Mercurial > dropbear
view libtomcrypt/notes/tech0006.txt @ 1705:5b701bf529aa
Fix ChaCha20 on 32-bit platforms (#99)
* Fix ChaCha20 on 32-bit platforms
On 32-bit platforms with old compiler STORE64H() parameter is
not auto-expanded to 64-bit value, causing wrong IV data.
Spotted on BCM4706 MIPS32r2 with GCC 4.2.4:
Exit before auth: Integrity error (bad packet size 2065808956)
* Fix Chacha20-Poly1305 and AES-GCM debug messages
Functions were renamed earlier and trace messages - not.
author | Vladislav Grishenko <themiron@users.noreply.github.com> |
---|---|
date | Fri, 29 May 2020 18:26:22 +0500 |
parents | 1b9e69c058d2 |
children |
line wrap: on
line source
Tech Note 0006 PK Standards Compliance Tom St Denis RSA ---- PKCS #1 compliance. Key Format: RSAPublicKey and RSAPrivateKey as per PKCS #1 v2.1 Encryption: OAEP as per PKCS #1 Signature : PSS as per PKCS #1 DSA ---- The NIST DSA algorithm Key Format: HomeBrew [see below] Signature : ANSI X9.62 format [see below]. Keys are stored as DSAPublicKey ::= SEQUENCE { publicFlags BIT STRING(1), -- must be 0 g INTEGER , -- base generator, check that g^q mod p == 1 -- and that 1 < g < p - 1 p INTEGER , -- prime modulus q INTEGER , -- order of sub-group (must be prime) y INTEGER , -- public key, specifically, g^x mod p, -- check that y^q mod p == 1 -- and that 1 < y < p - 1 } DSAPrivateKey ::= SEQUENCE { publicFlags BIT STRING(1), -- must be 1 g INTEGER , -- base generator, check that g^q mod p == 1 -- and that 1 < g < p - 1 p INTEGER , -- prime modulus q INTEGER , -- order of sub-group (must be prime) y INTEGER , -- public key, specifically, g^x mod p, -- check that y^q mod p == 1 -- and that 1 < y < p - 1 x INTEGER -- private key } Signatures are stored as DSASignature ::= SEQUENCE { r, s INTEGER -- signature parameters } ECC ---- The ANSI X9.62 and X9.63 algorithms [partial]. Supports all NIST GF(p) curves. Key Format : Homebrew [see below, only GF(p) NIST curves supported] Signature : X9.62 compliant Encryption : Homebrew [based on X9.63, differs in that the public point is stored as an ECCPublicKey] Shared Secret: X9.63 compliant ECCPublicKey ::= SEQUENCE { flags BIT STRING(1), -- public/private flag (always zero), keySize INTEGER, -- Curve size (in bits) divided by eight -- and rounded down, e.g. 521 => 65 pubkey.x INTEGER, -- The X co-ordinate of the public key point pubkey.y INTEGER, -- The Y co-ordinate of the public key point } ECCPrivateKey ::= SEQUENCE { flags BIT STRING(1), -- public/private flag (always one), keySize INTEGER, -- Curve size (in bits) divided by eight -- and rounded down, e.g. 521 => 65 pubkey.x INTEGER, -- The X co-ordinate of the public key point pubkey.y INTEGER, -- The Y co-ordinate of the public key point secret.k INTEGER, -- The secret key scalar } The encryption works by finding the X9.63 shared secret and hashing it. The hash is then simply XOR'ed against the message [which must be at most the size of the hash digest]. The format of the encrypted text is as follows ECCEncrypted ::= SEQUENCE { hashOID OBJECT IDENTIFIER, -- The OID of the hash used pubkey OCTET STRING , -- Encapsulation of a random ECCPublicKey skey OCTET STRING -- The encrypted text (which the hash was XOR'ed against) } % $Source: /cvs/libtom/libtomcrypt/notes/tech0006.txt,v $ % $Revision: 1.2 $ % $Date: 2005/06/18 02:26:27 $