|Jan 16, 2021||Updated|
|Dec 27, 2020||Updated|
|Dec 26, 2020||Created|
So today (Dec 26, 2020) I’m trying to write some crypto functions to encrypt/decrypt network packets. Then I realized my knowledge about network security is just too shallow. Although I know AES, SHA, etc. to some extent, I’m not really sure how to build them.
Some basic concepts:
- Cryptographic Hash Function
- Public Key Cryptography
TLS and SSH
SSH has a process similar to SSL/TLS. See Understanding the SSH Encryption and Connection Process.
TLS (DTLS for UDP) has an extra handshake protocol after a TCP or UDP port is open.
This handshake process uses asymmetric (public/private) keys to exchange info (e.g., choose TLS info, send the public key, etc.).
The two sides reach a consensus on which TLS version, which cipher suite, and which session key (encryption key) to use.
Finally they will start sending traffic using symmetric encryption (e.g., AES).
In addition, they will use secure hashing (e.g., SHA3) to ensure the integrity of the packets.
As I know it, AES has two variables controlling its variations: 1) key size: 128-bit, 192-bit, 256-bit => AES128, AES192, AES256; 2) mode of chaining, for data that is larger than the standard AES 128-bit block size. The modes can be CTR, CBC and so on. This is more advanced.
AES is a block cipher. AES operates on a 128-bit data block and produces 128 bits of encrypted data.
For larger data (packets), the mode of chaining needs to be specified.
Key Schedule, round constant
A mode of operation describes how to repeatedly apply a cipher’s single-block operation to securely transform amounts of data larger than a block.
Block ciphers operate on a fixed length string of bits. The length of this bit string is the block size. Both the input (plaintext) and output (ciphertext) are the same length; the output cannot be shorter than the input – this follows logically from the pigeonhole principle and the fact that the cipher must be reversible – and it is undesirable for the output to be longer than the input.
SHA-3 has several variations depending on the hash size: SHA3-224, SHA3-256, SHA3-384, and SHA3-512.
As usual, let us look at some real-world use cases and code.
Both of them have implemented a set of cryptographic functions, collectively called
But these libraries have deep roots in their projects and thus use a lot of project-specific macros etc.,
so I think they are not that easy to read.
There is a lot of simpler PoC code out there.
- OpenSSL - libcrypto
- their arch page is really good: https://www.openssl.org/docs/OpenSSLStrategicArchitecture.html
- OpenSSL 3.0.0 Design
- OpenSSH - ssh/sshd/scp/etc
- Linux kernel crypto API
- Opencore SHA-3
- Opencore AES
- So I personally use this in my research project. It is clean.
- CPUs have extended instructions to accelerate AES and its friends: AES instruction set