | 146 are not directly tied to the ciphers. That is a new cipher can be added to the library by simply providing |
170 the key setup, ECB decrypt and encrypt and test vector routines. After that all five chaining mode routines | 147 the key setup, ECB decrypt and encrypt and test vector routines. After that all five chaining mode routines |
171 can make use of the cipher right away. | 148 can make use of the cipher right away. |
172 | 149 |
173 | |
174 \section{License} | 150 \section{License} |
175 | 151 |
176 All of the source code except for the following files have been written by the author or donated to the project | 152 All of the source code except for the following files have been written by the author or donated to the project |
177 under a public domain license: | 153 under a public domain license: |
178 | 154 |
179 \begin{enumerate} | 155 \begin{enumerate} |
180 \item rc2.c | 156 \item rc2.c |
181 \item safer.c | |
182 \end{enumerate} | 157 \end{enumerate} |
183 | 158 |
184 `mpi.c'' was originally written by Michael Fromberger ([email protected]) but has since been replaced with my LibTomMath | 159 `mpi.c'' was originally written by Michael Fromberger ([email protected]) but has since been replaced with |
185 library. | 160 my LibTomMath library which is public domain. |
186 | 161 |
187 ``rc2.c'' is based on publicly available code that is not attributed to a person from the given source. ``safer.c'' | 162 ``rc2.c'' is based on publicly available code that is not attributed to a person from the given source. |
188 was written by Richard De Moliner ([email protected]) and seems to be free for use. | |
189 | 163 |
190 The project is hereby released as public domain. | 164 The project is hereby released as public domain. |
191 | 165 |
192 \section{Patent Disclosure} | 166 \section{Patent Disclosure} |
193 | 167 |
194 The author (Tom St Denis) is not a patent lawyer so this section is not to be treated as legal advice. To the best | 168 The author (Tom St Denis) is not a patent lawyer so this section is not to be treated as legal advice. To the best |
195 of the authors knowledge the only patent related issues within the library are the RC5 and RC6 symmetric block ciphers. | 169 of the authors knowledge the only patent related issues within the library are the RC5 and RC6 symmetric block ciphers. |
196 They can be removed from a build by simply commenting out the two appropriate lines in ``mycrypt\_custom.h''. The rest | 170 They can be removed from a build by simply commenting out the two appropriate lines in ``tomcrypt\_custom.h''. The rest |
197 of the ciphers and hashes are patent free or under patents that have since expired. | 171 of the ciphers and hashes are patent free or under patents that have since expired. |
198 | 172 |
199 The RC2 and RC4 symmetric ciphers are not under patents but are under trademark regulations. This means you can use | 173 The RC2 and RC4 symmetric ciphers are not under patents but are under trademark regulations. This means you can use |
200 the ciphers you just can't advertise that you are doing so. | 174 the ciphers you just can't advertise that you are doing so. |
201 | 175 |
219 \end{enumerate} | 193 \end{enumerate} |
220 | 194 |
221 There have been quite a few other people as well. Please check the change log to see who else has contributed from | 195 There have been quite a few other people as well. Please check the change log to see who else has contributed from |
222 time to time. | 196 time to time. |
223 | 197 |
224 | |
225 \chapter{The Application Programming Interface (API)} | 198 \chapter{The Application Programming Interface (API)} |
226 \section{Introduction} | 199 \section{Introduction} |
227 \index{CRYPT\_ERROR} \index{CRYPT\_OK} | 200 \index{CRYPT\_ERROR} \index{CRYPT\_OK} |
228 | 201 |
229 In general the API is very simple to memorize and use. Most of the functions return either {\bf void} or {\bf int}. Functions | 202 In general the API is very simple to memorize and use. Most of the functions return either {\bf void} or {\bf int}. Functions |
253 | 226 |
254 There is no initialization routine for the library and for the most part the code is thread safe. The only thread | 227 There is no initialization routine for the library and for the most part the code is thread safe. The only thread |
255 related issue is if you use the same symmetric cipher, hash or public key state data in multiple threads. Normally | 228 related issue is if you use the same symmetric cipher, hash or public key state data in multiple threads. Normally |
256 that is not an issue. | 229 that is not an issue. |
257 | 230 |
258 To include the prototypes for ``LibTomCrypt.a'' into your own program simply include ``mycrypt.h'' like so: | 231 To include the prototypes for ``LibTomCrypt.a'' into your own program simply include ``tomcrypt.h'' like so: |
259 \begin{verbatim} | 232 \begin{verbatim} |
260 #include <mycrypt.h> | 233 #include <tomcrypt.h> |
261 int main(void) { | 234 int main(void) { |
262 return 0; | 235 return 0; |
263 } | 236 } |
264 \end{verbatim} | 237 \end{verbatim} |
265 | 238 |
266 The header file ``mycrypt.h'' also includes ``stdio.h'', ``string.h'', ``stdlib.h'', ``time.h'', ``ctype.h'' and ``mpi.h'' | 239 The header file ``tomcrypt.h'' also includes ``stdio.h'', ``string.h'', ``stdlib.h'', ``time.h'', ``ctype.h'' and |
267 (the bignum library routines). | 240 ``ltc\_tommath.h'' (the bignum library routines). |
268 | 241 |
269 \section{Macros} | 242 \section{Macros} |
270 | 243 |
271 There are a few helper macros to make the coding process a bit easier. The first set are related to loading and storing | 244 There are a few helper macros to make the coding process a bit easier. The first set are related to loading and storing |
272 32/64-bit words in little/big endian format. The macros are: | 245 32/64-bit words in little/big endian format. The macros are: |
273 | 246 |
274 \index{STORE32L} \index{STORE64L} \index{LOAD32L} \index{LOAD64L} | 247 \index{STORE32L} \index{STORE64L} \index{LOAD32L} \index{LOAD64L} \index{STORE32H} \index{STORE64H} \index{LOAD32H} \index{LOAD64H} \index{BSWAP} |
275 \index{STORE32H} \index{STORE64H} \index{LOAD32H} \index{LOAD64H} \index{BSWAP} | |
276 \begin{small} | 248 \begin{small} |
277 \begin{center} | 249 \begin{center} |
278 \begin{tabular}{|c|c|c|} | 250 \begin{tabular}{|c|c|c|} |
279 \hline STORE32L(x, y) & {\bf unsigned long} x, {\bf unsigned char} *y & $x \to y[0 \ldots 3]$ \\ | 251 \hline STORE32L(x, y) & {\bf unsigned long} x, {\bf unsigned char} *y & $x \to y[0 \ldots 3]$ \\ |
280 \hline STORE64L(x, y) & {\bf unsigned long long} x, {\bf unsigned char} *y & $x \to y[0 \ldots 7]$ \\ | 252 \hline STORE64L(x, y) & {\bf unsigned long long} x, {\bf unsigned char} *y & $x \to y[0 \ldots 7]$ \\ |
282 \hline LOAD64L(x, y) & {\bf unsigned long long} x, {\bf unsigned char} *y & $y[0 \ldots 7] \to x$ \\ | 254 \hline LOAD64L(x, y) & {\bf unsigned long long} x, {\bf unsigned char} *y & $y[0 \ldots 7] \to x$ \\ |
283 \hline STORE32H(x, y) & {\bf unsigned long} x, {\bf unsigned char} *y & $x \to y[3 \ldots 0]$ \\ | 255 \hline STORE32H(x, y) & {\bf unsigned long} x, {\bf unsigned char} *y & $x \to y[3 \ldots 0]$ \\ |
284 \hline STORE64H(x, y) & {\bf unsigned long long} x, {\bf unsigned char} *y & $x \to y[7 \ldots 0]$ \\ | 256 \hline STORE64H(x, y) & {\bf unsigned long long} x, {\bf unsigned char} *y & $x \to y[7 \ldots 0]$ \\ |
285 \hline LOAD32H(x, y) & {\bf unsigned long} x, {\bf unsigned char} *y & $y[3 \ldots 0] \to x$ \\ | 257 \hline LOAD32H(x, y) & {\bf unsigned long} x, {\bf unsigned char} *y & $y[3 \ldots 0] \to x$ \\ |
286 \hline LOAD64H(x, y) & {\bf unsigned long long} x, {\bf unsigned char} *y & $y[7 \ldots 0] \to x$ \\ | 258 \hline LOAD64H(x, y) & {\bf unsigned long long} x, {\bf unsigned char} *y & $y[7 \ldots 0] \to x$ \\ |
287 \hline BSWAP(x) & {\bf unsigned long} x & Swaps the byte order of x. \\ | 259 \hline BSWAP(x) & {\bf unsigned long} x & Swaps byte order (32--bits only) \\ |
288 \hline | 260 \hline |
289 \end{tabular} | 261 \end{tabular} |
290 \end{center} | 262 \end{center} |
291 \end{small} | 263 \end{small} |
292 | 264 |
293 There are 32-bit cyclic rotations as well: | 265 There are 32 and 64-bit cyclic rotations as well: |
294 \index{ROL} \index{ROR} | 266 \index{ROL} \index{ROR} \index{ROL64} \index{ROR64} \index{ROLc} \index{RORc} \index{ROL64c} \index{ROR64c} |
295 \begin{center} | 267 \begin{center} |
296 \begin{tabular}{|c|c|c|} | 268 \begin{tabular}{|c|c|c|} |
297 \hline ROL(x, y) & {\bf unsigned long} x, {\bf unsigned long} y & $x << y$ \\ | 269 \hline ROL(x, y) & {\bf unsigned long} x, {\bf unsigned long} y & $x << y, 0 \le y \le 31$ \\ |
298 \hline ROR(x, y) & {\bf unsigned long} x, {\bf unsigned long} y & $x >> y$ \\ | 270 \hline ROLc(x, y) & {\bf unsigned long} x, {\bf const unsigned long} y & $x << y, 0 \le y \le 31$ \\ |
271 \hline ROR(x, y) & {\bf unsigned long} x, {\bf unsigned long} y & $x >> y, 0 \le y \le 31$ \\ | |
272 \hline RORc(x, y) & {\bf unsigned long} x, {\bf const unsigned long} y & $x >> y, 0 \le y \le 31$ \\ | |
273 \hline && \\ | |
274 \hline ROL64(x, y) & {\bf unsigned long} x, {\bf unsigned long} y & $x << y, 0 \le y \le 63$ \\ | |
275 \hline ROL64c(x, y) & {\bf unsigned long} x, {\bf const unsigned long} y & $x << y, 0 \le y \le 63$ \\ | |
276 \hline ROR64(x, y) & {\bf unsigned long} x, {\bf unsigned long} y & $x >> y, 0 \le y \le 63$ \\ | |
277 \hline ROR64c(x, y) & {\bf unsigned long} x, {\bf const unsigned long} y & $x >> y, 0 \le y \le 63$ \\ | |
299 \hline | 278 \hline |
300 \end{tabular} | 279 \end{tabular} |
301 \end{center} | 280 \end{center} |
302 | 281 |
303 \section{Functions with Variable Length Output} | 282 \section{Functions with Variable Length Output} |
304 Certain functions such as (for example) ``rsa\_export()'' give an output that is variable length. To prevent buffer overflows you | 283 Certain functions such as (for example) ``rsa\_export()'' give an output that is variable length. To prevent buffer overflows you |
305 must pass it the length of the buffer\footnote{Extensive error checking is not in place but it will be in future releases so it is a good idea to follow through with these guidelines.} where | 284 must pass it the length of the buffer\footnote{Extensive error checking is not in place but it will be in future releases so it is a good idea to follow through with these guidelines.} where |
306 the output will be stored. For example: | 285 the output will be stored. For example: |
307 \begin{small} | 286 \begin{small} |
308 \begin{verbatim} | 287 \begin{verbatim} |
309 #include <mycrypt.h> | 288 #include <tomcrypt.h> |
310 int main(void) { | 289 int main(void) { |
311 rsa_key key; | 290 rsa_key key; |
312 unsigned char buffer[1024]; | 291 unsigned char buffer[1024]; |
313 unsigned long x; | 292 unsigned long x; |
314 int err; | 293 int err; |
315 | 294 |
316 /* ... Make up the RSA key somehow */ | 295 /* ... Make up the RSA key somehow ... */ |
317 | 296 |
318 /* lets export the key, set x to the size of the output buffer */ | 297 /* lets export the key, set x to the size of the output buffer */ |
319 x = sizeof(buffer); | 298 x = sizeof(buffer); |
320 if ((err = rsa_export(buffer, &x, PK_PUBLIC, &key)) != CRYPT_OK) { | 299 if ((err = rsa_export(buffer, &x, PK_PUBLIC, &key)) != CRYPT_OK) { |
321 printf("Export error: %s\n", error_to_string(err)); | 300 printf("Export error: %s\n", error_to_string(err)); |
329 | 308 |
330 return 0; | 309 return 0; |
331 } | 310 } |
332 \end{verbatim} | 311 \end{verbatim} |
333 \end{small} | 312 \end{small} |
334 In the above example if the size of the RSA public key was more than 1024 bytes this function would not store anything in | 313 In the above example if the size of the RSA public key was more than 1024 bytes this function would return an error code |
335 either ``buffer'' or ``x'' and simply return an error code. If the function suceeds it stores the length of the output | 314 indicating a buffer overflow would have occurred. If the function succeeds it stores the length of the output |
336 back into ``x'' so that the calling application will know how many bytes used. | 315 back into ``x'' so that the calling application will know how many bytes were used. |
337 | 316 |
338 \section{Functions that need a PRNG} | 317 \section{Functions that need a PRNG} |
339 Certain functions such as ``rsa\_make\_key()'' require a PRNG. These functions do not setup the PRNG themselves so it is | 318 \index{Pseudo Random Number Generator} \index{PRNG} |
340 the responsibility of the calling function to initialize the PRNG before calling them. | 319 Certain functions such as ``rsa\_make\_key()'' require a Pseudo Random Number Generator (PRNG). These functions do not setup |
320 the PRNG themselves so it is the responsibility of the calling function to initialize the PRNG before calling them. | |
321 | |
322 Certain PRNG algorithms do not require a ``prng\_state'' argument (sprng for example). The ``prng\_state'' argument | |
323 may be passed as \textbf{NULL} in such situations. | |
341 | 324 |
342 \section{Functions that use Arrays of Octets} | 325 \section{Functions that use Arrays of Octets} |
343 Most functions require inputs that are arrays of the data type ``unsigned char''. Whether it is a symmetric key, IV | 326 Most functions require inputs that are arrays of the data type ``unsigned char''. Whether it is a symmetric key, IV |
344 for a chaining mode or public key packet it is assumed that regardless of the actual size of ``unsigned char'' only the | 327 for a chaining mode or public key packet it is assumed that regardless of the actual size of ``unsigned char'' only the |
345 lower eight bits contain data. For example, if you want to pass a 256 bit key to a symmetric ciphers setup routine | 328 lower eight bits contain data. For example, if you want to pass a 256 bit key to a symmetric ciphers setup routine |
350 type ``byte'' will be synonymous with an array of type ``unsigned char''. | 333 type ``byte'' will be synonymous with an array of type ``unsigned char''. |
351 | 334 |
352 \chapter{Symmetric Block Ciphers} | 335 \chapter{Symmetric Block Ciphers} |
353 \section{Core Functions} | 336 \section{Core Functions} |
354 | 337 |
355 Libtomcrypt provides several block ciphers all in a plain vanilla ECB block mode. Its important to first note that you | 338 LibTomCrypt provides several block ciphers with an ECB block mode interface. It's important to first note that you |
356 should never use the ECB modes directly to encrypt data. Instead you should use the ECB functions to make a chaining mode | 339 should never use the ECB modes directly to encrypt data. Instead you should use the ECB functions to make a chaining mode |
357 or use one of the provided chaining modes. All of the ciphers are written as ECB interfaces since it allows the rest of | 340 or use one of the provided chaining modes. All of the ciphers are written as ECB interfaces since it allows the rest of |
358 the API to grow in a modular fashion. | 341 the API to grow in a modular fashion. |
359 | 342 |
343 \subsection{Key Scheduling} | |
360 All ciphers store their scheduled keys in a single data type called ``symmetric\_key''. This allows all ciphers to | 344 All ciphers store their scheduled keys in a single data type called ``symmetric\_key''. This allows all ciphers to |
361 have the same prototype and store their keys as naturally as possible. All ciphers provide five visible functions which | 345 have the same prototype and store their keys as naturally as possible. This also removes the need for dynamic memory |
362 are (given that XXX is the name of the cipher): | 346 allocation and allows you to allocate a fixed sized buffer for storing scheduled keys. All ciphers provide five visible |
347 functions which are (given that XXX is the name of the cipher): | |
363 \index{Cipher Setup} | 348 \index{Cipher Setup} |
364 \begin{verbatim} | 349 \begin{verbatim} |
365 int XXX_setup(const unsigned char *key, int keylen, int rounds, | 350 int XXX_setup(const unsigned char *key, int keylen, int rounds, |
366 symmetric_key *skey); | 351 symmetric_key *skey); |
367 \end{verbatim} | 352 \end{verbatim} |
368 | 353 |
369 The XXX\_setup() routine will setup the cipher to be used with a given number of rounds and a given key length (in bytes). | 354 The XXX\_setup() routine will setup the cipher to be used with a given number of rounds and a given key length (in bytes). |
370 The number of rounds can be set to zero to use the default, which is generally a good idea. | 355 The number of rounds can be set to zero to use the default, which is generally a good idea. |
371 | 356 |
372 If the function returns successfully the variable ``skey'' will have a scheduled key stored in it. Its important to note | 357 If the function returns successfully the variable ``skey'' will have a scheduled key stored in it. It's important to note |
373 that you should only used this scheduled key with the intended cipher. For example, if you call | 358 that you should only used this scheduled key with the intended cipher. For example, if you call ``blowfish\_setup()'' do not |
374 ``blowfish\_setup()'' do not pass the scheduled key onto ``rc5\_ecb\_encrypt()''. All setup functions do not allocate | 359 pass the scheduled key onto ``rc5\_ecb\_encrypt()''. All setup functions do not allocate memory off the heap so when you are |
375 memory off the heap so when you are done with a key you can simply discard it (e.g. they can be on the stack). | 360 done with a key you can simply discard it (e.g. they can be on the stack). |
376 | 361 |
377 To encrypt or decrypt a block in ECB mode there are these two functions: | 362 \subsection{ECB Encryption and Decryption} |
363 To encrypt or decrypt a block in ECB mode there are these two function classes | |
378 \index{Cipher Encrypt} \index{Cipher Decrypt} | 364 \index{Cipher Encrypt} \index{Cipher Decrypt} |
379 \begin{verbatim} | 365 \begin{verbatim} |
380 void XXX_ecb_encrypt(const unsigned char *pt, unsigned char *ct, | 366 void XXX_ecb_encrypt(const unsigned char *pt, unsigned char *ct, |
381 symmetric_key *skey); | 367 symmetric_key *skey); |
382 | 368 |
383 void XXX_ecb_decrypt(const unsigned char *ct, unsigned char *pt, | 369 void XXX_ecb_decrypt(const unsigned char *ct, unsigned char *pt, |
384 symmetric_key *skey); | 370 symmetric_key *skey); |
385 \end{verbatim} | 371 \end{verbatim} |
386 These two functions will encrypt or decrypt (respectively) a single block of text\footnote{The size of which depends on | 372 These two functions will encrypt or decrypt (respectively) a single block of text\footnote{The size of which depends on |
387 which cipher you are using.} and store the result where you want it. It is possible that the input and output buffer are | 373 which cipher you are using.} and store the result where you want it. It is possible that the input and output buffer are |
388 the same buffer. For the encrypt function ``pt''\footnote{pt stands for plaintext.} is the input and ``ct'' is the output. | 374 the same buffer. For the encrypt function ``pt''\footnote{pt stands for plaintext.} is the input and |
389 For the decryption function its the opposite. To test a particular cipher against test vectors\footnote{As published in their design papers.} call: \index{Cipher Testing} | 375 ``ct''\footnote{ct stands for ciphertext.} is the output. For the decryption function it's the opposite. To test a particular |
376 cipher against test vectors\footnote{As published in their design papers.} call the self-test function | |
377 | |
378 \subsection{Self--Testing} | |
379 \index{Cipher Testing} | |
390 \begin{verbatim} | 380 \begin{verbatim} |
391 int XXX_test(void); | 381 int XXX_test(void); |
392 \end{verbatim} | 382 \end{verbatim} |
393 This function will return {\bf CRYPT\_OK} if the cipher matches the test vectors from the design publication it is | 383 This function will return {\bf CRYPT\_OK} if the cipher matches the test vectors from the design publication it is |
394 based upon. Finally for each cipher there is a function which will help find a desired key size: | 384 based upon. |
385 | |
386 \subsection{Key Sizing} | |
387 For each cipher there is a function which will help find a desired key size: | |
395 \begin{verbatim} | 388 \begin{verbatim} |
396 int XXX_keysize(int *keysize); | 389 int XXX_keysize(int *keysize); |
397 \end{verbatim} | 390 \end{verbatim} |
398 Essentially it will round the input keysize in ``keysize'' down to the next appropriate key size. This function | 391 Essentially it will round the input keysize in ``keysize'' down to the next appropriate key size. This function |
399 return {\bf CRYPT\_OK} if the key size specified is acceptable. For example: | 392 return {\bf CRYPT\_OK} if the key size specified is acceptable. For example: |
400 \begin{small} | 393 \begin{small} |
401 \begin{verbatim} | 394 \begin{verbatim} |
402 #include <mycrypt.h> | 395 #include <tomcrypt.h> |
403 int main(void) | 396 int main(void) |
404 { | 397 { |
405 int keysize, err; | 398 int keysize, err; |
406 | 399 |
407 /* now given a 20 byte key what keysize does Twofish want to use? */ | 400 /* now given a 20 byte key what keysize does Twofish want to use? */ |
413 printf("Twofish suggested a key size of %d\n", keysize); | 406 printf("Twofish suggested a key size of %d\n", keysize); |
414 return 0; | 407 return 0; |
415 } | 408 } |
416 \end{verbatim} | 409 \end{verbatim} |
417 \end{small} | 410 \end{small} |
418 This should indicate a keysize of sixteen bytes is suggested. An example snippet that encodes a block with | 411 This should indicate a keysize of sixteen bytes is suggested. |
419 Blowfish in ECB mode is below. | 412 |
413 \subsection{Cipher Termination} | |
414 When you are finished with a cipher you can de--initialize it with the done function. | |
415 \begin{verbatim} | |
416 void XXX_done(symmetric_key *skey); | |
417 \end{verbatim} | |
418 For the software based ciphers within LibTomCrypt this function will not do anything. However, user supplied | |
419 cipher descriptors may require calls to it for resource management. To be compliant all functions which call a cipher | |
420 setup function must also call the respective cipher done function when finished. | |
421 | |
422 \subsection{Simple Encryption Demonstration} | |
423 An example snippet that encodes a block with Blowfish in ECB mode is below. | |
420 | 424 |
421 \begin{small} | 425 \begin{small} |
422 \begin{verbatim} | 426 \begin{verbatim} |
423 #include <mycrypt.h> | 427 #include <tomcrypt.h> |
424 int main(void) | 428 int main(void) |
425 { | 429 { |
426 unsigned char pt[8], ct[8], key[8]; | 430 unsigned char pt[8], ct[8], key[8]; |
427 symmetric_key skey; | 431 symmetric_key skey; |
428 int err; | 432 int err; |
442 | 446 |
443 /* encrypt the block */ | 447 /* encrypt the block */ |
444 blowfish_ecb_encrypt(pt, /* encrypt this 8-byte array */ | 448 blowfish_ecb_encrypt(pt, /* encrypt this 8-byte array */ |
445 ct, /* store encrypted data here */ | 449 ct, /* store encrypted data here */ |
446 &skey); /* our previously scheduled key */ | 450 &skey); /* our previously scheduled key */ |
451 | |
452 /* now ct holds the encrypted version of pt */ | |
447 | 453 |
448 /* decrypt the block */ | 454 /* decrypt the block */ |
449 blowfish_ecb_decrypt(ct, /* decrypt this 8-byte array */ | 455 blowfish_ecb_decrypt(ct, /* decrypt this 8-byte array */ |
450 pt, /* store decrypted data here */ | 456 pt, /* store decrypted data here */ |
451 &skey); /* our previously scheduled key */ | 457 &skey); /* our previously scheduled key */ |
452 | 458 |
459 /* now we have decrypted ct to the original plaintext in pt */ | |
460 | |
461 /* Terminate the cipher context */ | |
462 blowfish_done(&skey); | |
463 | |
453 return 0; | 464 return 0; |
454 } | 465 } |
455 \end{verbatim} | 466 \end{verbatim} |
456 \end{small} | 467 \end{small} |
457 | 468 |
458 \section{Key Sizes and Number of Rounds} | 469 \section{Key Sizes and Number of Rounds} |
459 \index{Symmetric Keys} | 470 \index{Symmetric Keys} |
460 As a general rule of thumb do not use symmetric keys under 80 bits if you can. Only a few of the ciphers support smaller | 471 As a general rule of thumb do not use symmetric keys under 80 bits if you can. Only a few of the ciphers support smaller |
461 keys (mainly for test vectors anyways). Ideally your application should be making at least 256 bit keys. This is not | 472 keys (mainly for test vectors anyways). Ideally your application should be making at least 256 bit keys. This is not |
462 because you're supposed to be paranoid. Its because if your PRNG has a bias of any sort the more bits the better. For | 473 because you're supposed to be paranoid. It's because if your PRNG has a bias of any sort the more bits the better. For |
463 example, if you have $\mbox{Pr}\left[X = 1\right] = {1 \over 2} \pm \gamma$ where $\vert \gamma \vert > 0$ then the | 474 example, if you have $\mbox{Pr}\left[X = 1\right] = {1 \over 2} \pm \gamma$ where $\vert \gamma \vert > 0$ then the |
464 total amount of entropy in N bits is $N \cdot -log_2\left ({1 \over 2} + \vert \gamma \vert \right)$. So if $\gamma$ | 475 total amount of entropy in N bits is $N \cdot -log_2\left ({1 \over 2} + \vert \gamma \vert \right)$. So if $\gamma$ |
465 were $0.25$ (a severe bias) a 256-bit string would have about 106 bits of entropy whereas a 128-bit string would have | 476 were $0.25$ (a severe bias) a 256-bit string would have about 106 bits of entropy whereas a 128-bit string would have |
466 only 53 bits of entropy. | 477 only 53 bits of entropy. |
467 | 478 |
468 The number of rounds of most ciphers is not an option you can change. Only RC5 allows you to change the number of | 479 The number of rounds of most ciphers is not an option you can change. Only RC5 allows you to change the number of |
469 rounds. By passing zero as the number of rounds all ciphers will use their default number of rounds. Generally the | 480 rounds. By passing zero as the number of rounds all ciphers will use their default number of rounds. Generally the |
470 ciphers are configured such that the default number of rounds provide adequate security for the given block size. | 481 ciphers are configured such that the default number of rounds provide adequate security for the given block and key |
482 size. | |
471 | 483 |
472 \section{The Cipher Descriptors} | 484 \section{The Cipher Descriptors} |
473 \index{Cipher Descriptor} | 485 \index{Cipher Descriptor} |
474 To facilitate automatic routines an array of cipher descriptors is provided in the array ``cipher\_descriptor''. An element | 486 To facilitate automatic routines an array of cipher descriptors is provided in the array ``cipher\_descriptor''. An element |
475 of this array has the following format: | 487 of this array has the following format: |
476 | 488 |
489 \begin{small} | |
477 \begin{verbatim} | 490 \begin{verbatim} |
478 struct _cipher_descriptor { | 491 struct _cipher_descriptor { |
479 char *name; | 492 char *name; |
480 unsigned long min_key_length, max_key_length, | 493 unsigned char ID; |
481 block_length, default_rounds; | 494 int min_key_length, |
482 int (*setup) (const unsigned char *key, int keylength, | 495 max_key_length, |
483 int num_rounds, symmetric_key *skey); | 496 block_length, |
484 void (*ecb_encrypt)(const unsigned char *pt, unsigned char *ct, | 497 default_rounds; |
485 symmetric_key *key); | 498 int (*setup)(const unsigned char *key, int keylen, int num_rounds, symmetric_key *skey); |
486 void (*ecb_decrypt)(const unsigned char *ct, unsigned char *pt, | 499 void (*ecb_encrypt)(const unsigned char *pt, unsigned char *ct, symmetric_key *skey); |
487 symmetric_key *key); | 500 void (*ecb_decrypt)(const unsigned char *ct, unsigned char *pt, symmetric_key *skey); |
488 int (*test) (void); | 501 int (*test)(void); |
489 int (*keysize) (int *desired_keysize); | 502 void (*done)(symmetric_key *skey); |
503 int (*keysize)(int *keysize); | |
504 | |
505 void (*accel_ecb_encrypt)(const unsigned char *pt, | |
506 unsigned char *ct, | |
507 unsigned long blocks, symmetric_key *skey); | |
508 void (*accel_ecb_decrypt)(const unsigned char *ct, | |
509 unsigned char *pt, | |
510 unsigned long blocks, symmetric_key *skey); | |
511 void (*accel_cbc_encrypt)(const unsigned char *pt, | |
512 unsigned char *ct, | |
513 unsigned long blocks, unsigned char *IV, | |
514 symmetric_key *skey); | |
515 void (*accel_cbc_decrypt)(const unsigned char *ct, | |
516 unsigned char *pt, | |
517 unsigned long blocks, unsigned char *IV, | |
518 symmetric_key *skey); | |
519 void (*accel_ctr_encrypt)(const unsigned char *pt, | |
520 unsigned char *ct, | |
521 unsigned long blocks, unsigned char *IV, | |
522 int mode, symmetric_key *skey); | |
523 void (*accel_ccm_memory)( | |
524 const unsigned char *key, unsigned long keylen, | |
525 const unsigned char *nonce, unsigned long noncelen, | |
526 const unsigned char *header, unsigned long headerlen, | |
527 unsigned char *pt, unsigned long ptlen, | |
528 unsigned char *ct, | |
529 unsigned char *tag, unsigned long *taglen, | |
530 int direction); | |
531 | |
490 }; | 532 }; |
491 \end{verbatim} | 533 \end{verbatim} |
492 | 534 \end{small} |
493 Where ``name'' is the lower case ASCII version of the name. The fields ``min\_key\_length'', ``max\_key\_length'' and | 535 |
494 ``block\_length'' are all the number of bytes not bits. As a good rule of thumb it is assumed that the cipher supports | 536 Where ``name'' is the lower case ASCII version of the name. The fields ``min\_key\_length'' and ``max\_key\_length'' |
537 are the minimum and maximum key sizes in bytes. The ``block\_length'' member is the block size of the cipher | |
538 in bytes. As a good rule of thumb it is assumed that the cipher supports | |
495 the min and max key lengths but not always everything in between. The ``default\_rounds'' field is the default number | 539 the min and max key lengths but not always everything in between. The ``default\_rounds'' field is the default number |
496 of rounds that will be used. | 540 of rounds that will be used. |
497 | 541 |
498 The remaining fields are all pointers to the core functions for each cipher. The end of the cipher\_descriptor array is | 542 The remaining fields are all pointers to the core functions for each cipher. The end of the cipher\_descriptor array is |
499 marked when ``name'' equals {\bf NULL}. | 543 marked when ``name'' equals {\bf NULL}. |
509 \hline X-Tea & xtea\_desc & 8 & 16 & 32 \\ | 553 \hline X-Tea & xtea\_desc & 8 & 16 & 32 \\ |
510 \hline RC2 & rc2\_desc & 8 & 8 $\ldots$ 128 & 16 \\ | 554 \hline RC2 & rc2\_desc & 8 & 8 $\ldots$ 128 & 16 \\ |
511 \hline RC5-32/12/b & rc5\_desc & 8 & 8 $\ldots$ 128 & 12 $\ldots$ 24 \\ | 555 \hline RC5-32/12/b & rc5\_desc & 8 & 8 $\ldots$ 128 & 12 $\ldots$ 24 \\ |
512 \hline RC6-32/20/b & rc6\_desc & 16 & 8 $\ldots$ 128 & 20 \\ | 556 \hline RC6-32/20/b & rc6\_desc & 16 & 8 $\ldots$ 128 & 20 \\ |
513 \hline SAFER+ & saferp\_desc &16 & 16, 24, 32 & 8, 12, 16 \\ | 557 \hline SAFER+ & saferp\_desc &16 & 16, 24, 32 & 8, 12, 16 \\ |
514 \hline Safer K64 & safer\_k64\_desc & 8 & 8 & 6 $\ldots$ 13 \\ | |
515 \hline Safer SK64 & safer\_sk64\_desc & 8 & 8 & 6 $\ldots$ 13 \\ | |
516 \hline Safer K128 & safer\_k128\_desc & 8 & 16 & 6 $\ldots$ 13 \\ | |
517 \hline Safer SK128 & safer\_sk128\_desc & 8 & 16 & 6 $\ldots$ 13 \\ | |
518 \hline AES & aes\_desc & 16 & 16, 24, 32 & 10, 12, 14 \\ | 558 \hline AES & aes\_desc & 16 & 16, 24, 32 & 10, 12, 14 \\ |
519 & aes\_enc\_desc & 16 & 16, 24, 32 & 10, 12, 14 \\ | 559 & aes\_enc\_desc & 16 & 16, 24, 32 & 10, 12, 14 \\ |
520 \hline Twofish & twofish\_desc & 16 & 16, 24, 32 & 16 \\ | 560 \hline Twofish & twofish\_desc & 16 & 16, 24, 32 & 16 \\ |
521 \hline DES & des\_desc & 8 & 7 & 16 \\ | 561 \hline DES & des\_desc & 8 & 7 & 16 \\ |
522 \hline 3DES (EDE mode) & des3\_desc & 8 & 21 & 16 \\ | 562 \hline 3DES (EDE mode) & des3\_desc & 8 & 21 & 16 \\ |
523 \hline CAST5 (CAST-128) & cast5\_desc & 8 & 5 $\ldots$ 16 & 12, 16 \\ | 563 \hline CAST5 (CAST-128) & cast5\_desc & 8 & 5 $\ldots$ 16 & 12, 16 \\ |
524 \hline Noekeon & noekeon\_desc & 16 & 16 & 16 \\ | 564 \hline Noekeon & noekeon\_desc & 16 & 16 & 16 \\ |
525 \hline Skipjack & skipjack\_desc & 8 & 10 & 32 \\ | 565 \hline Skipjack & skipjack\_desc & 8 & 10 & 32 \\ |
566 \hline Anubis & anubis\_desc & 16 & 16 $\ldots$ 40 & 12 $\ldots$ 18 \\ | |
567 \hline Khazad & khazad\_desc & 8 & 16 & 8 \\ | |
526 \hline | 568 \hline |
527 \end{tabular} | 569 \end{tabular} |
528 \end{center} | 570 \end{center} |
529 \end{small} | 571 \end{small} |
530 | 572 |
543 The ``encrypt only'' descriptors are useful for applications that only use the encryption function of the cipher. Algorithms such | 585 The ``encrypt only'' descriptors are useful for applications that only use the encryption function of the cipher. Algorithms such |
544 as EAX, PMAC and OMAC only require the encryption function. So far this ``encrypt only'' functionality has only been implemented for | 586 as EAX, PMAC and OMAC only require the encryption function. So far this ``encrypt only'' functionality has only been implemented for |
545 Rijndael as it makes the most sense for this cipher. | 587 Rijndael as it makes the most sense for this cipher. |
546 | 588 |
547 \item | 589 \item |
548 For the 64-bit SAFER famliy of ciphers (e.g K64, SK64, K128, SK128) the ecb\_encrypt() and ecb\_decrypt() | |
549 functions are the same. So if you want to use those functions directly just call safer\_ecb\_encrypt() | |
550 or safer\_ecb\_decrypt() respectively. | |
551 | |
552 \item | |
553 Note that for ``DES'' and ``3DES'' they use 8 and 24 byte keys but only 7 and 21 [respectively] bytes of the keys are in | 590 Note that for ``DES'' and ``3DES'' they use 8 and 24 byte keys but only 7 and 21 [respectively] bytes of the keys are in |
554 fact used for the purposes of encryption. My suggestion is just to use random 8/24 byte keys instead of trying to make a 8/24 | 591 fact used for the purposes of encryption. My suggestion is just to use random 8/24 byte keys instead of trying to make a 8/24 |
555 byte string from the real 7/21 byte key. | 592 byte string from the real 7/21 byte key. |
556 | 593 |
557 \item | 594 \item |
558 Note that ``Twofish'' has additional configuration options that take place at build time. These options are found in | 595 Note that ``Twofish'' has additional configuration options that take place at build time. These options are found in |
559 the file ``mycrypt\_cfg.h''. The first option is ``TWOFISH\_SMALL'' which when defined will force the Twofish code | 596 the file ``tomcrypt\_cfg.h''. The first option is ``TWOFISH\_SMALL'' which when defined will force the Twofish code |
560 to not pre-compute the Twofish ``$g(X)$'' function as a set of four $8 \times 32$ s-boxes. This means that a scheduled | 597 to not pre-compute the Twofish ``$g(X)$'' function as a set of four $8 \times 32$ s-boxes. This means that a scheduled |
561 key will require less ram but the resulting cipher will be slower. The second option is ``TWOFISH\_TABLES'' which when | 598 key will require less ram but the resulting cipher will be slower. The second option is ``TWOFISH\_TABLES'' which when |
562 defined will force the Twofish code to use pre-computed tables for the two s-boxes $q_0, q_1$ as well as the multiplication | 599 defined will force the Twofish code to use pre-computed tables for the two s-boxes $q_0, q_1$ as well as the multiplication |
563 by the polynomials 5B and EF used in the MDS multiplication. As a result the code is faster and slightly larger. The | 600 by the polynomials 5B and EF used in the MDS multiplication. As a result the code is faster and slightly larger. The |
564 speed increase is useful when ``TWOFISH\_SMALL'' is defined since the s-boxes and MDS multiply form the heart of the | 601 speed increase is useful when ``TWOFISH\_SMALL'' is defined since the s-boxes and MDS multiply form the heart of the |
588 \end{verbatim} | 625 \end{verbatim} |
589 Which will search for a given name in the array. It returns negative one if the cipher is not found, otherwise it returns | 626 Which will search for a given name in the array. It returns negative one if the cipher is not found, otherwise it returns |
590 the location in the array where the cipher was found. For example, to indirectly setup Blowfish you can also use: | 627 the location in the array where the cipher was found. For example, to indirectly setup Blowfish you can also use: |
591 \begin{small} | 628 \begin{small} |
592 \begin{verbatim} | 629 \begin{verbatim} |
593 #include <mycrypt.h> | 630 #include <tomcrypt.h> |
594 int main(void) | 631 int main(void) |
595 { | 632 { |
596 unsigned char key[8]; | 633 unsigned char key[8]; |
597 symmetric_key skey; | 634 symmetric_key skey; |
598 int err; | 635 int err; |
629 int unregister_cipher(const struct _cipher_descriptor *cipher); | 666 int unregister_cipher(const struct _cipher_descriptor *cipher); |
630 \end{verbatim} | 667 \end{verbatim} |
631 Which returns {\bf CRYPT\_OK} if it removes it otherwise it returns {\bf CRYPT\_ERROR}. Consider: | 668 Which returns {\bf CRYPT\_OK} if it removes it otherwise it returns {\bf CRYPT\_ERROR}. Consider: |
632 \begin{small} | 669 \begin{small} |
633 \begin{verbatim} | 670 \begin{verbatim} |
634 #include <mycrypt.h> | 671 #include <tomcrypt.h> |
635 int main(void) | 672 int main(void) |
636 { | 673 { |
637 int err; | 674 int err; |
638 | 675 |
639 /* register the cipher */ | 676 /* register the cipher */ |
727 block of memory with either of the three modes. | 764 block of memory with either of the three modes. |
728 | 765 |
729 The ECB and CBC modes process blocks of the same size as the cipher at a time. Therefore they are less flexible than the | 766 The ECB and CBC modes process blocks of the same size as the cipher at a time. Therefore they are less flexible than the |
730 other modes. | 767 other modes. |
731 | 768 |
732 \subsection{Implementation} | 769 \subsection{Initialization} |
733 \index{CBC Mode} \index{CTR Mode} | 770 \index{CBC Mode} \index{CTR Mode} |
734 \index{OFB Mode} \index{CFB Mode} | 771 \index{OFB Mode} \index{CFB Mode} |
735 The library provides simple support routines for handling CBC, CTR, CFB, OFB and ECB encoded messages. Assuming the mode | 772 The library provides simple support routines for handling CBC, CTR, CFB, OFB and ECB encoded messages. Assuming the mode |
736 you want is XXX there is a structure called ``symmetric\_XXX'' that will contain the information required to | 773 you want is XXX there is a structure called ``symmetric\_XXX'' that will contain the information required to |
737 use that mode. They have identical setup routines (except ECB mode for obvious reasons): | 774 use that mode. They have identical setup routines (except ECB mode for obvious reasons): |
750 length as the block size\footnote{In otherwords the size of a block of plaintext for the cipher, e.g. 8 for DES, 16 for AES, etc.} | 787 length as the block size\footnote{In otherwords the size of a block of plaintext for the cipher, e.g. 8 for DES, 16 for AES, etc.} |
751 of the cipher you choose. It is important that the IV be random for each unique message you want to encrypt. The | 788 of the cipher you choose. It is important that the IV be random for each unique message you want to encrypt. The |
752 parameters ``key'', ``keylen'' and ``num\_rounds'' are the same as in the XXX\_setup() function call. The final parameter | 789 parameters ``key'', ``keylen'' and ``num\_rounds'' are the same as in the XXX\_setup() function call. The final parameter |
753 is a pointer to the structure you want to hold the information for the mode of operation. | 790 is a pointer to the structure you want to hold the information for the mode of operation. |
754 | 791 |
755 Both routines return {\bf CRYPT\_OK} if the cipher initialized correctly, otherwise they return an error code. To | 792 Both routines return {\bf CRYPT\_OK} if the cipher initialized correctly, otherwise they return an error code. |
756 actually encrypt or decrypt the following routines are provided: | 793 |
794 \subsection{Encryption and Decryption} | |
795 To actually encrypt or decrypt the following routines are provided: | |
757 \index{ecb\_encrypt()} \index{ecb\_decrypt()} \index{cfb\_encrypt()} \index{cfb\_decrypt()} | 796 \index{ecb\_encrypt()} \index{ecb\_decrypt()} \index{cfb\_encrypt()} \index{cfb\_decrypt()} |
758 \index{cbc\_encrypt()} \index{cbc\_decrypt()} \index{ofb\_encrypt()} \index{ofb\_decrypt()} \index{ctr\_encrypt()} \index{ctr\_decrypt()} | 797 \index{cbc\_encrypt()} \index{cbc\_decrypt()} \index{ofb\_encrypt()} \index{ofb\_decrypt()} \index{ctr\_encrypt()} \index{ctr\_decrypt()} |
759 \begin{verbatim} | 798 \begin{verbatim} |
760 int XXX_encrypt(const unsigned char *pt, unsigned char *ct, | 799 int XXX_encrypt(const unsigned char *pt, unsigned char *ct, |
761 symmetric_XXX *XXX); | |
762 int XXX_decrypt(const unsigned char *ct, unsigned char *pt, | |
763 symmetric_XXX *XXX); | |
764 | |
765 int YYY_encrypt(const unsigned char *pt, unsigned char *ct, | |
766 unsigned long len, symmetric_YYY *YYY); | 800 unsigned long len, symmetric_YYY *YYY); |
767 int YYY_decrypt(const unsigned char *ct, unsigned char *pt, | 801 int XXX_decrypt(const unsigned char *ct, unsigned char *pt, |
768 unsigned long len, symmetric_YYY *YYY); | 802 unsigned long len, symmetric_YYY *YYY); |
769 \end{verbatim} | 803 \end{verbatim} |
770 Where ``XXX'' is one of (ecb, cbc) and ``YYY'' is one of (ctr, ofb, cfb). In the CTR, OFB and CFB cases ``len'' is the | 804 Where ``XXX'' is one of $\lbrace ecb, cbc, ctr, cfb, ofb \rbrace$. |
771 size of the buffer (as number of chars) to encrypt or decrypt. The CTR, OFB and CFB modes are order sensitive but not | 805 |
806 In all cases ``len'' is the size of the buffer (as number of octets) to encrypt or decrypt. The CTR, OFB and CFB modes are order sensitive but not | |
772 chunk sensitive. That is you can encrypt ``ABCDEF'' in three calls like ``AB'', ``CD'', ``EF'' or two like ``ABCDE'' and ``F'' | 807 chunk sensitive. That is you can encrypt ``ABCDEF'' in three calls like ``AB'', ``CD'', ``EF'' or two like ``ABCDE'' and ``F'' |
773 and end up with the same ciphertext. However, encrypting ``ABC'' and ``DABC'' will result in different ciphertexts. All | 808 and end up with the same ciphertext. However, encrypting ``ABC'' and ``DABC'' will result in different ciphertexts. All |
774 five of the modes will return {\bf CRYPT\_OK} on success from the encrypt or decrypt functions. | 809 five of the modes will return {\bf CRYPT\_OK} on success from the encrypt or decrypt functions. |
775 | 810 |
811 In the ECB and CBC cases ``len'' must be a multiple of the ciphers block size. In the CBC case you must manually pad the end of your message (either with | |
812 zeroes or with whatever your protocol requires). | |
813 | |
776 To decrypt in either mode you simply perform the setup like before (recall you have to fetch the IV value you used) | 814 To decrypt in either mode you simply perform the setup like before (recall you have to fetch the IV value you used) |
777 and use the decrypt routine on all of the blocks. | 815 and use the decrypt routine on all of the blocks. |
778 | 816 |
817 \subsection{IV Manipulation} | |
779 To change or read the IV of a previously initialized chaining mode use the following two functions. | 818 To change or read the IV of a previously initialized chaining mode use the following two functions. |
780 | 819 |
781 \index{cbc\_setiv()} \index{cbc\_getiv()} \index{ofb\_setiv()} \index{ofb\_getiv()} \index{cfb\_setiv()} \index{cfb\_getiv()} | 820 \index{cbc\_setiv()} \index{cbc\_getiv()} \index{ofb\_setiv()} \index{ofb\_getiv()} \index{cfb\_setiv()} \index{cfb\_getiv()} |
782 \index{ctr\_setiv()} \index{ctr\_getiv()} | 821 \index{ctr\_setiv()} \index{ctr\_getiv()} |
783 \begin{verbatim} | 822 \begin{verbatim} |
784 int XXX_getiv(unsigned char *IV, unsigned long *len, symmetric_XXX *XXX); | 823 int XXX_getiv(unsigned char *IV, unsigned long *len, symmetric_XXX *XXX); |
785 int XXX_setiv(const unsigned char *IV, unsigned long len, symmetric_XXX *XXX); | 824 int XXX_setiv(const unsigned char *IV, unsigned long len, symmetric_XXX *XXX); |
786 \end{verbatim} | 825 \end{verbatim} |
787 | 826 |
788 The XXX\_getiv function will read the IV out of the chaining mode and store it into ``IV'' along with the length of the IV | 827 The XXX\_getiv() functions will read the IV out of the chaining mode and store it into ``IV'' along with the length of the IV |
789 stored in ``len''. The XXX\_setiv will initialize the chaining mode state as if the original IV were the new IV specified. The length | 828 stored in ``len''. The XXX\_setiv will initialize the chaining mode state as if the original IV were the new IV specified. The length |
790 of the IV passed in must be the size of the ciphers block size. | 829 of the IV passed in must be the size of the ciphers block size. |
791 | 830 |
792 The XXX\_setiv functions are handy if you wish to change the IV without re--keying the cipher. | 831 The XXX\_setiv() functions are handy if you wish to change the IV without re--keying the cipher. |
832 | |
833 \subsection{Stream Termination} | |
834 To terminate an open stream call the done function. | |
835 | |
836 \index{ecb\_done()} \index{cbc\_done()}\index{cfb\_done()}\index{ofb\_done()} \index{ctr\_done()} | |
837 \begin{verbatim} | |
838 int XXX_done(symmetric_XXX *XXX); | |
839 \end{verbatim} | |
840 | |
841 This will terminate the stream (by terminating the cipher) and return \textbf{CRYPT\_OK} if successful. | |
842 | |
843 \subsection{Examples} | |
793 | 844 |
794 \newpage | 845 \newpage |
795 \begin{small} | 846 \begin{small} |
796 \begin{verbatim} | 847 \begin{verbatim} |
797 #include <mycrypt.h> | 848 #include <tomcrypt.h> |
798 int main(void) | 849 int main(void) |
799 { | 850 { |
800 unsigned char key[16], IV[16], buffer[512]; | 851 unsigned char key[16], IV[16], buffer[512]; |
801 symmetric_CTR ctr; | 852 symmetric_CTR ctr; |
802 int x, err; | 853 int x, err; |
850 ) != CRYPT_OK) { | 901 ) != CRYPT_OK) { |
851 printf("ctr_decrypt error: %s\n", error_to_string(err)); | 902 printf("ctr_decrypt error: %s\n", error_to_string(err)); |
852 return -1; | 903 return -1; |
853 } | 904 } |
854 | 905 |
906 /* terminate the stream */ | |
907 if ((err = ctr_done(&ctr)) != CRYPT_OK) { | |
908 printf("ctr_done error: %s\n", error_to_string(err)); | |
909 return -1; | |
910 } | |
911 | |
855 /* clear up and return */ | 912 /* clear up and return */ |
856 zeromem(key, sizeof(key)); | 913 zeromem(key, sizeof(key)); |
857 zeromem(&ctr, sizeof(ctr)); | 914 zeromem(&ctr, sizeof(ctr)); |
858 | 915 |
859 return 0; | 916 return 0; |
942 int eax_test(void); | 999 int eax_test(void); |
943 \end{verbatim} | 1000 \end{verbatim} |
944 This requires that the AES (or Rijndael) block cipher be registered with the cipher\_descriptor table first. | 1001 This requires that the AES (or Rijndael) block cipher be registered with the cipher\_descriptor table first. |
945 | 1002 |
946 \begin{verbatim} | 1003 \begin{verbatim} |
947 #include <mycrypt.h> | 1004 #include <tomcrypt.h> |
948 int main(void) | 1005 int main(void) |
949 { | 1006 { |
950 int err; | 1007 int err; |
951 eax_state eax; | 1008 eax_state eax; |
952 unsigned char pt[64], ct[64], nonce[16], key[16], tag[16]; | 1009 unsigned char pt[64], ct[64], nonce[16], key[16], tag[16]; |
1055 This will encrypt (or decrypt for the latter) a fixed length of data from ``pt'' to ``ct'' (vice versa for the latter). | 1112 This will encrypt (or decrypt for the latter) a fixed length of data from ``pt'' to ``ct'' (vice versa for the latter). |
1056 They assume that ``pt'' and ``ct'' are the same size as the block cipher's block size. Note that you cannot call | 1113 They assume that ``pt'' and ``ct'' are the same size as the block cipher's block size. Note that you cannot call |
1057 both functions given a single ``ocb'' state. For bi-directional communication you will have to initialize two ``ocb'' | 1114 both functions given a single ``ocb'' state. For bi-directional communication you will have to initialize two ``ocb'' |
1058 states (with different nonces). Also ``pt'' and ``ct'' may point to the same location in memory. | 1115 states (with different nonces). Also ``pt'' and ``ct'' may point to the same location in memory. |
1059 | 1116 |
1117 \subsubsection{State Termination} | |
1118 | |
1060 When you are finished encrypting the message you call the following function to compute the tag. | 1119 When you are finished encrypting the message you call the following function to compute the tag. |
1061 | 1120 |
1062 \index{ocb\_done\_encrypt()} | 1121 \index{ocb\_done\_encrypt()} |
1063 \begin{verbatim} | 1122 \begin{verbatim} |
1064 int ocb_done_encrypt(ocb_state *ocb, | 1123 int ocb_done_encrypt(ocb_state *ocb, |
1088 Similarly to the previous function you can pass trailing message bytes into this function. This will compute the | 1147 Similarly to the previous function you can pass trailing message bytes into this function. This will compute the |
1089 tag of the message (internally) and then compare it against the ``taglen'' bytes of ``tag'' provided. By default | 1148 tag of the message (internally) and then compare it against the ``taglen'' bytes of ``tag'' provided. By default |
1090 ``res'' is set to zero. If all ``taglen'' bytes of ``tag'' can be verified then ``res'' is set to one (authenticated | 1149 ``res'' is set to zero. If all ``taglen'' bytes of ``tag'' can be verified then ``res'' is set to one (authenticated |
1091 message). | 1150 message). |
1092 | 1151 |
1152 \subsubsection{Packet Functions} | |
1093 To make life simpler the following two functions are provided for memory bound OCB. | 1153 To make life simpler the following two functions are provided for memory bound OCB. |
1094 | 1154 |
1095 \index{ocb\_encrypt\_authenticate\_memory()} | 1155 \index{ocb\_encrypt\_authenticate\_memory()} |
1096 \begin{verbatim} | 1156 \begin{verbatim} |
1097 int ocb_encrypt_authenticate_memory(int cipher, | 1157 int ocb_encrypt_authenticate_memory(int cipher, |
1117 \end{verbatim} | 1177 \end{verbatim} |
1118 | 1178 |
1119 Similarly this will OCB decrypt and compare the internally computed tag against the tag provided. ``res'' is set | 1179 Similarly this will OCB decrypt and compare the internally computed tag against the tag provided. ``res'' is set |
1120 appropriately. | 1180 appropriately. |
1121 | 1181 |
1182 \subsection{CCM Mode} | |
1183 CCM is a NIST proposal for Encrypt+Authenticate that is centered around using AES (or any 16--byte cipher) as a primitive. Unlike EAX and OCB mode | |
1184 it is only meant for ``packet'' mode where the length of the input is known in advance. Since it is a packet mode function CCM only has one | |
1185 function that performs the protocol. | |
1186 | |
1187 \index{ccm\_memory()} | |
1188 \begin{verbatim} | |
1189 int ccm_memory(int cipher, | |
1190 const unsigned char *key, unsigned long keylen, | |
1191 const unsigned char *nonce, unsigned long noncelen, | |
1192 const unsigned char *header, unsigned long headerlen, | |
1193 unsigned char *pt, unsigned long ptlen, | |
1194 unsigned char *ct, | |
1195 unsigned char *tag, unsigned long *taglen, | |
1196 int direction); | |
1197 \end{verbatim} | |
1198 | |
1199 This performs the ``CCM'' operation on the data. The ``cipher'' variable indicates which cipher in the descriptor table to use. It must have a | |
1200 16--byte block size for CCM. The key is ``key'' with a length of ``keylen'' octets. The nonce or salt is ``nonce'' of | |
1201 length ``noncelen'' octets. The header is meta--data you want to send with the message but not have encrypted, it is stored in ``header'' | |
1202 of length ``headerlen'' octets. The header can be zero octets long (if $headerlen = 0$ then you can pass ``header'' as \textbf{NULL}). | |
1203 | |
1204 The plaintext is stored in ``pt'' and the ciphertext in ``ct''. The length of both are expected to be equal and is passed in as ``ptlen''. It is | |
1205 allowable that $pt = ct$. The ``direction'' variable indicates whether encryption (direction $=$ \textbf{CCM\_ENCRYPT}) or | |
1206 decryption (direction $=$ \textbf{CCM\_DECRYPT}) is to be performed. | |
1207 | |
1208 As implemented this copy of CCM cannot handle a header or plaintext longer than $2^{32} - 1$ octets long. | |
1209 | |
1210 You can test the implementation of CCM with the following function. | |
1211 | |
1212 \index{ccm\_test()} | |
1213 \begin{verbatim} | |
1214 int ccm_test(void); | |
1215 \end{verbatim} | |
1216 | |
1217 This will return \textbf{CRYPT\_OK} if the CCM routine passes known test vectors. | |
1218 | |
1219 \subsection{GCM Mode} | |
1220 Galois counter mode is an IEEE proposal for authenticated encryption. Like EAX and OCB it can be used in a streaming capacity however, unlike EAX it cannot | |
1221 accept ``additional authentication data'' (meta--data) after plaintext has been processed. This mode also only works with block ciphers with a sixteen | |
1222 byte block. | |
1223 | |
1224 A GCM stream is meant to be processed in three modes each one sequential serial. First the initial vector (per session) data is processed. This should be | |
1225 unique to every session. Next the the optional additional authentication data is processed and finally the plaintext. | |
1226 | |
1227 \subsubsection{Initialization} | |
1228 To initialize the GCM context with a secret key call the following function. | |
1229 | |
1230 \index{gcm\_init()} | |
1231 \begin{verbatim} | |
1232 int gcm_init(gcm_state *gcm, int cipher, | |
1233 const unsigned char *key, int keylen); | |
1234 \end{verbatim} | |
1235 This initializes the GCM state ``gcm'' for the given cipher indexed by ``cipher'' with a secret key ``key'' of length ``keylen'' octets. The cipher chosen | |
1236 must have a 16--byte block size (e.g. AES). | |
1237 | |
1238 \subsubsection{Initial Vector} | |
1239 After the state has been initialized (or reset) the next step is to add the session (or packet) initial vector. It should be unique per packet encrypted. | |
1240 | |
1241 \index{gcm\_add\_iv()} | |
1242 \begin{verbatim} | |
1243 int gcm_add_iv(gcm_state *gcm, | |
1244 const unsigned char *IV, unsigned long IVlen); | |
1245 \end{verbatim} | |
1246 | |
1247 This adds the initial vector octets from ``IV'' of length ``IVlen'' to the GCM state ``gcm''. You can call this function as many times as required | |
1248 to process the entire IV. | |
1249 | |
1250 Note that the GCM protocols provides a ``shortcut'' for 12--byte IVs where no preprocessing is to be done. If you want to minimize per packet latency it's ideal | |
1251 to only use 12--byte IVs. You can just increment it like a counter for each packet and the CTR [privacy] will be ensured. | |
1252 | |
1253 \subsubsection{Additional Authentication Data} | |
1254 After the entire IV has been processed the additional authentication data can be processed. Unlike the IV a packet/session does not require additional | |
1255 authentication data (AAD) for security. The AAD is meant to be used as side--channel data you want to be authenticated with the packet. Note that once | |
1256 you begin adding AAD to the GCM state you cannot return to adding IV data until the state is reset. | |
1257 | |
1258 \index{gcm\_add\_aad()} | |
1259 \begin{verbatim} | |
1260 int gcm_add_aad(gcm_state *gcm, | |
1261 const unsigned char *adata, unsigned long adatalen); | |
1262 \end{verbatim} | |
1263 This adds the additional authentication data ``adata'' of length ``adatalen'' to the GCM state ``gcm''. | |
1264 | |
1265 \subsubsection{Plaintext Processing} | |
1266 After the AAD has been processed the plaintext (or ciphertext depending on the direction) can be processed. | |
1267 | |
1268 \index{gcm\_process()} | |
1269 \begin{verbatim} | |
1270 int gcm_process(gcm_state *gcm, | |
1271 unsigned char *pt, unsigned long ptlen, | |
1272 unsigned char *ct, | |
1273 int direction); | |
1274 \end{verbatim} | |
1275 This processes message data where ``pt'' is the plaintext and ``ct'' is the ciphertext. The length of both are equal and stored in ``ptlen''. Depending on the | |
1276 mode ``pt'' is the input and ``ct'' is the output (or vice versa). When ``direction'' equals \textbf{GCM\_ENCRYPT} the plaintext is read, encrypted and stored | |
1277 in the ciphertext buffer. When ``direction'' equals \textbf{GCM\_DECRYPT} the opposite occurs. | |
1278 | |
1279 \subsubsection{State Termination} | |
1280 To terminate a GCM state and retrieve the message authentication tag call the following function. | |
1281 | |
1282 \index{gcm\_done()} | |
1283 \begin{verbatim} | |
1284 int gcm_done(gcm_state *gcm, | |
1285 unsigned char *tag, unsigned long *taglen); | |
1286 \end{verbatim} | |
1287 This terminates the GCM state ``gcm'' and stores the tag in ``tag'' of length ``taglen'' octets. | |
1288 | |
1289 \subsubsection{State Reset} | |
1290 The call to gcm\_init() will perform considerable pre--computation (when \textbf{GCM\_TABLES} is defined) and if you're going to be dealing with a lot of packets | |
1291 it is very costly to have to call it repeatedly. To aid in this endeavour the reset function has been provided. | |
1292 | |
1293 \index{gcm\_reset()} | |
1294 \begin{verbatim} | |
1295 int gcm_reset(gcm_state *gcm); | |
1296 \end{verbatim} | |
1297 | |
1298 This will reset the GCM state ``gcm'' to the state that gcm\_init() left it. The user would then call gcm\_add\_iv(), gcm\_add\_aad(), etc. | |
1299 | |
1300 \subsubsection{One--Shot Packet} | |
1301 To process a single packet under any given key the following helper function can be used. | |
1302 | |
1303 \index{gcm\_memory()} | |
1304 \begin{verbatim} | |
1305 int gcm_memory( int cipher, | |
1306 const unsigned char *key, unsigned long keylen, | |
1307 const unsigned char *IV, unsigned long IVlen, | |
1308 const unsigned char *adata, unsigned long adatalen, | |
1309 unsigned char *pt, unsigned long ptlen, | |
1310 unsigned char *ct, | |
1311 unsigned char *tag, unsigned long *taglen, | |
1312 int direction); | |
1313 \end{verbatim} | |
1314 | |
1315 This will initialize the GCM state with the given key, IV and AAD value then proceed to encrypt or decrypt the message text and store the final | |
1316 message tag. The definition of the variables is the same as it is for all the manual functions. | |
1317 | |
1318 If you are processing many packets under the same key you shouldn't use this function as it invokes the pre--computation with each call. | |
1319 | |
1320 \subsubsection{Example Usage} | |
1321 The following is an example usage of how to use GCM over multiple packets with a shared secret key. | |
1322 | |
1323 \begin{small} | |
1324 \begin{verbatim} | |
1325 #include <tomcrypt.h> | |
1326 | |
1327 int send_packet(const unsigned char *pt, unsigned long ptlen, | |
1328 const unsigned char *iv, unsigned long ivlen, | |
1329 const unsigned char *aad, unsigned long aadlen, | |
1330 gcm_state *gcm) | |
1331 { | |
1332 int err; | |
1333 unsigned long taglen; | |
1334 unsigned char tag[16]; | |
1335 | |
1336 /* reset the state */ | |
1337 if ((err = gcm_reset(gcm)) != CRYPT_OK) { | |
1338 return err; | |
1339 } | |
1340 | |
1341 /* Add the IV */ | |
1342 if ((err = gcm_add_iv(gcm, iv, ivlen)) != CRYPT_OK) { | |
1343 return err; | |
1344 } | |
1345 | |
1346 /* Add the AAD (note: aad can be NULL if aadlen == 0) */ | |
1347 if ((err = gcm_add_aad(gcm, aad, aadlen)) != CRYPT_OK) { | |
1348 return err; | |
1349 } | |
1350 | |
1351 /* process the plaintext */ | |
1352 if ((err = gcm_add_process(gcm, pt, ptlen, pt, GCM_ENCRYPT)) != CRYPT_OK) { | |
1353 return err; | |
1354 } | |
1355 | |
1356 /* Finish up and get the MAC tag */ | |
1357 taglen = sizeof(tag); | |
1358 if ((err = gcm_done(gcm, tag, &taglen)) != CRYPT_OK) { | |
1359 return err; | |
1360 } | |
1361 | |
1362 /* depending on the protocol and how IV is generated you may have to send it too... */ | |
1363 send(socket, iv, ivlen, 0); | |
1364 | |
1365 /* send the aad */ | |
1366 send(socket, aad, aadlen, 0); | |
1367 | |
1368 /* send the ciphertext */ | |
1369 send(socket, pt, ptlen, 0); | |
1370 | |
1371 /* send the tag */ | |
1372 send(socket, tag, taglen, 0); | |
1373 | |
1374 return CRYPT_OK; | |
1375 } | |
1376 | |
1377 int main(void) | |
1378 { | |
1379 gcm_state gcm; | |
1380 unsigned char key[16], IV[12], pt[PACKET_SIZE]; | |
1381 int err, x; | |
1382 unsigned long ptlen; | |
1383 | |
1384 /* somehow fill key/IV with random values */ | |
1385 | |
1386 /* register AES */ | |
1387 register_cipher(&aes_desc); | |
1388 | |
1389 /* init the GCM state */ | |
1390 if ((err = gcm_init(&gcm, find_cipher("aes"), key, 16)) != CRYPT_OK) { | |
1391 whine_and_pout(err); | |
1392 } | |
1393 | |
1394 /* handle us some packets */ | |
1395 for (;;) { | |
1396 ptlen = make_packet_we_want_to_send(pt); | |
1397 | |
1398 /* use IV as counter (12 byte counter) */ | |
1399 for (x = 11; x >= 0; x--) { | |
1400 if (++IV[x]) { | |
1401 break; | |
1402 } | |
1403 } | |
1404 | |
1405 if ((err = send_packet(pt, ptlen, iv, 12, NULL, 0, &gcm)) != CRYPT_OK) { | |
1406 whine_and_pout(err); | |
1407 } | |
1408 } | |
1409 return EXIT_SUCCESS; | |
1410 } | |
1411 \end{verbatim} | |
1412 \end{small} | |
1413 | |
1122 \chapter{One-Way Cryptographic Hash Functions} | 1414 \chapter{One-Way Cryptographic Hash Functions} |
1123 \section{Core Functions} | 1415 \section{Core Functions} |
1124 | 1416 |
1125 Like the ciphers there are hash core functions and a universal data type to hold the hash state called ``hash\_state''. | 1417 Like the ciphers there are hash core functions and a universal data type to hold the hash state called ``hash\_state''. |
1126 To initialize hash XXX (where XXX is the name) call: | 1418 To initialize hash XXX (where XXX is the name) call: |
1130 \end{verbatim} | 1422 \end{verbatim} |
1131 | 1423 |
1132 This simply sets up the hash to the default state governed by the specifications of the hash. To add data to the | 1424 This simply sets up the hash to the default state governed by the specifications of the hash. To add data to the |
1133 message being hashed call: | 1425 message being hashed call: |
1134 \begin{verbatim} | 1426 \begin{verbatim} |
1135 int XXX_process(hash_state *md, const unsigned char *in, unsigned long len); | 1427 int XXX_process(hash_state *md, const unsigned char *in, unsigned long inlen); |
1136 \end{verbatim} | 1428 \end{verbatim} |
1137 | 1429 |
1138 Essentially all hash messages are virtually infinitely\footnote{Most hashes are limited to $2^{64}$ bits or 2,305,843,009,213,693,952 bytes.} long message which | 1430 Essentially all hash messages are virtually infinitely\footnote{Most hashes are limited to $2^{64}$ bits or 2,305,843,009,213,693,952 bytes.} long message which |
1139 are buffered. The data can be passed in any sized chunks as long as the order of the bytes are the same the message digest | 1431 are buffered. The data can be passed in any sized chunks as long as the order of the bytes are the same the message digest |
1140 (hash output) will be the same. For example, this means that: | 1432 (hash output) will be the same. For example, this means that: |
1165 | 1457 |
1166 This will return {\bf CRYPTO\_OK} if the hash matches the test vectors, otherwise it returns an error code. An | 1458 This will return {\bf CRYPTO\_OK} if the hash matches the test vectors, otherwise it returns an error code. An |
1167 example snippet that hashes a message with md5 is given below. | 1459 example snippet that hashes a message with md5 is given below. |
1168 \begin{small} | 1460 \begin{small} |
1169 \begin{verbatim} | 1461 \begin{verbatim} |
1170 #include <mycrypt.h> | 1462 #include <tomcrypt.h> |
1171 int main(void) | 1463 int main(void) |
1172 { | 1464 { |
1173 hash_state md; | 1465 hash_state md; |
1174 unsigned char *in = "hello world", out[16]; | 1466 unsigned char *in = "hello world", out[16]; |
1175 | 1467 |
1193 \begin{verbatim} | 1485 \begin{verbatim} |
1194 struct _hash_descriptor { | 1486 struct _hash_descriptor { |
1195 char *name; | 1487 char *name; |
1196 unsigned long hashsize; /* digest output size in bytes */ | 1488 unsigned long hashsize; /* digest output size in bytes */ |
1197 unsigned long blocksize; /* the block size the hash uses */ | 1489 unsigned long blocksize; /* the block size the hash uses */ |
1198 void (*init) (hash_state *); | 1490 void (*init) (hash_state *hash); |
1199 int (*process)(hash_state *, const unsigned char *, unsigned long); | 1491 int (*process)(hash_state *hash, |
1200 int (*done) (hash_state *, unsigned char *); | 1492 const unsigned char *in, unsigned long inlen); |
1493 int (*done) (hash_state *hash, unsigned char *out); | |
1201 int (*test) (void); | 1494 int (*test) (void); |
1202 }; | 1495 }; |
1203 \end{verbatim} | 1496 \end{verbatim} |
1204 | 1497 |
1205 Similarly ``name'' is the name of the hash function in ASCII (all lowercase). ``hashsize'' is the size of the digest output | 1498 Similarly ``name'' is the name of the hash function in ASCII (all lowercase). ``hashsize'' is the size of the digest output |
1208 position in the descriptor table of the hash. | 1501 position in the descriptor table of the hash. |
1209 | 1502 |
1210 You can use the table to indirectly call a hash function that is chosen at runtime. For example: | 1503 You can use the table to indirectly call a hash function that is chosen at runtime. For example: |
1211 \begin{small} | 1504 \begin{small} |
1212 \begin{verbatim} | 1505 \begin{verbatim} |
1213 #include <mycrypt.h> | 1506 #include <tomcrypt.h> |
1214 int main(void) | 1507 int main(void) |
1215 { | 1508 { |
1216 unsigned char buffer[100], hash[MAXBLOCKSIZE]; | 1509 unsigned char buffer[100], hash[MAXBLOCKSIZE]; |
1217 int idx, x; | 1510 int idx, x; |
1218 hash_state md; | 1511 hash_state md; |
1256 length. This provides a simple size you can set your automatic arrays to that will not get overrun. | 1549 length. This provides a simple size you can set your automatic arrays to that will not get overrun. |
1257 | 1550 |
1258 There are three helper functions as well: | 1551 There are three helper functions as well: |
1259 \index{hash\_memory()} \index{hash\_file()} | 1552 \index{hash\_memory()} \index{hash\_file()} |
1260 \begin{verbatim} | 1553 \begin{verbatim} |
1261 int hash_memory(int hash, const unsigned char *data, | 1554 int hash_memory(int hash, |
1262 unsigned long len, unsigned char *dst, | 1555 const unsigned char *in, unsigned long inlen, |
1263 unsigned long *outlen); | 1556 unsigned char *out, unsigned long *outlen); |
1264 | 1557 |
1265 int hash_file(int hash, const char *fname, | 1558 int hash_file(int hash, const char *fname, |
1266 unsigned char *dst, | 1559 unsigned char *out, unsigned long *outlen); |
1267 unsigned long *outlen); | |
1268 | 1560 |
1269 int hash_filehandle(int hash, FILE *in, | 1561 int hash_filehandle(int hash, FILE *in, |
1270 unsigned char *dst, unsigned long *outlen); | 1562 unsigned char *out, unsigned long *outlen); |
1271 \end{verbatim} | 1563 \end{verbatim} |
1272 | 1564 |
1273 The ``hash'' parameter is the location in the descriptor table of the hash (\textit{e.g. the return of find\_hash()}). | 1565 The ``hash'' parameter is the location in the descriptor table of the hash (\textit{e.g. the return of find\_hash()}). |
1274 The ``*outlen'' variable is used to keep track of the output size. You | 1566 The ``*outlen'' variable is used to keep track of the output size. You must set it to the size of your output buffer before |
1275 must set it to the size of your output buffer before calling the functions. When they complete succesfully they store | 1567 calling the functions. When they complete succesfully they store the length of the message digest back in it. The functions |
1276 the length of the message digest back in it. The functions are otherwise straightforward. The ``hash\_filehandle'' | 1568 are otherwise straightforward. The ``hash\_filehandle'' function assumes that ``in'' is an file handle opened in binary mode. |
1277 function assumes that ``in'' is an file handle opened in binary mode. It will hash to the end of file and not reset | 1569 It will hash to the end of file and not reset the file position when finished. |
1278 the file position when finished. | |
1279 | 1570 |
1280 To perform the above hash with md5 the following code could be used: | 1571 To perform the above hash with md5 the following code could be used: |
1281 \begin{small} | 1572 \begin{small} |
1282 \begin{verbatim} | 1573 \begin{verbatim} |
1283 #include <mycrypt.h> | 1574 #include <tomcrypt.h> |
1284 int main(void) | 1575 int main(void) |
1285 { | 1576 { |
1286 int idx, err; | 1577 int idx, err; |
1287 unsigned long len; | 1578 unsigned long len; |
1288 unsigned char out[MAXBLOCKSIZE]; | 1579 unsigned char out[MAXBLOCKSIZE]; |
1362 \end{enumerate} | 1653 \end{enumerate} |
1363 | 1654 |
1364 Example of using CHC with the AES block cipher. | 1655 Example of using CHC with the AES block cipher. |
1365 | 1656 |
1366 \begin{verbatim} | 1657 \begin{verbatim} |
1367 #include <mycrypt.h> | 1658 #include <tomcrypt.h> |
1368 int main(void) | 1659 int main(void) |
1369 { | 1660 { |
1370 int err; | 1661 int err; |
1371 | 1662 |
1372 /* register cipher and hash */ | 1663 /* register cipher and hash */ |
1415 The ``hmac'' parameter is the state for the HMAC code. ``hash'' is the index into the descriptor table of the hash you want | 1706 The ``hmac'' parameter is the state for the HMAC code. ``hash'' is the index into the descriptor table of the hash you want |
1416 to use to authenticate the message. ``key'' is the pointer to the array of chars that make up the key. ``keylen'' is the | 1707 to use to authenticate the message. ``key'' is the pointer to the array of chars that make up the key. ``keylen'' is the |
1417 length (in octets) of the key you want to use to authenticate the message. To send octets of a message through the HMAC system you must use the following function: | 1708 length (in octets) of the key you want to use to authenticate the message. To send octets of a message through the HMAC system you must use the following function: |
1418 \index{hmac\_process()} | 1709 \index{hmac\_process()} |
1419 \begin{verbatim} | 1710 \begin{verbatim} |
1420 int hmac_process(hmac_state *hmac, const unsigned char *buf, | 1711 int hmac_process(hmac_state *hmac, |
1421 unsigned long len); | 1712 const unsigned char *in, unsigned long inlen); |
1422 \end{verbatim} | 1713 \end{verbatim} |
1423 ``hmac'' is the HMAC state you are working with. ``buf'' is the array of octets to send into the HMAC process. ``len'' is the | 1714 ``hmac'' is the HMAC state you are working with. ``buf'' is the array of octets to send into the HMAC process. ``len'' is the |
1424 number of octets to process. Like the hash process routines you can send the data in arbitrarly sized chunks. When you | 1715 number of octets to process. Like the hash process routines you can send the data in arbitrarly sized chunks. When you |
1425 are finished with the HMAC process you must call the following function to get the HMAC code: | 1716 are finished with the HMAC process you must call the following function to get the HMAC code: |
1426 \index{hmac\_done()} | 1717 \index{hmac\_done()} |
1427 \begin{verbatim} | 1718 \begin{verbatim} |
1428 int hmac_done(hmac_state *hmac, unsigned char *hashOut, | 1719 int hmac_done(hmac_state *hmac, |
1429 unsigned long *outlen); | 1720 unsigned char *out, unsigned long *outlen); |
1430 \end{verbatim} | 1721 \end{verbatim} |
1431 ``hmac'' is the HMAC state you are working with. ``hashOut'' is the array of octets where the HMAC code should be stored. You must | 1722 ``hmac'' is the HMAC state you are working with. ``out'' is the array of octets where the HMAC code should be stored. You must |
1432 set ``outlen'' to the size of the destination buffer before calling this function. It is updated with the length of the HMAC code | 1723 set ``outlen'' to the size of the destination buffer before calling this function. It is updated with the length of the HMAC code |
1433 produced (depending on which hash was picked). If ``outlen'' is less than the size of the message digest (and ultimately | 1724 produced (depending on which hash was picked). If ``outlen'' is less than the size of the message digest (and ultimately |
1434 the HMAC code) then the HMAC code is truncated as per FIPS-198 specifications (e.g. take the first ``outlen'' bytes). | 1725 the HMAC code) then the HMAC code is truncated as per FIPS-198 specifications (e.g. take the first ``outlen'' bytes). |
1435 | 1726 |
1436 There are two utility functions provided to make using HMACs easier todo. They accept the key and information about the | 1727 There are two utility functions provided to make using HMACs easier todo. They accept the key and information about the |
1437 message (file pointer, address in memory) and produce the HMAC result in one shot. These are useful if you want to avoid | 1728 message (file pointer, address in memory) and produce the HMAC result in one shot. These are useful if you want to avoid |
1438 calling the three step process yourself. | 1729 calling the three step process yourself. |
1439 | 1730 |
1440 \index{hmac\_memory()} | 1731 \index{hmac\_memory()} |
1441 \begin{verbatim} | 1732 \begin{verbatim} |
1442 int hmac_memory(int hash, const unsigned char *key, unsigned long keylen, | 1733 int hmac_memory(int hash, |
1443 const unsigned char *data, unsigned long len, | 1734 const unsigned char *key, unsigned long keylen, |
1444 unsigned char *dst, unsigned long *dstlen); | 1735 const unsigned char *in, unsigned long inlen, |
1445 \end{verbatim} | 1736 unsigned char *out, unsigned long *outlen); |
1446 This will produce an HMAC code for the array of octets in ``data'' of length ``len''. The index into the hash descriptor | 1737 \end{verbatim} |
1738 This will produce an HMAC code for the array of octets in ``in'' of length ``inlen''. The index into the hash descriptor | |
1447 table must be provided in ``hash''. It uses the key from ``key'' with a key length of ``keylen''. | 1739 table must be provided in ``hash''. It uses the key from ``key'' with a key length of ``keylen''. |
1448 The result is stored in the array of octets ``dst'' and the length in ``dstlen''. The value of ``dstlen'' must be set | 1740 The result is stored in the array of octets ``out'' and the length in ``outlen''. The value of ``outlen'' must be set |
1449 to the size of the destination buffer before calling this function. Similarly for files there is the following function: | 1741 to the size of the destination buffer before calling this function. Similarly for files there is the following function: |
1450 \index{hmac\_file()} | 1742 \index{hmac\_file()} |
1451 \begin{verbatim} | 1743 \begin{verbatim} |
1452 int hmac_file(int hash, const char *fname, const unsigned char *key, | 1744 int hmac_file(int hash, const char *fname, |
1453 unsigned long keylen, | 1745 const unsigned char *key, unsigned long keylen, |
1454 unsigned char *dst, unsigned long *dstlen); | 1746 unsigned char *out, unsigned long *outlen); |
1455 \end{verbatim} | 1747 \end{verbatim} |
1456 ``hash'' is the index into the hash descriptor table of the hash you want to use. ``fname'' is the filename to process. | 1748 ``hash'' is the index into the hash descriptor table of the hash you want to use. ``fname'' is the filename to process. |
1457 ``key'' is the array of octets to use as the key of length ``keylen''. ``dst'' is the array of octets where the | 1749 ``key'' is the array of octets to use as the key of length ``keylen''. ``out'' is the array of octets where the |
1458 result should be stored. | 1750 result should be stored. |
1459 | 1751 |
1460 To test if the HMAC code is working there is the following function: | 1752 To test if the HMAC code is working there is the following function: |
1461 \index{hmac\_test()} | 1753 \index{hmac\_test()} |
1462 \begin{verbatim} | 1754 \begin{verbatim} |
1465 Which returns {\bf CRYPT\_OK} if the code passes otherwise it returns an error code. Some example code for using the | 1757 Which returns {\bf CRYPT\_OK} if the code passes otherwise it returns an error code. Some example code for using the |
1466 HMAC system is given below. | 1758 HMAC system is given below. |
1467 | 1759 |
1468 \begin{small} | 1760 \begin{small} |
1469 \begin{verbatim} | 1761 \begin{verbatim} |
1470 #include <mycrypt.h> | 1762 #include <tomcrypt.h> |
1471 int main(void) | 1763 int main(void) |
1472 { | 1764 { |
1473 int idx, err; | 1765 int idx, err; |
1474 hmac_state hmac; | 1766 hmac_state hmac; |
1475 unsigned char key[16], dst[MAXBLOCKSIZE]; | 1767 unsigned char key[16], dst[MAXBLOCKSIZE]; |
1529 | 1821 |
1530 To send data through the algorithm call | 1822 To send data through the algorithm call |
1531 \index{omac\_process()} | 1823 \index{omac\_process()} |
1532 \begin{verbatim} | 1824 \begin{verbatim} |
1533 int omac_process(omac_state *state, | 1825 int omac_process(omac_state *state, |
1534 const unsigned char *buf, unsigned long len); | 1826 const unsigned char *in, unsigned long inlen); |
1535 \end{verbatim} | 1827 \end{verbatim} |
1536 This will send ``len'' bytes from ``buf'' through the active OMAC state ``state''. Returns \textbf{CRYPT\_OK} if the | 1828 This will send ``inlen'' bytes from ``in'' through the active OMAC state ``state''. Returns \textbf{CRYPT\_OK} if the |
1537 function succeeds. The function is not sensitive to the granularity of the data. For example, | 1829 function succeeds. The function is not sensitive to the granularity of the data. For example, |
1538 | 1830 |
1539 \begin{verbatim} | 1831 \begin{verbatim} |
1540 omac_process(&mystate, "hello", 5); | 1832 omac_process(&mystate, "hello", 5); |
1541 omac_process(&mystate, " world", 6); | 1833 omac_process(&mystate, " world", 6); |
1565 | 1857 |
1566 \index{omac\_memory()} | 1858 \index{omac\_memory()} |
1567 \begin{verbatim} | 1859 \begin{verbatim} |
1568 int omac_memory(int cipher, | 1860 int omac_memory(int cipher, |
1569 const unsigned char *key, unsigned long keylen, | 1861 const unsigned char *key, unsigned long keylen, |
1570 const unsigned char *msg, unsigned long msglen, | 1862 const unsigned char *in, unsigned long inlen, |
1571 unsigned char *out, unsigned long *outlen); | 1863 unsigned char *out, unsigned long *outlen); |
1572 \end{verbatim} | 1864 \end{verbatim} |
1573 This will compute the OMAC of ``msglen'' bytes of ``msg'' using the key ``key'' of length ``keylen'' bytes and the cipher | 1865 This will compute the OMAC of ``inlen'' bytes of ``in'' using the key ``key'' of length ``keylen'' bytes and the cipher |
1574 specified by the ``cipher'''th entry in the cipher\_descriptor table. It will store the MAC in ``out'' with the same | 1866 specified by the ``cipher'''th entry in the cipher\_descriptor table. It will store the MAC in ``out'' with the same |
1575 rules as omac\_done. | 1867 rules as omac\_done. |
1576 | 1868 |
1577 To OMAC a file use | 1869 To OMAC a file use |
1578 \index{omac\_file()} | 1870 \index{omac\_file()} |
1579 \begin{verbatim} | 1871 \begin{verbatim} |
1580 int omac_file(int cipher, | 1872 int omac_file(int cipher, |
1581 const unsigned char *key, unsigned long keylen, | 1873 const unsigned char *key, unsigned long keylen, |
1582 const char *filename, | 1874 const char *filename, |
1583 unsigned char *out, unsigned long *outlen); | 1875 unsigned char *out, unsigned long *outlen); |
1584 \end{verbatim} | 1876 \end{verbatim} |
1585 | 1877 |
1586 Which will OMAC the entire contents of the file specified by ``filename'' using the key ``key'' of length ``keylen'' bytes | 1878 Which will OMAC the entire contents of the file specified by ``filename'' using the key ``key'' of length ``keylen'' bytes |
1587 and the cipher specified by the ``cipher'''th entry in the cipher\_descriptor table. It will store the MAC in ``out'' with | 1879 and the cipher specified by the ``cipher'''th entry in the cipher\_descriptor table. It will store the MAC in ``out'' with |
1588 the same rules as omac\_done. | 1880 the same rules as omac\_done. |
1595 Which returns {\bf CRYPT\_OK} if the code passes otherwise it returns an error code. Some example code for using the | 1887 Which returns {\bf CRYPT\_OK} if the code passes otherwise it returns an error code. Some example code for using the |
1596 OMAC system is given below. | 1888 OMAC system is given below. |
1597 | 1889 |
1598 \begin{small} | 1890 \begin{small} |
1599 \begin{verbatim} | 1891 \begin{verbatim} |
1600 #include <mycrypt.h> | 1892 #include <tomcrypt.h> |
1601 int main(void) | 1893 int main(void) |
1602 { | 1894 { |
1603 int idx, err; | 1895 int idx, err; |
1604 omac_state omac; | 1896 omac_state omac; |
1605 unsigned char key[16], dst[MAXBLOCKSIZE]; | 1897 unsigned char key[16], dst[MAXBLOCKSIZE]; |
1660 To MAC data simply send it through the process function. | 1952 To MAC data simply send it through the process function. |
1661 | 1953 |
1662 \index{pmac\_process()} | 1954 \index{pmac\_process()} |
1663 \begin{verbatim} | 1955 \begin{verbatim} |
1664 int pmac_process(pmac_state *state, | 1956 int pmac_process(pmac_state *state, |
1665 const unsigned char *buf, unsigned long len); | 1957 const unsigned char *in, unsigned long inlen); |
1666 \end{verbatim} | 1958 \end{verbatim} |
1667 This will process ``len'' bytes of ``buf'' in the given ``state''. The function is not sensitive to the granularity of the | 1959 This will process ``inlen'' bytes of ``in'' in the given ``state''. The function is not sensitive to the granularity of the |
1668 data. For example, | 1960 data. For example, |
1669 | 1961 |
1670 \begin{verbatim} | 1962 \begin{verbatim} |
1671 pmac_process(&mystate, "hello", 5); | 1963 pmac_process(&mystate, "hello", 5); |
1672 pmac_process(&mystate, " world", 6); | 1964 pmac_process(&mystate, " world", 6); |
1692 following function. | 1984 following function. |
1693 | 1985 |
1694 \index{pmac\_memory()} | 1986 \index{pmac\_memory()} |
1695 \begin{verbatim} | 1987 \begin{verbatim} |
1696 int pmac_memory(int cipher, | 1988 int pmac_memory(int cipher, |
1697 const unsigned char *key, unsigned long keylen, | 1989 const unsigned char *key, unsigned long keylen, |
1698 const unsigned char *msg, unsigned long msglen, | 1990 const unsigned char *in, unsigned long inlen, |
1699 unsigned char *out, unsigned long *outlen); | 1991 unsigned char *out, unsigned long *outlen); |
1700 \end{verbatim} | 1992 \end{verbatim} |
1701 This will compute the PMAC of ``msglen'' bytes of ``msg'' using the key ``key'' of length ``keylen'' bytes and the cipher | 1993 This will compute the PMAC of ``msglen'' bytes of ``msg'' using the key ``key'' of length ``keylen'' bytes and the cipher |
1702 specified by the ``cipher'''th entry in the cipher\_descriptor table. It will store the MAC in ``out'' with the same | 1994 specified by the ``cipher'''th entry in the cipher\_descriptor table. It will store the MAC in ``out'' with the same |
1703 rules as omac\_done. | 1995 rules as omac\_done. |
1704 | 1996 |
1714 Which will PMAC the entire contents of the file specified by ``filename'' using the key ``key'' of length ``keylen'' bytes | 2006 Which will PMAC the entire contents of the file specified by ``filename'' using the key ``key'' of length ``keylen'' bytes |
1715 and the cipher specified by the ``cipher'''th entry in the cipher\_descriptor table. It will store the MAC in ``out'' with | 2007 and the cipher specified by the ``cipher'''th entry in the cipher\_descriptor table. It will store the MAC in ``out'' with |
1716 the same rules as omac\_done. | 2008 the same rules as omac\_done. |
1717 | 2009 |
1718 To test if the PMAC code is working there is the following function: | 2010 To test if the PMAC code is working there is the following function: |
2011 \index{pmac\_test()} | |
1719 \begin{verbatim} | 2012 \begin{verbatim} |
1720 int pmac_test(void); | 2013 int pmac_test(void); |
1721 \end{verbatim} | 2014 \end{verbatim} |
1722 Which returns {\bf CRYPT\_OK} if the code passes otherwise it returns an error code. | 2015 Which returns {\bf CRYPT\_OK} if the code passes otherwise it returns an error code. |
1723 | 2016 |
1724 | 2017 \section{Pelican MAC} |
1725 | 2018 Pelican MAC is a new (experimental) MAC by the AES team that uses four rounds of AES as a ``mixing function''. It achieves a very high |
2019 rate of processing and is potentially very secure. It requires AES to be enabled to function. You do not have to register\_cipher() AES first though | |
2020 as it calls AES directly. | |
2021 | |
2022 \index{pelican\_init()} | |
2023 \begin{verbatim} | |
2024 int pelican_init(pelican_state *pelmac, const unsigned char *key, unsigned long keylen); | |
2025 \end{verbatim} | |
2026 This will initialize the Pelican state with the given AES key. Once this has been done you can begin processing data. | |
2027 | |
2028 \index{pelican\_process()} | |
2029 \begin{verbatim} | |
2030 int pelican_process(pelican_state *pelmac, const unsigned char *in, unsigned long inlen); | |
2031 \end{verbatim} | |
2032 This will process ``inlen'' bytes of ``in'' through the Pelican MAC. It's best that you pass in multiples of 16 bytes as it makes the | |
2033 routine more efficient but you may pass in any length of text. You can call this function as many times as required to process | |
2034 an entire message. | |
2035 | |
2036 \index{pelican\_done()} | |
2037 \begin{verbatim} | |
2038 int pelican_done(pelican_state *pelmac, unsigned char *out); | |
2039 \end{verbatim} | |
2040 This terminates a Pelican MAC and writes the 16--octet tag to ``out''. | |
2041 | |
2042 \subsection{Example} | |
2043 | |
2044 \begin{verbatim} | |
2045 #include <tomcrypt.h> | |
2046 int main(void) | |
2047 { | |
2048 pelican_state pelstate; | |
2049 unsigned char key[32], tag[16]; | |
2050 int err; | |
2051 | |
2052 /* somehow initialize a key */ | |
2053 | |
2054 /* initialize pelican mac */ | |
2055 if ((err = pelican_init(&pelstate, /* the state */ | |
2056 key, /* user key */ | |
2057 32 /* key length in octets */ | |
2058 )) != CRYPT_OK) { | |
2059 printf("Error initializing Pelican: %s", error_to_string(err)); | |
2060 return EXIT_FAILURE; | |
2061 } | |
2062 | |
2063 /* MAC some data */ | |
2064 if ((err = pelican_process(&pelstate, /* the state */ | |
2065 "hello world", /* data to mac */ | |
2066 11 /* length of data */ | |
2067 )) != CRYPT_OK) { | |
2068 printf("Error processing Pelican: %s", error_to_string(err)); | |
2069 return EXIT_FAILURE; | |
2070 } | |
2071 | |
2072 /* Terminate the MAC */ | |
2073 if ((err = pelican_done(&pelstate, /* the state */ | |
2074 tag /* where to store the tag */ | |
2075 )) != CRYPT_OK) { | |
2076 printf("Error terminating Pelican: %s", error_to_string(err)); | |
2077 return EXIT_FAILURE; | |
2078 } | |
2079 | |
2080 /* tag[0..15] has the MAC output now */ | |
2081 | |
2082 return EXIT_SUCCESS; | |
2083 } | |
2084 \end{verbatim} | |
1726 | 2085 |
1727 | 2086 |
1728 \chapter{Pseudo-Random Number Generators} | 2087 \chapter{Pseudo-Random Number Generators} |
1729 \section{Core Functions} | 2088 \section{Core Functions} |
1730 The library provides an array of core functions for Pseudo-Random Number Generators (PRNGs) as well. A cryptographic PRNG is | 2089 The library provides an array of core functions for Pseudo-Random Number Generators (PRNGs) as well. A cryptographic PRNG is |
1733 \index{PRNG start} | 2092 \index{PRNG start} |
1734 \begin{verbatim} | 2093 \begin{verbatim} |
1735 int XXX_start(prng_state *prng); | 2094 int XXX_start(prng_state *prng); |
1736 \end{verbatim} | 2095 \end{verbatim} |
1737 | 2096 |
1738 This will setup the PRNG for future use and not seed it. In order | 2097 This will setup the PRNG for future use and not seed it. In order for the PRNG to be cryptographically useful you must give it |
1739 for the PRNG to be cryptographically useful you must give it entropy. Ideally you'd have some OS level source to tap | 2098 entropy. Ideally you'd have some OS level source to tap like in UNIX. To add entropy to the PRNG call: |
1740 like in UNIX (see section 5.3). To add entropy to the PRNG call: | |
1741 \index{PRNG add\_entropy} | 2099 \index{PRNG add\_entropy} |
1742 \begin{verbatim} | 2100 \begin{verbatim} |
1743 int XXX_add_entropy(const unsigned char *in, unsigned long len, | 2101 int XXX_add_entropy(const unsigned char *in, unsigned long inlen, |
1744 prng_state *prng); | 2102 prng_state *prng); |
1745 \end{verbatim} | 2103 \end{verbatim} |
1746 | 2104 |
1747 Which returns {\bf CRYPTO\_OK} if the entropy was accepted. Once you think you have enough entropy you call another | 2105 Which returns {\bf CRYPTO\_OK} if the entropy was accepted. Once you think you have enough entropy you call another |
1748 function to put the entropy into action. | 2106 function to put the entropy into action. |
1752 \end{verbatim} | 2110 \end{verbatim} |
1753 | 2111 |
1754 Which returns {\bf CRYPTO\_OK} if it is ready. Finally to actually read bytes call: | 2112 Which returns {\bf CRYPTO\_OK} if it is ready. Finally to actually read bytes call: |
1755 \index{PRNG read} | 2113 \index{PRNG read} |
1756 \begin{verbatim} | 2114 \begin{verbatim} |
1757 unsigned long XXX_read(unsigned char *out, unsigned long len, | 2115 unsigned long XXX_read(unsigned char *out, unsigned long outlen, |
1758 prng_state *prng); | 2116 prng_state *prng); |
1759 \end{verbatim} | 2117 \end{verbatim} |
1760 | 2118 |
1761 Which returns the number of bytes read from the PRNG. When you are finished with a PRNG state you call | 2119 Which returns the number of bytes read from the PRNG. When you are finished with a PRNG state you call |
1762 the following. | 2120 the following. |
1829 | 2187 |
1830 Below is a simple snippet to read 10 bytes from yarrow. Its important to note that this snippet is | 2188 Below is a simple snippet to read 10 bytes from yarrow. Its important to note that this snippet is |
1831 {\bf NOT} secure since the entropy added is not random. | 2189 {\bf NOT} secure since the entropy added is not random. |
1832 | 2190 |
1833 \begin{verbatim} | 2191 \begin{verbatim} |
1834 #include <mycrypt.h> | 2192 #include <tomcrypt.h> |
1835 int main(void) | 2193 int main(void) |
1836 { | 2194 { |
1837 prng_state prng; | 2195 prng_state prng; |
1838 unsigned char buf[10]; | 2196 unsigned char buf[10]; |
1839 int err; | 2197 int err; |
1959 simulations which need a high quality (and fast) stream of bytes. | 2317 simulations which need a high quality (and fast) stream of bytes. |
1960 | 2318 |
1961 \subsubsection{Example Usage} | 2319 \subsubsection{Example Usage} |
1962 \begin{small} | 2320 \begin{small} |
1963 \begin{verbatim} | 2321 \begin{verbatim} |
1964 #include <mycrypt.h> | 2322 #include <tomcrypt.h> |
1965 int main(void) | 2323 int main(void) |
1966 { | 2324 { |
1967 prng_state prng; | 2325 prng_state prng; |
1968 unsigned char buf[32]; | 2326 unsigned char buf[32]; |
1969 int err; | 2327 int err; |
2027 the callback in ``rng\_get\_bytes()''. It is highly recommended that you use this function to setup your PRNGs unless you have a | 2385 the callback in ``rng\_get\_bytes()''. It is highly recommended that you use this function to setup your PRNGs unless you have a |
2028 platform where the RNG doesn't work well. Example usage of this function is given below. | 2386 platform where the RNG doesn't work well. Example usage of this function is given below. |
2029 | 2387 |
2030 \begin{small} | 2388 \begin{small} |
2031 \begin{verbatim} | 2389 \begin{verbatim} |
2032 #include <mycrypt.h> | 2390 #include <tomcrypt.h> |
2033 int main(void) | 2391 int main(void) |
2034 { | 2392 { |
2035 ecc_key mykey; | 2393 ecc_key mykey; |
2036 prng_state prng; | 2394 prng_state prng; |
2037 int err; | 2395 int err; |
2064 requires to be started, that is you need not call the start, add\_entropy or ready functions. For example, consider | 2422 requires to be started, that is you need not call the start, add\_entropy or ready functions. For example, consider |
2065 the previous example using this PRNG. | 2423 the previous example using this PRNG. |
2066 | 2424 |
2067 \begin{small} | 2425 \begin{small} |
2068 \begin{verbatim} | 2426 \begin{verbatim} |
2069 #include <mycrypt.h> | 2427 #include <tomcrypt.h> |
2070 int main(void) | 2428 int main(void) |
2071 { | 2429 { |
2072 ecc_key mykey; | 2430 ecc_key mykey; |
2073 int err; | 2431 int err; |
2074 | 2432 |
2085 } | 2443 } |
2086 return 0; | 2444 return 0; |
2087 } | 2445 } |
2088 \end{verbatim} | 2446 \end{verbatim} |
2089 \end{small} | 2447 \end{small} |
2448 | |
2449 | |
2090 | 2450 |
2091 \chapter{RSA Public Key Cryptography} | 2451 \chapter{RSA Public Key Cryptography} |
2092 | 2452 |
2093 \section{Introduction} | 2453 \section{Introduction} |
2094 RSA wrote the PKCS \#1 specifications which detail RSA Public Key Cryptography. In the specifications are | 2454 RSA wrote the PKCS \#1 specifications which detail RSA Public Key Cryptography. In the specifications are |
2305 | 2665 |
2306 To do raw work with the RSA function call: | 2666 To do raw work with the RSA function call: |
2307 \index{rsa\_exptmod()} | 2667 \index{rsa\_exptmod()} |
2308 \begin{verbatim} | 2668 \begin{verbatim} |
2309 int rsa_exptmod(const unsigned char *in, unsigned long inlen, | 2669 int rsa_exptmod(const unsigned char *in, unsigned long inlen, |
2310 unsigned char *out, unsigned long *outlen, int which, | 2670 unsigned char *out, unsigned long *outlen, |
2311 prng_state *prng, int prng_idx, | 2671 int which, prng_state *prng, int prng_idx, |
2312 rsa_key *key); | 2672 rsa_key *key); |
2313 \end{verbatim} | 2673 \end{verbatim} |
2314 This loads the bignum from ``in'' as a big endian word in the format PKCS specifies, raises it to either ``e'' or ``d'' and stores the result | 2674 This loads the bignum from ``in'' as a big endian word in the format PKCS specifies, raises it to either ``e'' or ``d'' and stores the result |
2315 in ``out'' and the size of the result in ``outlen''. ``which'' is set to {\bf PK\_PUBLIC} to use ``e'' | 2675 in ``out'' and the size of the result in ``outlen''. ``which'' is set to {\bf PK\_PUBLIC} to use ``e'' |
2316 (i.e. for encryption/verifying) and set to {\bf PK\_PRIVATE} to use ``d'' as the exponent (i.e. for decrypting/signing). | 2676 (i.e. for encryption/verifying) and set to {\bf PK\_PRIVATE} to use ``d'' as the exponent (i.e. for decrypting/signing). |
2322 Normally RSA is used to encrypt short symmetric keys which are then used in block ciphers to encrypt a message. | 2682 Normally RSA is used to encrypt short symmetric keys which are then used in block ciphers to encrypt a message. |
2323 To facilitate encrypting short keys the following functions have been provided. | 2683 To facilitate encrypting short keys the following functions have been provided. |
2324 | 2684 |
2325 \index{rsa\_encrypt\_key()} | 2685 \index{rsa\_encrypt\_key()} |
2326 \begin{verbatim} | 2686 \begin{verbatim} |
2327 int rsa_encrypt_key(const unsigned char *inkey, unsigned long inlen, | 2687 int rsa_encrypt_key(const unsigned char *in, unsigned long inlen, |
2328 unsigned char *outkey, unsigned long *outlen, | 2688 unsigned char *out, unsigned long *outlen, |
2329 const unsigned char *lparam, unsigned long lparamlen, | 2689 const unsigned char *lparam, unsigned long lparamlen, |
2330 prng_state *prng, int prng_idx, int hash_idx, rsa_key *key); | 2690 prng_state *prng, int prng_idx, int hash_idx, rsa_key *key); |
2331 \end{verbatim} | 2691 \end{verbatim} |
2332 This function will OAEP pad ``inkey'' of length inlen bytes then RSA encrypt it and store the ciphertext | 2692 This function will OAEP pad ``in'' of length inlen bytes then RSA encrypt it and store the ciphertext |
2333 in ``outkey'' of length ``outlen''. The ``lparam'' and ``lparamlen'' are the same parameters you would pass | 2693 in ``out'' of length ``outlen''. The ``lparam'' and ``lparamlen'' are the same parameters you would pass |
2334 to pkcs\_1\_oaep\_encode(). | 2694 to pkcs\_1\_oaep\_encode(). |
2335 | 2695 |
2336 \index{rsa\_decrypt\_key()} | 2696 \index{rsa\_decrypt\_key()} |
2337 \begin{verbatim} | 2697 \begin{verbatim} |
2338 int rsa_decrypt_key(const unsigned char *in, unsigned long inlen, | 2698 int rsa_decrypt_key(const unsigned char *in, unsigned long inlen, |
2339 unsigned char *outkey, unsigned long *keylen, | 2699 unsigned char *out, unsigned long *outlen, |
2340 const unsigned char *lparam, unsigned long lparamlen, | 2700 const unsigned char *lparam, unsigned long lparamlen, |
2341 prng_state *prng, int prng_idx, | 2701 prng_state *prng, int prng_idx, |
2342 int hash_idx, int *res, | 2702 int hash_idx, int *res, |
2343 rsa_key *key); | 2703 rsa_key *key); |
2344 \end{verbatim} | 2704 \end{verbatim} |
2345 This function will RSA decrypt ``in'' of length ``inlen'' then OAEP depad the resulting data and store it in | 2705 This function will RSA decrypt ``in'' of length ``inlen'' then OAEP depad the resulting data and store it in |
2346 ``outkey'' of length ``outlen''. The ``lparam'' and ``lparamlen'' are the same parameters you would pass | 2706 ``out'' of length ``outlen''. The ``lparam'' and ``lparamlen'' are the same parameters you would pass |
2347 to pkcs\_1\_oaep\_decode(). | 2707 to pkcs\_1\_oaep\_decode(). |
2348 | 2708 |
2349 If the RSA decrypted data isn't a valid OAEP packet then ``res'' is set to $0$. Otherwise, it is set to $1$. | 2709 If the RSA decrypted data isn't a valid OAEP packet then ``res'' is set to $0$. Otherwise, it is set to $1$. |
2350 | 2710 |
2351 \subsection{RSA Hash Signatures} | 2711 \subsection{RSA Hash Signatures} |
2352 Similar to RSA key encryption RSA is also used to ``digitally sign'' message digests (hashes). To facilitate this | 2712 Similar to RSA key encryption RSA is also used to ``digitally sign'' message digests (hashes). To facilitate this |
2353 process the following functions have been provided. | 2713 process the following functions have been provided. |
2354 | 2714 |
2355 \index{rsa\_sign\_hash()} | 2715 \index{rsa\_sign\_hash()} |
2356 \begin{verbatim} | 2716 \begin{verbatim} |
2357 int rsa_sign_hash(const unsigned char *msghash, unsigned long msghashlen, | 2717 int rsa_sign_hash(const unsigned char *in, unsigned long inlen, |
2358 unsigned char *sig, unsigned long *siglen, | 2718 unsigned char *out, unsigned long *outlen, |
2359 prng_state *prng, int prng_idx, | 2719 prng_state *prng, int prng_idx, |
2360 int hash_idx, unsigned long saltlen, | 2720 int hash_idx, unsigned long saltlen, |
2361 rsa_key *key); | 2721 rsa_key *key); |
2362 \end{verbatim} | 2722 \end{verbatim} |
2363 | 2723 |
2364 This will PSS encode the message hash ``msghash'' of length ``msghashlen''. Next the PSS encoded message is | 2724 This will PSS encode the message hash ``in'' of length ``inlen''. Next the PSS encoded message will be RSA ``signed'' and |
2365 RSA ``signed'' and the output is stored in ``sig'' of length ``siglen''. | 2725 the output is stored in ``out'' of length ``outlen''. |
2366 | 2726 |
2367 | 2727 |
2368 \index{rsa\_verify\_hash()} | 2728 \index{rsa\_verify\_hash()} |
2369 \begin{verbatim} | 2729 \begin{verbatim} |
2370 int rsa_verify_hash(const unsigned char *sig, unsigned long siglen, | 2730 int rsa_verify_hash(const unsigned char *sig, unsigned long siglen, |
2380 If the RSA decoded data is not a valid PSS message or if the PSS decoded hash does not match the ``msghash'' | 2740 If the RSA decoded data is not a valid PSS message or if the PSS decoded hash does not match the ``msghash'' |
2381 the value ``res'' is set to $0$. Otherwise, if the function succeeds and signature is valid ``res'' is set | 2741 the value ``res'' is set to $0$. Otherwise, if the function succeeds and signature is valid ``res'' is set |
2382 to $1$. | 2742 to $1$. |
2383 | 2743 |
2384 \begin{verbatim} | 2744 \begin{verbatim} |
2385 #include <mycrypt.h> | 2745 #include <tomcrypt.h> |
2386 int main(void) | 2746 int main(void) |
2387 { | 2747 { |
2388 int err, hash_idx, prng_idx, res; | 2748 int err, hash_idx, prng_idx, res; |
2389 unsigned long l1, l2; | 2749 unsigned long l1, l2; |
2390 unsigned char pt[16], pt2[16], out[1024]; | 2750 unsigned char pt[16], pt2[16], out[1024]; |
2644 \section{DH Packet} | 3004 \section{DH Packet} |
2645 Similar to the RSA related functions there are functions to encrypt or decrypt symmetric keys using the DH public key | 3005 Similar to the RSA related functions there are functions to encrypt or decrypt symmetric keys using the DH public key |
2646 algorithms. | 3006 algorithms. |
2647 \index{dh\_encrypt\_key()} \index{dh\_decrypt\_key()} | 3007 \index{dh\_encrypt\_key()} \index{dh\_decrypt\_key()} |
2648 \begin{verbatim} | 3008 \begin{verbatim} |
2649 int dh_encrypt_key(const unsigned char *inkey, unsigned long keylen, | 3009 int dh_encrypt_key(const unsigned char *in, unsigned long inlen, |
2650 unsigned char *out, unsigned long *len, | 3010 unsigned char *out, unsigned long *len, |
2651 prng_state *prng, int wprng, int hash, | 3011 prng_state *prng, int wprng, int hash, |
2652 dh_key *key); | 3012 dh_key *key); |
2653 | 3013 |
2654 int dh_decrypt_key(const unsigned char *in, unsigned long inlen, | 3014 int dh_decrypt_key(const unsigned char *in, unsigned long inlen, |
2655 unsigned char *outkey, unsigned long *keylen, | 3015 unsigned char *out, unsigned long *outlen, |
2656 dh_key *key); | 3016 dh_key *key); |
2657 \end{verbatim} | 3017 \end{verbatim} |
2658 Where ``inkey'' is an input symmetric key of no more than 32 bytes. Essentially these routines created a random public key | 3018 Where ``in'' is an input symmetric key of no more than 32 bytes. Essentially these routines created a random public key |
2659 and find the hash of the shared secret. The message digest is than XOR'ed against the symmetric key. All of the | 3019 and find the hash of the shared secret. The message digest is than XOR'ed against the symmetric key. All of the |
2660 required data is placed in ``out'' by ``dh\_encrypt\_key()''. The hash must produce a message digest at least as large | 3020 required data is placed in ``out'' by ``dh\_encrypt\_key()''. The hash must produce a message digest at least as large |
2661 as the symmetric key you are trying to share. | 3021 as the symmetric key you are trying to share. |
2662 | 3022 |
2663 Similar to the RSA system you can sign and verify a hash of a message. | 3023 Similar to the RSA system you can sign and verify a hash of a message. |
2757 Similar to the RSA API there are two functions which encrypt and decrypt symmetric keys using the ECC public key | 3117 Similar to the RSA API there are two functions which encrypt and decrypt symmetric keys using the ECC public key |
2758 algorithms. | 3118 algorithms. |
2759 | 3119 |
2760 \index{ecc\_encrypt\_key()} \index{ecc\_decrypt\_key()} | 3120 \index{ecc\_encrypt\_key()} \index{ecc\_decrypt\_key()} |
2761 \begin{verbatim} | 3121 \begin{verbatim} |
2762 int ecc_encrypt_key(const unsigned char *inkey, unsigned long keylen, | 3122 int ecc_encrypt_key(const unsigned char *in, unsigned long inlen, |
2763 unsigned char *out, unsigned long *len, | 3123 unsigned char *out, unsigned long *outlen, |
2764 prng_state *prng, int wprng, int hash, | 3124 prng_state *prng, int wprng, int hash, |
2765 ecc_key *key); | 3125 ecc_key *key); |
2766 | 3126 |
2767 int ecc_decrypt_key(const unsigned char *in, unsigned long inlen, | 3127 int ecc_decrypt_key(const unsigned char *in, unsigned long inlen, |
2768 unsigned char *outkey, unsigned long *keylen, | 3128 unsigned char *out, unsigned long *outlen, |
2769 ecc_key *key); | 3129 ecc_key *key); |
2770 \end{verbatim} | 3130 \end{verbatim} |
2771 | 3131 |
2772 Where ``inkey'' is an input symmetric key of no more than 32 bytes. Essentially these routines created a random public key | 3132 Where ``in'' is an input symmetric key of no more than 32 bytes. Essentially these routines created a random public key |
2773 and find the hash of the shared secret. The message digest is than XOR'ed against the symmetric key. All of the required | 3133 and find the hash of the shared secret. The message digest is than XOR'ed against the symmetric key. All of the required |
2774 data is placed in ``out'' by ``ecc\_encrypt\_key()''. The hash chosen must produce a message digest at least as large | 3134 data is placed in ``out'' by ``ecc\_encrypt\_key()''. The hash chosen must produce a message digest at least as large |
2775 as the symmetric key you are trying to share. | 3135 as the symmetric key you are trying to share. |
2776 | 3136 |
2777 There are also functions to sign and verify the hash of a message. | 3137 There are also functions to sign and verify the hash of a message. |
2973 | 3333 |
2974 These will handle multiple encodings/decodings at once. They work like their single operand counterparts | 3334 These will handle multiple encodings/decodings at once. They work like their single operand counterparts |
2975 except they handle a \textbf{NULL} terminated list of operands. | 3335 except they handle a \textbf{NULL} terminated list of operands. |
2976 | 3336 |
2977 \begin{verbatim} | 3337 \begin{verbatim} |
2978 #include <mycrypt.h> | 3338 #include <tomcrypt.h> |
2979 int main(void) | 3339 int main(void) |
2980 { | 3340 { |
2981 mp_int a, b, c, d; | 3341 mp_int a, b, c, d; |
2982 unsigned char buffer[1000]; | 3342 unsigned char buffer[1000]; |
2983 unsigned long len; | 3343 unsigned long len; |
3045 on the password. The ``hash\_idx'' is the index of the hash you wish to use in the descriptor table. The output of length upto | 3405 on the password. The ``hash\_idx'' is the index of the hash you wish to use in the descriptor table. The output of length upto |
3046 ``outlen'' is stored in ``out''. | 3406 ``outlen'' is stored in ``out''. |
3047 | 3407 |
3048 \begin{alltt} | 3408 \begin{alltt} |
3049 /* demo to show how to make session state material from a password */ | 3409 /* demo to show how to make session state material from a password */ |
3050 #include <mycrypt.h> | 3410 #include <tomcrypt.h> |
3051 int main(void) | 3411 int main(void) |
3052 \{ | 3412 \{ |
3053 unsigned char password[100], salt[100], | 3413 unsigned char password[100], salt[100], |
3054 cipher_key[16], cipher_iv[16], | 3414 cipher_key[16], cipher_iv[16], |
3055 mac_key[16], outbuf[48]; | 3415 mac_key[16], outbuf[48]; |
3113 for all uses and is distributed freely. | 3473 for all uses and is distributed freely. |
3114 | 3474 |
3115 At the heart of all the functions is the data type ``mp\_int'' (defined in tommath.h). This data type is what | 3475 At the heart of all the functions is the data type ``mp\_int'' (defined in tommath.h). This data type is what |
3116 will hold all large integers. In order to use an mp\_int one must initialize it first, for example: | 3476 will hold all large integers. In order to use an mp\_int one must initialize it first, for example: |
3117 \begin{verbatim} | 3477 \begin{verbatim} |
3118 #include <mycrypt.h> /* mycrypt.h includes mpi.h automatically */ | 3478 #include <tomcrypt.h> /* tomcrypt.h includes mpi.h automatically */ |
3119 int main(void) | 3479 int main(void) |
3120 { | 3480 { |
3121 mp_int bignum; | 3481 mp_int bignum; |
3122 | 3482 |
3123 /* initialize it */ | 3483 /* initialize it */ |
3325 \end{alltt} | 3685 \end{alltt} |
3326 | 3686 |
3327 Which will build the library and install it in /usr/lib (as well as the headers in /usr/include). The destination | 3687 Which will build the library and install it in /usr/lib (as well as the headers in /usr/include). The destination |
3328 directory of the library and headers can be changed by editing ``makefile''. The variable LIBNAME controls | 3688 directory of the library and headers can be changed by editing ``makefile''. The variable LIBNAME controls |
3329 where the library is to be installed and INCNAME controls where the headers are to be installed. A developer can | 3689 where the library is to be installed and INCNAME controls where the headers are to be installed. A developer can |
3330 then use the library by including ``mycrypt.h'' in their program and linking against ``libtomcrypt.a''. | 3690 then use the library by including ``tomcrypt.h'' in their program and linking against ``libtomcrypt.a''. |
3331 | 3691 |
3332 A static library can also be built with the Intel C Compiler (ICC) by issuing the following | 3692 A static library can also be built with the Intel C Compiler (ICC) by issuing the following |
3333 | 3693 |
3334 \begin{alltt} | 3694 \begin{alltt} |
3335 make -f makefile.icc install | 3695 make -f makefile.icc install |
3366 \end{alltt} | 3726 \end{alltt} |
3367 This will use libtool and gcc to build a shared library ``libtomcrypt.la'' as well as a static library ``libtomcrypt.a'' | 3727 This will use libtool and gcc to build a shared library ``libtomcrypt.la'' as well as a static library ``libtomcrypt.a'' |
3368 and install them into /usr/lib (and the headers into /usr/include). To link your application you should use the | 3728 and install them into /usr/lib (and the headers into /usr/include). To link your application you should use the |
3369 libtool program in ``--mode=link''. | 3729 libtool program in ``--mode=link''. |
3370 | 3730 |
3371 You can also build LibTomCrypt as a shared library (DLL) in Windows with Cygwin. Issue the following | 3731 \section{tomcrypt\_cfg.h} |
3372 | 3732 The file ``tomcrypt\_cfg.h'' is what lets you control various high level macros which control the behaviour |
3373 \begin{alltt} | |
3374 make -f makefile.cygwin_dll | |
3375 \end{alltt} | |
3376 This will build ``libtomcrypt.dll.a'' which is an import library for ``libtomcrypt.dll''. You must copy | |
3377 ``libtomcrypt.dll.a'' to your library directory, ``libtomcrypt.dll' to somewhere in your PATH and the header | |
3378 files to your include directory. So long as ``libtomcrypt.dll'' is in your system path you can run any LibTomCrypt | |
3379 program that uses it. | |
3380 | |
3381 \section{mycrypt\_cfg.h} | |
3382 The file ``mycrypt\_cfg.h'' is what lets you control various high level macros which control the behaviour | |
3383 of the library. | 3733 of the library. |
3384 | 3734 |
3385 \subsubsection{ARGTYPE} | 3735 \subsubsection{ARGTYPE} |
3386 This lets you control how the \_ARGCHK macro will behave. The macro is used to check pointers inside the functions against | 3736 This lets you control how the \_ARGCHK macro will behave. The macro is used to check pointers inside the functions against |
3387 NULL. There are three settings for ARGTYPE. When set to 0 it will have the default behaviour of printing a message to | 3737 NULL. There are three settings for ARGTYPE. When set to 0 it will have the default behaviour of printing a message to |
3396 which will work on all platforms. | 3746 which will work on all platforms. |
3397 | 3747 |
3398 Currently LibTomCrypt will detect x86-32 and x86-64 running GCC as well as x86-32 running MSVC. | 3748 Currently LibTomCrypt will detect x86-32 and x86-64 running GCC as well as x86-32 running MSVC. |
3399 | 3749 |
3400 \section{The Configure Script} | 3750 \section{The Configure Script} |
3401 There are also options you can specify from the configure script or ``mycrypt\_custom.h''. | 3751 There are also options you can specify from the configure script or ``tomcrypt\_custom.h''. |
3402 | 3752 |
3403 \subsubsection{X memory routines} | 3753 \subsection{X memory routines} |
3404 At the top of mycrypt\_custom.h are four macros denoted as XMALLOC, XCALLOC, XREALLOC and XFREE which resolve to | 3754 At the top of tomcrypt\_custom.h are four macros denoted as XMALLOC, XCALLOC, XREALLOC and XFREE which resolve to |
3405 the name of the respective functions. This lets you substitute in your own memory routines. If you substitute in | 3755 the name of the respective functions. This lets you substitute in your own memory routines. If you substitute in |
3406 your own functions they must behave like the standard C library functions in terms of what they expect as input and | 3756 your own functions they must behave like the standard C library functions in terms of what they expect as input and |
3407 output. By default the library uses the standard C routines. | 3757 output. By default the library uses the standard C routines. |
3408 | 3758 |
3409 \subsubsection{X clock routines} | 3759 \subsection{X clock routines} |
3410 The rng\_get\_bytes() function can call a function that requires the clock() function. These macros let you override | 3760 The rng\_get\_bytes() function can call a function that requires the clock() function. These macros let you override |
3411 the default clock() used with a replacement. By default the standard C library clock() function is used. | 3761 the default clock() used with a replacement. By default the standard C library clock() function is used. |
3412 | 3762 |
3413 \subsubsection{NO\_FILE} | 3763 \subsection{NO\_FILE} |
3414 During the build if NO\_FILE is defined then any function in the library that uses file I/O will not call the file I/O | 3764 During the build if NO\_FILE is defined then any function in the library that uses file I/O will not call the file I/O |
3415 functions and instead simply return CRYPT\_NOP. This should help resolve any linker errors stemming from a lack of | 3765 functions and instead simply return CRYPT\_NOP. This should help resolve any linker errors stemming from a lack of |
3416 file I/O on embedded platforms. | 3766 file I/O on embedded platforms. |
3417 | 3767 |
3418 \subsubsection{CLEAN\_STACK} | 3768 \subsection{CLEAN\_STACK} |
3419 When this functions is defined the functions that store key material on the stack will clean up afterwards. | 3769 When this functions is defined the functions that store key material on the stack will clean up afterwards. |
3420 Assumes that you have no memory paging with the stack. | 3770 Assumes that you have no memory paging with the stack. |
3421 | 3771 |
3422 \subsubsection{LTC\_TEST} | 3772 \subsection{LTC\_TEST} |
3423 When this has been defined the various self--test functions (for ciphers, hashes, prngs, etc) are included in the build. | 3773 When this has been defined the various self--test functions (for ciphers, hashes, prngs, etc) are included in the build. |
3424 When this has been undefined the tests are removed and if called will return CRYPT\_NOP. | 3774 When this has been undefined the tests are removed and if called will return CRYPT\_NOP. |
3425 | 3775 |
3426 \subsubsection{Symmetric Ciphers, One-way Hashes, PRNGS and Public Key Functions} | 3776 \subsection{Symmetric Ciphers, One-way Hashes, PRNGS and Public Key Functions} |
3427 There are a plethora of macros for the ciphers, hashes, PRNGs and public key functions which are fairly | 3777 There are a plethora of macros for the ciphers, hashes, PRNGs and public key functions which are fairly |
3428 self-explanatory. When they are defined the functionality is included otherwise it is not. There are some | 3778 self-explanatory. When they are defined the functionality is included otherwise it is not. There are some |
3429 dependency issues which are noted in the file. For instance, Yarrow requires CTR chaining mode, a block | 3779 dependency issues which are noted in the file. For instance, Yarrow requires CTR chaining mode, a block |
3430 cipher and a hash function. | 3780 cipher and a hash function. |
3431 | 3781 |
3432 \subsubsection{TWOFISH\_SMALL and TWOFISH\_TABLES} | 3782 \subsection{TWOFISH\_SMALL and TWOFISH\_TABLES} |
3433 Twofish is a 128-bit symmetric block cipher that is provided within the library. The cipher itself is flexible enough | 3783 Twofish is a 128-bit symmetric block cipher that is provided within the library. The cipher itself is flexible enough |
3434 to allow some tradeoffs in the implementation. When TWOFISH\_SMALL is defined the scheduled symmetric key for Twofish | 3784 to allow some tradeoffs in the implementation. When TWOFISH\_SMALL is defined the scheduled symmetric key for Twofish |
3435 requires only 200 bytes of memory. This is achieved by not pre-computing the substitution boxes. Having this | 3785 requires only 200 bytes of memory. This is achieved by not pre-computing the substitution boxes. Having this |
3436 defined will also greatly slow down the cipher. When this macro is not defined Twofish will pre-compute the | 3786 defined will also greatly slow down the cipher. When this macro is not defined Twofish will pre-compute the |
3437 tables at a cost of 4KB of memory. The cipher will be much faster as a result. | 3787 tables at a cost of 4KB of memory. The cipher will be much faster as a result. |
3439 When TWOFISH\_TABLES is defined the cipher will use pre-computed (and fixed in code) tables required to work. This is | 3789 When TWOFISH\_TABLES is defined the cipher will use pre-computed (and fixed in code) tables required to work. This is |
3440 useful when TWOFISH\_SMALL is defined as the table values are computed on the fly. When this is defined the code size | 3790 useful when TWOFISH\_SMALL is defined as the table values are computed on the fly. When this is defined the code size |
3441 will increase by approximately 500 bytes. If this is defined but TWOFISH\_SMALL is not the cipher will still work but | 3791 will increase by approximately 500 bytes. If this is defined but TWOFISH\_SMALL is not the cipher will still work but |
3442 it will not speed up the encryption or decryption functions. | 3792 it will not speed up the encryption or decryption functions. |
3443 | 3793 |
3444 \subsubsection{SMALL\_CODE} | 3794 \subsection{GCM\_TABLES} |
3795 When defined GCM will use a 64KB table (per GCM state) which will greatly lower up the per--packet latency. | |
3796 It also increases the initialization time. | |
3797 | |
3798 \subsection{SMALL\_CODE} | |
3445 When this is defined some of the code such as the Rijndael and SAFER+ ciphers are replaced with smaller code variants. | 3799 When this is defined some of the code such as the Rijndael and SAFER+ ciphers are replaced with smaller code variants. |
3446 These variants are slower but can save quite a bit of code space. | 3800 These variants are slower but can save quite a bit of code space. |
3801 | |
3802 \subsection{LTC\_FAST} | |
3803 This mode (autodetected with x86\_32,x86\_64 platforms with GCC or MSVC) configures various routines such as ctr\_encrypt() or | |
3804 cbc\_encrypt() that it can safely XOR multiple octets in one step by using a larger data type. This has the benefit of | |
3805 cutting down the overhead of the respective functions. | |
3806 | |
3807 This mode does have one downside. It can cause unaligned reads from memory if you are not careful with the functions. This is why | |
3808 it has been enabled by default only for the x86 class of processors where unaligned accesses are allowed. Technically LTC\_FAST | |
3809 is not ``portable'' since unaligned accesses are not covered by the ISO C specifications. | |
3810 | |
3811 In practice however, you can use it on pretty much any platform (even MIPS) with care. | |
3812 | |
3813 By design the ``fast'' mode functions won't get unaligned on their own. For instance, if you call ctr\_encrypt() right after calling | |
3814 ctr\_start() and all the inputs you gave are aligned than ctr\_encrypt() will perform aligned memory operations only. However, if you | |
3815 call ctr\_encrypt() with an odd amount of plaintext then call it again the CTR pad (the IV) will be partially used. This will | |
3816 cause the ctr routine to first use up the remaining pad bytes. Then if there are enough plaintext bytes left it will use | |
3817 whole word XOR operations. These operations will be unaligned. | |
3818 | |
3819 The simplest precaution is to make sure you process all data in power of two blocks and handle ``remainder'' at the end. e.g. If you are | |
3820 CTR'ing a long stream process it in blocks of (say) four kilobytes and handle any remaining incomplete blocks at the end of the stream. | |
3821 | |
3822 If you do plan on using the ``LTC\_FAST'' mode you have to also define a ``LTC\_FAST\_TYPE'' macro which resolves to an optimal sized | |
3823 data type you can perform integer operations with. Ideally it should be four or eight bytes since it must properly divide the size | |
3824 of your block cipher (e.g. 16 bytes for AES). This means sadly if you're on a platform with 57--bit words (or something) you can't | |
3825 use this mode. So sad. | |
3447 | 3826 |
3448 \section{MPI Tweaks} | 3827 \section{MPI Tweaks} |
3449 \subsection{RSA Only Tweak} | 3828 \subsection{RSA Only Tweak} |
3450 If you plan on only using RSA with moduli in the range of 1024 to 2560 bits you can enable a series of tweaks | 3829 If you plan on only using RSA with moduli in the range of 1024 to 2560 bits you can enable a series of tweaks |
3451 to reduce the library size. Follow these steps | 3830 to reduce the library size. Follow these steps |
3452 | 3831 |
3453 \begin{enumerate} | 3832 \begin{enumerate} |
3454 \item Undefine MDSA, MECC and MDH from mycrypt\_custom.h | 3833 \item Undefine MDSA, MECC and MDH from tomcrypt\_custom.h |
3455 \item Undefine LTM\_ALL from tommath\_superclass.h | 3834 \item Undefine LTM\_ALL from tommath\_superclass.h |
3456 \item Define SC\_RSA\_1 from tommath\_superclass.h | 3835 \item Define SC\_RSA\_1 from tommath\_superclass.h |
3457 \item Rebuild the library. | 3836 \item Rebuild the library. |
3458 \end{enumerate} | 3837 \end{enumerate} |
3459 | 3838 |
3460 | 3839 \chapter{Optimizations} |
3840 \section{Introduction} | |
3841 The entire API was designed with plug and play in mind at the low level. That is you can swap out any cipher, hash or PRNG and dependent API will not require | |
3842 updating. This has the nice benefit that I can add ciphers not have to re--write large portions of the API. For the most part LibTomCrypt has also been written | |
3843 to be highly portable and easy to build out of the box on pretty much any platform. As such there are no assembler inlines throughout the code, I make no assumptions | |
3844 about the platform, etc... | |
3845 | |
3846 That works well for most cases but there are times where time is of the essence. This API also allows optimized routines to be dropped in--place of the existing | |
3847 portable routines. For instance, hand optimized assembler versions of AES could be provided and any existing function that uses the cipher could automatically use | |
3848 the optimized code without re--writing. This also paves the way for hardware drivers that can access hardware accelerated cryptographic devices. | |
3849 | |
3850 At the heart of this flexibility is the ``descriptor'' system. A descriptor is essentially just a C ``struct'' which describes the algorithm and provides pointers | |
3851 to functions that do the work. For a given class of operation (e.g. cipher, hash, prng) the functions have identical prototypes which makes development simple. In most | |
3852 dependent routines all a developer has to do is register\_XXX() the descriptor and they're set. | |
3853 | |
3854 \section{Ciphers} | |
3855 The ciphers in LibTomCrypt are accessed through the ltc\_cipher\_descriptor structure. | |
3856 | |
3857 \begin{small} | |
3858 \begin{verbatim} | |
3859 struct ltc_cipher_descriptor { | |
3860 /** name of cipher */ | |
3861 char *name; | |
3862 /** internal ID */ | |
3863 unsigned char ID; | |
3864 /** min keysize (octets) */ | |
3865 int min_key_length, | |
3866 /** max keysize (octets) */ | |
3867 max_key_length, | |
3868 /** block size (octets) */ | |
3869 block_length, | |
3870 /** default number of rounds */ | |
3871 default_rounds; | |
3872 /** Setup the cipher | |
3873 @param key The input symmetric key | |
3874 @param keylen The length of the input key (octets) | |
3875 @param num_rounds The requested number of rounds (0==default) | |
3876 @param skey [out] The destination of the scheduled key | |
3877 @return CRYPT_OK if successful | |
3878 */ | |
3879 int (*setup)(const unsigned char *key, int keylen, | |
3880 int num_rounds, symmetric_key *skey); | |
3881 /** Encrypt a block | |
3882 @param pt The plaintext | |
3883 @param ct [out] The ciphertext | |
3884 @param skey The scheduled key | |
3885 */ | |
3886 void (*ecb_encrypt)(const unsigned char *pt, | |
3887 unsigned char *ct, symmetric_key *skey); | |
3888 /** Decrypt a block | |
3889 @param ct The ciphertext | |
3890 @param pt [out] The plaintext | |
3891 @param skey The scheduled key | |
3892 */ | |
3893 void (*ecb_decrypt)(const unsigned char *ct, | |
3894 unsigned char *pt, symmetric_key *skey); | |
3895 /** Test the block cipher | |
3896 @return CRYPT_OK if successful, CRYPT_NOP if self-testing has been disabled | |
3897 */ | |
3898 int (*test)(void); | |
3899 /** Determine a key size | |
3900 @param keysize [in/out] The size of the key desired and the suggested size | |
3901 @return CRYPT_OK if successful | |
3902 */ | |
3903 int (*keysize)(int *keysize); | |
3904 | |
3905 /** Accelerators **/ | |
3906 /** Accelerated ECB encryption | |
3907 @param pt Plaintext | |
3908 @param ct Ciphertext | |
3909 @param blocks The number of complete blocks to process | |
3910 @param skey The scheduled key context | |
3911 */ | |
3912 void (*accel_ecb_encrypt)(const unsigned char *pt, | |
3913 unsigned char *ct, unsigned long blocks, | |
3914 symmetric_key *skey); | |
3915 | |
3916 /** Accelerated ECB decryption | |
3917 @param pt Plaintext | |
3918 @param ct Ciphertext | |
3919 @param blocks The number of complete blocks to process | |
3920 @param skey The scheduled key context | |
3921 */ | |
3922 void (*accel_ecb_decrypt)(const unsigned char *ct, | |
3923 unsigned char *pt, unsigned long blocks, | |
3924 symmetric_key *skey); | |
3925 | |
3926 /** Accelerated CBC encryption | |
3927 @param pt Plaintext | |
3928 @param ct Ciphertext | |
3929 @param blocks The number of complete blocks to process | |
3930 @param IV The initial value (input/output) | |
3931 @param skey The scheduled key context | |
3932 */ | |
3933 void (*accel_cbc_encrypt)(const unsigned char *pt, | |
3934 unsigned char *ct, unsigned long blocks, | |
3935 unsigned char *IV, symmetric_key *skey); | |
3936 | |
3937 /** Accelerated CBC decryption | |
3938 @param pt Plaintext | |
3939 @param ct Ciphertext | |
3940 @param blocks The number of complete blocks to process | |
3941 @param IV The initial value (input/output) | |
3942 @param skey The scheduled key context | |
3943 */ | |
3944 void (*accel_cbc_decrypt)(const unsigned char *ct, | |
3945 unsigned char *pt, unsigned long blocks, | |
3946 unsigned char *IV, symmetric_key *skey); | |
3947 | |
3948 /** Accelerated CTR encryption | |
3949 @param pt Plaintext | |
3950 @param ct Ciphertext | |
3951 @param blocks The number of complete blocks to process | |
3952 @param IV The initial value (input/output) | |
3953 @param mode little or big endian counter (mode=0 or mode=1) | |
3954 @param skey The scheduled key context | |
3955 */ | |
3956 void (*accel_ctr_encrypt)(const unsigned char *pt, | |
3957 unsigned char *ct, unsigned long blocks, | |
3958 unsigned char *IV, int mode, symmetric_key *skey); | |
3959 | |
3960 /** Accelerated CCM packet (one-shot) | |
3961 @param key The secret key to use | |
3962 @param keylen The length of the secret key (octets) | |
3963 @param nonce The session nonce [use once] | |
3964 @param noncelen The length of the nonce | |
3965 @param header The header for the session | |
3966 @param headerlen The length of the header (octets) | |
3967 @param pt [out] The plaintext | |
3968 @param ptlen The length of the plaintext (octets) | |
3969 @param ct [out] The ciphertext | |
3970 @param tag [out] The destination tag | |
3971 @param taglen [in/out] The max size and resulting size of the authentication tag | |
3972 @param direction Encrypt or Decrypt direction (0 or 1) | |
3973 @return CRYPT_OK if successful | |
3974 */ | |
3975 void (*accel_ccm_memory)( | |
3976 const unsigned char *key, unsigned long keylen, | |
3977 const unsigned char *nonce, unsigned long noncelen, | |
3978 const unsigned char *header, unsigned long headerlen, | |
3979 unsigned char *pt, unsigned long ptlen, | |
3980 unsigned char *ct, | |
3981 unsigned char *tag, unsigned long *taglen, | |
3982 int direction); | |
3983 | |
3984 /** Accelerated GCM packet (one shot) | |
3985 @param key The secret key | |
3986 @param keylen The length of the secret key | |
3987 @param IV The initial vector | |
3988 @param IVlen The length of the initial vector | |
3989 @param adata The additional authentication data (header) | |
3990 @param adatalen The length of the adata | |
3991 @param pt The plaintext | |
3992 @param ptlen The length of the plaintext (ciphertext length is the same) | |
3993 @param ct The ciphertext | |
3994 @param tag [out] The MAC tag | |
3995 @param taglen [in/out] The MAC tag length | |
3996 @param direction Encrypt or Decrypt mode (GCM_ENCRYPT or GCM_DECRYPT) | |
3997 */ | |
3998 void (*accel_gcm_memory)( | |
3999 const unsigned char *key, unsigned long keylen, | |
4000 const unsigned char *IV, unsigned long IVlen, | |
4001 const unsigned char *adata, unsigned long adatalen, | |
4002 unsigned char *pt, unsigned long ptlen, | |
4003 unsigned char *ct, | |
4004 unsigned char *tag, unsigned long *taglen, | |
4005 int direction); | |
4006 | |
4007 }; | |
4008 \end{verbatim} | |
4009 \end{small} | |
4010 | |
4011 \subsection{Name} | |
4012 The ``name'' parameter specifies the name of the cipher. This is what a developer would pass to find\_cipher() to find the cipher in the descriptor | |
4013 tables. | |
4014 | |
4015 \subsection{Internal ID} | |
4016 This is a single byte Internal ID you can use to distingish ciphers from each other. | |
4017 | |
4018 \subsection{Key Lengths} | |
4019 The minimum key length is ``min\_key\_length'' and is measured in octets. Similarly the maximum key length is ``max\_key\_length''. They can be equal | |
4020 and both must valid key sizes for the cipher. Values in between are not assumed to be valid though they may be. | |
4021 | |
4022 \subsection{Block Length} | |
4023 The size of the ciphers plaintext or ciphertext is ``block\_length'' and is measured in octets. | |
4024 | |
4025 \subsection{Rounds} | |
4026 Some ciphers allow different number of rounds to be used. Usually you just use the default. The default round count is ``default\_rounds''. | |
4027 | |
4028 \subsection{Setup} | |
4029 To initialize a cipher (for ECB mode) the function setup() was provided. It accepts an array of key octets ``key'' of length ``keylen'' octets. The user | |
4030 can specify the number of rounds they want through ``num\_rounds'' where $num\_rounds = 0$ means use the default. The destination of a scheduled key is stored | |
4031 in ``skey''. | |
4032 | |
4033 This is where things get tricky. Currently there is no provision to allocate memory during initialization since there is no ``cipher done'' function. So you have | |
4034 to either use an existing member of the symmetric\_key union or alias your own structure over top of it provided symmetric\_key is not smaller. | |
4035 | |
4036 \subsection{Single block ECB} | |
4037 To process a single block in ECB mode the ecb\_encrypt() and ecb\_decrypt() functions were provided. The plaintext and ciphertext buffers are allowed to overlap so you | |
4038 must make sure you do not overwrite the output before you are finished with the input. | |
4039 | |
4040 \subsection{Testing} | |
4041 The test() function is used to self--test the ``device''. It takes no arguments and returns \textbf{CRYPT\_OK} if all is working properly. | |
4042 | |
4043 \subsection{Key Sizing} | |
4044 Occasionally a function will want to find a suitable key size to use since the input is oddly sized. The keysize() function is for this case. It accepts a | |
4045 pointer to an integer which represents the desired size. The function then has to match it to the exact or a lower key size that is valid for the cipher. For | |
4046 example, if the input is $25$ and $24$ is valid then it stores $24$ back in the pointed to integer. It must not round up and must return an error if the keysize | |
4047 cannot be mapped to a valid key size for the cipher. | |
4048 | |
4049 \subsection{Acceleration} | |
4050 The next set of functions cover the accelerated functionality of the cipher descriptor. Any combination of these functions may be set to \textbf{NULL} to indicate | |
4051 it is not supported. In those cases the software fallbacks are used (using the single ECB block routines). | |
4052 | |
4053 \subsubsection{Accelerated ECB} | |
4054 These two functions are meant for cases where a user wants to encrypt (in ECB mode no less) an array of blocks. These functions are accessed | |
4055 through the accel\_ecb\_encrypt and accel\_ecb\_decrypt pointers. The ``blocks'' count is the number of complete blocks to process. | |
4056 | |
4057 \subsubsection{Accelerated CBC} | |
4058 These two functions are meant for accelerated CBC encryption. These functions are accessed through the accel\_cbc\_encrypt and accel\_cbc\_decrypt pointers. | |
4059 The ``blocks'' value is the number of complete blocks to process. The ``IV'' is the CBC initial vector. It is an input upon calling this function and must be | |
4060 updated by the function before returning. | |
4061 | |
4062 \subsubsection{Accelerated CTR} | |
4063 This function is meant for accelerated CTR encryption. It is accessible through the accel\_ctr\_encrypt pointer. | |
4064 The ``blocks'' value is the number of complete blocks to process. The ``IV'' is the CTR counter vector. It is an input upon calling this function and must be | |
4065 updated by the function before returning. The ``mode'' value indicates whether the counter is big ($mode = 1$) or little ($mode = 0$) endian. | |
4066 | |
4067 This function (and the way it's called) differs from the other two since ctr\_encrypt() allows any size input plaintext. The accelerator will only be | |
4068 called if the following conditions are met. | |
4069 | |
4070 \begin{enumerate} | |
4071 \item The accelerator is present | |
4072 \item The CTR pad is empty | |
4073 \item The remaining length of the input to process is greater than or equal to the block size. | |
4074 \end{enumerate} | |
4075 | |
4076 The ``CTR pad'' is empty when a multiple (including zero) blocks of text have been processed. That is, if you pass in seven bytes to AES--CTR mode you would have to | |
4077 pass in a minimum of nine extra bytes before the accelerator could be called. The CTR accelerator must increment the counter (and store it back into the | |
4078 buffer provided) before encrypting it to create the pad. | |
4079 | |
4080 The accelerator will only be used to encrypt whole blocks. Partial blocks are always handled in software. | |
4081 | |
4082 \subsubsection{Accelerated CCM} | |
4083 This function is meant for accelerated CCM encryption or decryption. It processes the entire packet in one call. Note that the setup() function will not | |
4084 be called prior to this. This function must handle scheduling the key provided on its own. | |
4085 | |
4086 \subsubsection{Accelerated GCM} | |
4087 This function is meant for accelerated GCM encryption or decryption. It processes the entire packet in one call. Note that the setup() function will not | |
4088 be called prior to this. This function must handle scheduling the key provided on its own. | |
4089 | |
4090 \section{One--Way Hashes} | |
4091 The hash functions are accessed through the ltc\_hash\_descriptor structure. | |
4092 | |
4093 \begin{small} | |
4094 \begin{verbatim} | |
4095 struct ltc_hash_descriptor { | |
4096 /** name of hash */ | |
4097 char *name; | |
4098 /** internal ID */ | |
4099 unsigned char ID; | |
4100 /** Size of digest in octets */ | |
4101 unsigned long hashsize; | |
4102 /** Input block size in octets */ | |
4103 unsigned long blocksize; | |
4104 /** ASN.1 DER identifier */ | |
4105 unsigned char DER[64]; | |
4106 /** Length of DER encoding */ | |
4107 unsigned long DERlen; | |
4108 /** Init a hash state | |
4109 @param hash The hash to initialize | |
4110 @return CRYPT_OK if successful | |
4111 */ | |
4112 int (*init)(hash_state *hash); | |
4113 /** Process a block of data | |
4114 @param hash The hash state | |
4115 @param in The data to hash | |
4116 @param inlen The length of the data (octets) | |
4117 @return CRYPT_OK if successful | |
4118 */ | |
4119 int (*process)(hash_state *hash, const unsigned char *in, unsigned long inlen); | |
4120 /** Produce the digest and store it | |
4121 @param hash The hash state | |
4122 @param out [out] The destination of the digest | |
4123 @return CRYPT_OK if successful | |
4124 */ | |
4125 int (*done)(hash_state *hash, unsigned char *out); | |
4126 /** Self-test | |
4127 @return CRYPT_OK if successful, CRYPT_NOP if self-tests have been disabled | |
4128 */ | |
4129 int (*test)(void); | |
4130 }; | |
4131 \end{verbatim} | |
4132 \end{small} | |
4133 | |
4134 \subsection{Name} | |
4135 This is the name the hash is known by and what find\_hash() will look for. | |
4136 | |
4137 \subsection{Internal ID} | |
4138 This is the internal ID byte used to distinguish the hash from other hashes. | |
4139 | |
4140 \subsection{Digest Size} | |
4141 The ``hashsize'' variable indicates the length of the output in octets. | |
4142 | |
4143 \subsection{Block Size} | |
4144 The `blocksize'' variable indicates the length of input (in octets) that the hash processes in a given | |
4145 invokation. | |
4146 | |
4147 \subsection{DER Identifier} | |
4148 This is the DER identifier (including the SEQUENCE header). This is used solely for PKCS \#1 style signatures. | |
4149 | |
4150 \subsection{Initialization} | |
4151 The init function initializes the hash and prepares it to process message bytes. | |
4152 | |
4153 \subsection{Process} | |
4154 This processes message bytes. The algorithm must accept any length of input that the hash would allow. The input is not | |
4155 guaranteed to be a multiple of the block size in length. | |
4156 | |
4157 \subsection{Done} | |
4158 The done function terminates the hash and returns the message digest. | |
4159 | |
4160 \subsection{Acceleration} | |
4161 A compatible accelerator must allow processing data in any granularity which may require internal padding on the driver side. | |
4162 | |
4163 \section{Pseudo--Random Number Generators} | |
4164 The pseudo--random number generators are accessible through the ltc\_prng\_descriptor structure. | |
4165 | |
4166 \begin{small} | |
4167 \begin{verbatim} | |
4168 struct ltc_prng_descriptor { | |
4169 /** Name of the PRNG */ | |
4170 char *name; | |
4171 /** size in bytes of exported state */ | |
4172 int export_size; | |
4173 /** Start a PRNG state | |
4174 @param prng [out] The state to initialize | |
4175 @return CRYPT_OK if successful | |
4176 */ | |
4177 int (*start)(prng_state *prng); | |
4178 /** Add entropy to the PRNG | |
4179 @param in The entropy | |
4180 @param inlen Length of the entropy (octets)\ | |
4181 @param prng The PRNG state | |
4182 @return CRYPT_OK if successful | |
4183 */ | |
4184 int (*add_entropy)(const unsigned char *in, unsigned long inlen, prng_state *prng); | |
4185 /** Ready a PRNG state to read from | |
4186 @param prng The PRNG state to ready | |
4187 @return CRYPT_OK if successful | |
4188 */ | |
4189 int (*ready)(prng_state *prng); | |
4190 /** Read from the PRNG | |
4191 @param out [out] Where to store the data | |
4192 @param outlen Length of data desired (octets) | |
4193 @param prng The PRNG state to read from | |
4194 @return Number of octets read | |
4195 */ | |
4196 unsigned long (*read)(unsigned char *out, unsigned long outlen, prng_state *prng); | |
4197 /** Terminate a PRNG state | |
4198 @param prng The PRNG state to terminate | |
4199 @return CRYPT_OK if successful | |
4200 */ | |
4201 int (*done)(prng_state *prng); | |
4202 /** Export a PRNG state | |
4203 @param out [out] The destination for the state | |
4204 @param outlen [in/out] The max size and resulting size of the PRNG state | |
4205 @param prng The PRNG to export | |
4206 @return CRYPT_OK if successful | |
4207 */ | |
4208 int (*pexport)(unsigned char *out, unsigned long *outlen, prng_state *prng); | |
4209 /** Import a PRNG state | |
4210 @param in The data to import | |
4211 @param inlen The length of the data to import (octets) | |
4212 @param prng The PRNG to initialize/import | |
4213 @return CRYPT_OK if successful | |
4214 */ | |
4215 int (*pimport)(const unsigned char *in, unsigned long inlen, prng_state *prng); | |
4216 /** Self-test the PRNG | |
4217 @return CRYPT_OK if successful, CRYPT_NOP if self-testing has been disabled | |
4218 */ | |
4219 int (*test)(void); | |
4220 }; | |
4221 \end{verbatim} | |
4222 \end{small} | |
4223 | |
4224 \subsection{Name} | |
4225 The name by which find\_prng() will find the PRNG. | |
4226 | |
4227 \subsection{Export Size} | |
4228 When an PRNG state is to be exported for future use you specify the space required in this variable. | |
4229 | |
4230 \subsection{Start} | |
4231 Initialize the PRNG and make it ready to accept entropy. | |
4232 | |
4233 \subsection{Entropy Addition} | |
4234 Add entropy to the PRNG state. The exact behaviour of this function depends on the particulars of the PRNG. | |
4235 | |
4236 \subsection{Ready} | |
4237 This function makes the PRNG ready to read from by processing the entropy added. The behaviour of this function depends | |
4238 on the specific PRNG used. | |
4239 | |
4240 \subsection{Read} | |
4241 Read from the PRNG and return the number of bytes read. This function does not have to fill the buffer but it is best | |
4242 if it does as many protocols do not retry reads and will fail on the first try. | |
4243 | |
4244 \subsection{Done} | |
4245 Terminate a PRNG state. The behaviour of this function depends on the particular PRNG used. | |
4246 | |
4247 \subsection{Exporting and Importing} | |
4248 An exported PRNG state is data that the PRNG can later import to resume activity. They're not meant to resume ``the same session'' | |
4249 but should at least maintain the same level of state entropy. | |
3461 | 4250 |
3462 \input{crypt.ind} | 4251 \input{crypt.ind} |
3463 | 4252 |
3464 \end{document} | 4253 \end{document} |