XP_CRYPT encryption methods overview
XP_CRYPT 3.6 supports:
Symmetric algorithms
Asymmetric algorithms
Hash
Digital signatures
AES
The Advanced Encryption Standard, more commonly referred to as AES,
is a block cipher with a block size of 128 bits and key sizes of 128,
192, and 256 bits. It was adopted by NIST as US FIPS PUB 197 in
November 2001 after a 5-year standardization process.
AES was developed by two Belgian cryptographers, Joan Daemen and
Vincent Rijmen. It is also known by the name used in the original
submission, "Rijndael", best pronounced "Rine dahl", with a long "i"
and a silent "e", for those who don't speak Dutch. Strictly speaking,
AES is not precisely the same as Rijndael, because Rijndael supports
larger block sizes whereas AES has a fixed block size of 128 bits.
AES is fast in both software and hardware, is relatively easy to
implement, and requires little memory. As the new block cipher standard
it is currently being deployed on a large scale.
DESX
DESX is a strengthened variant of DES. The difference between DES
and DESX is that, in DESX, the input plaintext is bitwise XORed with 64
bits of additional key material before encryption with DES and the
output is also bitwise XORed with another 64 bits of key material. The
security of DESX against differential and linear attacks appears to be
equivalent to that of DES with independent subkeys, so there is not a
great increase in security with regard to these attacks. However, the
main motivation for DESX was to provide a computationally simple way
to dramatically improve the resistance of DES to exhaustive key
search attacks. The DESX construction is due to Rivest.
Triple DES
The financial services industry has developed ANSI X9.52, a standard for
Triple DES encryption, as one interim solution. In Triple DES, each 64-bit block of a message is encrypted with three successive DES operations rather than one, and the operations involve two or three different keys. Triple-DES offers an effective key size of 112 bits in typical applications, as opposed to 56 bits for DES -- but the encryption and decryption time per block is three times that of DES.
RC4
RC4 is a symmetric, secret key, stream cryptographic cipher designed
by Ron Rivest. RC apparently stands for "Ron's Code". Also publicly
known are the block ciphers RC2 and RC5. RC4 was initially a trade
secret, but in September of 1994 an anonymous person reverse engineered
it and posted it to the Cypherpunks mailing list. It quickly spread to
Usenet on the sci.crypt newsgroup, and on to many sites on the
Internet. Because the algorithm is known, it is no longer a trade
secret. The name RC4 is trademarked. The current status seems to be
that "unofficial" implementations are legal, but can't use the RC4
name. RC4 is often referred to as "ARCFOUR", to avoid possible
trademark problems. It has become part of some commonly used encryption
protocols and standards, including SSL, which is used for secure network
communication by web browsers.
RC4 is initialized from a secret key. Then it generates a "keystream"
which is simply XORed with the plaintext to produce the ciphertext.
Decryption is exactly the same as encryption. One reason for its
popularity is its simplicity. The algorithm can be memorized and
quickly implemented from memory. It uses 256 bytes of memory, S[0]
through S[255], and it uses integer variables, i, j, and k. A message
is encrypted or decrypted with this algorithm:
    for i = 0...255
        S[i] = i
    j = 0
    for i = 0...255
        j = (j + S[i] + key[i mod key_length]) mod 256
        swap S[i] and S[j]
    i = 0
    j = 0
    loop until the entire message is encrypted/decrypted
        i = (i + 1) mod 256
        j = (j + S[i]) mod 256
        swap S[i] and S[j]
        k = S[(S[i] + S[j]) mod 256]
        output the XOR of k with the next byte of input
RC4 is one of the fastest ciphers to be widely used for serious work.
Cryptanalysis of RC4 is at a rather uncertain stage. Theoretical breaks
may be possible if gigabytes of known plaintext/known ciphertext stream
are available, but this is not necessarily a major problem in practice.
In 2001 a new and surprising discovery was made: over all possible RC4
keys, the statistics for the first byte of output keystream are
seriously non-random. It remains to be seen if this is an academic
curiosity, or a sign of more serious problems to be discovered soon.
Current implementations often discard the first 256 bytes of the stream
to avoid potential problems.
As with all stream ciphers, RC4 is easily broken if the same key is
used twice. This problem is usually solved by hashing the key with a
unique initialization vector (IV) each time it is used, and sending the
IV along with the message.
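The algorithm above as runnable Python, together with the two precautions just described: discarding the first 256 keystream bytes and deriving a fresh key from a per-message IV. This is an added example, not part of XP_CRYPT or its documentation; the SHA-256 derivation, the 16-byte IV, and the sample key and messages are assumptions chosen for illustration.

```python
import hashlib
import os

def rc4_keystream(key, n, drop=0):
    """Return n keystream bytes, after discarding the first `drop` bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(drop + n):  # keystream generation
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out[drop:])

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def rc4(key, data, drop=0):
    """Encrypt or decrypt: both directions are the same XOR."""
    return xor(data, rc4_keystream(key, len(data), drop))

def reuse_leak(key, p1, p2):
    """XOR of two ciphertexts under one key: the keystream cancels out."""
    return xor(rc4(key, p1), rc4(key, p2))

def seal(key, plaintext):
    """Assumed scheme: message key = SHA-256(IV || key), IV sent in front."""
    iv = os.urandom(16)
    msg_key = hashlib.sha256(iv + key).digest()
    return iv + rc4(msg_key, plaintext, drop=256)

def unseal(key, blob):
    iv, body = blob[:16], blob[16:]
    return rc4(hashlib.sha256(iv + key).digest(), body, drop=256)

# Constructed sample key and equal-length messages.
KEY = b"constructed-demo-key"
P1 = b"PAY 0100 TO ALICE"
P2 = b"PAY 9999 TO CAROL"

if __name__ == "__main__":
    print("same key leaks P1^P2:", reuse_leak(KEY, P1, P2) == xor(P1, P2))
    c1, c2 = seal(KEY, P1), seal(KEY, P2)
    print("per-message IV leaks P1^P2:", xor(c1[16:], c2[16:]) == xor(P1, P2))
```

With a reused key, the XOR of the two ciphertexts equals the XOR of the two plaintexts, so no key recovery is needed to learn about the messages. RFC 7465 has since prohibited RC4 cipher suites in TLS, so of the symmetric ciphers on this page AES is the one to choose for new data.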
RSA
RSA is an asymmetric algorithm for public key cryptography. Credit
for its development is given to Ron Rivest, Adi Shamir and Len Adleman,
who described the algorithm in 1977, the letters RSA being the initials
of their surnames.
The security of the RSA system relies on the difficulty of factoring
very large numbers. RSA is widely used in electronic commerce.
It should be noted that Clifford Cocks, a British mathematician working
for GCHQ, developed an equivalent system several years earlier. His
discovery, however, was not revealed until much later due to its
top-secret nature.
The algorithm was patented by MIT in 1983 in the United States of
America. The patent expired in September 2000. Since the algorithm had
been published prior to the patent application, it could not be
patented in other countries.
DSA
DSA is the nationally approved digital signature standard of the USA.
DSA is a public and private key system similar to RSA, but it cannot be
used for encryption. It produces more effective and smaller signatures.
Because the DSA authenticates both the identity of the signer and the
integrity of the signed information, it can be used in a variety of
applications. For example, the DSA could be utilized in an electronic
mail system. After a party generated a message, that party could sign
it using the party's private key. The signed message could then be
sent to a second party. After verifying the received message, the
second party would have confidence that the message was signed by the
first party. The second party would also know that the message was not
altered after the first party signed it.
In legal systems, it is often necessary to affix a time stamp to a
document in order to indicate the date and time at which the document
was executed or became effective. An electronic time stamp could be
affixed to documents in electronic form and then signed using the DSA.
Applying the DSA to the document would protect and verify the integrity
of the document and its time stamp.
DES
Creates a UNIX-compatible DES hash. Equivalent to UNIX crypt(1) and the
Perl crypt() function. Only the first 8 characters are involved in this
hash. This hash is more of historical than practical interest.
SHA1
The Secure Hash Algorithm (SHA), developed by NIST, along with the NSA,
for use with the Digital Signature Standard (DSS) is specified within
the Secure Hash Standard (SHS) [National Institute of Standards and
Technology (NIST). FIPS Publication 180: Secure Hash Standard (SHS).
May 1993.]. SHA-1 [National Institute of Standards and Technology
(NIST). Announcement of Weakness in the Secure Hash Standard. May
1994.] was a revision to SHA that was published in 1994. The revision
corrected an unpublished flaw in SHA.
SHA1 is a cryptographic message digest algorithm developed by Ronald
L. Rivest. The Secure Hash Algorithm takes a message of less than 2^64
bits in length and produces a 160-bit message digest which is designed
so that it should be computationally expensive to find a text which
matches a given hash. That is, if you have a hash for document A, H(A), it
is difficult to find a document B which has the same hash, and even
more difficult to arrange that document.
MD5
An algorithm created in 1991 by Professor Ronald Rivest that is used
to create digital signatures. It is intended for use with 32-bit
machines and is safer than the MD4 algorithm, which has been broken.
MD5 is a one-way hash function, meaning that it takes a message and
converts it into a fixed string of digits, also called a message digest.
When using a one-way hash function, one can compare a calculated
message digest against the message digest that is decrypted with a
public key to verify that the message hasn't been tampered with. This
comparison is called a "hashcheck". MD5 is described in RFC 1321.