There are a number of block ciphers implemented, all with
extremely similar interfaces. However, block ciphers aren't
actually at all pleasant to use directly. They're really
- intended to be used only by higher-level `modes'.
+ intended to be used only by higher-level `modes'.
Anyway, I'll take Bruce Schneier's Blowfish as an example.
A number of constants are defined to describe further properties
of the cipher:
- BLOWFISH_KEYSZ Is zero, to indicate that Blowfish doesn't care
- much about the size of key you give it.
+ BLOWFISH_KEYSZ Is 32, to recommend 256-bit keys with Blowfish.
BLOWFISH_BLKSZ Is 8, because Blowfish works on 64-bit blocks,
which are therefore 8 bytes wide.
BLOWFISH_CLASS Is the triple (N, B, 64). This is explained
below.
+ The constant byte vector blowfish_keysz (lowercase) contains
+ more detailed descriptions of the key size limits. See
+ `keysz.h' for a description of key size tables.
+
The BLOWFISH_CLASS macro contains information useful to other
macros, rather than to direct users of the interface. The three
components are:
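Review bot: BLOWFISH_KEYSZ changes meaning in this hunk, from a zero sentinel ("doesn't care much about the size of key you give it") to a recommended size of 32, and the text does not warn existing callers that a test for zero no longer identifies a cipher that takes any key length. State that the uppercase constant is now only a recommendation and that the actual limits live in the lowercase blowfish_keysz table. Because the two names differ only in case, add a sentence saying which one to use when validating a caller-supplied key length.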
The `type' Simply N if specific macros for handling blocks
of the appropriate width have been written, or X
if the macros should use a loop instead.
-
+
The `endianness'
- Either `B' for big-endian, or L for little-
+ Either `B' for big-endian, or `L' for little-
endian.
-
+
The `width' The cipher's block size in bits.
This simple interface is thoroughly inconvenient for general
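Review bot: Style point on the `endianness' entry: `L' is now quoted to match `B', but the N and X values in the `type' entry just above are still unquoted. Quote them as well so all three components of the class triple are written the same way.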
The peculiarities of the various ciphers are described below.
Blowfish Fairly standard, really. Accepts arbitrary-
- sized keys up to 448 bits. (The original
- definition only specified keys with a multiple
- of 32 bits -- the extension I use is due, I
- think, to Eric Young.) Blowfish is fast and
- looks very secure.
-
- IDEA Requires a 128-bit key. Not very fast. No
- known attacks on the full cipher. Used in
- PGP2. Patented!
+ sized keys up to 448 bits. 64-bit blocks. (The
+ original definition only specified keys with a
+ multiple of 32 bits -- the extension I use is
+ due, I think, to Eric Young.) Blowfish is fast
+ and looks very secure.
+
+ CAST-128 Accepts arbitrary-sized keys up to 128 bits.
+ 64-bit blocks. Uses three slightly different
+ types of rounds, based around 8 x 32 S-boxes
+ constructed from bent functions. Faster than
+ RC2. Looks very strong.
+
+ CAST-256 Accepts arbitrary-sized keys up to 256 bits.
+ 128-bit blocks. Submitted to the AES contest,
+ but didn't make it to the final five. Uses the
+ S-boxes and round functions from CAST-128.
+ Looks strong.
DES Good old reliable. Been around for donkey's
years and still going. Single-DES (implemented
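Review bot: The Blowfish and CAST-128 entries now state "64-bit blocks" but do not say why a reader should care, while CAST-256 is listed with 128-bit blocks as if the difference were cosmetic. Add a sentence noting that the block size bounds how much data a mode can safely process under one key, so the 64-bit ciphers need rekeying much sooner than the 128-bit ones. The verdicts "Looks very strong" and "Looks strong" would also be easier to rely on with a word about what they are based on.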
of key sizes in bytes is: 7, 8, 14, 16, 21 or
24.
- RC5 Arbitrary-sized key. Designed by Ron Rivest.
- Not completely convincing in security. About as
- fast as Blowfish, but with a quicker key
- schedule. Patented, I think.
+ IDEA Requires a 128-bit key. About as fast as DES.
+ No known attacks on the full cipher. Used in
+ PGP2. Patented!
+
+ RC2 Arbitrary-sized key, up to 128 bytes. Used to
+ be a trade secret of RSA Data Security Inc., but
+ leaked. About as fast as DES. Not convincing
+ in terms of security. Has a bizarre
+ `brain-damage' feature which limits the
+ effective key size.
+
+ RC5 Arbitrary-sized key, up to 256 bytes. Designed
+ by Ron Rivest. Not completely convincing in
+ security. Almost as fast as Blowfish, but with
+ a quicker key schedule. Patented!
+
+ Rijndael Accepts keys which are a multiple of 32 bits in
+ size, up to 256 bits. 128-bit block. AES
+ finalist. Fast, may not be strong.
+
+ Serpent Arbitrary-sized keys up to 256 bits. 128-bit
+ block. AES finalist. About the same speed as
+ DES. Very conservative design. Looks very
+ strong.
+
+ Twofish Accepts keys which are a multiple of 32 bits in
+ size, up to 256 bits. 128-bit block. AES
+ finalist. Fast, looks strong.
Block cipher modes
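Review bot: Key-size units are mixed in the added entries: RC2 and RC5 give limits in bytes ("up to 128 bytes", "up to 256 bytes") while Rijndael, Serpent and Twofish use bits ("up to 256 bits"), which is easy to misread as an eightfold difference in the wrong direction. Pick one unit or give both. The RC2 entry should also say how the `brain-damage' effective key size is set and what it defaults to, since it "limits the effective key size" regardless of the key supplied, and "may not be strong" for Rijndael needs a reason or a reference.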
Other ciphers
- There's only one stream cipher implemented at the moment, and
- that's RC4. It was designed by Ron Rivest. It's the fastest
- cipher in Catacomb. It looks fairly strong (although see the
- note about churning the context after keying below). And also
- note that it works in output feedback -- you just XOR the output
- from RC4 with the plaintext. Never reuse an RC4 key!
+ RC4 was designed by Ron Rivest. It's the second fastest cipher
+ in Catacomb. It looks fairly strong (although see the note
+ about churning the context after keying below). And also note
+ that it works in output feedback -- you just XOR the output from
+ RC4 with the plaintext. Never reuse an RC4 key!
RC4 includes an OFB-like interface which should be familiar. It
also includes a pair of strange macros RC4_OPEN and RC4_BYTE.
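Review bot: "It's the second fastest cipher in Catacomb" leaves the reader to work out what the fastest is, and dropping the old opening sentence means the section no longer says what kind of ciphers it covers. Name the faster cipher here (the SEAL paragraph added later says it is "ever-so slightly faster than RC4") and keep a one-line introduction now that there is more than one entry.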
theirs. It doesn't look very secret to me.
+ SEAL was designed by Phil Rogaway and Don Coppersmith. It's
+ ever-so slightly faster than RC4. It's also patented by IBM.
+ See the header for the interface.
+
+
Generic cipher interfaces
It can be convenient to implement routines where the cipher to
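Review bot: "See the header for the interface" in the SEAL paragraph does not name the header, unlike the `keysz.h' reference added earlier in this patch. Name the file, and say whether the warnings given for RC4 (never reuse a key, churn the context after keying) apply to SEAL too, so the entry can be used without reading the source. The two consecutive blank lines added after the paragraph look unintentional.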
c->ops->decrypt(c, s, t, sz) Like encrypt, only it decrypts.
- c->ops->destroy(c) Destroys the cipher object `r'.
+ c->ops->destroy(c) Destroys the cipher object `c'.
c->ops->setiv(c, iv) Sets the IV to be `iv' -- must
be blksz bytes long.
generic cipher class is called simply `rc4'.
---
-[mdw]
+-- [mdw]
\f
Local variables: