=2      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~  Safe-Inferred 2468 Safe-Inferred +2468The length fo a field in bytes.4The length of a field (usually a ByteString) in bitsInitilization Vectors for BlockCipher implementations (IV k) are used for various modes and guarrenteed to be blockSize bits long. The common ways to obtain an IV are to generate one (getIV or getIVIO9) or to use one provided with the ciphertext (using the  Serialize instance of IV).zeroIV3 also exists and is of particular use for starting ctr mode with a fresh key.      None 2468 incBS bs" inefficiently computes the value $i2bs (8 * B.length bs) (bs2i bs + 1)  i2bs bitLen i converts i to a  ByteString of bitLen bits (must be a multiple of 8).i2bs_unsized i converts i to a  ByteStringv of sufficient bytes to express the integer. The integer must be non-negative and a zero will be encoded in one byte.iUseful utility to extract the result of a generator operation and translate error results to exceptions.9Obtain a tagged value for a particular instantiated type.Infix  operatorIChecks two bytestrings for equality without breaches for timing attacks.Semantically, constTimeEq = (==) . However, x == y takes less time when the first byte is different than when the first byte is equal. This side channel allows an attacker to mount a timing attack. On the other hand,  constTimeEqj always takes the same time regardless of the bytestrings' contents, unless they are of difference size.You should always use  constTimeEqT when comparing secrets, otherwise you may leave a significant security hole (cf.  /http://codahale.com/a-lesson-in-timing-attacks/).2Helper function to convert bytestrings to integerszipWith xor + Pack As a result of rewrite rules, this should automatically be optimized (at compile time). to use the bytestring libraries zipWith' function.zipWith xor + PackMThis is written intentionally to take advantage of the bytestring libraries zipWith'{ rewrite rule but at the extra cost of the resulting lazy bytestring being more fragmented than either of the two inputs.     Thomas.DuBuisson@gmail.combeta portable None +24686Not that it is technically correct as an instance of , but simply because it's a reasonable engineering choice here is a CryptoRandomGen which streams the system randoms. Take note:"It uses the default definition of genByteWithEntropy will always fail! will always fail!/the handle to the system random is never closedA class of random bit generators that allows for the possibility of failure, reseeding, providing entropy at the same time as requesting bytesMinimum complete definition: , , , , , .Instantiate a new random bit generator. The provided bytestring should be of length >= genSeedLength. If the bytestring is shorter then the call may fail (suggested error: (M). If the bytestring is of sufficent length the call should always succeed.GLength of input entropy necessary to instantiate or reseed a generatorgenBytes len g* generates a random ByteString of length len and new generator. The MonadCryptoRandom package has routines useful for converting the ByteString to commonly needed values (but "cereal" or other deserialization libraries would also work).This routine can fail if the generator has gone too long without a reseed (usually this is in the ball-park of 2^48 requests). Suggested error in this cases is )%Indicates how soon a reseed is neededDIndicates the period between reseeds (constant for most generators).genBytesWithEntropy g i entropy generates i, random bytes and use the additional input entropys in the generation of the requested data to increase the confidence our generated data is a secure random stream.Some generators use entropy1 to perturb the state of the generator, meaning: [ (_,g2') <- genBytesWithEntropy len g1 ent (_,g2 ) <- genBytes len g1 g2 /= g2' But this is not required.Default: I genBytesWithEntropy g bytes entropy = xor entropy (genBytes g bytes) YIf the generator has produced too many random bytes on its existing seed it will return )e. In that case, reseed the generator using this function and a new high-entropy seed of length >= B. Using bytestrings that are too short can result in an error ((). By default this uses System.Entropy to obtain entropy for .""This generator never reseeds (ex: )#%The bound is over 2^64 bytes or calls$#Generator needs reseeded in X calls%#Generator needs reseeded in X bytes&HGenerator failures should always return the appropriate GenError. Note & in an instance of exception but wether or not an exception is thrown depends on if the selected generator (read: if you don't want execptions from code that uses J then pass in a generator that never has an error for the used functions)'MThis generator can not be instantiated or reseeded with a finite seed (ex: )(0For instantiating new generators (or reseeding))^Some generators cease operation after too high a count without a reseed (ex: NIST SP 800-90)* When using genInteger g (l,h) and &logBase 2 (h - l) > (maxBound :: Int).+dRequested more bytes than a single pass can generate (The maximum request is generator dependent),MiscIGet a random number generator based on the standard system entropy source-NWhile the safety and wisdom of a splitting function depends on the properties of the generator being split, several arguments from informed people indicate such a function is safe for NIST SP 800-90 generators. (see libraries@haskell.org discussion around Sept, Oct 2010). You can find implementations of such generators in the DRBG package. !"#$%&'()*+,- !"#$%&'()*+,- &,+*)('!%$#"- !%$#"&,+*)('-Thomas.DuBuisson@gmail.combeta portable None 2468?F.vThe BlockCipher class is intended as the generic interface targeted by maintainers of Haskell cipher implementations.]Minimum complete definition: blockSize, encryptBlock, decryptBlock, buildKey, and keyLength.$Instances must handle unaligned data/ Obtain an  made only of zeroes7fA class for signing operations which inherently can not be as generic as asymetric ciphers (ex: DSA).=A stream cipher class. Instance are expected to work on messages as small as one byte The length of the resulting cipher text should be equal to the length of the input message.B5Asymetric ciphers (common ones being RSA or EC based)M Electronic Cookbook (encryption)N Electronic Cookbook (decryption)O!Cipherblock Chaining (encryption)P!Cipherblock Chaining (decryption)QCounter (encryption)RCounter (decryption)SCounter (encryption)TCounter (decryption)U Ciphertext feedback (encryption)V Ciphertext feedback (decryption)WOutput feedback (encryption)XOutput feedback (decryption)Y5Cipher block chaining encryption for lazy bytestringsZ5Cipher block chaining decryption for lazy bytestrings[SIV (Synthetic IV) mode for lazy bytestrings. The third argument is the optional list of bytestrings to be authenticated but not encrypted As required by the specification this algorithm may return nothing when certain constraints aren't met.\SIV (Synthetic IV) for lazy bytestrings. The third argument is the optional list of bytestrings to be authenticated but not encrypted. As required by the specification this algorithm may return nothing when authentication fails.]SIV (Synthetic IV) mode for strict bytestrings. First argument is the optional list of bytestrings to be authenticated but not encrypted. As required by the specification this algorithm may return nothing when certain constraints aren't met.^SIV (Synthetic IV) for strict bytestrings First argument is the optional list of bytestrings to be authenticated but not encrypted As required by the specification this algorithm may return nothing when authentication fails._uCook book mode - not really a mode at all. If you don't know what you're doing, don't use this mode^H^H^H^H library.`ECB decrypt, complementary to M.aPCiphertext feed-back encryption mode for lazy bytestrings (with s == blockSize)bPCiphertext feed-back decryption mode for lazy bytestrings (with s == blockSize)c)Output feedback mode for lazy bytestringsd)Output feedback mode for lazy bytestringseThe Hash class is intended as the generic interface targeted by maintainers of Haskell digest implementations. Using this generic interface, higher level functions such as k and l= provide a useful API for comsumers of hash implementations.;Any instantiated implementation must handle unaligned data.Minimum complete definition: f, g, h, i, and j.k)Hash a lazy ByteString, creating a digestl+Hash a strict ByteString, creating a digestmObtain a lazy hash function whose result is the same type as the given digest, which is discarded. If the type is already inferred then consider using the k function instead.nObtain a strict hash function whose result is the same type as the given digest, which is discarded. If the type is already inferred then consider using the l function instead.)Output feedback mode for lazy bytestrings)Output feedback mode for lazy bytestringsPCiphertext feed-back encryption mode for lazy bytestrings (with s == blockSize)PCiphertext feed-back decryption mode for lazy bytestrings (with s == blockSize)o Obtain an * using the provided CryptoRandomGenerator.p Obtain an  using the system entropy (see   )uCook book mode - not really a mode at all. If you don't know what you're doing, don't use this mode^H^H^H^H library.ECB decrypt, complementary to M.SIV (Synthetic IV) mode for lazy bytestrings. The third argument is the optional list of bytestrings to be authenticated but not encrypted As required by the specification this algorithm may return nothing when certain constraints aren't met.SIV (Synthetic IV) for lazy bytestrings. The third argument is the optional list of bytestrings to be authenticated but not encrypted. As required by the specification this algorithm may return nothing when authentication fails.SIV (Synthetic IV) mode for strict bytestrings. First argument is the optional list of bytestrings to be authenticated but not encrypted. As required by the specification this algorithm may return nothing when certain constraints aren't met.SIV (Synthetic IV) for strict bytestrings First argument is the optional list of bytestrings to be authenticated but not encrypted As required by the specification this algorithm may return nothing when authentication fails.!Counter mode for lazy bytestrings"Counter mode for lazy bytestringsq+The number of bytes in a block cipher blockrVThe number of bytes in a block cipher key (assuming it is an even multiple of 8 bits)s4Build a symmetric key using the system entropy (see   )t$Build a symmetric key using a given uBBuild a pair of asymmetric keys using the system random generator.vFlipped C# for ease of use with state monads.w4Build a stream key using the system random generatorx6Build a stream key using the provided random generatory5Build a signing key using the system random generatorzFlipped :# for ease of use with state monads.Like M but for strict bytestringsDecryption complement to ecb';Cipher block chaining encryption mode on strict bytestrings7Cipher block chaining decryption for strict bytestrings+Output feedback mode for strict bytestrings+Output feedback mode for strict bytestrings#Counter mode for strict bytestrings#Counter mode for strict bytestringsRCiphertext feed-back encryption mode for strict bytestrings (with s == blockSize)QCiphertext feed-back decryption mode for strict bytestrings (with s == blockSize){ Increase an A by one. This is way faster than decoding, increasing, encoding%Create the mask for SIV based ciphersm./789:;<=>?@ABC<build a public/private key pair using the provided generatorDAsymetric encryptionEAsymetric decryptionFGHKThe size of a single block; the smallest unit on which the cipher operates.Iencrypt data of size  n*blockSize where n  [0..] (ecb encryption)Jdecrypt data of size  n*blockSize where n  [0..] (ecb decryption)K-smart constructor for keys from a bytestring.Llength of the cryptographic keyMNOPQRSTUVWXYZ[\]^_`abcdef#The size of the digest when encodedgFThe amount of data operated on in each round of the digest computationh4An initial context, provided with the first call to iipUsed to update a context, repeatedly called until all data is exhausted must operate correctly for imputs of  n*blockLength bytes for n  [0..]jTFinializing a context, plus any message data less than the block size, into a digestklmnopqrstuvwxyz{|}_ ./789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}Jefghijklnm.HIJKLMNOPQRSTUVWXYZ[\]^_`abcdqrst=>?@AwxBCDEFGuv789:;<yz/{op|};.HIJKLMNOPQRSTUVWXYZ[\]^_`abcd/789:;<=>?@ABCDEFGefghijklmnopqrstuvwxyz{|}Thomas.DuBuisson@gmail.combetaportableNone 24680&Obtain the CMAC* on strict bytestrings2&Obtain the cmac for strict bytestrings3$Obtain the cmac for lazy bytestrings4,Cipher block chaining message authentication5,Cipher block chaining message authentication66Perform doubling as defined by the CMAC and SIV papersGenerate cmac subkeys.Pad the string as required by the cmac algorithm. In theory this should work at bit level but since the API works at byte level we do the same>Obtain the cmac with the specified subkey for lazy bytestrings@Obtain the cmac with the specified subkey for strict bytestrings@Generate the xor stream for the last step of the CMAC* algorithm"Accumulator based double operation6Perform doubling as defined by the CMAC and SIV papers6Perform doubling as defined by the CMAC and SIV papers+Cast a bigEndian ByteString into an IntegerCast an Integer into a bigEndian ByteString of size k. It will drop the MSBs in case the number is bigger than k and add 00s if it is smaller.+Cast a bigEndian ByteString into an IntegerCast an Integer into a bigEndian ByteString of size k. It will drop the MSBs in case the number is bigger than k and add 00s if it is smaller.0123456012345665432100123456Thomas.DuBuisson@gmail.combetaportableNone 2468~A key carrying phantom types c and dF, forcing the key data to only be used by particular hash algorithms.?Message authentication code calculation for lazy bytestrings.  hmac k msg) will compute an authentication code for msg using key k hmac k msg) will compute an authentication code for msg using key k~~~~Thomas.DuBuisson@gmail.combetaportableNone 2468 ]PKCS5 (aka RFC1423) padding method. This method will not work properly for pad modulos > 256Ex:  putPaddedPKCS5 m bs  Will pad out bs to a byte multiple of m2 and put both the bytestring and it's padding via : (this saves on copying if you are already using Cereal).]PKCS5 (aka RFC1423) padding method using the BlockCipher instance to determine the pad size. Leverages _ to put the bytestring and padding of sufficient length for use by the specified block cipher.unpad a strict bytestring padded in the typical PKCS5 manner. This routine verifies all pad bytes and pad length match correctly.]unpad a strict bytestring without checking the pad bytes and length any more than necessary./Pad a bytestring to the IPSEC esp specification padESP m payloadis equivilent to: u (msg) (padding) (length field) B.concat [payload, B.pack [1,2,3,4..], B.pack [padLen]] Where:&the msg is any payload, including TFC.the padding is <= 255the length field is one byte.-Notice the result bytesting length remainder r equals zero. The lack of a "next header" field means this function is not directly useable for an IPSec implementation (copy/paste the 4 line function and add in a "next header" field if you are making IPSec ESP).FLike padESP but use the BlockCipher instance to determine padding sizeKLike putPadESP but using the BlockCipher instance to determine padding size6Pad a bytestring to the IPSEC ESP specification using 4. This can reduce copying if you are already using .NA static espPad allows reuse of a single B.pack'ed pad for all calls to padESP%unpad and return the padded message (' is returned if the padding is invalid) None +2468 FKey construction from raw material (typically including key expansion)#This is a wrapper that can throw a  on exception.Random  generation#This is a wrapper that can throw a  on exception.Symmetric key generation#This is a wrapper that can throw a  on exception.Asymetric key generation#This is a wrapper that can throw a  on exception.Asymmetric encryption#This is a wrapper that can throw a  on exception.Asymmetric decryption9This is a wrapper that can throw a GenError on exception.Instantiate a new random bit generator. The provided bytestring should be of length >= genSeedLength. If the bytestring is shorter then the call may fail (suggested error: NotEnoughEntropyM). If the bytestring is of sufficent length the call should always succeed.!This is a wrapper that can throw  types as exceptions.genBytes len g* generates a random ByteString of length len and new generator. The MonadCryptoRandom\ package has routines useful for converting the ByteString to commonly needed values (but cereal6 or other deserialization libraries would also work).!This is a wrapper that can throw  types as exceptions.genBytesWithEntropy g i entropy generates i, random bytes and use the additional input entropyr in the generation of the requested data to increase the confidence our generated data is a secure random stream.!This is a wrapper that can throw  types as exceptions.ZIf the generator has produced too many random bytes on its existing seed it will throw a  NeedReseedo exception. In that case, reseed the generator using this function and a new high-entropy seed of length >=  genSeedLengthE. Using bytestrings that are too short can result in an exception (NotEnoughEntropy).NWhile the safety and wisdom of a splitting function depends on the properties of the generator being split, several arguments from informed people indicate such a function is safe for NIST SP 800-90 generators. (see libraries@haskell.org discussion around Sept, Oct 2010). You can find implementations of such generators in the DRBG package.This is a wrapper for  $ which throws errors as exceptions.T !"#$%&'()*+,./79;<BFGHIJLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnpqrsu{Tefghijklnm.HIJLMNOPQRSTUVWXYZ[\]^_`abcdpqrsBFGu79;<{/ &,+*)('!%$#"  !"#$%&'()*+,-./0123456789: ;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~4X|PQR'),-     crypto-api-0.13.1Crypto.Classes Crypto.Types Crypto.Util Crypto.Random Crypto.Modes Crypto.HMACCrypto.PaddingCrypto.Classes.Exceptions Crypto.CPolySystemEntropysplitGencereal-0.4.1.0Data.SerializeencodeBlockCipherErrorOtherAuthenticationFailed InputTooLong ByteLength BitLengthIVinitializationVector$fExceptionBlockCipherError c_constTimeEqincBSi2bs i2bs_unsized throwLeftfor.::. constTimeEqbs2izwp'zwpcollect SystemRandomCryptoRandomGennewGen genSeedLengthgenBytes reseedInfo reseedPeriodgenBytesWithEntropyreseednewGenIO ReseedInfoNeverNotSoonInXCallsInXBytesGenErrorNeedsInfiniteSeedNotEnoughEntropy NeedReseed RangeInvalidRequestedTooManyBytes GenErrorOther BlockCipherzeroIV cMacStar'cMacStarcMac'cMaccbcMaccbcMac'dblIVSigningsignverifybuildSigningPairsigningKeyLengthverifyingKeyLength StreamCipherbuildStreamKey encryptStream decryptStreamstreamKeyLength AsymCipher buildKeyPair encryptAsym decryptAsympublicKeyLengthprivateKeyLength blockSize encryptBlock decryptBlockbuildKey keyLengthecbunEcbcbcunCbcctrunCtrctrLazy unCtrLazycfbunCfbofbunOfbcbcLazy unCbcLazysivLazy unSivLazysivunSivecbLazy unEcbLazycfbLazy unCfbLazyofbLazy unOfbLazyHash outputLength blockLength initialCtx updateCtxfinalizehashhash'hashFunc hashFunc'getIVgetIVIOblockSizeByteskeyLengthBytes buildKeyIO buildKeyGenbuildKeyPairIObuildKeyPairGenbuildStreamKeyIObuildStreamKeyGenbuildSigningKeyPairIObuildSigningKeyPairGenincIVchunkFor chunkFor'MacKeyhmachmac'padPKCS5putPaddedPKCS5 padBlockSizeunpadPKCS5safe unpadPKCS5padESPpadESPBlockSizeputPadESPBlockSize putPadESPunpadESP CipherError KeyGenFailurePolyQTcpoly cpoly2list cpoly2revlistcpolyscpolys'base GHC.Exceptionthrow getSystemGen SysRandom$fCryptoRandomGenSystemRandom$fExceptionGenErrormodeOfb modeUnOfbmodeCfb modeUnCfbmodeEcb modeUnEcbmodeSiv modeUnSivmodeSiv' modeUnSiv'modeCtr modeUnCtrmodeEcb' modeUnEcb'modeCbc' modeUnCbc'modeOfb' modeUnOfb'modeCtr' modeUnCtr'modeCfb' modeUnCfb'sivMaskGHC.Listelem makeBlocksivProxy deIVProxymodeCbc modeUnCbc buildKeyMbuildStreamKeyMtoChunks zeroIVcwcnontruncatedChunkFornontruncatedChunkFor'ivBlockSizeBytes $fSerializeIVcMacSubkcMacPad cMacWithSubK cMacWithSubK'xorenddblwdblBdblLdecodeBencodeBdecodeLencodeLData.Serialize.PutPutputPaddedBlockSizeespPad Data.MaybeNothingmExcepteExcept$fExceptionCipherError