The Libgcrypt Reference Manual Version 1.9.0 18 January 2021


The Libgcrypt Reference Manual, Version 1.9.0, 18 January 2021
Werner Koch ([email protected]), Moritz Schulte ([email protected])

This manual is for Libgcrypt version 1.9.0 and was last updated 18 January 2021. Libgcrypt is GNU's library of cryptographic building blocks.

Copyright (C) 2000, 2002, 2003, 2004, 2006, 2007, 2008, 2009, 2011, 2012 Free Software Foundation, Inc.
Copyright (C) 2012, 2013, 2016, 2017 g10 Code GmbH

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. The text of the license can be found in the section entitled "GNU General Public License".

Short Contents
  1 Introduction
  2 Preparation
  3 Generalities
  4 Handler Functions
  5 Symmetric cryptography
  6 Public Key cryptography
  7 Hashing
  8 Message Authentication Codes
  9 Key Derivation
  10 Random Numbers
  11 S-expressions
  12 MPI library
  13 Prime numbers
  14 Utilities
  15 Tools
  16 Configuration files and environment variables
  17 Architecture
  A Description of the Self-Tests
  B Description of the FIPS Mode
  GNU Lesser General Public License
  GNU General Public License
  List of Figures and Tables
  Concept Index
  Function and Data Index

Table of Contents
  1 Introduction
    1.1 Getting Started
    1.2 Features
    1.3 Overview
  2 Preparation
    2.1 Header
    2.2 Building sources
    2.3 Building sources using Automake
    2.4 Initializing the library
    2.5 Multi-Threading
    2.6 How to enable the FIPS mode
    2.7 How to disable hardware features
  3 Generalities
    3.1 Controlling the library
    3.2 Error Handling
      3.2.1 Error Values
      3.2.2 Error Sources
      3.2.3 Error Codes
      3.2.4 Error Strings
  4 Handler Functions
    4.1 Progress handler
    4.2 Allocation handler
    4.3 Error handler
    4.4 Logging handler
  5 Symmetric cryptography
    5.1 Available ciphers
    5.2 Available cipher modes
    5.3 Working with cipher handles
    5.4 General cipher functions
  6 Public Key cryptography
    6.1 Available algorithms
    6.2 Used S-expressions
      6.2.1 RSA key parameters
      6.2.2 DSA key parameters
      6.2.3 ECC key parameters
    6.3 Cryptographic Functions
    6.4 Dedicated functions for elliptic curves
    6.5 General public-key related Functions
  7 Hashing
    7.1 Available hash algorithms
    7.2 Working with hash algorithms
  8 Message Authentication Codes
    8.1 Available MAC algorithms
    8.2 Working with MAC algorithms
  9 Key Derivation
  10 Random Numbers
    10.1 Quality of random numbers
    10.2 Retrieving random numbers
  11 S-expressions
    11.1 Data types for S-expressions
    11.2 Working with S-expressions
  12 MPI library
    12.1 Data types
    12.2 Basic functions
    12.3 MPI formats
    12.4 Calculations
    12.5 Comparisons
    12.6 Bit manipulations
    12.7 EC functions
    12.8 Miscellaneous
  13 Prime numbers
    13.1 Generation
    13.2 Checking
  14 Utilities
    14.1 Memory allocation
    14.2 Context management
    14.3 Buffer description
    14.4 How to return Libgcrypt's configuration
  15 Tools
    15.1 A HMAC-SHA-256 tool
  16 Configuration files and environment variables
  17 Architecture
    17.1 Public-Key Architecture
    17.2 Symmetric Encryption Subsystem Architecture
    17.3 Hashing and MACing Subsystem Architecture
    17.4 Multi-Precision-Integer Subsystem Architecture
    17.5 Prime-Number-Generator Subsystem Architecture
    17.6 Random-Number Subsystem Architecture
      17.6.1 Description of the CSPRNG
      17.6.2 Description of the FIPS X9.31 PRNG
  Appendix A Description of the Self-Tests
    A.1 Power-Up Tests
      A.1.1 Symmetric Cipher Algorithm Power-Up Tests
      A.1.2 Hash Algorithm Power-Up Tests
      A.1.3 MAC Algorithm Power-Up Tests
      A.1.4 Random Number Power-Up Test
      A.1.5 Public Key Algorithm Power-Up Tests
      A.1.6 Integrity Power-Up Tests
      A.1.7 Critical Functions Power-Up Tests
    A.2 Conditional Tests
      A.2.1 Key-Pair Generation Tests
      A.2.2 Software Load Tests
      A.2.3 Manual Key Entry Tests
      A.2.4 Continuous RNG Tests
    A.3 Application Requested Tests
      A.3.1 Symmetric Cipher Algorithm Tests
      A.3.2 Hash Algorithm Tests
      A.3.3 MAC Algorithm Tests
  Appendix B Description of the FIPS Mode
    B.1 Restrictions in FIPS Mode
    B.2 FIPS Finite State Machine
    B.3 FIPS Miscellaneous Information
  GNU Lesser General Public License
  GNU General Public License
  List of Figures and Tables
  Concept Index
  Function and Data Index

Chapter 1: Introduction

Libgcrypt is a library providing cryptographic building blocks.

1.1 Getting Started

This manual documents the Libgcrypt library application programming
Recommended publications
  • On the Impact of Exception Handling Compatibility on Binary Instrumentation
    Soumyakant Priyadarshan, Huan Nguyen, R. Sekar (Stony Brook University, Stony Brook, NY, USA)
    Abstract: To support C++ exception handling, compilers generate metadata that is a rich source of information about the code layout. On Linux, this metadata is also used to support stack tracing, thread cleanup and other functions. For this reason, Linux binaries contain code-layout-revealing metadata for C-code as well. Even hand-written assembly in low-level system libraries is covered by such metadata. We investigate the implications of this metadata in this paper, and show that it can be used to (a) improve accuracy of disassembly, (b) achieve significantly better accuracy at function boundary identification as compared to previous research, and (c) as a rich source of information for defeating fine-grained code randomization.
    [Introduction] ... overheads, but has been held back by challenges in accurate disassembly and code pointer identification. With the emergence of position-independent (or relocatable) binaries as the dominant format in recent years, researchers have been able to address these challenges, e.g., in Egalito [41], RetroWrite [11] and SBR [28, 29] systems. Despite recent advances, deployability of binary instrumentation continues to face significant challenges. One of the major concerns is compatibility. In particular, existing static binary instrumentation tools tend to break stack tracing (for C and C++) as well as C++ exception handling. While compatibility with these features may not be important for proof-of-concept instrumentations, it is hardly
  • FIPS 140-2 Non-Proprietary Security Policy
    Kernel Crypto API Cryptographic Module version 1.0, FIPS 140-2 Non-Proprietary Security Policy, Version 1.3, last update: 2020-03-02. Prepared by: atsec information security corporation, 9130 Jollyville Road, Suite 260, Austin, TX 78759, www.atsec.com. © 2020 Canonical Ltd. / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice.
    Table of Contents: 1. Cryptographic Module Specification; 1.1 Module Overview; 1.2 Modes of Operation; 2. Cryptographic Module Ports and Interfaces; 3. Roles, Services and Authentication; 3.1 Roles; 3.2 Services
  • GnuPG Masterclass: You wouldn’t want other people opening your letters and your data is no different (Ben Everard)
    MASTERCLASS: GNUPG. You wouldn’t want other people opening your letters and your data is no different. Encrypt it today! (Ben Everard)
    SECURE EMAIL WITH GNUPG AND ENIGMAIL: Send encrypted emails from your favourite email client. (John Lane)
    Your typical email is about as secure as a postcard, which is good news if you’re a government agency. But you wouldn’t use a postcard for most things sent in the post; you’d use a sealed envelope. Email is no different; you just need an envelope – and it’s called “Encryption”. Since the early 1990s, the main way to encrypt email has been PGP, which stands for “Pretty Good Privacy”. It’s a protocol for the secure encryption of email that has since evolved into an open standard called OpenPGP.
    My lovely horse: The GNU Privacy Guard (GnuPG) is a free, GPL-licensed implementation of the OpenPGP standard (there are other implementations, both free and commercial – the PGP name now refers to a commercial product
    The first thing that you need to do is create a key to represent your identity in the OpenPGP world. You’d typically create one key per identity that you have. Most people would have one identity, being themselves as a person. However, some may find having separate personal and professional identities useful. It’s a personal choice, but starting with a single key will help while you’re learning. Launch Seahorse and click on the large plus-sign icon that’s just below the menu. Select ‘PGP Key’ and work your way through the screens that follow to supply your name and email address and then generate the key. You can, optionally, use the Advanced Key Options to add a comment that can help others identify your key and to select the cipher, its strength and set when the key should expire.
  • Implementation and Benchmarking of Padding Units and HMAC for SHA-3 Candidates in FPGAs and ASICs, by Ambarish Vyas (a thesis submitted to George Mason University)
    IMPLEMENTATION AND BENCHMARKING OF PADDING UNITS AND HMAC FOR SHA-3 CANDIDATES IN FPGAS AND ASICS, by Ambarish Vyas. A Thesis Submitted to the Graduate Faculty of George Mason University in Partial Fulfillment of The Requirements for the Degree of Master of Science, Computer Engineering. Committee: Dr. Kris Gaj, Thesis Director; Dr. Jens-Peter Kaps, Committee Member; Dr. Bernd-Peter Paris, Committee Member; Dr. Andre Manitius, Department Chair of Electrical and Computer Engineering; Dr. Lloyd J. Griffiths, Dean, Volgenau School of Engineering. Fall Semester 2011, George Mason University, Fairfax, VA.
    Implementation and Benchmarking of Padding Units and HMAC for SHA-3 Candidates in FPGAs and ASICs. A thesis submitted in partial fulfillment of the requirements for the degree of Master of Science at George Mason University. By Ambarish Vyas, Bachelor of Science, University of Pune, 2009. Director: Dr. Kris Gaj, Associate Professor, Department of Electrical and Computer Engineering. Fall Semester 2011, George Mason University, Fairfax, VA. Copyright (C) 2011 by Ambarish Vyas. All Rights Reserved.
    Acknowledgments: I would like to use this opportunity to thank the people who have supported me throughout my thesis. First and foremost my advisor Dr. Kris Gaj, without his zeal, his motivation, his patience, his confidence in me, his humility, his diverse knowledge, and his great efforts this thesis wouldn't be possible. It is difficult to exaggerate my gratitude towards him. I also thank Ekawat Homsirikamol for his contributions to this project. He has significantly contributed to the designs and implementations of the architectures. Additionally, I am indebted to my student colleagues in CERG for providing a fun environment to learn and giving invaluable tips and support.
  • Horizontal PDF Slides: The first 10 years of Curve25519
    The first 10 years of Curve25519. Daniel J. Bernstein, University of Illinois at Chicago & Technische Universiteit Eindhoven.
    2005.05.19: Seminar talk; design+software close to done. 2005.09.15: Software online. 2005.09.20: Invited talk at ECC. 2005.11.15: Paper online; submitted to PKC 2006.
    Abstract: “This paper explains the design and implementation of a high-security elliptic-curve-Diffie-Hellman function achieving record-setting speeds: e.g., 832457 Pentium III cycles (with several side benefits: free key compression, free key validation, and state-of-the-art timing-attack protection), more than twice as fast as other authors’ results at the same conjectured security level (with or without the side benefits).”
    Elliptic-curve computations
  • Lecture9.pdf
    Suppose H is a Merkle-Damgård hash function built from a secure compression function h. Several ways to build a keyed function:
    1. Prepend key: F(k, m) = H(k || m). Insecure due to the structure of Merkle-Damgård: can mount an extension attack: given H(k || m), can compute H(k || m || m') by extending the Merkle-Damgård chain.
    2. Append key: F(k, m) = H(m || k). Similar to the hash-then-MAC construction and vulnerable to the same offline attack: the adversary finds a collision in the Merkle-Damgård prefix and uses that to construct a forgery (the SHA-1 collision demonstration used PDF files; they exploited structure in SHA-1 and can generate arbitrary collisions once the prefix matches).
    3. Envelope method: F(k, m) = H(k || m || k). Secure under reasonable pseudorandomness assumptions on h.
    4. Two-key nest: F((k1, k2), m) = H(k2 || H(k1 || m)), which is a PRF. Both of these constructions (3 and 4) are secure PRFs on a variable-size domain.
    HMAC is a hash-based PRF/MAC based on the two-key nest (though with correlated keys): HMAC(k, m) = H(k2 || H(k1 || m)), where k1 ← k ⊕ ipad and k2 ← k ⊕ opad, and ipad and opad are fixed strings specified in the HMAC standard (0x36 repeated and 0x5C repeated). Since k1 and k2 are correlated, need to make a stronger assumption on h (e.g., h remains pseudorandom under related-key attack). Instantiations: denoted HMAC-H where H is the hash function; typically HMAC-SHA1, HMAC-SHA256.
  • Analysis of Selected Block Cipher Modes for Authenticated Encryption
    Analysis of Selected Block Cipher Modes for Authenticated Encryption, by Hassan Musallam Ahmed Qahur Al Mahri, Bachelor of Engineering (Computer Systems and Networks) (Sultan Qaboos University), 2007. Thesis submitted in fulfilment of the requirement for the degree of Doctor of Philosophy, School of Electrical Engineering and Computer Science, Science and Engineering Faculty, Queensland University of Technology, 2018.
    Keywords: Authenticated encryption, AE, AEAD, ++AE, AEZ, block cipher, CAESAR, confidentiality, COPA, differential fault analysis, differential power analysis, ElmD, fault attack, forgery attack, integrity assurance, leakage resilience, modes of operation, OCB, OTR, SHELL, side channel attack, statistical fault analysis, symmetric encryption, tweakable block cipher, XE, XEX.
    Abstract: Cryptography assures information security through different functionalities, especially confidentiality and integrity assurance. According to Menezes et al. [1], confidentiality means the process of assuring that no one could interpret information, except authorised parties, while data integrity is an assurance that any unauthorised alterations to a message content will be detected. One possible approach to ensure confidentiality and data integrity is to use two different schemes where one scheme provides confidentiality and the other provides integrity assurance. A more compact approach is to use schemes, called Authenticated Encryption (AE) schemes, that simultaneously provide confidentiality and integrity assurance for a message. AE can be constructed using different mechanisms, and the most common construction is to use block cipher modes, which is our focus in this thesis. AE schemes have been used in a wide range of applications, and defined by standardisation organizations. The National Institute of Standards and Technology (NIST) recommended two AE block cipher modes CCM [2] and GCM [3].
  • MD5 Collisions: The Effect on Computer Forensics (April 2006)
    Paper: MD5 Collisions, The Effect on Computer Forensics, April 2006. AccessData, On Your Radar.
    MD5 Collisions: The Impact on Computer Forensics. Hash functions are one of the basic building blocks of modern cryptography. They are used for everything from password verification to digital signatures. A hash function has three fundamental properties:
      • It must be able to easily convert digital information (i.e. a message) into a fixed length hash value.
      • It must be computationally impossible to derive any information about the input message from just the hash.
      • It must be computationally impossible to find two files to have the same hash.
    A collision is when you find two files to have the same hash. The research published by Wang, Feng, Lai and Yu demonstrated that MD5 fails this third requirement since they were able to generate two different messages that have the same hash. In computer forensics hash functions are important because they provide a means of identifying and classifying electronic evidence. Because hash functions play a critical role in evidence authentication, a judge and jury must be able to trust the hash values to uniquely identify electronic evidence. A hash function is unreliable when you can find any two messages that have the same hash.
    Birthday Paradox: The easiest method of explaining a hash collision is through what is frequently referred to as the Birthday Paradox. How many people on the street would you have to ask before there is greater than 50% probability that one of those people will share your birthday (same day, not the same year)? The answer is 183 (i.e.
  • FIPS 140-2 Non-Proprietary Security Policy Oracle Linux 7 NSS
    FIPS 140-2 Non-Proprietary Security Policy, Oracle Linux 7 NSS Cryptographic Module, FIPS 140-2 Level 1 Validation. Software Version: R7-4.0.0. Date: January 22nd, 2020. Document Version 2.3. © Oracle Corporation. This document may be reproduced whole and intact including the Copyright notice.
    Title: Oracle Linux 7 NSS Cryptographic Module Security Policy. Date: January 22nd, 2020. Author: Oracle Security Evaluations – Global Product Security. Contributing Authors: Oracle Linux Engineering. Oracle Corporation World Headquarters, 500 Oracle Parkway, Redwood Shores, CA 94065, U.S.A. Worldwide Inquiries: Phone: +1.650.506.7000, Fax: +1.650.506.7200, oracle.com.
    Copyright © 2020, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. Oracle specifically disclaims any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may be reproduced or distributed whole and intact including this copyright notice. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
    Table of Contents
  • Report on the AES Candidates
    Report on the AES Candidates. Olivier Baudron (1), Henri Gilbert (2), Louis Granboulan (1), Helena Handschuh (3), Antoine Joux (4), Phong Nguyen (1), Fabrice Noilhan (5), David Pointcheval (1), Thomas Pornin (1), Guillaume Poupard (1), Jacques Stern (1), and Serge Vaudenay (1). (1) École Normale Supérieure - CNRS; (2) France Telecom; (3) Gemplus - ENST; (4) SCSSI; (5) Université d'Orsay - LRI. Contact e-mail: [email protected]
    Abstract: This document reports the activities of the AES working group organized at the École Normale Supérieure. Several candidates are evaluated. In particular we outline some weaknesses in the designs of some candidates. We mainly discuss selection criteria between the candidates, and make case-by-case comments. We finally recommend the selection of Mars, RC6, Serpent, ... and DFC. As the report is being finalized, we also added some new preliminary cryptanalysis on RC6 and Crypton in the Appendix which are not considered in the main body of the report.
    Designing the encryption standard of the first twenty years of the twenty-first century is a challenging task: we need to predict possible future technologies, and we have to take unknown future attacks in account. Following the AES process initiated by NIST, we organized an open working group at the École Normale Supérieure. This group met two hours a week to review the AES candidates. The present document reports its results. Another task of this group was to update the DFC candidate submitted by CNRS [16, 17] and to answer questions which had been omitted in previous reports on DFC.
  • Fast Elliptic Curve Cryptography in OpenSSL
    Fast Elliptic Curve Cryptography in OpenSSL. Emilia Käsper (1, 2). (1) Google; (2) Katholieke Universiteit Leuven, ESAT/COSIC. [email protected]
    Abstract. We present a 64-bit optimized implementation of the NIST and SECG-standardized elliptic curve P-224. Our implementation is fully integrated into OpenSSL 1.0.1: full TLS handshakes using a 1024-bit RSA certificate and ephemeral Elliptic Curve Diffie-Hellman key exchange over P-224 now run at twice the speed of standard OpenSSL, while atomic elliptic curve operations are up to 4 times faster. In addition, our implementation is immune to timing attacks; most notably, we show how to do small table look-ups in a cache-timing resistant way, allowing us to use precomputation. To put our results in context, we also discuss the various security-performance trade-offs available to TLS applications. Keywords: elliptic curve cryptography, OpenSSL, side-channel attacks, fast implementations.
    1 Introduction. 1.1 Introduction to TLS. Transport Layer Security (TLS), the successor to Secure Socket Layer (SSL), is a protocol for securing network communications. In its most common use, it is the "S" (standing for "Secure") in HTTPS. Two of the most popular open-source cryptographic libraries implementing SSL and TLS are OpenSSL [19] and Mozilla Network Security Services (NSS) [17]: OpenSSL is found in, e.g., the Apache-SSL secure web server, while NSS is used by Mozilla Firefox and Chrome web browsers, amongst others. TLS provides authentication between connecting parties, as well as encryption of all transmitted content. Thus, before any application data is transmitted, peers perform authentication and key exchange in a TLS handshake.
  • BLAKE2: Simpler, Smaller, Fast As MD5
    BLAKE2: simpler, smaller, fast as MD5. Jean-Philippe Aumasson (1), Samuel Neves (2), Zooko Wilcox-O'Hearn (3), and Christian Winnerlein (4). (1) Kudelski Security, Switzerland, [email protected]; (2) University of Coimbra, Portugal, [email protected]; (3) Least Authority Enterprises, USA, [email protected]; (4) Ludwig Maximilian University of Munich, Germany, [email protected]
    Abstract. We present the hash function BLAKE2, an improved version of the SHA-3 finalist BLAKE optimized for speed in software. Target applications include cloud storage, intrusion detection, or version control systems. BLAKE2 comes in two main flavors: BLAKE2b is optimized for 64-bit platforms, and BLAKE2s for smaller architectures. On 64-bit platforms, BLAKE2 is often faster than MD5, yet provides security similar to that of SHA-3: up to 256-bit collision resistance, immunity to length extension, indifferentiability from a random oracle, etc. We specify parallel versions BLAKE2bp and BLAKE2sp that are up to 4 and 8 times faster, by taking advantage of SIMD and/or multiple cores. BLAKE2 reduces the RAM requirements of BLAKE down to 168 bytes, making it smaller than any of the five SHA-3 finalists, and 32% smaller than BLAKE. Finally, BLAKE2 provides a comprehensive support for tree-hashing as well as keyed hashing (be it in sequential or tree mode).
    1 Introduction. The SHA-3 Competition succeeded in selecting a hash function that complements SHA-2 and is much faster than SHA-2 in hardware [1]. There is nevertheless a demand for fast software hashing for applications such as integrity checking and deduplication in filesystems and cloud storage, host-based intrusion detection, version control systems, or secure boot schemes.