| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
However if the group generator is 2, that's precisely the public key,
which is hardly secret at all.
Instead use y^x mod p, which while a little dubious in terms of
mathematical structure is probably OK after being hashed through
SHA-512 with some high resolution timestamps.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
precompute only as needed, or will want to access some other expensive
resource or etc.
Change how the secret for generating blinding is done in cases where a
PRNG isn't available. Use the operations public op to hide the secret,
for instance the seed for a DH blinding variable is 2^x mod p.
Make use of being able to mutate internal structures in the RW signer,
since that does have access to a PRNG, so use it to initialize the
blinder on first call to sign().
|
| |
|
|
|
|
| |
exponentiation algorithms.
|
| |
|
|
|
|
| |
Should help against many forms of fault attacks.
|
| |
|
| |
|
|
|
|
| |
instead of each byte once...
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are multiple unsatisfactory elements to the current solution,
as compared to how blinding was previously done:
Firstly, blinding is only used in the baseline implementations; the code
using OpenSSL and GMP is not protected by blinding at all.
Secondly, at the point we need to set up blinding, there is no access
to a PRNG. Currently I am going with a quite nasty solution, of using
a private key parameter to seed a simple PRNG constructed as:
SHA-512(TS1 || private_key_param || public_key_param || TS2)
I really want to fix both of these elements but I'm not sure how to do
so easily.
|
|
|
|
|
| |
PK_Encryptor_EME and PK_Decryptor_EME; the message recovery is somewhat
implicit in the recovery of the plaintext.
|
|
|
|
|
| |
Remove use of look_pk from the source and examples, instead
instantiate classes directly.
|
|
|
|
| |
convert look_pk to simple forwarders.
|
| |
|
|
|
|
|
| |
PK_Decrypting_Key, PK_Signing_Key, PK_Verifying_with_MR_Key, and
PK_Verifying_wo_MR_Key.
|
|
|
|
| |
exponentiation that has countermeasures against side-channel attacks.
|
|
|
|
| |
support for ElGamal and NR, leaving only RSA, DSA, and DH support.
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Drop support for ElGamal and NR from GMP engine, leaving just DH, DSA,
and RSA
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Note: blinding is not currently being used for RSA, RW, DH or ElGamal,
which used to have them. This should be added back before release.
|
| |
|
| |
|
| |
|
|
|
|
| |
Rename PK_Ops::KA_Operation to PK_Ops::Key_Agreement
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
by using the ops.
Add real ECDSA test vectors (two found in ANSI X9.62)
|
|
|
|
| |
might not be later)
|
| |
|
| |
|
|
|
|
|
|
| |
PK_Signing_Key, though for the moment the class remains because there
are a few pieces of code that use it to detect if signatures are
supported, or for passing to functions in look_pk
|
|
|
|
| |
so keep the curve and cofactor in ECDH op by reference instead of value.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
performed. Up until now, each key object (eg DSA_PublicKey or
ECDH_PrivateKey) had two jobs: contain the key material, and know how
to perform any operations on that key. However because of a desire to
support alternative implementations (GNU MP, hardware, whatever),
there was a notion of operations, with the key objects containing an
op that they got via engine rather than actually implementing the
underlying algorithms directly.
Now, represent the operation as an abstract interface (typically
mapping a byte string to a byte string), and pass a plain Public_Key&
or Private_Key& to the engine. The engine does any checks it wants (eg
based on name, typeid, key sizes, etc), and either returns nothing
(I'll pass) or a pointer to a new operation that represents signatures
or encryption or what-have-you using that key.
This means that plain key objects no longer contain operations. This
is a major break with the traditional interface. On the other hand,
using these 'bare' operations without padding, KDFs, etc is 99% of the
time a bad idea anyway (and if you really need them, there are options
so you get the bare op but via the pubkey.h interfaces).
Currently this change is only implemented for DH and ECDH (ie, key
agreement algorithms). Additionally the optional engines (gnump and
openssl) have not been updated. I'll probably wait to touch those
until after I can change them all in one go for all algos.
|
| |
|
| |
|
| |
|
| |
|
| |
|