}      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{| Safe-Inferred}~}~ Safe-Inferred The length fo a field in bytes. 5The length of a field (usually a ByteString) in bits AInitilization Vectors for BlockCipher implementations (IV k) are C used for various modes and guarrenteed to be blockSize bits long. 6 The common ways to obtain an IV are to generate one (getIV or  getIVIO8) or to use one provided with the ciphertext (using the   Serialize instance of IV). zeroIV3 also exists and is of particular use for starting ctr  mode with a fresh key. None incBS bs" inefficiently computes the value $i2bs (8 * B.length bs) (bs2i bs + 1)  i2bs bitLen i converts i to a  ByteString of bitLen! bits (must be a multiple of 8). i2bs_unsized i converts i to a  ByteString- of sufficient bytes to express the integer. J The integer must be non-negative and a zero will be encoded in one byte. >Useful utility to extract the result of a generator operation , and translate error results to exceptions. :Obtain a tagged value for a particular instantiated type. Infix   operator 9Checks two bytestrings for equality without breaches for  timing attacks. Semantically, constTimeEq = (==) . However, x == y takes less @ time when the first byte is different than when the first byte < is equal. This side channel allows an attacker to mount a $ timing attack. On the other hand,  constTimeEq always takes the ( same time regardless of the bytestrings' contents, unless they are  of difference size. You should always use  constTimeEq when comparing secrets, 5 otherwise you may leave a significant security hole  (cf.  /http://codahale.com/a-lesson-in-timing-attacks/). 3Helper function to convert bytestrings to integers zipWith xor + Pack Y As a result of rewrite rules, this should automatically be optimized (at compile time). ! to use the bytestring libraries zipWith' function.         portable betaThomas.DuBuisson@gmail.comNone5Not that it is technically correct as an instance of  , but simply because it's a reasonable engineering ; choice here is a CryptoRandomGen which streams the system  randoms. Take note: # It uses the default definition of genByteWithEntropy   will always fail!   will always fail! 1 the handle to the system random is never closed AA class of random bit generators that allows for the possibility > of failure, reseeding, providing entropy at the same time as  requesting bytes Minimum complete definition: , , ,  , , . 6Instantiate a new random bit generator. The provided : bytestring should be of length >= genSeedLength. If the 9 bytestring is shorter then the call may fail (suggested  error: !). If the bytestring is of 2 sufficent length the call should always succeed. ;Length of input entropy necessary to instantiate or reseed  a generator genBytes len g) generates a random ByteString of length  len and new generator. The MonadCryptoRandom package 6 has routines useful for converting the ByteString to  commonly needed values (but cereal or other - deserialization libraries would also work). 9This routine can fail if the generator has gone too long < without a reseed (usually this is in the ball-park of 2^48 . requests). Suggested error in this cases is " &Indicates how soon a reseed is needed EIndicates the period between reseeds (constant for most generators). genBytesWithEntropy g i entropy generates i random $ bytes and use the additional input entropy in the = generation of the requested data to increase the confidence / our generated data is a secure random stream. Some generators use entropy to perturb the state of the  generator, meaning:    (_,g2') <!- genBytesWithEntropy len g1 ent  (_,g2 ) <- genBytes len g1  g2 /= g2' But this is not required.  Default:  J genBytesWithEntropy g bytes entropy = xor entropy (genBytes g bytes) ;If the generator has produced too many random bytes on its  existing seed it will throw ". In that case, 4 reseed the generator using this function and a new  high-entropy seed of length >=  . Using 7 bytestrings that are too short can result in an error  (!). By default this uses System.Crypto.Random to obtain  entropy for . "This generator never reseeds (ex: ) &The bound is over 2^64 bytes or calls $Generator needs reseeded in X calls $Generator needs reseeded in X bytes BGenerator failures should always return the appropriate GenError.  Note 2 in an instance of exception but wether or not an A exception is thrown depends on if the selected generator (read:  if you don'&t want execptions from code that uses  then E pass in a generator that never has an error for the used functions) This generator can not be ! instantiated or reseeded with a  finite seed (ex: ) !!For instantiating new generators  (or reseeding) " Some generators cease operation " after too high a count without a  reseed (ex: NIST SP 800-90) # When using genInteger g (l,h)  and logBase 2 (h - l) > (maxBound  :: Int). $Requested more bytes than a  single pass can generate (The  maximum request is generator  dependent) %Misc Jget a random number generator based on the standard system entropy source &CWhile the safety and wisdom of a splitting function depends on the A properties of the generator being split, several arguments from E informed people indicate such a function is safe for NIST SP 800-90  generators. (see libraries@(haskell.org discussion around Sept, Oct  2010)  !"#$%&  !"#$%&%$#"! & %$#"! & portable betaThomas.DuBuisson@gmail.comNone('FA class for signing operations which inherently can not be as generic ! as asymetric ciphers (ex: DSA). -WA stream cipher class. Instance are expected to work on messages as small as one byte 9 The length of the resulting cipher text should be equal % to the length of the input message. 26Asymetric ciphers (common ones being RSA or EC based) 8;The BlockCipher class is intended as the generic interface < targeted by maintainers of Haskell cipher implementations. 5 Using this generic interface higher level functions  such as @C, and other functions from Data.Crypto.Modes, provide a useful API * for comsumers of cipher implementations. %Instances must handle unaligned data >!Electronic Cookbook (encryption) ?!Electronic Cookbook (decryption) @"Cipherblock Chaining (encryption) A"Cipherblock Chaining (decryption) BCounter (encryption) CCounter (decryption) D!Ciphertext feedback (encryption) E!Ciphertext feedback (decryption) FOutput feedback (encryption) GOutput feedback (decryption) H4The Hash class is intended as the generic interface < targeted by maintainers of Haskell digest implementations. 6 Using this generic interface, higher level functions  such as N and O provide a useful API ( for comsumers of hash implementations. <Any instantiated implementation must handle unaligned data. Minimum complete definition: I, J, K,  L, and M. N*Hash a lazy ByteString, creating a digest O,Hash a strict ByteString, creating a digest P:Obtain a lazy hash function whose result is the same type P as the given digest, which is discarded. If the type is already inferred then  consider using the N function instead. Q<Obtain a strict hash function whose result is the same type P as the given digest, which is discarded. If the type is already inferred then  consider using the O function instead. R,The number of bytes in a block cipher block SBThe number of bytes in a block cipher key (assuming it is an even  multiple of 8 bits) T4Build a symmetric key using the system entropy (see   ) $Build a symmetric key using a given  UCBuild a pair of asymmetric keys using the system random generator. Flipped 3$ for ease of use with state monads. V5Build a stream key using the system random generator 7Build a stream key using the provided random generator W6Build a signing key using the system random generator Flipped *$ for ease of use with state monads. Like > but for strict bytestrings Decryption complement to ecb' <Cipher block chaining encryption mode on strict bytestrings 8Cipher block chaining decryption for strict bytestrings ,Output feedback mode for strict bytestrings ,Output feedback mode for strict bytestrings $Counter mode for strict bytestrings $Counter mode for strict bytestrings BCiphertext feed-back encryption mode for strict bytestrings (with  s == blockSize) RCiphertext feed-back decryption mode for strict bytestrings (with s == blockSize) X Increase an , by one. This is way faster than decoding,  increasing, encoding E'()*+,-./0123build a public/.private key pair using the provided generator 4Asymetric encryption 5Asymetric decryption 6789LThe size of a single block; the smallest unit on which the cipher operates. :encrypt data of size  n*blockSize where n  [0..] (ecb encryption) ;decrypt data of size  n*blockSize where n  [0..] (ecb decryption) <.smart constructor for keys from a bytestring. = length of the cryptographic key >?@ABCDEFGHI$The size of the digest when encoded JGThe amount of data operated on in each round of the digest computation K4An initial context, provided with the first call to L LHUsed to update a context, repeatedly called until all data is exhausted ( must operate correctly for imputs of  n*blockLength bytes for n  [0..] MUFinializing a context, plus any message data less than the block size, into a digest NOPQRSTUVWX= '()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWX3HIJKLMNOPQ89:;<=>?@ABCDEFGRST-./01V234567U'()*+,WX!'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXportablebetaThomas.DuBuisson@gmail.comNoneYA key carrying phantom types c and d', forcing the key data to only be used  by particular hash algorithms. [>Message authentication code calculation for lazy bytestrings.   hmac k msg) will compute an authentication code for msg using key k \ hmac k msg) will compute an authentication code for msg using key k YZ[\YZ[\[\YZYZ[\portablebetaThomas.DuBuisson@gmail.comNone ]$PKCS5 (aka RFC1423) padding method. : This method will not work properly for pad modulos > 256 ^Ex:    putPaddedPKCS5 m bs  Will pad out bs to a byte multiple  of m# and put both the bytestring and it's padding via  : (this saves on copying if you are already using Cereal). _BPKCS5 (aka RFC1423) padding method using the BlockCipher instance  to determine the pad size.  Leverages ^# to put the bytestring and padding = of sufficient length for use by the specified block cipher. `>unpad a strict bytestring padded in the typical PKCS5 manner. E This routine verifies all pad bytes and pad length match correctly. a=unpad a strict bytestring without checking the pad bytes and ! length any more than necessary. b0Pad a bytestring to the IPSEC esp specification   padESP m payload is equivilent to:   : (msg) (padding) (length field) ) B.concat [payload, B.pack [1,2,3,4..], B.pack [padLen]] Where: ( the msg is any payload, including TFC.  the padding is <= 255  the length field is one byte. -Notice the result bytesting length remainder r equals zero. The lack  of a " next header"7 field means this function is not directly useable for  an IPSec implementation (copy/'paste the 4 line function and add in a  " next header"% field if you are making IPSec ESP). cGLike padESP but use the BlockCipher instance to determine padding size dLLike putPadESP but using the BlockCipher instance to determine padding size e6Pad a bytestring to the IPSEC ESP specification using . 2 This can reduce copying if you are already using . /A static espPad allows reuse of a single B.pack'ed pad for all calls to padESP f%unpad and return the padded message (( is returned if the padding is invalid) ]^_`abcdef ]^_`abcdef ]_^`abfcde ]^_`abcdef portable betaThomas.DuBuisson@gmail.comNone.zipWith xor + Pack 0This is written intentionally to take advantage  of the bytestring libraries zipWith' rewrite rule but at the C extra cost of the resulting lazy bytestring being more fragmented  than either of the two inputs. <Cipher block chaining encryption mode on strict bytestrings g-Cipher block chaining message authentication h-Cipher block chaining message authentication 8Cipher block chaining decryption for strict bytestrings i6Cipher block chaining encryption for lazy bytestrings j6Cipher block chaining decryption for lazy bytestrings k"Counter mode for lazy bytestrings l#Counter mode for lazy bytestrings CGenerate cmac subkeys. The usage of seq tries to force evaluation . of both keys avoiding posible timing attacks APad the string as required by the cmac algorithm. In theory this D should work at bit level but since the API works at byte level we  do the same ?Obtain the cmac with the specified subkey for lazy bytestrings m%Obtain the cmac for lazy bytestrings AObtain the cmac with the specified subkey for strict bytestrings n'Obtain the cmac for strict bytestrings AGenerate the xor stream for the last step of the CMAC* algorithm %Obtain the CMAC* on lazy bytestrings 'Obtain the CMAC* on strict bytestrings &Create the mask for SIV based ciphers o@SIV (Synthetic IV) mode for lazy bytestrings. First argument is > the optional list of bytestrings to be authenticated but not ? encrypted As required by the specification this algorithm may - return nothing when certain constraints aren't met. p@SIV (Synthetic IV) for lazy bytestrings. First argument is the E optional list of bytestrings to be authenticated but not encrypted. D As required by the specification this algorithm may return nothing  when authentication fails. qCSIV (Synthetic IV) mode for strict bytestrings. First argument is > the optional list of bytestrings to be authenticated but not A encrypted. As required by the specification this algorithm may - return nothing when certain constraints aren't met. r@SIV (Synthetic IV) for strict bytestrings First argument is the D optional list of bytestrings to be authenticated but not encrypted D As required by the specification this algorithm may return nothing  when authentication fails. #Accumulator based double operation s7Perform doubling as defined by the CMAC and SIV papers 7Perform doubling as defined by the CMAC and SIV papers 7Perform doubling as defined by the CMAC and SIV papers ,Cast a bigEndian ByteString into an Integer @Cast an Integer into a bigEndian ByteString of size k. It will E drop the MSBs in case the number is bigger than k and add 00s if it  is smaller. ,Cast a bigEndian ByteString into an Integer @Cast an Integer into a bigEndian ByteString of size k. It will E drop the MSBs in case the number is bigger than k and add 00s if it  is smaller. t Obtain an  made only of zeroes u6Cook book mode - not really a mode at all. If you don't know what you' re doing, don'!t use this mode^H^H^H^H library. vECB decrypt, complementary to >. Like > but for strict bytestrings Decryption complement to  wBCiphertext feed-back encryption mode for lazy bytestrings (with s  == blockSize) xBCiphertext feed-back decryption mode for lazy bytestrings (with s  == blockSize) BCiphertext feed-back encryption mode for strict bytestrings (with  s == blockSize) RCiphertext feed-back decryption mode for strict bytestrings (with s == blockSize) y*Output feedback mode for lazy bytestrings z*Output feedback mode for lazy bytestrings ,Output feedback mode for strict bytestrings ,Output feedback mode for strict bytestrings { Obtain an + using the provided CryptoRandomGenerator. | Obtain an  using the system entropy (see   ) 6ghijklmnopqrstuvwxyz{|ghijklmnopqrstuvwxyz{|{|tsuvijwxyzklopqrghmn6ghijklmnopqrstuvwxyz{|  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdeefghijklmnopqrsLMNOtuvwxyz{JKPQRS|}~ crypto-api-0.12.2Crypto.Classes Crypto.Types Crypto.Util Crypto.Random Crypto.HMACCrypto.Padding Crypto.Modes Crypto.CPoly System.CryptoRandomcereal-0.3.5.2Data.Serializeencode ByteLength BitLengthIVinitializationVector c_constTimeEqincBSi2bs i2bs_unsized throwLeftfor.::. constTimeEqbs2izwp' SystemRandomCryptoRandomGennewGen genSeedLengthgenBytes reseedInfo reseedPeriodgenBytesWithEntropyreseednewGenIO ReseedInfoNeverNotSoonInXCallsInXBytesGenErrorNeedsInfiniteSeedNotEnoughEntropy NeedReseed RangeInvalidRequestedTooManyBytes GenErrorOthersplitGenSigningsignverifybuildSigningPairsigningKeyLengthverifyingKeyLength StreamCipherbuildStreamKey encryptStream decryptStreamstreamKeyLength AsymCipher buildKeyPair encryptAsym decryptAsympublicKeyLengthprivateKeyLength BlockCipher blockSize encryptBlock decryptBlockbuildKey keyLengthecbunEcbcbcunCbcctrunCtrcfbunCfbofbunOfbHash outputLength blockLength initialCtx updateCtxfinalizehashhash'hashFunc hashFunc'blockSizeByteskeyLengthBytes buildKeyIObuildKeyPairIObuildStreamKeyIObuildSigningKeyPairIOincIVMacKeyhmachmac'padPKCS5putPaddedPKCS5 padBlockSizeunpadPKCS5safe unpadPKCS5padESPpadESPBlockSizeputPadESPBlockSize putPadESPunpadESPcbcMac'cbcMaccMaccMac'sivunSivsiv'unSiv'dblIVzeroIVgetIVgetIVIOPolyQTcpoly cpoly2list cpoly2revlistcpolyscpolys'base GHC.Exceptionthrow getSystemGen SysRandom$fCryptoRandomGenSystemRandom$fExceptionGenError buildKeyGenbuildKeyPairGenbuildStreamKeyGenbuildSigningKeyPairGenmodeEcb' modeUnEcb'modeCbc' modeUnCbc'modeOfb' modeUnOfb'modeCtr' modeUnCtr'modeCfb' modeUnCfb'GHC.Listelem makeBlocks buildKeyMbuildStreamKeyM chunkFor'collectData.Serialize.PutPutputPaddedBlockSizeespPad Data.MaybeNothingzwpcbc'unCbc'cMacSubkcMacPad cMacWithSubK cMacWithSubK'xorendcMacStar cMacStar'sivMaskdblwdblBdblLdecodeBencodeBdecodeLencodeLecb'unEcb'cfb'unCfb'ofb'unOfb'chunkForivProxy deIVProxyproxyOfivBlockSizeBytes $fSerializeIV