Cryptography


Table of Contents >> Application Reference

Introduction

The Treck Cryptography functions are handled via a registered Crypto Engine. This engine can be one of the following:

  • Software crypto engine
  • Hifn 7951 hardware crypto engine
  • MCF5235 hardware crypto engine


Multiple engines can be registered at the same time. When more than one engine is registered, Treck gives the Software crypto engine the lowest preference: the registered hardware engines are tried first and the software engine is used last.


To enable a crypto engine automatically, define the corresponding macro in your trsystem.h file:

  • Software crypto engine: TM_USE_SW_CRYPTOENGINE
  • Hifn 7951 hardware crypto engine: TM_USE_HF7951_CRYPTOENGINE
  • MCF5235 hardware crypto engine: TM_USE_MCF5235_CRYPTOENGINE


The modules that implement the Software crypto engine are built into the Treck code. The modules that implement the Hifn 7951 and MCF5235 engines can be found in the /source/ipsec/ folder of your distribution.



Settings in <trsystem.h>

TM_USE_SW_CRYPTOENGINE
  Define TM_USE_SW_CRYPTOENGINE if any Treck software implementation of hashing algorithms, encryption/decryption algorithms or public key exchange algorithms is used. If this macro is not defined, every such algorithm must be supplied by another vendor's software implementation or by a hardware implementation.

TM_USE_HF7951_CRYPTOENGINE
  Define TM_USE_HF7951_CRYPTOENGINE if the HIFN 7951 IPsec hardware accelerator is used.

TM_USE_MCF5235_CRYPTOENGINE
  Define TM_USE_MCF5235_CRYPTOENGINE to use the Treck IPsec hardware accelerator support for the Freescale ColdFire MCF5235.

TM_USE_PKI
  Define this macro in order to use DSA or RSA digital signature authentication in IKE Phase 1. Treck PKI currently includes X.509v3 certificates (ASN.1, PEM and DER formats) and RSA/DSA signing and verification.

TM_PKI_CERT_CHECK_ALIVE
  Define this macro to have PKI check that a certificate is still alive (within its validity period) before loading it. When TM_PKI_CERT_CHECK_ALIVE is defined, TM_PKI_TIME must also be defined as the PKI start time. The default value of TM_PKI_TIME is "030514000000Z", meaning 2003, May 14; the trailing Z means Zulu, i.e. Greenwich Mean Time.

TM_PKI_CERT_NOT_VERIFY
  Define this macro if PKI should NOT verify a certificate while loading it.

TM_USE_RIPEMD
  Define this macro to use the RIPEMD160-96 hash algorithm.

TM_USE_DES
  Define this macro to use the DES algorithm.

TM_USE_3DES
  Define this macro to use the 3DES algorithm.

TM_USE_BLOWFISH
  Define this macro to use Blowfish for the ESP transform.

TM_USE_RC5
  Define this macro to use RC5 for the ESP transform. A patent license is required to run it.

TM_USE_CAST128
  Define this macro to use CAST128 for the ESP transform.

TM_USE_AES
  Define this macro to use AES (Rijndael) for the ESP transform.

TM_USE_TWOFISH
  Define this macro to use Twofish for the ESP transform.

TM_PUBKEY_USE_DIFFIEHELLMAN
  Define this macro to use the software implementation of the Diffie-Hellman module; groups 1, 2 and 5 are supported.

TM_PUBKEY_USE_RSA
  Define this macro to use the RSA module. The user must also define TM_USE_PKI in order to use RSA.

TM_USE_SHAHMAC_96
  Certain fields (such as the payload field of the Authentication Header) use a truncated MAC value. Each HMAC algorithm has an associated truncation length. By default, all flavors of SHA2 have a truncation length of half of their digest bits, but an earlier draft of the specification calls for 96 bits. Some implementations still use the 96-bit value, which is not interoperable with the half-digest length. Define this macro to use 96 bits as the truncation length for SHA256, SHA384 and SHA512.


Function Calls

PKI APIs


Hardware Accelerator APIs


Structures

Cryptography Structures


Crypto Engine Structures

ttCryptoEngine

#include <trsocket.h>

typedef struct tsCryptoEngine
{
    /* The crypto engine name (ID) */
    ttUser32Bit                   ceEngineId;

    /* Bit flags to indicate supported algorithms */
    ttUser32Bit                   ceSupportFlags;

    /* The initialization function */
    ttCryptoEngineInitFuncPtr     ceInitFuncPtr;

    /* The random number generator function */
    ttCryptoGetRandomWordFuncPtr  ceRandomWordFuncPtr;

    /* The function to open a crypto session */
    ttCryptoSessionOpenFuncPtr    ceSessionOpenFuncPtr;

    /* The function to process a crypto request for this engine, which may have multiple open sessions */
    ttCryptoSessionFuncPtr        ceSessionProcessFuncPtr;

    /* The function to close a crypto session */
    ttCryptoSessionFuncPtr        ceSessionCloseFuncPtr;
} ttCryptoEngine;

typedef ttCryptoEngine TM_FAR * ttCryptoEnginePtr;
typedef ttCryptoEnginePtr TM_FAR * ttCryptoEnginePtrPtr;
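The following is an added example, not Treck code: a small engine registry that applies the "software engine last" rule from the Introduction to the ceEngineId and ceSupportFlags fields of the ttCryptoEngine layout above. The engine IDs, the algorithm bits in ceSupportFlags, the registry and every function name here are hypothetical names chosen for the illustration; only the two fields selection needs are kept in the struct.

```c
/* Added example, not Treck code: a minimal engine registry that applies the
 * "software engine last" rule to the ttCryptoEngine layout shown above.
 * The engine IDs, the bits in ceSupportFlags and the registry itself are
 * hypothetical names chosen for this illustration. */
#include <stdio.h>
#include <stddef.h>

typedef unsigned long ttUser32Bit;   /* assumption: an unsigned 32-bit type */

/* Hypothetical algorithm bits carried in ceSupportFlags */
#define CE_FLAG_AES     0x01UL
#define CE_FLAG_3DES    0x02UL
#define CE_FLAG_SHA256  0x04UL
#define CE_FLAG_DH_G2   0x08UL

/* Hypothetical engine IDs */
#define CE_ID_SW        1UL
#define CE_ID_HF7951    2UL
#define CE_ID_MCF5235   3UL

/* Only the two ttCryptoEngine fields that selection needs */
typedef struct tsCryptoEngine {
    ttUser32Bit ceEngineId;
    ttUser32Bit ceSupportFlags;
} ttCryptoEngine;

#define CE_MAX_ENGINES 4
static ttCryptoEngine *ceRegistry[CE_MAX_ENGINES];
static int ceRegistryCount = 0;

void ceClearRegistry(void) { ceRegistryCount = 0; }

/* Register an engine. Returns 0 on success, -1 when the table is full or an
 * engine with the same ID is already registered. */
int ceRegister(ttCryptoEngine *engine)
{
    int i;
    if (engine == NULL || ceRegistryCount >= CE_MAX_ENGINES) return -1;
    for (i = 0; i < ceRegistryCount; i++) {
        if (ceRegistry[i]->ceEngineId == engine->ceEngineId) return -1;
    }
    ceRegistry[ceRegistryCount++] = engine;
    return 0;
}

/* Select an engine whose ceSupportFlags cover every requested bit. Hardware
 * engines win in registration order; the software engine is returned only
 * when no hardware engine qualifies. NULL means nothing supports the request. */
ttCryptoEngine *ceSelect(ttUser32Bit wantFlags)
{
    ttCryptoEngine *sw = NULL;
    int i;
    for (i = 0; i < ceRegistryCount; i++) {
        ttCryptoEngine *e = ceRegistry[i];
        if ((e->ceSupportFlags & wantFlags) != wantFlags) continue;
        if (e->ceEngineId == CE_ID_SW) { sw = e; continue; }
        return e;
    }
    return sw;
}

/* Constructed scenario used by main() and the test: a software engine that
 * supports all four bits and a Hifn 7951 engine that supports AES/3DES/SHA256
 * only. swFirst picks the registration order. Returns the selected engine ID,
 * or 0 when no engine supports the request. */
ttUser32Bit ceDemoSelect(ttUser32Bit wantFlags, int swFirst)
{
    static ttCryptoEngine sw = { CE_ID_SW,
        CE_FLAG_AES | CE_FLAG_3DES | CE_FLAG_SHA256 | CE_FLAG_DH_G2 };
    static ttCryptoEngine hw = { CE_ID_HF7951,
        CE_FLAG_AES | CE_FLAG_3DES | CE_FLAG_SHA256 };
    ttCryptoEngine *chosen;
    ceClearRegistry();
    if (swFirst) { ceRegister(&sw); ceRegister(&hw); }
    else         { ceRegister(&hw); ceRegister(&sw); }
    chosen = ceSelect(wantFlags);
    return chosen ? chosen->ceEngineId : 0;
}

int main(void)
{
    printf("AES, software registered first -> engine %lu\n", ceDemoSelect(CE_FLAG_AES, 1));
    printf("DH group 2                     -> engine %lu\n", ceDemoSelect(CE_FLAG_DH_G2, 0));
    printf("unsupported bit                -> engine %lu\n", ceDemoSelect(0x10UL, 0));
    return 0;
}
```

The point of the scenario is that registration order does not decide the outcome: the hardware engine wins for AES whether it was registered before or after the software engine, and the software engine is only chosen for a request (Diffie-Hellman group 2 here) that no hardware engine covers. A request no engine covers yields no engine rather than silently falling back to an engine that only partially supports it.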


Key Length Requirements Table

The following tables list the key length requirements for the Treck hashing algorithms and encryption algorithms.

Hashing Algorithm   Keylength Minimum (bits)   Keylength Maximum (bits)   Keylength Default (bits)
MD5                 128                        128                        128
SHA1                160                        160                        160
SHA256              256                        256                        256
SHA384              384                        384                        384
SHA512              512                        512                        512
Ripemd              160                        160                        160


Encryption/Decryption Algorithm   Keylength Minimum (bits)   Keylength Maximum (bits)   Keylength Default (bits)
DES                               64                         64                         64
3DES                              192                        192                        192
Blowfish                          40                         448                        128
Cast128                           40                         128                        128
AES                               128                        256                        128
TWOFISH                           128                        256                        128


Note: AES and Twofish key lengths can be 128, 192 or 256 bits only.
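As an added example (not Treck code), the check below turns the encryption key length table and the AES/Twofish note into a validation routine a caller can run before configuring a key: the limits and defaults are those of the table, while the klAlg identifiers, the klEntry structure and the klResolve function are hypothetical names chosen for this illustration.

```c
/* Added example, not Treck code: check a requested key length against the
 * limits in the tables above before a key is accepted. The klAlg identifiers
 * and function names are hypothetical; the bit limits come from the tables. */
#include <stdio.h>

typedef enum {
    KL_DES, KL_3DES, KL_BLOWFISH, KL_CAST128, KL_AES, KL_TWOFISH, KL_COUNT
} klAlg;

typedef struct {
    const char *name;
    unsigned    minBits;
    unsigned    maxBits;
    unsigned    defaultBits;
    int         fixedSizesOnly;   /* 1: only 128, 192 or 256 bits are legal */
} klEntry;

/* Limits and defaults as given in the encryption/decryption table */
static const klEntry klTable[KL_COUNT] = {
    { "DES",       64,  64,  64, 0 },
    { "3DES",     192, 192, 192, 0 },
    { "Blowfish",  40, 448, 128, 0 },
    { "Cast128",   40, 128, 128, 0 },
    { "AES",      128, 256, 128, 1 },
    { "Twofish",  128, 256, 128, 1 },
};

/* Returns the key length in bits to configure: the requested value when the
 * table allows it, the table default when 0 is requested, or 0 to reject. */
unsigned klResolve(klAlg alg, unsigned requestedBits)
{
    const klEntry *e;
    if ((int)alg < 0 || alg >= KL_COUNT) return 0;
    e = &klTable[alg];
    if (requestedBits == 0) return e->defaultBits;
    if (requestedBits < e->minBits || requestedBits > e->maxBits) return 0;
    /* AES and Twofish accept 128, 192 or 256 only, not every value in range */
    if (e->fixedSizesOnly && requestedBits != 128 && requestedBits != 192
        && requestedBits != 256) return 0;
    return requestedBits;
}

int main(void)
{
    int i;
    for (i = 0; i < KL_COUNT; i++) {
        printf("%-9s default %3u bits, 160-bit request %s\n", klTable[i].name,
               klResolve((klAlg)i, 0),
               klResolve((klAlg)i, 160) ? "accepted" : "rejected");
    }
    return 0;
}
```

The range check alone would wrongly accept a 160-bit AES key, since 160 lies between the 128-bit minimum and the 256-bit maximum; the fixedSizesOnly flag is what enforces the note that only 128, 192 or 256 bits are valid for AES and Twofish.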

