19992013 Ericsson AB. All Rights Reserved. The contents of this file are subject to the Erlang Public License, Version 1.1, (the "License"); you may not use this file except in compliance with the License. You should have received a copy of the Erlang Public License along with this software. If not, it can be retrieved online at http://www.erlang.org/. Software distributed under the License is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License for the specific language governing rights and limitations under the License. crypto Peter Högfeldt 2000-06-20 B
crypto Crypto Functions

This module provides a set of cryptographic functions.

References:

md4: The MD4 Message Digest Algorithm (RFC 1320)

md5: The MD5 Message Digest Algorithm (RFC 1321)

sha: Secure Hash Standard (FIPS 180-2)

hmac: Keyed-Hashing for Message Authentication (RFC 2104)

des: Data Encryption Standard (FIPS 46-3)

aes: Advanced Encryption Standard (AES) (FIPS 197)

ecb, cbc, cfb, ofb, ctr: Recommendation for Block Cipher Modes of Operation (NIST SP 800-38A).

rsa: Recommendation for Block Cipher Modes of Operation (NIST 800-38A)

dss: Digital Signature Standard (FIPS 186-2)

srp: Secure Remote Password Protocol (RFC 2945)

The above publications can be found at NIST publications, at IETF.

Types

byte() = 0 ... 255
ioelem() = byte() | binary() | iolist()
iolist() = [ioelem()]
Mpint() = >]]>
    

start() -> ok Start the crypto server.

Starts the crypto server.

stop() -> ok Stop the crypto server.

Stops the crypto server.

info() -> [atom()] Provide a list of available crypto functions.

Provides the available crypto functions in terms of a list of atoms.

algorithms() -> [atom()] Provide a list of available crypto algorithms.

Provides the available crypto algorithms in terms of a list of atoms.

info_lib() -> [{Name,VerNum,VerStr}] Provides information about the libraries used by crypto. Name = binary() VerNum = integer() VerStr = binary()

Provides the name and version of the libraries used by crypto.

Name is the name of the library. VerNum is the numeric version according to the library's own versioning scheme. VerStr contains a text variant of the version.

> info_lib().
[{<<"OpenSSL">>,9469983,<<"OpenSSL 0.9.8a 11 Oct 2005">>}]
        

From OTP R16 the numeric version represents the version of the OpenSSL header files (openssl/opensslv.h) used when crypto was compiled. The text variant represents the OpenSSL library used at runtime. In earlier OTP versions both numeric and text was taken from the library.

md4(Data) -> Digest Compute an MD4message digest from Data Data = iolist() | binary() Digest = binary()

Computes an MD4 message digest from Data, where the length of the digest is 128 bits (16 bytes).

md4_init() -> Context Creates an MD4 context Context = binary()

Creates an MD4 context, to be used in subsequent calls to md4_update/2.

md4_update(Context, Data) -> NewContext Update an MD4 Contextwith Data, and return a NewContext Data = iolist() | binary() Context = NewContext = binary()

Updates an MD4 Context with Data, and returns a NewContext.

md4_final(Context) -> Digest Finish the update of an MD4 Contextand return the computed MD4message digest Context = Digest = binary()

Finishes the update of an MD4 Context and returns the computed MD4 message digest.

md5(Data) -> Digest Compute an MD5message digest from Data Data = iolist() | binary() Digest = binary()

Computes an MD5 message digest from Data, where the length of the digest is 128 bits (16 bytes).

md5_init() -> Context Creates an MD5 context Context = binary()

Creates an MD5 context, to be used in subsequent calls to md5_update/2.

md5_update(Context, Data) -> NewContext Update an MD5 Contextwith Data, and return a NewContext Data = iolist() | binary() Context = NewContext = binary()

Updates an MD5 Context with Data, and returns a NewContext.

md5_final(Context) -> Digest Finish the update of an MD5 Contextand return the computed MD5message digest Context = Digest = binary()

Finishes the update of an MD5 Context and returns the computed MD5 message digest.

sha(Data) -> Digest Compute an SHAmessage digest from Data Data = iolist() | binary() Digest = binary()

Computes an SHA message digest from Data, where the length of the digest is 160 bits (20 bytes).

sha_init() -> Context Create an SHA context Context = binary()

Creates an SHA context, to be used in subsequent calls to sha_update/2.

sha_update(Context, Data) -> NewContext Update an SHA context Data = iolist() | binary() Context = NewContext = binary()

Updates an SHA Context with Data, and returns a NewContext.

sha_final(Context) -> Digest Finish the update of an SHA context Context = Digest = binary()

Finishes the update of an SHA Context and returns the computed SHA message digest.

hash(Type, Data) -> Digest Type = md4 | md5 | ripemd160 | sha | sha224 | sha256 | sha384 | sha512 Data = iodata() Digest = binary()

Computes a message digest of type Type from Data.

May throw exception notsup in case the chosen Type is not supported by the underlying OpenSSL implementation.

hash_init(Type) -> Context Type = md4 | md5 | ripemd160 | sha | sha224 | sha256 | sha384 | sha512

Initializes the context for streaming hash operations. Type determines which digest to use. The returned context should be used as argument to hash_update.

May throw exception notsup in case the chosen Type is not supported by the underlying OpenSSL implementation.

hash_update(Context, Data) -> NewContext Data = iodata()

Updates the digest represented by Context using the given Data. Context must have been generated using hash_init or a previous call to this function. Data can be any length. NewContext must be passed into the next call to hash_update or hash_final.

hash_final(Context) -> Digest Digest = binary()

Finalizes the hash operation referenced by Context returned from a previous call to hash_update. The size of Digest is determined by the type of hash function used to generate it.

md5_mac(Key, Data) -> Mac Compute an MD5 MACmessage authentification code Key = Data = iolist() | binary() Mac = binary()

Computes an MD5 MAC message authentification code from Key and Data, where the the length of the Mac is 128 bits (16 bytes).

md5_mac_96(Key, Data) -> Mac Compute an MD5 MACmessage authentification code Key = Data = iolist() | binary() Mac = binary()

Computes an MD5 MAC message authentification code from Key and Data, where the length of the Mac is 96 bits (12 bytes).

hmac(Type, Key, Data) -> Mac hmac(Type, Key, Data, MacLength) -> Mac Type = md5 | sha | sha224 | sha256 | sha384 | sha512 Key = iodata() Data = iodata() MacLength = integer() Mac = binary()

Computes a HMAC of type Type from Data using Key as the authentication key.

MacLength will limit the size of the resultant Mac.
hmac_init(Type, Key) -> Context Type = md5 | ripemd160 | sha | sha224 | sha256 | sha384 | sha512 Key = iolist() | binary() Context = binary()

Initializes the context for streaming HMAC operations. Type determines which hash function to use in the HMAC operation. Key is the authentication key. The key can be any length.

hmac_update(Context, Data) -> NewContext Context = NewContext = binary() Data = iolist() | binary()

Updates the HMAC represented by Context using the given Data. Context must have been generated using an HMAC init function (such as hmac_init). Data can be any length. NewContext must be passed into the next call to hmac_update.

hmac_final(Context) -> Mac Context = Mac = binary()

Finalizes the HMAC operation referenced by Context. The size of the resultant MAC is determined by the type of hash function used to generate it.

hmac_final_n(Context, HashLen) -> Mac Context = Mac = binary() HashLen = non_neg_integer()

Finalizes the HMAC operation referenced by Context. HashLen must be greater than zero. Mac will be a binary with at most HashLen bytes. Note that if HashLen is greater than the actual number of bytes returned from the underlying hash, the returned hash will have fewer than HashLen bytes.

sha_mac(Key, Data) -> Mac sha_mac(Key, Data, MacLength) -> Mac Compute an MD5 MACmessage authentification code Key = Data = iolist() | binary() Mac = binary() MacLenength = integer() =< 20

Computes an SHA MAC message authentification code from Key and Data, where the default length of the Mac is 160 bits (20 bytes).

sha_mac_96(Key, Data) -> Mac Compute an SHA MACmessage authentification code Key = Data = iolist() | binary() Mac = binary()

Computes an SHA MAC message authentification code from Key and Data, where the length of the Mac is 96 bits (12 bytes).

des_cbc_encrypt(Key, IVec, Text) -> Cipher Encrypt Textaccording to DES in CBC mode Key = Text = iolist() | binary() IVec = Cipher = binary()

Encrypts Text according to DES in CBC mode. Text must be a multiple of 64 bits (8 bytes). Key is the DES key, and IVec is an arbitrary initializing vector. The lengths of Key and IVec must be 64 bits (8 bytes).

des_cbc_decrypt(Key, IVec, Cipher) -> Text Decrypt Cipheraccording to DES in CBC mode Key = Cipher = iolist() | binary() IVec = Text = binary()

Decrypts Cipher according to DES in CBC mode. Key is the DES key, and IVec is an arbitrary initializing vector. Key and IVec must have the same values as those used when encrypting. Cipher must be a multiple of 64 bits (8 bytes). The lengths of Key and IVec must be 64 bits (8 bytes).

des_cbc_ivec(Data) -> IVec Get IVec to be used in next iteration of des_cbc_[ecrypt|decrypt] Data = iolist() | binary() IVec = binary()

Returns the IVec to be used in a next iteration of des_cbc_[encrypt|decrypt]. Data is the encrypted data from the previous iteration step.

des_cfb_encrypt(Key, IVec, Text) -> Cipher Encrypt Textaccording to DES in CFB mode Key = Text = iolist() | binary() IVec = Cipher = binary()

Encrypts Text according to DES in 8-bit CFB mode. Key is the DES key, and IVec is an arbitrary initializing vector. The lengths of Key and IVec must be 64 bits (8 bytes).

des_cfb_decrypt(Key, IVec, Cipher) -> Text Decrypt Cipheraccording to DES in CFB mode Key = Cipher = iolist() | binary() IVec = Text = binary()

Decrypts Cipher according to DES in 8-bit CFB mode. Key is the DES key, and IVec is an arbitrary initializing vector. Key and IVec must have the same values as those used when encrypting. The lengths of Key and IVec must be 64 bits (8 bytes).

des_cfb_ivec(IVec, Data) -> NextIVec Get IVec to be used in next iteration of des_cfb_[ecrypt|decrypt] IVec = iolist() | binary() Data = iolist() | binary() NextIVec = binary()

Returns the IVec to be used in a next iteration of des_cfb_[encrypt|decrypt]. IVec is the vector used in the previous iteration step. Data is the encrypted data from the previous iteration step.

des3_cbc_encrypt(Key1, Key2, Key3, IVec, Text) -> Cipher Encrypt Textaccording to DES3 in CBC mode Key1 =Key2 = Key3 Text = iolist() | binary() IVec = Cipher = binary()

Encrypts Text according to DES3 in CBC mode. Text must be a multiple of 64 bits (8 bytes). Key1, Key2, Key3, are the DES keys, and IVec is an arbitrary initializing vector. The lengths of each of Key1, Key2, Key3 and IVec must be 64 bits (8 bytes).

des3_cbc_decrypt(Key1, Key2, Key3, IVec, Cipher) -> Text Decrypt Cipheraccording to DES3 in CBC mode Key1 = Key2 = Key3 = Cipher = iolist() | binary() IVec = Text = binary()

Decrypts Cipher according to DES3 in CBC mode. Key1, Key2, Key3 are the DES key, and IVec is an arbitrary initializing vector. Key1, Key2, Key3 and IVec must and IVec must have the same values as those used when encrypting. Cipher must be a multiple of 64 bits (8 bytes). The lengths of Key1, Key2, Key3, and IVec must be 64 bits (8 bytes).

des3_cfb_encrypt(Key1, Key2, Key3, IVec, Text) -> Cipher Encrypt Textaccording to DES3 in CFB mode Key1 =Key2 = Key3 Text = iolist() | binary() IVec = Cipher = binary()

Encrypts Text according to DES3 in 8-bit CFB mode. Key1, Key2, Key3, are the DES keys, and IVec is an arbitrary initializing vector. The lengths of each of Key1, Key2, Key3 and IVec must be 64 bits (8 bytes).

May throw exception notsup for old OpenSSL versions (0.9.7) that does not support this encryption mode.

des3_cfb_decrypt(Key1, Key2, Key3, IVec, Cipher) -> Text Decrypt Cipheraccording to DES3 in CFB mode Key1 = Key2 = Key3 = Cipher = iolist() | binary() IVec = Text = binary()

Decrypts Cipher according to DES3 in 8-bit CFB mode. Key1, Key2, Key3 are the DES key, and IVec is an arbitrary initializing vector. Key1, Key2, Key3 and IVec must and IVec must have the same values as those used when encrypting. The lengths of Key1, Key2, Key3, and IVec must be 64 bits (8 bytes).

May throw exception notsup for old OpenSSL versions (0.9.7) that does not support this encryption mode.

des_ecb_encrypt(Key, Text) -> Cipher Encrypt Textaccording to DES in ECB mode Key = Text = iolist() | binary() Cipher = binary()

Encrypts Text according to DES in ECB mode. Key is the DES key. The lengths of Key and Text must be 64 bits (8 bytes).

des_ecb_decrypt(Key, Cipher) -> Text Decrypt Cipheraccording to DES in ECB mode Key = Cipher = iolist() | binary() Text = binary()

Decrypts Cipher according to DES in ECB mode. Key is the DES key. The lengths of Key and Cipher must be 64 bits (8 bytes).

blowfish_ecb_encrypt(Key, Text) -> Cipher Encrypt the first 64 bits of Text using Blowfish in ECB mode Key = Text = iolist() | binary() Cipher = binary()

Encrypts the first 64 bits of Text using Blowfish in ECB mode. Key is the Blowfish key. The length of Text must be at least 64 bits (8 bytes).

blowfish_ecb_decrypt(Key, Text) -> Cipher Decrypt the first 64 bits of Text using Blowfish in ECB mode Key = Text = iolist() | binary() Cipher = binary()

Decrypts the first 64 bits of Text using Blowfish in ECB mode. Key is the Blowfish key. The length of Text must be at least 64 bits (8 bytes).

blowfish_cbc_encrypt(Key, IVec, Text) -> Cipher Encrypt Text using Blowfish in CBC mode Key = Text = iolist() | binary() IVec = Cipher = binary()

Encrypts Text using Blowfish in CBC mode. Key is the Blowfish key, and IVec is an arbitrary initializing vector. The length of IVec must be 64 bits (8 bytes). The length of Text must be a multiple of 64 bits (8 bytes).

blowfish_cbc_decrypt(Key, IVec, Text) -> Cipher Decrypt Text using Blowfish in CBC mode Key = Text = iolist() | binary() IVec = Cipher = binary()

Decrypts Text using Blowfish in CBC mode. Key is the Blowfish key, and IVec is an arbitrary initializing vector. The length of IVec must be 64 bits (8 bytes). The length of Text must be a multiple 64 bits (8 bytes).

blowfish_cfb64_encrypt(Key, IVec, Text) -> Cipher Encrypt Textusing Blowfish in CFB mode with 64 bit feedback Key = Text = iolist() | binary() IVec = Cipher = binary()

Encrypts Text using Blowfish in CFB mode with 64 bit feedback. Key is the Blowfish key, and IVec is an arbitrary initializing vector. The length of IVec must be 64 bits (8 bytes).

blowfish_cfb64_decrypt(Key, IVec, Text) -> Cipher Decrypt Textusing Blowfish in CFB mode with 64 bit feedback Key = Text = iolist() | binary() IVec = Cipher = binary()

Decrypts Text using Blowfish in CFB mode with 64 bit feedback. Key is the Blowfish key, and IVec is an arbitrary initializing vector. The length of IVec must be 64 bits (8 bytes).

blowfish_ofb64_encrypt(Key, IVec, Text) -> Cipher Encrypt Textusing Blowfish in OFB mode with 64 bit feedback Key = Text = iolist() | binary() IVec = Cipher = binary()

Encrypts Text using Blowfish in OFB mode with 64 bit feedback. Key is the Blowfish key, and IVec is an arbitrary initializing vector. The length of IVec must be 64 bits (8 bytes).

aes_cfb_128_encrypt(Key, IVec, Text) -> Cipher Encrypt Textaccording to AES in Cipher Feedback mode Key = Text = iolist() | binary() IVec = Cipher = binary()

Encrypts Text according to AES in Cipher Feedback mode (CFB). Key is the AES key, and IVec is an arbitrary initializing vector. The lengths of Key and IVec must be 128 bits (16 bytes).

aes_cfb_128_decrypt(Key, IVec, Cipher) -> Text Decrypt Cipheraccording to AES in Cipher Feedback mode Key = Cipher = iolist() | binary() IVec = Text = binary()

Decrypts Cipher according to AES in Cipher Feedback Mode (CFB). Key is the AES key, and IVec is an arbitrary initializing vector. Key and IVec must have the same values as those used when encrypting. The lengths of Key and IVec must be 128 bits (16 bytes).

aes_cbc_128_encrypt(Key, IVec, Text) -> Cipher Encrypt Textaccording to AES in Cipher Block Chaining mode Key = Text = iolist() | binary() IVec = Cipher = binary()

Encrypts Text according to AES in Cipher Block Chaining mode (CBC). Text must be a multiple of 128 bits (16 bytes). Key is the AES key, and IVec is an arbitrary initializing vector. The lengths of Key and IVec must be 128 bits (16 bytes).

aes_cbc_128_decrypt(Key, IVec, Cipher) -> Text Decrypt Cipheraccording to AES in Cipher Block Chaining mode Key = Cipher = iolist() | binary() IVec = Text = binary()

Decrypts Cipher according to AES in Cipher Block Chaining mode (CBC). Key is the AES key, and IVec is an arbitrary initializing vector. Key and IVec must have the same values as those used when encrypting. Cipher must be a multiple of 128 bits (16 bytes). The lengths of Key and IVec must be 128 bits (16 bytes).

aes_cbc_ivec(Data) -> IVec Get IVec to be used in next iteration of aes_cbc_*_[ecrypt|decrypt] Data = iolist() | binary() IVec = binary()

Returns the IVec to be used in a next iteration of aes_cbc_*_[encrypt|decrypt]. Data is the encrypted data from the previous iteration step.

aes_ctr_encrypt(Key, IVec, Text) -> Cipher Encrypt Textaccording to AES in Counter mode Key = Text = iolist() | binary() IVec = Cipher = binary()

Encrypts Text according to AES in Counter mode (CTR). Text can be any number of bytes. Key is the AES key and must be either 128, 192 or 256 bits long. IVec is an arbitrary initializing vector of 128 bits (16 bytes).

aes_ctr_decrypt(Key, IVec, Cipher) -> Text Decrypt Cipheraccording to AES in Counter mode Key = Cipher = iolist() | binary() IVec = Text = binary()

Decrypts Cipher according to AES in Counter mode (CTR). Cipher can be any number of bytes. Key is the AES key and must be either 128, 192 or 256 bits long. IVec is an arbitrary initializing vector of 128 bits (16 bytes).

aes_ctr_stream_init(Key, IVec) -> State State = { K, I, E, C } Key = K = iolist() IVec = I = E = binary() C = integer()

Initializes the state for use in streaming AES encryption using Counter mode (CTR). Key is the AES key and must be either 128, 192, or 256 bts long. IVec is an arbitrary initializing vector of 128 bits (16 bytes). This state is for use with aes_ctr_stream_encrypt and aes_ctr_stream_decrypt.

aes_ctr_stream_encrypt(State, Text) -> { NewState, Cipher} Text = iolist() | binary() Cipher = binary()

Encrypts Text according to AES in Counter mode (CTR). This function can be used to encrypt a stream of text using a series of calls instead of requiring all text to be in memory. Text can be any number of bytes. State is initialized using aes_ctr_stream_init. NewState is the new streaming encryption state that must be passed to the next call to aes_ctr_stream_encrypt. Cipher is the encrypted cipher text.

aes_ctr_stream_decrypt(State, Cipher) -> { NewState, Text } Cipher = iolist() | binary() Text = binary()

Decrypts Cipher according to AES in Counter mode (CTR). This function can be used to decrypt a stream of ciphertext using a series of calls instead of requiring all ciphertext to be in memory. Cipher can be any number of bytes. State is initialized using aes_ctr_stream_init. NewState is the new streaming encryption state that must be passed to the next call to aes_ctr_stream_encrypt. Text is the decrypted data.

erlint(Mpint) -> N mpint(N) -> Mpint Convert between binary multi-precision integer and erlang big integer Mpint = binary() N = integer()

Convert a binary multi-precision integer Mpint to and from an erlang big integer. A multi-precision integer is a binary with the following form: >]]> where both ByteLen and Bytes are big-endian. Mpints are used in some of the functions in crypto and are not translated in the API for performance reasons.

rand_bytes(N) -> binary() Generate a binary of random bytes N = integer()

Generates N bytes randomly uniform 0..255, and returns the result in a binary. Uses the crypto library pseudo-random number generator.

strong_rand_bytes(N) -> binary() Generate a binary of random bytes N = integer()

Generates N bytes randomly uniform 0..255, and returns the result in a binary. Uses a cryptographically secure prng seeded and periodically mixed with operating system provided entropy. By default this is the RAND_bytes method from OpenSSL.

May throw exception low_entropy in case the random generator failed due to lack of secure "randomness".

rand_uniform(Lo, Hi) -> N Generate a random number Lo, Hi, N = Mpint | integer() Mpint = binary()

Generate a random number Uses the crypto library pseudo-random number generator. The arguments (and result) can be either erlang integers or binary multi-precision integers. Hi must be larger than Lo.

strong_rand_mpint(N, Top, Bottom) -> Mpint Generate an N bit random number N = non_neg_integer() Top = -1 | 0 | 1 Bottom = 0 | 1 Mpint = binary()

Generate an N bit random number using OpenSSL's cryptographically strong pseudo random number generator BN_rand.

The parameter Top places constraints on the most significant bits of the generated number. If Top is 1, then the two most significant bits will be set to 1, if Top is 0, the most significant bit will be 1, and if Top is -1 then no constraints are applied and thus the generated number may be less than N bits long.

If Bottom is 1, then the generated number is constrained to be odd.

May throw exception low_entropy in case the random generator failed due to lack of secure "randomness".

mod_exp(N, P, M) -> Result Perform N ^ P mod M N, P, M, Result = Mpint Mpint = binary()

This function performs the exponentiation N ^ P mod M, using the crypto library.

mod_exp_prime(N, P, M) -> Result Computes the function: N^P mod M N, P, M = binary() Result = binary() | error

Computes the function N^P mod M.

rsa_sign(DataOrDigest, Key) -> Signature rsa_sign(DigestType, DataOrDigest, Key) -> Signature Sign the data using rsa with the given key. DataOrDigest = Data | {digest,Digest} Data = Mpint Digest = binary() Key = [E, N, D] | [E, N, D, P1, P2, E1, E2, C] E, N, D = Mpint Where E is the public exponent, N is public modulus and D is the private exponent. P1, P2, E1, E2, C = Mpint The longer key format contains redundant information that will make the calculation faster. P1,P2 are first and second prime factors. E1,E2 are first and second exponents. C is the CRT coefficient. Terminology is taken from RFC 3447. DigestType = md5 | sha | sha224 | sha256 | sha384 | sha512 The default DigestType is sha. Mpint = binary() Signature = binary()

Creates a RSA signature with the private key Key of a digest. The digest is either calculated as a DigestType digest of Data or a precalculated binary Digest.

rsa_verify(DataOrDigest, Signature, Key) -> Verified rsa_verify(DigestType, DataOrDigest, Signature, Key) -> Verified Verify the digest and signature using rsa with given public key. Verified = boolean() DataOrDigest = Data | {digest|Digest} Data, Signature = Mpint Digest = binary() Key = [E, N] E, N = Mpint Where E is the public exponent and N is public modulus. DigestType = md5 | sha | sha224 | sha256 | sha384 | sha512 The default DigestType is sha. Mpint = binary()

Verifies that a digest matches the RSA signature using the signer's public key Key. The digest is either calculated as a DigestType digest of Data or a precalculated binary Digest.

May throw exception notsup in case the chosen DigestType is not supported by the underlying OpenSSL implementation.

rsa_public_encrypt(PlainText, PublicKey, Padding) -> ChipherText Encrypts Msg using the public Key. PlainText = binary() PublicKey = [E, N] E, N = Mpint Where E is the public exponent and N is public modulus. Padding = rsa_pkcs1_padding | rsa_pkcs1_oaep_padding | rsa_no_padding ChipherText = binary()

Encrypts the PlainText (usually a session key) using the PublicKey and returns the cipher. The Padding decides what padding mode is used, rsa_pkcs1_padding is PKCS #1 v1.5 currently the most used mode and rsa_pkcs1_oaep_padding is EME-OAEP as defined in PKCS #1 v2.0 with SHA-1, MGF1 and an empty encoding parameter. This mode is recommended for all new applications. The size of the Msg must be less than byte_size(N)-11 if rsa_pkcs1_padding is used, byte_size(N)-41 if rsa_pkcs1_oaep_padding is used and byte_size(N) if rsa_no_padding is used. Where byte_size(N) is the size part of an Mpint-1.

rsa_private_decrypt(ChipherText, PrivateKey, Padding) -> PlainText Decrypts ChipherText using the private Key. ChipherText = binary() PrivateKey = [E, N, D] | [E, N, D, P1, P2, E1, E2, C] E, N, D = Mpint Where E is the public exponent, N is public modulus and D is the private exponent. P1, P2, E1, E2, C = Mpint The longer key format contains redundant information that will make the calculation faster. P1,P2 are first and second prime factors. E1,E2 are first and second exponents. C is the CRT coefficient. Terminology is taken from RFC 3447. Padding = rsa_pkcs1_padding | rsa_pkcs1_oaep_padding | rsa_no_padding PlainText = binary()

Decrypts the ChipherText (usually a session key encrypted with rsa_public_encrypt/3) using the PrivateKey and returns the message. The Padding is the padding mode that was used to encrypt the data, see rsa_public_encrypt/3.

rsa_private_encrypt(PlainText, PrivateKey, Padding) -> ChipherText Encrypts Msg using the private Key. PlainText = binary() PrivateKey = [E, N, D] | [E, N, D, P1, P2, E1, E2, C] E, N, D = Mpint Where E is the public exponent, N is public modulus and D is the private exponent. P1, P2, E1, E2, C = Mpint The longer key format contains redundant information that will make the calculation faster. P1,P2 are first and second prime factors. E1,E2 are first and second exponents. C is the CRT coefficient. Terminology is taken from RFC 3447. Padding = rsa_pkcs1_padding | rsa_no_padding ChipherText = binary()

Encrypts the PlainText using the PrivateKey and returns the cipher. The Padding decides what padding mode is used, rsa_pkcs1_padding is PKCS #1 v1.5 currently the most used mode. The size of the Msg must be less than byte_size(N)-11 if rsa_pkcs1_padding is used, and byte_size(N) if rsa_no_padding is used. Where byte_size(N) is the size part of an Mpint-1.

rsa_public_decrypt(ChipherText, PublicKey, Padding) -> PlainText Decrypts ChipherText using the public Key. ChipherText = binary() PublicKey = [E, N] E, N = Mpint Where E is the public exponent and N is public modulus Padding = rsa_pkcs1_padding | rsa_no_padding PlainText = binary()

Decrypts the ChipherText (encrypted with rsa_private_encrypt/3) using the PrivateKey and returns the message. The Padding is the padding mode that was used to encrypt the data, see rsa_private_encrypt/3.

dss_sign(DataOrDigest, Key) -> Signature dss_sign(DigestType, DataOrDigest, Key) -> Signature Sign the data using dsa with given private key. DigestType = sha DataOrDigest = Mpint | {digest,Digest} Key = [P, Q, G, X] P, Q, G, X = Mpint Where P, Q and G are the dss parameters and X is the private key. Digest = binary() with length 20 bytes Signature = binary()

Creates a DSS signature with the private key Key of a digest. The digest is either calculated as a SHA1 digest of Data or a precalculated binary Digest.

A deprecated feature is having DigestType = 'none' in which case DataOrDigest is a precalculated SHA1 digest.

dss_verify(DataOrDigest, Signature, Key) -> Verified dss_verify(DigestType, DataOrDigest, Signature, Key) -> Verified Verify the data and signature using dsa with given public key. Verified = boolean() DigestType = sha DataOrDigest = Mpint | {digest,Digest} Data = Mpint | ShaDigest Signature = Mpint Key = [P, Q, G, Y] P, Q, G, Y = Mpint Where P, Q and G are the dss parameters and Y is the public key. Digest = binary() with length 20 bytes

Verifies that a digest matches the DSS signature using the public key Key. The digest is either calculated as a SHA1 digest of Data or is a precalculated binary Digest.

A deprecated feature is having DigestType = 'none' in which case DataOrDigest is a precalculated SHA1 digest binary.

rc2_cbc_encrypt(Key, IVec, Text) -> Cipher Encrypt Textaccording to RC2 in CBC mode Key = Text = iolist() | binary() Ivec = Cipher = binary()

Encrypts Text according to RC2 in CBC mode.

rc2_cbc_decrypt(Key, IVec, Cipher) -> Text Decrypts Cipheraccording to RC2 in CBC mode Key = Text = iolist() | binary() Ivec = Cipher = binary()

Decrypts Cipher according to RC2 in CBC mode.

rc4_encrypt(Key, Data) -> Result Encrypt data using RC4 Key, Data = iolist() | binary() Result = binary()

Encrypts the data with RC4 symmetric stream encryption. Since it is symmetric, the same function is used for decryption.

dh_generate_key(DHParams) -> {PublicKey,PrivateKey} dh_generate_key(PrivateKey, DHParams) -> {PublicKey,PrivateKey} Generates a Diffie-Hellman public key DHParameters = [P, G] P, G = Mpint Where P is the shared prime number and G is the shared generator. PublicKey, PrivateKey = Mpint()

Generates a Diffie-Hellman PublicKey and PrivateKey (if not given).

dh_compute_key(OthersPublicKey, MyPrivateKey, DHParams) -> SharedSecret Computes the shared secret DHParameters = [P, G] P, G = Mpint Where P is the shared prime number and G is the shared generator. OthersPublicKey, MyPrivateKey = Mpint() SharedSecret = binary()

Computes the shared secret from the private key and the other party's public key.

srp_generate_key(Generator, Prime, Version) -> {PublicKey, PrivateKey} srp_generate_key(Generator, Prime, Version, Private) -> {PublicKey, PrivateKey} srp_generate_key(Verifier, Generator, Prime, Version) -> {PublicKey, PrivateKey} srp_generate_key(Verifier, Generator, Prime, Version, Private) -> {PublicKey, PrivateKey} Generates SRP public keys Verifier = binary() Parameter v from SRP design Generator = binary() Parameter g from SRP design Prime = binary() Parameter N from SRP design Version = '3' | '6' | '6a' SRP version, TLS SRP cipher suites uses '6a'. PublicKey = binary() Parameter A or B from SRP design PrivateKey = binary() - generated if not supplied Parameter a or b from SRP design

Generates SRP public keys

srp_compute_key(DerivedKey, Prime, Generator, ClientPublic, ClientPrivate, ServerPublic, Version) -> SessionKey srp_compute_key(DerivedKey, Prime, Generator, ClientPublic, ClientPrivate, ServerPublic, Version, Scrambler) -> SessionKey srp_compute_key(Verifier, Prime, ClientPublic, ServerPublic, ServerPrivate, Version, Scrambler)-> SessionKey srp_compute_key(Verifier, Prime, ClientPublic, ServerPublic, ServerPrivate, Version) -> SessionKey Computes SRP session key DerivedKey = binary() Parameter x from SRP design Verifier = binary() Parameter v from SRP design Prime = binary() Parameter N from SRP design Generator = binary() Parameter g from SRP design ClientPublic = binary() Parameter A from SRP design ClientPrivate = binary() Parameter a from SRP design ServerPublic = binary() Parameter B from SRP design ServerPrivate = binary() Parameter b from SRP design Version = '3' | '6' | '6a' SRP version, TLS SRP cipher suites uses '6a'. SessionKey = binary() Result K from SRP design

Computes the SRP session key (shared secret). Also used as premaster secret by TLS-SRP ciher suites.

exor(Data1, Data2) -> Result XOR data Data1, Data2 = iolist() | binary() Result = binary()

Performs bit-wise XOR (exclusive or) on the data supplied.

DES in CBC mode

The Data Encryption Standard (DES) defines an algorithm for encrypting and decrypting an 8 byte quantity using an 8 byte key (actually only 56 bits of the key is used).

When it comes to encrypting and decrypting blocks that are multiples of 8 bytes various modes are defined (NIST SP 800-38A). One of those modes is the Cipher Block Chaining (CBC) mode, where the encryption of an 8 byte segment depend not only of the contents of the segment itself, but also on the result of encrypting the previous segment: the encryption of the previous segment becomes the initializing vector of the encryption of the current segment.

Thus the encryption of every segment depends on the encryption key (which is secret) and the encryption of the previous segment, except the first segment which has to be provided with an initial initializing vector. That vector could be chosen at random, or be a counter of some kind. It does not have to be secret.

The following example is drawn from the old FIPS 81 standard (replaced by NIST SP 800-38A), where both the plain text and the resulting cipher text is settled. The following code fragment returns `true'.

>,
      IVec = <<16#12,16#34,16#56,16#78,16#90,16#ab,16#cd,16#ef>>,
      P = "Now is the time for all ",
      C = crypto:des_cbc_encrypt(Key, IVec, P),
         % Which is the same as 
      P1 = "Now is t", P2 = "he time ", P3 = "for all ",
      C1 = crypto:des_cbc_encrypt(Key, IVec, P1),
      C2 = crypto:des_cbc_encrypt(Key, C1, P2),
      C3 = crypto:des_cbc_encrypt(Key, C2, P3),

      C = <>,
      C = <<16#e5,16#c7,16#cd,16#de,16#87,16#2b,16#f2,16#7c,
             16#43,16#e9,16#34,16#00,16#8c,16#38,16#9c,16#0f,
             16#68,16#37,16#88,16#49,16#9a,16#7c,16#05,16#f6>>,
      <<"Now is the time for all ">> == 
                        crypto:des_cbc_decrypt(Key, IVec, C).
    ]]>

The following is true for the DES CBC mode. For all decompositions P1 ++ P2 = P of a plain text message P (where the length of all quantities are multiples of 8 bytes), the encryption C of P is equal to C1 ++ C2, where C1 is obtained by encrypting P1 with Key and the initializing vector IVec, and where C2 is obtained by encrypting P2 with Key and the initializing vector last8(C1), where last(Binary) denotes the last 8 bytes of the binary Binary.

Similarly, for all decompositions C1 ++ C2 = C of a cipher text message C (where the length of all quantities are multiples of 8 bytes), the decryption P of C is equal to P1 ++ P2, where P1 is obtained by decrypting C1 with Key and the initializing vector IVec, and where P2 is obtained by decrypting C2 with Key and the initializing vector last8(C1), where last8(Binary) is as above.

For DES3 (which uses three 64 bit keys) the situation is the same.