Cryptography
Introduction
The Treck Cryptography functions are handled via a registered Crypto Engine. This engine can be one of the following:
- Software crypto engine
- Hifn 7951 hardware crypto engine
- MCF5235 hardware crypto engine
Multiple engines can be registered at the same time; when they are, Treck gives the Software crypto engine the lowest preference and falls back to it last.
To enable a crypto engine automatically, define the corresponding macro in your trsystem.h file:
- Software crypto engine: TM_USE_SW_CRYPTOENGINE
- Hifn 7951 hardware crypto engine: TM_USE_HF7951_CRYPTOENGINE
- MCF5235 hardware crypto engine: TM_USE_MCF5235_CRYPTOENGINE
The modules necessary to implement the Software crypto engine are built into the Treck code. The modules necessary to implement the Hifn 7951 and MCF5235 engines can be found in the /source/ipsec/ folder of your distribution.
Settings in <trsystem.h>
Macro | Description |
---|---|
TM_USE_SW_CRYPTOENGINE | Define TM_USE_SW_CRYPTOENGINE if any Treck software implementation of a hashing algorithm, encryption/decryption algorithm, or public key exchange algorithm is used. If this macro is not defined, every such algorithm must be provided by another vendor's software implementation or by a hardware implementation. |
TM_USE_HF7951_CRYPTOENGINE | Define TM_USE_HF7951_CRYPTOENGINE if the HIFN 7951 IPsec hardware accelerator is used. |
TM_USE_MCF5235_CRYPTOENGINE | Define TM_USE_MCF5235_CRYPTOENGINE to use the Treck IPsec hardware accelerator support for the Freescale ColdFire MCF5235. |
TM_USE_PKI | Define this macro in order to use DSA or RSA digital signature authentication in IKE Phase 1. Treck PKI currently includes X.509v3 certificates (ASN.1, PEM and DER formats) and RSA/DSA signing and verification. |
TM_PKI_CERT_CHECK_ALIVE | Define this macro to have PKI check whether a certificate is still alive before loading it. If TM_PKI_CERT_CHECK_ALIVE is defined, TM_PKI_TIME must also be defined as the PKI start time; its default value is "030514000000Z", meaning 14 May 2003, where Z stands for Zulu, or Greenwich Mean Time. |
TM_PKI_CERT_NOT_VERIFY | Define this macro if PKI should NOT verify a certificate while loading it. |
TM_USE_RIPEMD | Define this macro to use the RIPEMD160-96 hash algorithm. |
TM_USE_DES | Define this macro to use the DES algorithm. |
TM_USE_3DES | Define this macro to use the 3DES algorithm. |
TM_USE_BLOWFISH | Define this macro to use Blowfish for the ESP transform. |
TM_USE_RC5 | Define this macro to use RC5 for the ESP transform. A patent license is required to run it. |
TM_USE_CAST128 | Define this macro to use CAST128 for the ESP transform. |
TM_USE_AES | Define this macro to use AES (Rijndael) for the ESP transform. |
TM_USE_TWOFISH | Define this macro to use Twofish for the ESP transform. |
TM_PUBKEY_USE_DIFFIEHELLMAN | Define this macro to use the software implementation of the Diffie-Hellman module; groups 1, 2 and 5 are supported. |
TM_PUBKEY_USE_RSA | Define this macro to use the RSA module. TM_USE_PKI must also be defined in order to use RSA. |
TM_USE_SHAHMAC_96 | Certain fields (such as the payload field of the Authentication Header) use a truncated MAC value. Each HMAC algorithm has an associated truncation length. By default, all SHA2 variants use a truncation length of half their digest length, but an earlier draft of the specification called for 96 bits. Some implementations still use the 96-bit value, which does not interoperate with the half-digest length. Define this macro to use 96 bits as the truncation length for SHA256, SHA384 and SHA512. |
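As an added illustration of the TM_USE_SHAHMAC_96 interoperability point (example code, not part of the Treck stack), the block below computes the ICV length each side uses under the two settings and shows why a receiver on the default half-digest length rejects a 96-bit ICV from a peer built with the macro. The 96-bit length for HMAC-MD5/HMAC-SHA-1 comes from RFC 2403/2404 and the half-digest default for SHA-2 from RFC 4868, not from this page; the key and payload are constructed.

```python
import hashlib
import hmac

# Digest sizes in bits for the HMAC algorithms named in the settings table.
DIGEST_BITS = {"md5": 128, "sha1": 160, "sha256": 256, "sha384": 384, "sha512": 512}


def icv_bits(algorithm: str, sha_hmac_96: bool = False) -> int:
    """Truncation length (bits) of the AH/ESP ICV for the given HMAC algorithm.

    SHA-2 variants truncate to half the digest by default (RFC 4868), or to
    96 bits when the build defines TM_USE_SHAHMAC_96. HMAC-MD5 and HMAC-SHA-1
    always use 96 bits (RFC 2403/2404), so the macro does not affect them.
    """
    if algorithm in ("md5", "sha1") or sha_hmac_96:
        return 96
    return DIGEST_BITS[algorithm] // 2


def compute_icv(algorithm: str, key: bytes, data: bytes, sha_hmac_96: bool = False) -> bytes:
    """Sender side: full HMAC, then keep only the leading truncation-length bytes."""
    full = hmac.new(key, data, getattr(hashlib, algorithm)).digest()
    return full[: icv_bits(algorithm, sha_hmac_96) // 8]


def verify_icv(algorithm: str, key: bytes, data: bytes, received: bytes,
               sha_hmac_96: bool = False) -> bool:
    """Receiver side: a length mismatch is a failure, and the compare is constant-time."""
    expected = compute_icv(algorithm, key, data, sha_hmac_96)
    if len(received) != len(expected):
        return False
    return hmac.compare_digest(expected, received)


# Constructed sample: a sender built with TM_USE_SHAHMAC_96 talks to a receiver
# that uses the default half-digest truncation for HMAC-SHA-256.
KEY = b"\x0b" * 32
PAYLOAD = b"constructed AH-protected datagram"


def interop_check():
    """Returns (sender ICV length in bytes, accepted by like peer, accepted by default peer)."""
    sender_icv = compute_icv("sha256", KEY, PAYLOAD, sha_hmac_96=True)
    same_build = verify_icv("sha256", KEY, PAYLOAD, sender_icv, sha_hmac_96=True)
    default_build = verify_icv("sha256", KEY, PAYLOAD, sender_icv, sha_hmac_96=False)
    return len(sender_icv), same_build, default_build


if __name__ == "__main__":
    print(interop_check())  # (12, True, False)
```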
Function Calls
PKI APIs
- tfUsePki()
- tfPkiUninitialize()
- tfPkiCertificateAdd()
- tfPkiCertificateDelete()
- tfPkiCertificateClear()
- tfPkiOwnKeyPairAdd()
- tfPkiSetOptions()
Hardware Accelerator APIs
Structures
Cryptography Structures
- ttGenericKey
- ttAhAlgorithm
- ttEspAlgorithm
- ttCryptoSessionOpenFuncPtr
- ttCryptoSessionFuncPtr
- ttCryptoEngineInitFuncPtr
- ttCryptoGetRandomWordFuncPtr
Crypto Engine Structures
ttCryptoEngine
```c
#include <trsocket.h>

typedef struct tsCryptoEngine
{
    /* The crypto engine name (ID) */
    ttUser32Bit                    ceEngineId;
    /* Bit flags to indicate supported algorithms */
    ttUser32Bit                    ceSupportFlags;
    /* The initialization function */
    ttCryptoEngineInitFuncPtr      ceInitFuncPtr;
    /* The random number generator function */
    ttCryptoGetRandomWordFuncPtr   ceRandomWordFuncPtr;
    /* The function to open a crypto session */
    ttCryptoSessionOpenFuncPtr     ceSessionOpenFuncPtr;
    /* The function to process the crypto request for this crypto engine,
       which may have multiple sessions */
    ttCryptoSessionFuncPtr         ceSessionProcessFuncPtr;
    /* The function to close a crypto session */
    ttCryptoSessionFuncPtr         ceSessionCloseFuncPtr;
} ttCryptoEngine;

typedef ttCryptoEngine TM_FAR *    ttCryptoEnginePtr;
typedef ttCryptoEnginePtr TM_FAR * ttCryptoEnginePtrPtr;
```
Key Length Requirements Table
The following tables list the key length requirements for the Treck hashing algorithms and encryption algorithms.
Hashing Algorithm | Keylength Minimum (bits) | Keylength Maximum (bits) | Keylength Default (bits) |
---|---|---|---|
MD5 | 128 | 128 | 128 |
SHA1 | 160 | 160 | 160 |
SHA256 | 256 | 256 | 256 |
SHA384 | 384 | 384 | 384 |
SHA512 | 512 | 512 | 512 |
Ripemd | 160 | 160 | 160 |
Encryption/Decryption Algorithm | Keylength Minimum (bits) | Keylength Maximum (bits) | Keylength Default (bits) |
---|---|---|---|
DES | 64 | 64 | 64 |
3DES | 192 | 192 | 192 |
Blowfish | 40 | 448 | 128 |
Cast128 | 40 | 128 | 128 |
AES | 128 | 256 | 128 |
TWOFISH | 128 | 256 | 128 |
Note: AES and Twofish key lengths can be 128, 192 or 256 bits only.