1## Introduction {#crypto-introduction} 2 3This library provides bindings to functionality of OpenSSL that is 4related to cryptography and authentication, not necessarily involving 5connections, sockets or streams. 6 7## Design principle: Secure default algorithms {#crypto-secure-defaults} 8 9A basic design principle of this library is that its _default algorithms 10are cryptographically secure_ at the time of this writing. We will 11_change_ the default algorithms if an attack on them becomes known, and 12replace them by new defaults that are deemed appropriate at that time. 13 14This may mean, for example, that where `sha256` is currently the default 15algorithm, `blake2s256` or some other algorithm may become the default 16in the future. 17 18To preserve interoperability and compatibility and at the same time 19allow us to transparently update default algorithms of this library, the 20following conventions are used: 21 22 1. If an explicit algorithm is specified as an option, then that 23 algorithm is used. 24 2. If _no_ algorithm is specified, then a cryptographically secure 25 algorithm is used. 26 3. If an option that normally specifies an algorithm is present, 27 and a _logical variable_ appears instead of a concrete algorithm, 28 then that variable is unified with the secure default value. 29 30This allows application programmers to inspect _which_ algorithm was 31actually used, and store it for later reference. 32 33For example: 34 35== 36?- crypto_data_hash(test, Hash, [algorithm(A)]). 37Hash = '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08', 38A = sha256. 39== 40 41This shows that at the time of this writing, `sha256` was deemed 42sufficiently secure, and was used as default algorithm for hashing. 43 44You therefore must not rely on _which_ concrete algorithm is being used 45by default. However, you can rely on the fact that the default 46algorithms are secure. In other words, if they are _not_ secure, then 47this is a mistake in this library, and we ask you to please report such 48a situation as an urgent security issue. 49 50## Representing binary data {#crypto-binary-data} 51 52In the context of this library, _bytes_ can be represented as lists of 53integers between 0 and 255. Such lists can be converted to and from 54_hexadecimal notation_ with the following bidirectional relation: 55 56 * [[hex_bytes/2]] 57 58## Cryptographically secure random numbers {#crypto-random} 59 60Almost all cryptographic applications require the availability of 61numbers that are sufficiently unpredictable. Examples are the creation 62of keys, nonces and salts. With this library, you can generate 63cryptographically strong pseudo-random numbers for such use cases: 64 65 * [[crypto_n_random_bytes/2]] 66 67## Hashes {#crypto-hash} 68 69A **hash**, also called **digest**, is a way to verify the integrity of 70data. In typical cases, a hash is significantly shorter than the data 71itself, and already miniscule changes in the data lead to different 72hashes. 73 74The hash functionality of this library subsumes and extends that of 75`library(sha)`, `library(hash_stream)` and `library(md5)` by providing a 76unified interface to all available digest algorithms. 77 78The underlying OpenSSL library (`libcrypto`) is dynamically loaded if 79_either_ `library(crypto)` or `library(ssl)` are loaded. Therefore, if 80your application uses `library(ssl)`, you can use `library(crypto)` for 81hashing without increasing the memory footprint of your application. In 82other cases, the specialised hashing libraries are more lightweight but 83less general alternatives to `library(crypto)`. 84 85### Hashes of data and files {#crypto-hash-basic} 86 87The most important predicates to compute hashes are: 88 89 * [[crypto_data_hash/3]] 90 * [[crypto_file_hash/3]] 91 92### Hashes of passwords {#crypto-hash-password} 93 94For the important case of deriving hashes from _passwords_, the 95following specialised predicates are provided: 96 97 * [[crypto_password_hash/2]] 98 * [[crypto_password_hash/3]] 99 100### HMAC-based key derivation function (HKDF) {#crypto-hkdf} 101 102The following predicate implements the _Hashed Message Authentication 103Code (HMAC)-based key derivation function_, abbreviated as HKDF. It 104supports a wide range of applications and requirements by concentrating 105possibly dispersed entropy of the input keying material and then 106expanding it to the desired length. The number and lengths of the output 107keys depend on the specific cryptographic algorithms for which the keys 108are needed. 109 110 * [[crypto_data_hkdf/4]] 111 112### Hashing incrementally {#crypto-hash-incremental} 113 114The following predicates are provided for building hashes 115_incrementally_. This works by first creating a **context** with 116crypto_context_new/2, then using this context with crypto_data_context/3 117to incrementally obtain further contexts, and finally extract the 118resulting hash with crypto_context_hash/2. 119 120 * [[crypto_context_new/2]] 121 * [[crypto_data_context/3]] 122 * [[crypto_context_hash/2]] 123 124The following hashing predicates work over _streams_: 125 126 * [[crypto_open_hash_stream/3]] 127 * [[crypto_stream_hash/2]] 128 129## Digital signatures {#crypto-signatures} 130 131A digital **signature** is a relation between a key and data that only 132someone who knows the key can compute. 133 134_Signing_ uses a _private_ key, and _verifying_ a signature uses the 135corresponding _public_ key of the signing entity. This library supports 136both RSA and ECDSA signatures. You can use load_private_key/3 and 137load_public_key/2 to load keys from files and streams. 138 139In typical cases, we use this mechanism to sign the _hash_ of data. See 140[hashing](<#crypto-hash>). For this reason, the following predicates 141work on the _hexadecimal_ representation of hashes that is also used by 142crypto_data_hash/3 and related predicates. 143 144Signatures are also represented in hexadecimal notation, and you can 145use hex_bytes/2 to convert them to and from lists of bytes (integers). 146 147### ECDSA {#crypto-ECDSA} 148 149 * [[ecdsa_sign/4]] 150 * [[ecdsa_verify/4]] 151 152### RSA {#crypto-RSA} 153 154 * [[rsa_sign/4]] 155 * [[rsa_verify/4]] 156 157## Asymmetric encryption and decryption {#crypto-asymmetric} 158 159The following predicates provide _asymmetric_ RSA encryption and 160decryption. This means that the key that is used for _encryption_ is 161different from the one used to _decrypt_ the data: 162 163 * [[rsa_private_decrypt/4]] 164 165## Symmetric encryption and decryption {#crypto-symmetric} 166 167The following predicates provide _symmetric_ encryption and 168decryption. This means that the _same_ key is used in both cases. 169 170 * [[crypto_data_encrypt/6]] 171 * [[crypto_data_decrypt/6]] 172 173## Number theory {#crypto-numbertheory} 174 175This library provides operations from number theory that frequently 176arise in cryptographic applications, complementing the existing 177built-ins and GMP bindings: 178 179 * [[crypto_modular_inverse/3]] 180 * [[crypto_generate_prime/3]] 181 * [[crypto_is_prime/2]] 182 183## Elliptic curves {#crypto-ec} 184 185This library provides functionality for reasoning over _elliptic 186curves_. Elliptic curves are represented as opaque objects. You acquire 187a handle for an elliptic curve via crypto_name_curve/2. 188 189A _point_ on a curve is represented by the Prolog term =|point(X, Y)|=, 190where `X` and `Y` are integers that represent the point's affine 191coordinates. 192 193The following predicates are provided for reasoning over elliptic 194curves: 195 196 * [[crypto_name_curve/2]] 197 * [[crypto_curve_order/2]] 198 * [[crypto_curve_generator/2]] 199 * [[crypto_curve_scalar_mult/4]] 200 201## Example: Establishing a shared secret {#crypto-shared-secret} 202 203As one example that involves most predicates of this library, we explain 204a way to establish a _shared secret_ over an insecure channel. We shall 205use _elliptic curves_ for this purpose. 206 207Suppose Alice wants to establish an encrypted connection with Bob. To 208achieve this even over a channel that may be subject to eavesdrooping 209and man-in-the-middle attacks, Bob performs the following steps: 210 211 1. Choose an elliptic curve `C`, using crypto_name_curve/2. 212 2. Pick a random integer _k_ such that _k_ is greater than 0 and 213 smaller than the order of `C`. This can be done using 214 crypto_curve_order/2 and crypto_n_random_bytes/2. 215 3. Use crypto_curve_generator/2 to obtain the generator `G` of `C`, and 216 use crypto_curve_scalar_mult/4 to compute the scalar product _k*G_. 217 We call this result `R`, denoting a point on the curve. 218 4. Sign `R` (using for example rsa_sign/4 or ecdsa_sign/4) and 219 send this to Alice. 220 221This mechanism hinges on a way for Alice to establish the _authenticity_ 222of the signed message (using predicates like rsa_verify/4 and 223ecdsa_verify/4), for example by means of a public key that was 224previously exchanged or is signed by a trusted party in such a way that 225Alice can be sufficiently certain that it belongs to Bob. However, none 226of these steps require any encryption! 227 228Alice in turn performs the following steps: 229 230 1. Create a random integer _j_ such that _j_ is greater than 0 and 231 smaller than the order of C. Alice can also use 232 crypto_curve_order/2 and crypto_n_random_bytes/2 for this. 233 2. Compute the scalar product _j*G_, where `G` is again the generator 234 of `C` as obtained via crypto_curve_generator/2. 235 3. Further, compute the scalar product _j*R_, which is a point on 236 the curve that we shall call Q. We can derive a _shared secret_ 237 from `Q`, using for example crypto_data_hkdf/4, and encrypt any 238 message with it (using for example crypto_data_encrypt/6). 239 4. Send the point _j*G_ and the encrypted message to Bob. 240 241Bob receives _j*G_ in plain text and can arrive at the same shared 242secret by performing the calculation _k*(j*G)_, which is - by 243associativity and commutativity of scalar multiplication - identical to 244the point _j*(k*G)_, which is again Q from which the shared secret can 245be derived, and the message can be decrypted with crypto_data_decrypt/6. 246 247This method is known as Diffie-Hellman-Merkle key exchange over elliptic 248curves, abbreviated as ECDH. It provides forward secrecy (FS): Even if 249the private key that was used to establish the _authenticity_ of Bob is 250later compromised, the encrypted messages cannot be decrypted with it. 251 252A major attraction of using elliptic curves for this purpose is found in 253the comparatively small key size that suffices to make any attacks 254unrealistic as far as we currently know. In particular, given any point 255on the curve, we currently have no efficient way to determine by which 256scalar the generator was multiplied to obtain that point. The method 257described above relies on the hardness of this so-called _elliptic curve 258discrete logarithm problem_ (ECDLP). On the other hand, some of the 259named curves have been suspected to be chosen in such a way that they 260could be prone to attacks that are not publicly known. 261 262As an alternative to ECDH, you can use the original DH key exchange 263scheme, where the prime field GF(p) is used instead of an elliptic 264curve, and _exponentiation_ of a suitable generator is used instead of 265scalar multiplication. You can use crypto_generate_prime/3 to generate 266a sufficiently large prime for this purpose. 267