A Review of Selected Cryptographic Libraries

August 23, 2012 by Adrian Stolarski

Cryptography is the science that deals with the problems of concealing information by encrypting it, and contains the set of methods for achieving such secrecy. With cryptography, we can transform a normal, plain text, or other type of message in a way that it becomes unintelligible to unauthorized recipients. A competent recipient upon receipt can convert it back into readable form.

Until recently, the main consumers of cryptographic solutions were governmental, diplomatic, and military organizations. The development of digital information flow has since caused the areas of application of cryptography to significantly increase. Today cryptographic techniques are used to authenticate documents and persons, as well as the standard exchange of information. Cryptography is also used in banking and mobile phone industries. Increasingly popular are Internet shopping and online banking accounts.

It is interesting to note that the ciphers remain unbreakable for about 10 years. This situation may change, however, with the use of real quantum computers. The only safe way to encrypt information is with quantum cryptography. In quantum cryptography, the key is protected by the Heisenberg uncertainty principle. This principle (which is the basis of quantum mechanics) states that the measurement of one property could affect the measurement results of another property. In practice, this means that an intruder peeping at the stream of photons changes their state in such a way that the sender and the receiver can detect it.

Sometimes we are working on our own software and do not want some data to be available for everyone. Of course you can obfuscate your code so that nobody understands it is not normal, but this solution may also hinder our lives. Personally, unless I have to work on someone else’s code, I reject any type of code I do not understand. Unfortunately, sometimes I need to refactor code, written by a tip. Then the number of WTFs (what the fuck, man?) increases dangerously, both per line of code and per square meter …

So I prefer to leave this type of task to cryptography, which aims not only to hide the data by changing the content, but also to allow reverse operations, such as reading it. Over the thousands of years that cryptography and cryptanalysis have been used, there have been many brilliant encryption algorithms. Brilliant, of course, until a mathematical genius is born who breaks them in a few days or weeks. Certainly there are also some secret encryption methods which we do not know. But the secrecy of the algorithm itself is not sufficient to determine that the algorithm is good. In any strong encryption method, what provides security are the properties of the algorithm itself, and they ultimately decide whether the information is easy or hard to decipher, even if everyone knows how the algorithm works.

I decided to briefly describe some cryptographic libraries that implement several popular cryptographic algorithms. A common feature of all the libraries presented here is that all contain the source code, which does not mean that they really are free. Remember that all licensing issues regarding cryptographic algorithms are very sensitive, and you can check the information supplied together with the sources of the libraries.

If you have chosen your favorite algorithm and library, try to implement it yourself, and do not forget that introducing some modifications can affect not only the algorithm itself, but also how it will read and write data. Any modification of the encryption scheme can lead to a drastic reduction in the level of security. We simply must recognize that we do not have enough time to perform the correct implementation of the algorithm, along with the full testing of the resulting code in such a way that it significantly increases security. But also keep in mind that if you use an open source library, any changes will be far easier to implement. In addition, software that is distributed on the basis of full availability of the code and the possibility of modifying it gives us confidence that the code we delivered to the library meets the requirements of the specification, meaning that it works on several different hardware platforms and enables safe use of the mechanism of memory. Mostly, open source programs provide high quality and are free from any major mistakes, a direct result of the fact that these libraries are used not only by private customers, but also by many major companies, which makes the process of finding errors in them instant and very effective. This is why open source libraries typically lack good technical documentation.

Libraries provided under the GNU have an added plus which very few people realize. Note that when using the solutions provided by commercial companies, there will always be a danger that this process is interrupted. Libraries available from open source minimize the danger just by the presence of the source code. If the library is really good, there is always someone who will develop it, however. If the library is popular, then it begins to grow as more and more people make better and more stable versions of the library. In the case of commercial companies we must always remember one thing. Perhaps the company from whom we buy today, may not have the solution tomorrow. And what then?

The first library I will write about is libmcrypt. This is a library that is adapted to multi-threaded environments. Although it was written in C, it has a really easy to use API (application programming interface). This library was created to provide the functions of mcrypt, a replacement for the Unix crypt program. Both the program and the library are really very popular, but they have one drawback: although they support a variety of algorithms, they are all symmetrical. Note that libmcrypt can be linked into programs in two ways, statically and dynamically, and this does not change the way we use the API. The most striking aspect of this library is its very low-level functions, which operate on both data buffers and blocks. The developer only provides the library with the data for encryption and decryption. The API of this library consists of a total of only two sets of functions, for encryption and decryption. We decide on the type of algorithm when we initialize the module. The upside is that the library itself detects whether it has support for dynamic and static modules.

Another of these libraries is Borzoi. Borzoi also focuses only on one type of algorithm, but here the algorithms are based on elliptic curves, although the library also contains implementations of the AES symmetric algorithm and one of the algorithms to generate a digital signature, the SHA-1. The most important elements, however, remain the classes and objects associated with elliptic curves, and the other bonuses play a supporting role. The main advantage of this library is that it tries to be in line with international standards, which certainly enhances its quality. The author of this library also states that it was created to improve code quality and security. So, this library allows the use of another, faster library for arithmetic operations on large numbers.

An interesting idea is the Crypto++ library. It contains the largest number of algorithms of all the libraries presented here. It also has a well-designed, custom API. That’s why it is used in many commercial and noncommercial applications. But just as everything has a bright side, it also has a dark side. Unfortunately, in order to work well with it, you need to configure it yourself. Another shortcoming of Crypto++, or rather of the library itself and the programs for testing its operation, is that their compilation requires huge amounts of RAM, which further translates into the speed of the program that will work with it later. Additionally, the subsequent linking of programs may fail, so the library requires a lot of patience from the programmer. These defects are, however, not found in other libraries that compile quickly, easily and pleasantly, which is strange in my opinion until you have been able to write components that can easily compile and work very hard and put them in the same issue. But hey, it’s not me writing this soft.

In spite of my minor objections to Crypto++, I recommend it to all those who seek a rich selection of classes and encryption algorithms and want to have a library that can be individually tailored to the needs of the application. Another plus of the library is that it really does not require a powerful compiler, and it will be compiled into virtually every possible and accessible language. Most importantly, it also has the ability to generate the hash function algorithm with a key.

Another object-oriented library is Botan. It is compatible with Unix and Linux systems, as well as with Windows. It also contains many algorithms, but unlike a few libraries described here, it includes coding modes and support for international standards. As a programmer, I can manipulate data at a high level with the API. Here, everything is an object or user files. Botan also allows you to encrypt data at the block level. Botan also offers pretty good documentation, although sometimes we think it could use a little bit more, to describe all of the classes and objects. The main object of this type of library is a stream. This is what we use to perform all possible operations. With Botan, please note one more thing: the library was written in C++, so it uses all major programming techniques, including inheritance, interfaces, design patterns, and OO classes and methods.

Let’s move on to the next interesting library, which is libgcrypt. This library was created by extracting from GnuPG all functions related to cryptography, and it operates on algorithms that are based on public keys. This is the most important feature of this cryptographic library. Although it does not offer too many cryptographic algorithms, it has been fully validated in terms of multi-threaded environments. This library also has a simple to use API that is fully unified and object-oriented. During each use of the library, we always apply the same set of encryption functions, and the choice of encryption and decryption algorithm is made in only one place. Libgcrypt supports encryption algorithms using private and public keys in a way fundamentally different from other libraries. It uses so-called S-expressions, so it helps to be familiar with the languages LISP and Scheme, yet for the proper use of this library it is sufficient to know only a few S-expressions.

Please also note that I do not use every library. An example is NSS. Why? Because it allows you to perform a remote attack against web servers and pages. The Netscape Network Security Services (NSS) library is an implementation of Secure Sockets Layer Version 2 (SSLv2). Netscape Enterprise Server and Sun Java System Web Server are prone to the error, but the susceptibility can also apply to other systems using the open source NSS library. The problem occurs when the NSS library handles a request for a new SSLv2 session. The server did not check the length of the record in the first part of the communication between the two systems. Hackers could use this missing check of the record length to run malicious code on vulnerable systems. Carrying out a successful attack allows access to the system with the privileges of the user running the web server.
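The record-length check whose absence is described above can be shown with a small bounds-checked parser for the first SSLv2 message. This is an added example, not NSS code or its fix: the function, type and constant names are hypothetical, and the layout (2-byte length header, then the CLIENT-HELLO fields) and field limits follow the SSLv2 specification.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { HELLO_OK = 0, HELLO_TRUNCATED = -1, HELLO_BAD_LENGTH = -2, HELLO_BAD_TYPE = -3 };
enum { HDR = 2, FIXED = 9, MAX_CHALLENGE = 32 };
struct client_hello {
    uint16_t version, cipher_len, sid_len, chal_len;
    uint8_t challenge[MAX_CHALLENGE];      /* fixed-size destination buffer */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Parse one SSLv2 record carrying a CLIENT-HELLO from buf[0..avail). */
int parse_client_hello(const uint8_t *buf, size_t avail, struct client_hello *out)
{
    if (avail < HDR) return HELLO_TRUNCATED;
    if (!(buf[0] & 0x80)) return HELLO_BAD_TYPE;       /* expect the 2-byte header */
    size_t rec_len = ((size_t)(buf[0] & 0x7f) << 8) | buf[1];
    /* Check 1: the declared record length must fit in the bytes received. */
    if (rec_len > avail - HDR) return HELLO_TRUNCATED;
    if (rec_len < FIXED) return HELLO_BAD_LENGTH;
    const uint8_t *rec = buf + HDR;
    if (rec[0] != 1) return HELLO_BAD_TYPE;            /* 1 = CLIENT-HELLO */
    out->version = be16(rec + 1);
    out->cipher_len = be16(rec + 3);
    out->sid_len = be16(rec + 5);
    out->chal_len = be16(rec + 7);
    /* Check 2: the three variable-length fields must exactly fill the record. */
    size_t body = (size_t)out->cipher_len + out->sid_len + out->chal_len;
    if (body != rec_len - FIXED) return HELLO_BAD_LENGTH;
    /* Check 3: bound each field by the protocol limits before copying. */
    if (out->cipher_len == 0 || out->cipher_len % 3) return HELLO_BAD_LENGTH;
    if (out->sid_len != 0 && out->sid_len != 16) return HELLO_BAD_LENGTH;
    if (out->chal_len < 16 || out->chal_len > MAX_CHALLENGE) return HELLO_BAD_LENGTH;
    memcpy(out->challenge, rec + FIXED + out->cipher_len + out->sid_len, out->chal_len);
    return HELLO_OK;
}

/* Constructed sample record: one cipher spec, no session ID, 16-byte challenge. */
static const uint8_t sample_hello[30] = {
    0x80, 0x1c, 0x01, 0x00, 0x02, 0x00, 0x03, 0x00, 0x00, 0x00, 0x10,
    0x07, 0x00, 0xc0, 'c','o','n','s','t','r','u','c','t','e','d','-','d','a','t','a' };

int main(void)
{
    struct client_hello h;
    printf("valid record: %d\n", parse_client_hello(sample_hello, sizeof sample_hello, &h));
    printf("cut short:    %d\n", parse_client_hello(sample_hello, 20, &h));
    return 0;
}
```

A record whose header claims more bytes than arrived, or whose internal lengths disagree with the header, is rejected before any copy into the fixed-size buffer.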

After reading this article, most of you will think: “Cool, we finally will be used to create cryptographic algorithms.” But it is not cool. When using the above-mentioned libraries, remember to use them with your head, and always read the materials about a library before using it, so we can avoid a really painful slip of software development at a high level. At the end of all I wish you a pleasant use of the libraries described above. Peace be with you, I really intend Peace with you.


Adrian Stolarski is a freelance security tech blogger, specializing in Java, PHP, and JQuery. In his own words, he does the hard work of training the unemployed. Currently, he handles Evaluation Visualization for real-time systems with XWT and Eclipse RAP. If he sees that something works, he asks how it works and why it works, then sets out to make it work better. A researcher for InfoSec Institute, he currently lives in Poland, but plans to move to London.