[svn] gcry - r1315 - in trunk: . doc
svn author wk
cvs at cvs.gnupg.org
Fri Sep 5 20:06:09 CEST 2008
Author: wk
Date: 2008-09-05 20:06:09 +0200 (Fri, 05 Sep 2008)
New Revision: 1315
Modified:
trunk/README
trunk/doc/gcrypt.texi
Log:
Updated the architecture chapter
Modified: trunk/README
===================================================================
--- trunk/README 2008-09-05 16:00:51 UTC (rev 1314)
+++ trunk/README 2008-09-05 18:06:09 UTC (rev 1315)
@@ -176,9 +176,9 @@
The library is distributed under the terms of the GNU Lesser
General Public License (LGPL); see the file COPYING.LIB for the
- actual terms. The helper programs (gcryptrnd and getrandom) as
- well as the documentation are distributed under the terms of the
- GNU General Public License (GPL); see the file COPYING for teh
+ actual terms. The helper programs (e.g. gcryptrnd and getrandom)
+ as well as the documentation are distributed under the terms of
+ the GNU General Public License (GPL); see the file COPYING for the
actual terms.
This library used to be available under the GPL - this was changed
Modified: trunk/doc/gcrypt.texi
===================================================================
--- trunk/doc/gcrypt.texi 2008-09-05 16:00:51 UTC (rev 1314)
+++ trunk/doc/gcrypt.texi 2008-09-05 18:06:09 UTC (rev 1315)
@@ -772,7 +772,12 @@
application switch the library into FIPS mode. Note that Libgcrypt will
reject an attempt to switch to fips mode during or after the intialization.
+ at item GCRYCTL_SELFTEST; Arguments: none
+This may be used at anytime to have the library run all implemented
+selftests. It works in standard and in FIPS mode. Returns 0 on
+success or an error code.
+
@end table
@end deftypefun
@@ -4033,14 +4038,7 @@
Public key cryptography is based on mathematics with large numbers. To
implement the public key functions, a library for handling these large
numbers is required. Because of the general usefulness of such a
-library, its interface is exposed by Libgcrypt. The implementation is
-based on an old release of GNU Multi-Precision Library (GMP) but in the
-meantime heavily modified and stripped down to what is required for
-cryptography. For a lot of CPUs, high performance assembler
-implementations of some very low level functions are used to gain much
-better performance than with the standard C implementation.
-
- at noindent
+library, its interface is exposed by Libgcrypt.
In the context of Libgcrypt and in most other applications, these large
numbers are called MPIs (multi-precision-integers).
@@ -4508,7 +4506,7 @@
Provisions have been take so that the library can be directly used from
C++ applications; however building with a C++ compiler is not supported.
-Building libgcrypt is done by using the common @code{./configure && make}
+Building Libgcrypt is done by using the common @code{./configure && make}
approach. The configure command is included in the source distribution
and as a portable shell script it works on any Unix-alike system. The
result of running the configure script are a C header file
@@ -4539,18 +4537,18 @@
all these subsystems provide a public API; this includes the helper
subsystems like the one for S-expression. The API style depends on the
subsystem; in general an open, use, close approach is implemented. The
-open returns a handle to a context used for all futher operations on
+open returns a handle to a context used for all further operations on
this handle, several functions may then be used on this handle and a
final close function releases all resources associated with the handle.
@menu
-* Public-Key Subsystem Architecture:: All about public keys.
-* Symmetric Encryption Subsystem Architecture:: All about standard ciphers.
-* Hashing and MACing Subsystem Architecture:: All about hashing.
-* Multi-Precision-Integer Subsystem Architecture:: All about big integers.
-* Prime-Number-Generator Subsystem Architecture:: All about prime numbers.
-* Random-Number Subsystem Architecture:: All about random stuff.
-* Helper Subsystems Architecture:: All about other stuff.
+* Public-Key Subsystem Architecture:: About public keys.
+* Symmetric Encryption Subsystem Architecture:: About standard ciphers.
+* Hashing and MACing Subsystem Architecture:: About hashing.
+* Multi-Precision-Integer Subsystem Architecture:: About big integers.
+* Prime-Number-Generator Subsystem Architecture:: About prime numbers.
+* Random-Number Subsystem Architecture:: About random stuff.
+ at c * Helper Subsystems Architecture:: About other stuff.
@end menu
@@ -4558,68 +4556,424 @@
@node Public-Key Subsystem Architecture
@section Public-Key Architecture
-TBD.
+Libgcrypt implements two interfaces for public key cryptography: The
+standard interface is PK interface using functions in the
+ at code{gcry_pk_} name space. The AC interface in an alternative one
+which is now deprecated and will not be further described. The AC
+interface is also disabled in FIPS mode.
+Because public key cryptography is almost always used to process small
+amounts of data (hash values or session keys), the interface is not
+implemented using the open-use-close paradigm, but with single
+self-contained functions. Due to the wide variety of parameters
+required by different algorithms S-expressions, as flexible way to
+convey these parameters, are used. There is a set of helper functions
+to work with these S-expressions.
+ at c see @xref{S-expression Subsystem Architecture}.
+
+Aside of functions to register new algorithms, map algorithms names to
+algorithms identifiers and to lookup properties of a key, the
+following main functions are available:
+
+ at table @code
+
+ at item gcry_pk_encrypt
+Encrypt data using a public key.
+
+ at item gcry_pk_decrypt
+Decrypt data using a private key.
+
+ at item gcry_pk_sign
+Sign data using a private key.
+
+ at item gcry_pk_verify
+Verify that a signature matches the data.
+
+ at item gcry_pk_testkey
+Perform a consistency over a public or private key.
+
+ at item gcry_pk_genkey
+Create a new public/private key pair.
+
+ at end table
+
+With the help of the module registration system all these functions
+lookup the module implementing the algorithm and pass the actual work
+to that module. The parsing of the S-expression input and the
+construction of S-expression for the return values is done by the high
+level code (@file{cipher/pubkey.c}). Thus the internal interface
+between the algorithm modules and the high level functions passes data
+in a custom format. The interface to the modules is published
+(@file{gcrypt-modules.h}) so that it can used to register external
+implementations of algorithms with Libgcrypt. However, for some algorithms this
+module interface is to limited and thus for the internal modules an
+extra interface is sometimes used to convey more information.
+
+
@node Symmetric Encryption Subsystem Architecture
- at section Symmetric Encryption Subsystem Architecturen
+ at section Symmetric Encryption Subsystem Architecture
-TBD.
+The interface to work with symmetric encryption algorithms is made up
+of functions from the @code{gcry_cipher_} name space. The
+implementation follows the open-use-close paradigm and uses registered
+algorithm modules for the actual work. Unless a module implements
+optimized cipher mode implementations, the high level code
+(@file{cipher/cipher.c}) implements the modes and calls the core
+algorithm functions to process each block.
+The most important functions are:
+
+ at table @code
+
+ at item gcry_cipher_open
+Create a new instance to encrypt or decrypt using a specified
+algorithm and mode.
+
+ at item gcry_cipher_close
+Release an instance.
+
+ at item gcry_cipher_setkey
+Set a key to be used for encryption or decryption.
+
+ at item gcry_cipher_setiv
+Set an initialization vector to be used for encryption or decryption.
+
+ at item gcry_cipher_encrypt
+ at itemx gcry_cipher_decrypt
+Encrypt or decrypt data. These functions may be called with arbitrary
+amounts of data and as often as needed to encrypt or decrypt all data.
+
+ at end table
+
+There are also functions to query properties of algorithms or context,
+like block length, key length, map names or to enable features like
+padding methods.
+
+
+
@node Hashing and MACing Subsystem Architecture
@section Hashing and MACing Subsystem Architecture
-TBD.
+The interface to work with message digests and CRC algorithms is made
+up of functions from the @code{gcry_md_} name space. The
+implementation follows the open-use-close paradigm and uses registered
+algorithm modules for the actual work. Although CRC algorithms are
+not considered cryptographic hash algorithms, they share enough
+properties so that it makes sense to handle them in the same way.
+It is possible to use several algorithms at once with one context and
+thus compute them all on the same data.
+The most important functions are:
+ at table @code
+ at item gcry_md_open
+Create a new message digest instance and optionally enable one
+algorithm. A flag may be used to turn the message digest algorithm
+into a HMAC algorithm.
+
+ at item gcry_md_enable
+Enable an additional algorithm for the instance.
+
+ at item gcry_md_setkey
+Set the key for the MAC.
+
+ at item gcry_md_write
+Pass more data for computing the message digest to an instance.
+
+ at item gcry_md_putc
+Buffered version of @code{gcry_md_write} implemented as a macro.
+
+ at item gcry_md_read
+Finalize the computation of the message digest or HMAC and return the
+result.
+
+ at item gcry_md_close
+Release an instance
+
+ at item gcry_md_hash_buffer
+Convenience function to directly compute a message digest over a
+memory buffer without the need to create an instance first.
+
+ at end table
+
+There are also functions to query properties of algorithms or the
+instance, like enabled algorithms, digest length, map algorithm names.
+it is also possible to reset an instance or to copy the current state
+of an instance at any time. Debug functions to write the hashed data
+to files are available as well.
+
+
+
@node Multi-Precision-Integer Subsystem Architecture
@section Multi-Precision-Integer Subsystem Architecture
-TBD.
+The implementation of Libgcrypt's big integer computation code is
+based on an old release of GNU Multi-Precision Library (GMP). The
+decision not to use the GMP library directly was due to stalled
+development at that time and due to security requirements which could
+not be provided by the code in GMP. As GMP does, Libgcrypt provides
+high performance assembler implementations of low level code for
+several CPUS to gain much better performance than with a generic C
+implementation.
+ at noindent
+Major features of Libgcrypt's multi-precision-integer code compared to
+GMP are:
+
+ at itemize
+ at item
+Avoidance of stack based allocations to allow protection against
+swapping out of sensitive data and for easy zeroing of sensitive
+intermediate results.
+
+ at item
+Optional use of secure memory and tracking of its use so that results
+are also put into secure memory.
+
+ at item
+MPIs are identified by a handle (implemented as a pointer) to give
+better control over allocations and to augment them with extra
+properties like opaque data.
+
+ at item
+Removal of unnecessary code to reduce complexity.
+
+ at item
+Functions specialized for public key cryptography.
+
+ at end itemize
+
+
+
@node Prime-Number-Generator Subsystem Architecture
@section Prime-Number-Generator Subsystem Architecture
-TBD.
+Libgcrypt provides an interface to its prime number generator. These
+functions make use of the internal prime number generator which is
+required for the generation for public key key pairs. The plain prime
+checking function is exported as well.
+The generation of random prime numbers is based on the Lim and Lee
+algorithm to create practically save primes. at footnote{Chae Hoon Lim
+and Pil Joong Lee. A key recovery attack on discrete log-based shemes
+using a prime order subgroup. In Burton S. Kaliski Jr., editor,
+Advances in Cryptology: Crypto '97, pages 249-263, Berlin /
+Heidelberg / New York, 1997. Springer-Verlag. Described on page 260.}
+This algorithm creates a pool of smaller primes, select a few of them
+to create candidate primes of the form @math{2 * p_0 * p_1 * ... * p_n
++ 1}, tests the candidate for primality and permutates the pool until
+a prime has been found. It is possible to clamp one of the small
+primes to a certain size to help DSA style algorithms. Because most
+of the small primes in the pool are not used for the resulting prime
+number, they are saved for later use (see @code{save_pool_prime} and
+ at code{get_pool_prime} in @file{cipher/primegen.c}). The prime
+generator optionally supports the finding of an appropriate generator.
+
+ at noindent
+The primality test works in three steps:
+
+ at enumerate
+ at item
+The standard sieve algorithm using the primes up to 4999 is used as a
+quick first check.
+
+ at item
+A Fermat test filters out almost all non-primes.
+
+ at item
+A 5 round Rabin-Miller test is finally used. The first round uses a
+witness of 2, whereas the next rounds use a random witness.
+
+ at end enumerate
+
@node Random-Number Subsystem Architecture
@section Random-Number Subsystem Architecture
-TBD.
+Libgcrypt provides 3 levels or random quality: The level
+ at code{GCRY_VERY_STRONG_RANDOM} usually used for key generation, the
+level @code{GCRY_STRONG_RANDOM} for all other strong random
+requirements and the function @code{gcry_create_nonce} which is used
+for weaker usages like nonces. There is also a level
+ at code{GCRY_WEAK_RANDOM} which in general maps to
+ at code{GCRY_STRONG_RANDOM} except when used with the function
+ at code{gcry_mpi_randomize}, where it randomizes an
+multi-precision-integer using the @code{gcry_create_nonce} function.
+ at noindent
+There are two distinct random generators available:
- at node Helper Subsystems Architecture
- at section Helper Subsystems Architecture
+ at itemize
+ at item
+The Continuously Seeded Pseudo Random Number Generator (CSPRNG), which
+is based on the classic GnuPG derived big pool implementation.
+Implemented in @code{random/random-csprng.c} and used by default.
+ at item
+A FIPS approved ANSI X9.31 PRNG using AES with a 128 bit key. Implemented in
+ at code{random/random-fips.c} and used if Libgcrypt is in FIPS mode.
+ at end itemize
-There are a few smaller subsystems which are mainly used internally by
-Libgcrypt but also available to applications.
+ at noindent
+Both generators make use of so-called entropy gathering modules:
+ at table @asis
+ at item rndlinux
+Uses the operating system provided
+ at file{/dev/random} and @file{/dev/urandom} devices.
+
+ at item rndunix
+Runs several operating system commands to collect entropy from sources
+like virtual machine and process statistics. It is a kind of
+poor-man's @code{/dev/random} implementation. It is not available in
+FIPS mode.
+
+ at item rndegd
+Uses the operating system provided Entropy Gathering Daemon (EGD).
+The EGD basically uses the same algorithms as rndunix does. However
+as a system daemon it keeps on running and thus can serve several
+processes requiring entropy input and does not waste collected entropy
+if the application does not need all the collected entropy. It is not
+available in FIPS mode.
+
+ at item rndw32
+Targeted for the Microsoft Windows OS. It uses certain properties of
+that system and is the only gathering module available for that OS.
+
+ at item rndhw
+Extra module to collect additional entropy by utilizing a hardware
+random number generator. As of now the only supported hardware RNG is
+the Padlock engine of VIA (Centaur) CPUs. It is not available in FIPS
+mode.
+
+ at end table
+
+
@menu
-* S-expression Subsystem Architecture:: Details about the S-expression architecture.
-* Memory Subsystem Architecture:: Details about the memory allocation architecture.
-* Miscellaneous Subsystems Architecture:: Details about other subsystems.
+* CSPRNG Description:: Description of the CSPRNG.
+* FIPS PRNG Description:: Description of the FIPS X9.31 PRNG.
@end menu
- at node S-expression Subsystem Architecture
- at subsection S-expression Subsystem Architecture
-TBD.
+ at node CSPRNG Description
+ at subsection Description of the CSPRNG
+This random number generator is loosely modelled after the one
+described in Peter Gutmann's paper: "Software Generation of
+Practically Strong Random Numbers". at footnote{Also described in chapter
+6 of his book "Cryptographic Security Architecture", New York, 2004,
+ISBN 0-387-95387-6.}
- at node Memory Subsystem Architecture
- at subsection Memory Subsystem Architecture
+A pool of 600 bytes is used and mixed using the core RIPE-MD160 hash
+transform function. Several extra features are used to make the
+robust against a wide variety of attacks and to protect against
+failures of subsystems. The state of the generator may be saved to a
+file and initially seed form a file.
-TBD.
+Depending on how Libgcrypt was build the generator is able to select
+the best working entropy gathering module. It makes use of the slow
+and fast collection methods and requires the pool to initially seeded
+form the slow gatherer or a seed file. An entropy estimation is used
+to mix in enough data from the gather modules before returning the
+actual random output. Process fork detection and protection is
+implemented.
+ at c FIXME: The design and implementaion needs a more verbose description.
- at node Miscellaneous Subsystems Architecture
- at subsection Miscellaneous Subsystems Architecture
+The implementation of the nonce generator (for
+ at code{gcry_create_nonce}) is a straightforward repeated hash design: A
+28 byte buffer is initially seeded with the PID and the time in
+seconds in the first 20 bytes and with 8 bytes of random taken from
+the @code{GCRY_STRONG_RANDOM} generator. Random numbers are then
+created by hashing all the 28 bytes with SHA-1 and saving that again
+in the first 20 bytes. The hash is also returned as result.
-TBD.
+ at node FIPS PRNG Description
+ at subsection Description of the FIPS X9.31 PRNG
+The core of this deterministic random number generator is implemented
+according to the document ``NIST-Recommended Random Number Generator
+Based on ANSI X9.31 Appendix A.2.4 Using the 3-Key Triple DES and AES
+Algorithms'', dated 2005-01-31. This implementation uses the AES
+variant.
+The generator is based on contexts to utilize the same core functions
+for all random levels as required by the high-level interface. All
+random generators return their data in 128 bit blocks. If the caller
+requests less bits, the extra bits are not used. The key for each
+generator is only set once at the first time a generator context is
+used. The seed value is set along with the key and again after 1000
+output blocks.
+On Unix like systems the @code{GCRY_VERY_STRONG_RANDOM} and
+ at code{GCRY_STRONG_RANDOM} generators are keyed and seeded using the
+rndlinux module with the @file{/dev/radnom} device. Thus these
+generators may block until the OS kernel has collected enough entropy.
+When used with Microsoft Windows the rndw32 module is used instead.
+The generator used for @code{gcry_create_nonce} is keyed and seeded
+from the @code{GCRY_STRONG_RANDOM} generator. Thus is may also block
+if the @code{GCRY_STRONG_RANDOM} generator has not yet been used
+before and thus gets initialized on the first use by
+ at code{gcry_create_nonce}. This special treatment is justified by the
+weaker requirements for a nonce generator and to save precious kernel
+entropy for use by the ``real'' random generators.
+
+A self test facility uses a separate context to check the
+functionality of the core X9.31 functions using a known answers test.
+During runtime each output block is compared to the previous one to
+detect a stucked generator.
+
+The DT value for the generator is made up of the current time down to
+microseconds (if available) and a free running 64 bit counter. When
+used with the test context the DT value is taken from the context and
+incremented on each use.
+
+
+
+ at c @node Helper Subsystems Architecture
+ at c @section Helper Subsystems Architecture
+ at c
+ at c There are a few smaller subsystems which are mainly used internally by
+ at c Libgcrypt but also available to applications.
+ at c
+ at c @menu
+ at c * S-expression Subsystem Architecture:: Details about the S-expression architecture.
+ at c * Memory Subsystem Architecture:: Details about the memory allocation architecture.
+ at c * Miscellaneous Subsystems Architecture:: Details about other subsystems.
+ at c @end menu
+ at c
+ at c @node S-expression Subsystem Architecture
+ at c @subsection S-expression Subsystem Architecture
+ at c
+ at c Libgcrypt provides an interface to S-expression to create and parse
+ at c them. To use an S-expression with Libgcrypt it needs first be
+ at c converted into the internal representation used by Libgcrypt (the type
+ at c @code{gcry_sexp_t}). The conversion functions support a large subset
+ at c of the S-expression specification and further fature a printf like
+ at c function to convert a list of big integers or other binary data into
+ at c an S-expression.
+ at c
+ at c Libgcrypt currently implements S-expressions using a tagged linked
+ at c list. However this is not exposed to an application and may be
+ at c changed in future releases to reduce overhead when already working
+ at c with canonically encoded S-expressions. Secure memory is supported by
+ at c this S-expressions implementation.
+ at c
+ at c @node Memory Subsystem Architecture
+ at c @subsection Memory Subsystem Architecture
+ at c
+ at c TBD.
+ at c
+ at c
+ at c @node Miscellaneous Subsystems Architecture
+ at c @subsection Miscellaneous Subsystems Architecture
+ at c
+ at c TBD.
+ at c
+ at c
+
+
+
@c **********************************************************
@c ******************* Appendices *************************
@c **********************************************************
@@ -4890,7 +5244,7 @@
GCRYCTL_SET_RANDOM_DAEMON_SOCKET
GCRYCTL_USE_RANDOM_DAEMON
The random damon is still a bit experimental, thus we do not document
-them. Not ethat they should be used during initialization and that
+them. Note that they should be used during initialization and that
these functions are not really thread safe.
More information about the Gnupg-commits
mailing list