śĪņ:éėm      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijkl Safe-InferredmnopqrstpqrmonpqrstNoneuincBS bs" inefficiently computes the value $i2bs (8 * B.length bs) (bs2i bs + 1) v i2bs bitLen i converts i to a  ByteString of bitLen! bits (must be a multiple of 8). wbs2i bs converts the  ByteString bs to an x (inverse of v) uvwuvwuvw Safe-Inferred The length fo a field in bytes. 5The length of a field (usually a ByteString) in bits  portable betaThomas.DuBuisson@gmail.comNone5Not that it is technically correct as an instance of  , but simply because it's a reasonable engineering ; choice here is a CryptoRandomGen which streams the system  randoms. Take note: # It uses the default definition of genByteWithEntropy   will always fail!    will always fail! 1 the handle to the system random is never closed AA class of random bit generators that allows for the possibility > of failure, reseeding, providing entropy at the same time as  requesting bytes Minimum complete definition: , , ,   . 6Instantiate a new random bit generator. The provided : bytestring should be of length >= genSeedLength. If the 9 bytestring is shorter then the call may fail (suggested  error:  ). If the bytestring is of 2 sufficent length the call should always succeed. ;Length of input entropy necessary to instantiate or reseed  a generator genBytes len g) generates a random ByteString of length  len and new generator. The MonadCryptoRandom package 6 has routines useful for converting the ByteString to  commonly needed values (but cereal or other - deserialization libraries would also work). 9This routine can fail if the generator has gone too long < without a reseed (usually this is in the ball-park of 2^48 . requests). Suggested error in this cases is  genBytesWithEntropy g i entropy generates i random $ bytes and use the additional input entropy in the = generation of the requested data to increase the confidence / our generated data is a secure random stream. Some generators use entropy to perturb the state of the  generator, meaning:    (_,g2') <!- genBytesWithEntropy len g1 ent  (_,g2 ) <- genBytes len g1  g2 /= g2' But this is not required.  Default:  J genBytesWithEntropy g bytes entropy = xor entropy (genBytes g bytes)  ;If the generator has produced too many random bytes on its  existing seed it will throw . In that case, 4 reseed the generator using this function and a new  high-entropy seed of length >=  . Using 7 bytestrings that are too short can result in an error  ( ). By default this uses System.Crypto.Random to obtain  entropy for . BGenerator failures should always return the appropriate GenError.  Note  2 in an instance of exception but wether or not an A exception is thrown depends on if the selected generator (read:  if you don'&t want execptions from code that uses y then E pass in a generator that never has an error for the used functions) This generator can not be ! instantiated or reseeded with a  finite seed (ex: ) !For instantiating new generators  (or reseeding)  Some generators cease operation " after too high a count without a  reseed (ex: NIST SP 800-90)  When using genInteger g (l,h)  and logBase 2 (h - l) > (maxBound  :: Int). Requested more bytes than a  single pass can generate (The  maximum request is generator  dependent) Misc zJget a random number generator based on the standard system entropy source CWhile the safety and wisdom of a splitting function depends on the A properties of the generator being split, several arguments from E informed people indicate such a function is safe for NIST SP 800-90  generators. (see libraries@(haskell.org discussion around Sept, Oct  2010) >Useful utility to extract the result of a generator operation , and translate error results to exceptions. {:Obtain a tagged value for a particular instantiated type. |3Helper function to convert bytestrings to integers }zipWith xor + Pack Y As a result of rewrite rules, this should automatically be optimized (at compile time) ! to use the bytestring libraries zipWith' function. ~ z{|}€    ~  z{|}€ portable betaThomas.DuBuisson@gmail.comNoneFA class for signing operations which inherently can not be as generic ! as asymetric ciphers (ex: DSA). WA stream cipher class. Instance are expected to work on messages as small as one byte 9 The length of the resulting cipher text should be equal % to the length of the input message. 6Asymetric ciphers (common ones being RSA or EC based) %;The BlockCipher class is intended as the generic interface < targeted by maintainers of Haskell cipher implementations. 5 Using this generic interface higher level functions  such as cbcC, and other functions from Data.Crypto.Modes, provide a useful API * for comsumers of cipher implementations. %Instances must handle unaligned data +4The Hash class is intended as the generic interface < targeted by maintainers of Haskell digest implementations. 6 Using this generic interface, higher level functions  such as 1 and 2 provide a useful API ( for comsumers of hash implementations. ;Any instantiated implementation must handle unaligned data 1*Hash a lazy ByteString, creating a digest 2,Hash a strict ByteString, creating a digest 3:Obtain a lazy hash function whose result is the same type P as the given digest, which is discarded. If the type is already inferred then  consider using the 1 function instead. 4<Obtain a strict hash function whose result is the same type P as the given digest, which is discarded. If the type is already inferred then  consider using the 2 function instead. 5,The number of bytes in a block cipher block 64Build a symmetric key using the system entropy (see   ) 7CBuild a pair of asymmetric keys using the system random generator. 85Build a stream key using the system random generator 96Build a signing key using the system random generator :'Obtain a tagged value for a given type ;Infix : operator <9Checks two bytestrings for equality without breaches for  timing attacks. Semantically, constTimeEq = (==) . However, x == y takes less @ time when the first byte is different than when the first byte < is equal. This side channel allows an attacker to mount a $ timing attack. On the other hand,  constTimeEq always takes the ( same time regardless of the bytestrings' contents, unless they are  of difference size. You should always use  constTimeEq when comparing secrets, 5 otherwise you may leave a significant security hole  (cf.  /http://codahale.com/a-lesson-in-timing-attacks/). + build a public/.private key pair using the provided generator !Asymetric encryption "Asymetric decryption #$%&LThe size of a single block; the smallest unit on which the cipher operates. 'encrypt data of size  n*blockSize where n  [0..] (ecb encryption) (decrypt data of size  n*blockSize where n  [0..] (ecb decryption) ).smart constructor for keys from a bytestring. * length of the cryptographic key +,$The size of the digest when encoded -GThe amount of data operated on in each round of the digest computation .4An initial context, provided with the first call to / /HUsed to update a context, repeatedly called until all data is exhausted ( must operate correctly for imputs of  n*blockLength bytes for n  [0..] 0UFinializing a context, plus any message data less than the block size, into a digest ‚1234ƒ56789:;<* !"#$%&'()*+,-./0123456789:;<*+,-./01234%&'()*568 !"#$79:;< !"#$%&'()*+,-./0‚1234ƒ56789:;<portablebetaThomas.DuBuisson@gmail.comNone=A key carrying phantom types c and d', forcing the key data to only be used  by particular hash algorithms. ?>Message authentication code calculation for lazy bytestrings.   hmac k msg) will compute an authentication code for msg using key k @ hmac k msg) will compute an authentication code for msg using key k =>?@=>?@?@=>=>?@ portable betaThomas.DuBuisson@gmail.comNone3AAInitilization Vectors for BlockCipher implementations (IV k) are C used for various modes and guarrenteed to be blockSize bits long. 6 The common ways to obtain an IV are to generate one (a or  b8) or to use one provided with the ciphertext (using the  „ instance of IV). T3 also exists and is of particular use for starting H  mode with a fresh key. …zipWith xor + Pack 0This is written intentionally to take advantage  of the bytestring libraries zipWith' rewrite rule but at the C extra cost of the resulting lazy bytestring being more fragmented  than either of the two inputs. †zipWith xor + Pack ;As a result of rewrite rules, this should automatically be = optimized (at compile time) to use the bytestring libraries  zipWith' function. B<Cipher block chaining encryption mode on strict bytestrings C-Cipher block chaining message authentication D-Cipher block chaining message authentication E8Cipher block chaining decryption for strict bytestrings F6Cipher block chaining encryption for lazy bytestrings G6Cipher block chaining decryption for lazy bytestrings H"Counter mode for lazy bytestrings I#Counter mode for lazy bytestrings J$Counter mode for strict bytestrings K$Counter mode for strict bytestrings ‡CGenerate cmac subkeys. The usage of seq tries to force evaluation . of both keys avoiding posible timing attacks ˆAPad the string as required by the cmac algorithm. In theory this D should work at bit level but since the API works at byte level we  do the same ‰?Obtain the cmac with the specified subkey for lazy bytestrings L%Obtain the cmac for lazy bytestrings ŠAObtain the cmac with the specified subkey for strict bytestrings M'Obtain the cmac for strict bytestrings ‹AGenerate the xor stream for the last step of the CMAC* algorithm Œ%Obtain the CMAC* on lazy bytestrings 'Obtain the CMAC* on strict bytestrings Ž&Create the mask for SIV based ciphers N@SIV (Synthetic IV) mode for lazy bytestrings. First argument is > the optional list of bytestrings to be authenticated but not ? encrypted As required by the specification this algorithm may - return nothing when certain constraints aren't met. O@SIV (Synthetic IV) for lazy bytestrings. First argument is the E optional list of bytestrings to be authenticated but not encrypted. D As required by the specification this algorithm may return nothing  when authentication fails. PCSIV (Synthetic IV) mode for strict bytestrings. First argument is > the optional list of bytestrings to be authenticated but not A encrypted. As required by the specification this algorithm may - return nothing when certain constraints aren't met. Q@SIV (Synthetic IV) for strict bytestrings First argument is the D optional list of bytestrings to be authenticated but not encrypted D As required by the specification this algorithm may return nothing  when authentication fails. R Increase an A, by one. This is way faster than decoding,  increasing, encoding #Accumulator based double operation S7Perform doubling as defined by the CMAC and SIV papers 7Perform doubling as defined by the CMAC and SIV papers ‘7Perform doubling as defined by the CMAC and SIV papers ’,Cast a bigEndian ByteString into an Integer “@Cast an Integer into a bigEndian ByteString of size k. It will E drop the MSBs in case the number is bigger than k and add 00s if it  is smaller. ”,Cast a bigEndian ByteString into an Integer •@Cast an Integer into a bigEndian ByteString of size k. It will E drop the MSBs in case the number is bigger than k and add 00s if it  is smaller. T Obtain an A made only of zeroes U6Cook book mode - not really a mode at all. If you don't know what you' re doing, don'!t use this mode^H^H^H^H library. VECB decrypt, complementary to U. WLike U but for strict bytestrings XDecryption complement to W YBCiphertext feed-back encryption mode for lazy bytestrings (with s  == blockSize) ZBCiphertext feed-back decryption mode for lazy bytestrings (with s  == blockSize) [BCiphertext feed-back encryption mode for strict bytestrings (with  s == blockSize) \RCiphertext feed-back decryption mode for strict bytestrings (with s == blockSize) ]*Output feedback mode for lazy bytestrings ^*Output feedback mode for lazy bytestrings _,Output feedback mode for strict bytestrings `,Output feedback mode for strict bytestrings a Obtain an A+ using the provided CryptoRandomGenerator. b Obtain an A using the system entropy (see   ) =A–—˜™š…†BCDEFGHIJK‡ˆ‰LŠM‹ŒŽNOPQRS‘’“”•TUVWXYZ[\]^_`ab›œžŸ"ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ab"AabTRSUVFGYZ]^WXBE[\_`HIJKNOPQCDLM;A–—˜™š…†BCDEFGHIJK‡ˆ‰LŠM‹ŒŽNOPQRS‘’“”•TUVWXYZ[\]^_`ab›œžŸportablebetaThomas.DuBuisson@gmail.comNone c$PKCS5 (aka RFC1423) padding method. : This method will not work properly for pad modulos > 256 dEx:    putPaddedPKCS5 m bs  Will pad out bs to a byte multiple  of m# and put both the bytestring and it's padding via   : (this saves on copying if you are already using Cereal). eBPKCS5 (aka RFC1423) padding method using the BlockCipher instance  to determine the pad size. ” Leverages d# to put the bytestring and padding = of sufficient length for use by the specified block cipher. f>unpad a strict bytestring padded in the typical PKCS5 manner. E This routine verifies all pad bytes and pad length match correctly. g=unpad a strict bytestring without checking the pad bytes and ! length any more than necessary. h0Pad a bytestring to the IPSEC esp specification   padESP m payload is equivilent to:   : (msg) (padding) (length field) ) B.concat [payload, B.pack [1,2,3,4..], B.pack [padLen]] Where: ( the msg is any payload, including TFC.  the padding is <= 255  the length field is one byte. -Notice the result bytesting length remainder r equals zero. The lack  of a " next header"7 field means this function is not directly useable for  an IPSec implementation (copy/'paste the 4 line function and add in a  " next header"% field if you are making IPSec ESP). iGLike padESP but use the BlockCipher instance to determine padding size jLLike putPadESP but using the BlockCipher instance to determine padding size k6Pad a bytestring to the IPSEC ESP specification using  . 2 This can reduce copying if you are already using  . ¢/A static espPad allows reuse of a single B.pack'ed pad for all calls to padESP lTunpad and return the padded message (Nothing is returned if the padding is invalid) cde”fghijk¢l cdefghijkl cedfghlijk cde”fghijk¢l£  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~€‚ƒ„…†‡ˆ‰ŠGƒ‹ŒŽ‡‘’ “”‹•–—˜™š›œžŸ ”¢£M¤„¦§Ø©Ŗ«¬ ­®Æ°±crypto-api-0.10.2Crypto.Classes Crypto.Types Crypto.Random Crypto.HMAC Crypto.ModesCrypto.Padding Crypto.CPoly Crypto.Util System.CryptoRandomcereal-0.3.5.2Data.Serializeencode ByteLength BitLength SystemRandomCryptoRandomGennewGen genSeedLengthgenBytesgenBytesWithEntropyreseednewGenIOGenErrorNeedsInfiniteSeedNotEnoughEntropy NeedReseed RangeInvalidRequestedTooManyBytes GenErrorOthersplitGen throwLeftSigningsignverifybuildSigningPairsigningKeyLengthverifyingKeyLength StreamCipherbuildStreamKey encryptStream decryptStreamstreamKeyLength AsymCipher buildKeyPair encryptAsym decryptAsympublicKeyLengthprivateKeyLength BlockCipher blockSize encryptBlock decryptBlockbuildKey keyLengthHash outputLength blockLength initialCtx updateCtxfinalizehashhash'hashFunc hashFunc'blockSizeBytes buildKeyIObuildKeyPairIObuildStreamKeyIObuildSigningKeyPairIOfor.::. constTimeEqMacKeyhmachmac'IVcbc'cbcMac'cbcMacunCbc'cbcunCbcctrunCtrctr'unCtr'cMaccMac'sivunSivsiv'unSiv'incIVdblIVzeroIVecbunEcbecb'unEcb'cfbunCfbcfb'unCfb'ofbunOfbofb'unOfb'getIVgetIVIOpadPKCS5putPaddedPKCS5 padBlockSizeunpadPKCS5safe unpadPKCS5padESPpadESPBlockSizeputPadESPBlockSize putPadESPunpadESPPolyQTcpoly cpoly2list cpoly2revlistcpolys cpolysArrincBSi2bsbs2i integer-gmpGHC.Integer.TypeIntegerbase GHC.Exceptionthrow getSystemGenzwp' SysRandom$fCryptoRandomGenSystemRandom$fExceptionGenErrorGHC.Listelem c_constTimeEq makeBlocks SerializezwpcMacSubkcMacPad cMacWithSubK cMacWithSubK'xorendcMacStar cMacStar'sivMaskdblwdblBdblLdecodeBencodeBdecodeLencodeLinitializationVectorcollectchunkFor chunkFor'ivProxy deIVProxyproxyOfivBlockSizeBytes $fSerializeIVData.Serialize.PutPutputPaddedBlockSizeespPad