progs/cc-kem.c: Split `aead_init' into two pieces.

[catacomb] / progs / catcrypt.1

.\" -*-nroff-*-
.de VS
.sp 1
.RS
.nf
.ft B
..
.de VE
.ft R
.fi
.RE
.sp 1
..
.ie t \{\
.  if \n(.g \{\
.    fam P
.  \}
.\}
.de hP
.IP
.ft B
\h'-\w'\\$1\ 'u'\\$1\ \c
.ft P
..
.ie t .ds o \(bu
.el .ds o o
.TH catcrypt 1 "30 September 2004" "Straylight/Edgeware" "Catacomb cryptographic library"
.SH NAME
catcrypt \- encrypt and decrypt messages
.SH SYNOPSIS
.B catcrypt
.RB [ \-k
.IR keyring ]
.I command
.PP
where
.I command
is one of:
.PP
.B help
.RI [ command ...]
.br
.B show
.RI [ item ...]
.br
.B encrypt
.RB [ \-apC ]
.RB [ \-k
.IR tag ]
.RB [ \-f
.IR format ]
.RB [ \-o
.IR output ]
.RI [ file ]
.br
.B decrypt
.RB [ \-apqvC ]
.RB [ \-f
.IR format ]
.RB [ \-o
.IR output ]
.RI [ file ]
.br
.B encode
.RB [ \-p ]
.RB [ \-f
.IR format ]
.RB [ \-b
.IR boundary ]
.RB [ \-o
.IR output ]
.RI [ file ]
.br
.B decode
.RB [ \-p ]
.RB [ \-f
.IR format ]
.RB [ \-b
.IR boundary ]
.RB [ \-o
.IR output ]
.RI [ file ]
.SH "DESCRIPTION"
The
.B catcrypt
command encrypts and decrypts messages.  It also works as a simple PEM
encoder and decoder.  It provides a number of subcommands, by which the
various operations may be carried out.
.SS "Global options"
Before the command name,
.I "global options"
may be given.  The following global options are supported:
.TP
.BR "\-h, \-\-help " [ \fIcommand ...]
Writes a brief summary of
.BR catcrypt 's
various options to standard output, and returns a successful exit
status.  With command names, gives help on those commands.
.TP
.B "\-v, \-\-version"
Writes the program's version number to standard output, and returns a
successful exit status.
.TP
.B "\-u, \-\-usage"
Writes a very terse command line summary to standard output, and returns
a successful exit status.
.TP
.BI "\-k, \-\-keyring " file
Names the keyring file which
.B key
is to process.  The default keyring, used if this option doesn't specify
one, is the file named
.B keyring
in the current directory.  See
.BR key (1)
and
.BR keyring (5)
for more details about keyring files.
.SH "KEY SETUP"
Algorithms to be used with a particular key are described by attributes
on the key, or its type.  The
.B catcrypt
command deals with both signing and key-encapsulation keys.  (Note that
.B catcrypt
uses signing keys in the same way as
.BR catsign (1).)
.SS "Key-encapsulation keys"
(Key encapsulation is a means of transmitting a short, known, random
secret to a recipient.  It differs from encryption in technical ways
which are largely uninteresting at this point.)
.PP
A
.I kemalgspec
has the syntax
.IR kem \c
.RB [ / \c
.IR bulk \c
.RB [ \- \c
.IR cipher ] \c
.RB [ / \c
.IR hash ]]
or
.IR kem \c
.RB [ / \c
.IR cipher \c
.RB [ / \c
.IR hash ]].
If a
.B kem
attribute is present on the key, then it must have this form; otherwise,
the key's type must have the form
.BR cckem- \c
.IR kemalgspec .
Algorithm selections are taken from appropriately-named attributes, or,
failing that, from the
.IR kemalgspec .
.PP
The key-encapsulation mechanism is chosen according to the setting of
.I kem
as follows.  Run
.B catcrypt show kem
for a list of supported KEMs.
.TP
.B rsa
This is Shoup's RSA-KEM (formerly Simple RSA); see
.I
A proposal for an ISO standard for public key encryption (version 2.0)
available at
.BR http://eprint.iacr.org/2000/060/ .
Use the
.B rsa
algorithm of the
.B key add
command (see
.BR key (1))
to generate the key.
.TP
.B dh
This is standard Diffie-Hellman key exchange, hashing the resulting
shared secret to form the key, as used in, e.g., DLIES (P1363a).
Use the
.B dh
algorithm of the
.B key add
command, preferably with the
.B \-LS
options, to generate the key.
.TP
.B ec
This is the elliptic-curve analogue of
.BR dh .
Use the
.B ec
algorithm of the
.BR key (1))
command to generate the key.
.TP
.B symm
This is a simple symmetric encapsulation scheme.  It works by hashing a
binary key with a randomly-generated salt.  Use the
.B binary
algorithm of the
.B key add
command (see
.BR key (1))
to generate the key.
.TP
.B x25519
This is Bernstein's Curve25519, a fast Diffie-Hellman using a specific
elliptic curve.
Use the
.B x25519
algorithm of the
.B key add
command
(see
.BR key (1))
to generate the key.
.TP
.B x448
This is Hamburg's Curve25519, a strong Diffie-Hellman using a specific
elliptic curve.
Use the
.B x448
algorithm of the
.B key add
command
(see
.BR key (1))
to generate the key.
.PP
The bulk crypto transform is chosen based on the
.B bulk
attribute on the key, or, failing that,
from the
.I bulk
stated in the
.IR kemalgspec .
Run
.B catcrypt show bulk
for a list of supported bulk crypto transforms.
.TP
.B gencomp
A generic composition of
a cipher secure against chosen-plaintext attack,
and a message authentication code.
Makes use of
.B cipher
and
.B mac
attributes.  Run
.B catcrypt show cipher
for a list of supported symmetric encryption algorithms; the default
.I cipher
is
.BR blowfish-cbc .
This is the default transform.
.TP
.B aead
Use an `authenticated encryption with additional data' (AEAD) scheme.
The specific scheme is named by the
.B cipher
attribute.  Run
.B catcrypt show aead
for a list of supported AEAD schemes; the default is
.BR chacha20-poly1305 .
.TP
.B naclbox
Use Salsa20 or ChaCha and Poly1305 to secure the bulk data.
This is nearly the same as the NaCl
.B crypto_secretbox
construction,
except that
.B catcrypt
uses Salsa20 or ChaCha rather than XSalsa20,
because it doesn't need the latter's extended nonce.
The
.B cipher
attribute may be set to one of
.BR salsa20 ,
.BR salsa20/12 ,
.BR salsa20/8 ,
.BR chacha20 ,
.BR chacha12 ,
or
.BR chacha8 ;
the default is
.BR salsa20 .
.PP
As well as the KEM itself, a number of supporting algorithms are used.
These are taken from appropriately named attributes on the key or,
failing that, derived from other attributes as described below.
.TP
.B cipher
This is the symmetric encryption algorithm
used by the bulk data transform.
If there is no
.B cipher
attribute then the
.I bulk
in the
.I kemalgspec
is used; if that it absent, then the default depends on the bulk
transform.
.TP
.B hash
This is the hash function used to distil entropy from the shared secret
constructed by the raw KEM.  If there is no
.B hash
attribute then the
.I hash
in the
.I kemalgspec
is used; if that is absent then the default of
.B rmd160
is used.  Run
.B catcrypt show hash
for a list of supported symmetric encryption algorithms.
.TP
.B mac
This is the message authentication algorithm
used by the
.B gencomp
bulk data transform
to ensure integrity of the encrypted message and
defend against chosen-ciphertext attacks.
If there is no
.B mac
attribute then
.IB hash -hmac
is chosen as a default.  Run
.B catcrypt show mac
for a list of supported message authentication algorithms.
.TP
.B kdf
This is the key derivation function used to stretch the hashed shared
secret to a sufficient length to select symmetric encryption and
authentication keys, initialization vectors and other necessary
pseudorandom quantities.  If there is no
.B kdf
attribute then
.IB hash -mgf
is chosen as a default.  Run
.B catcrypt show kdf
for a list of supported key derivation functions.
.B Caution!
Not all supported functions have the required security features: don't
override the default choice unless you know what you're doing.
.SS "Signing keys"
A
.I sigalgspec
has the form
.IR sig \c
.RB [ / \c
.IR hash ].
If a
.B sig
attribute is present on the key, then it must have this form; otherwise,
the key's type must have the form
.BI ccsig- \c
.IR sigalgspec .
Algorithm selections are taken from appropriately-named attributes, or,
failing that, from the
.IR sigalgspec .
.PP
The signature algorithm is chosen according to the setting of
.I sig
as follows.  Run
.B catcrypt show sig
for a list of supported signature algorithms.
.TP
.B rsapkcs1
This is almost the same as the RSASSA-PKCS1-v1_5 algorithm described in
RFC3447; the difference is that the hash is left bare rather than being
wrapped in a DER-encoded
.B DigestInfo
structure.  This doesn't affect security since the key can only be used
with the one hash function anyway, and dropping the DER wrapping permits
rapid adoption of new hash functions.  Regardless, use of this algorithm
is not recommended, since the padding method has been shown vulnerable
to attack.  Use the
.B rsa
algorithm of the
.B key add
command (see
.BR key (1))
to generate the key.
.TP
.B rsapss
This is the RSASSA-PSS algorithm described in RFC3447.  It is the
preferred RSA-based signature scheme.  Use the
.B rsa
algorithm of the
.B key add
command (see
.BR key (1))
to generate the key.
.TP
.B dsa
This is the DSA algorithm described in FIPS180-1 and FIPS180-2.  Use the
.B dsa
algorithm of the
.B key add
command (see
.BR key (1))
to generate the key.
.TP
.B ecdsa
This is the ECDSA algorithm described in ANSI X9.62 and FIPS180-2.  Use
the
.B ec
algorithm of the
.B key add
command (see
.BR key (1))
to generate the key.
.TP
.B kcdsa
This is the revised KCDSA (Korean Certificate-based Digital Signature
Algorithm) described in
.I The Revised Version of KCDSA
.RB ( http://dasan.sejong.ac.kr/~chlim/pub/kcdsa1.ps ).
Use the
.B dh
algorithm of the
.B key add
command with the
.B \-LS
options (see
.BR key (1))
to generate the key.
.TP
.B eckcdsa
This is an unofficial elliptic-curve analogue of the KCDSA algorithm.
Use the
.B ec
algorithm of the
.B key add
command (see
.BR key (1))
to generate the key.
.TP
.B ed25519
This is Bernstein, Duif, Lange, Schwabe, and Yang's Ed25519 algorithm.
More specifically, this is HashEd25519
using the selected
.B hash
algorithm \(en by default
.BR sha512 .
Use the
.B ed25519
algorithm of the
.B key add
command
(see
.BR key (1))
to generate the key.
.TP
.B ed448
This is Bernstein, Duif, Lange, Schwabe, and Yang's EdDSA algorithm,
using Hamburg's Ed448-Goldilocks elliptic curve,
as specified in RFC8032.
More specifically, this is HashEd448
using the selected
.B hash
algorithm \(en by default
.BR sha3-512 .
Use the
.B ed448
algorithm of the
.B key add
command
(see
.BR key (1))
to generate the key.
.TP
.B mac
This uses a symmetric message-authentication algorithm rather than a
digital signature.  The precise message-authentication scheme used is
determined by the
.B mac
attribute on the key, which defaults to
.IB hash -hmac
if unspecified.  Use the
.B binary
algorithm of the
.B key add
command (see
.BR key (1))
to generate the key.
.PP
As well as the signature algorithm itself, a hash function is used.
This is taken from the
.B hash
attribute on the key, or, failing that, from the
.I hash
specified in the
.IR sigalgspec ,
or, if that is absent, determined by the signature algorithm as follows.
.hP \*o
For
.BR rsapkcs1 ,
.BR rsapss ,
.BR dsa ,
and
.BR ecdsa ,
the default hash function is
.BR sha .
.hP \*o
For
.BR kcdsa
and
.BR eckcdsa ,
the default hash function is
.BR has160 .
For
.BR ed25519 ,
the default hash function is
.BR sha512 .
For
.BR ed448 ,
the default hash function is
.BR shake256 .
.PP
Run
.B catcrypt show hash
for a list of supported hash functions.
.SH "ENCODINGS"
Two encodings for the ciphertext are supported.
.TP
.B binary
The raw format, which has the benefit of being smaller, but needs to be
attached to mail messages and generally handled with care.
.TP
.B pem
PEM-encapsulated Base-64 encoded text.  This format can be included
directly in email and picked out again automatically; but there is a
4-to-3 data expansion as a result.
.SH "COMMAND REFERENCE"
.SS help
The
.B help
command behaves exactly as the
.B \-\-help
option.  With no arguments, it shows an overview of
.BR catcrypt 's
options; with arguments, it describes the named subcommands.
.SS show
The
.B show
command prints various lists of tokens understood by
.BR catcrypt .
With no arguments, it prints all of the lists; with arguments, it prints
just the named lists, in order.  The recognized lists can be enumerated
using the
.VS
catcrypt show list
.VE
command.  The lists are as follows.
.TP
.B list
The lists which can be enumerated by the
.B show
command.
.TP
.B kem
The key-encapsulation algorithms which can be used in a
key-encapsulation key's
.B kem
attribute.
.TP
.B cipher
The symmetric encryption algorithms which can be named in a
key-encapsulation key's
.B cipher
attribute when using the
.B gencomp
bulk transform.
.TP
.B mac
The message authentication algorithms which can be named in a
key-encapsulation key's
.B mac
attribute.
.TP
.B sig
The signature algorithms which can be named in a signing key's
.B sig
attribute.
.TP
.B hash
The hash functions which can be named in a key's
.B hash
attribute.
.TP
.B enc
The encodings which can be applied to encrypted messages; see
.B ENCODINGS
above.
.SS encrypt
The
.B encrypt
command encrypts a file and writes out the appropriately-encoded
ciphertext.  By default, it reads from standard input and writes to
standard output.  If a filename argument is given, this file is read
instead (as binary data).
.PP
The following options are recognized.
.TP
.B "\-a, \-\-armour"
Produce ASCII-armoured output.  This is equivalent to specifying
.BR "\-f pem" .
The variant spelling
.B "\-\-armor"
is also accepted.
.TP
.BI "\-f, \-\-format " format
Produce output encoded according to
.IR format .
.TP
.BI "\-k, \-\-key " tag
Use the key-encapsulation key named
.I tag
in the current keyring; the default key is
.BR ccrypt .
.TP
.BI "\-p, \-\-progress"
Write a progress meter to standard error while processing large files.
.TP
.BI "\-s, \-\-sign-key " tag
Use the signature key named
.I tag
in the current keyring; the default is not to sign the ciphertext.
.TP
.BI "\-o, \-\-ouptut " file
Write output to
.I file
rather than to standard output.
.TP
.B "\-C, \-\-nocheck"
Don't check the public key for validity.  This makes encryption go much
faster, but at the risk of using a duff key.
.SS decrypt
The
.B decrypt
command decrypts a ciphertext and writes out the plaintext.  By default,
it reads from standard input and writes to standard output.  If a
filename argument is given, this file is read instead.
.PP
The following options are recognized.
.TP
.B "\-a, \-\-armour"
Read ASCII-armoured input.  This is equivalent to specifying
.BR "\-f pem" .
The variant spelling
.B "\-\-armor"
is also accepted.
.TP
.B "\-b, \-\-buffer"
Buffer plaintext data until we're sure we've got it all.  This is forced
on if output is to stdout, but is always available as an option.
.TP
.BI "\-f, \-\-format " format
Read input encoded according to
.IR format .
.TP
.BI "\-p, \-\-progress"
Write a progress meter to standard error while processing large files.
.TP
.B "\-v, \-\-verbose"
Produce more verbose messages.  See below for the messages produced
during decryption.  The default verbosity level is 1.  (Currently this
is the most verbose setting.  This might not be the case always.)
.TP
.B "\-q, \-\-quiet"
Produce fewer messages.
.TP
.BI "\-o, \-\-output " file
Write output to
.I file
instead of to standard output.  The file is written in binary mode.
Fixing line-end conventions is your problem; there are lots of good
tools for dealing with it.
.TP
.B "\-C, \-\-nocheck"
Don't check the private key for validity.  This makes decryption go much
faster, but at the risk of using a duff key, and possibly leaking
information about the private key.
.PP
Output is written to standard output in a machine-readable format.
Major problems cause the program to write a diagnostic to standard error
and exit nonzero as usual.  The quantity of output varies depending on
the verbosity level and whether the plaintext is also being written to
standard output.  Output lines begin with a keyword:
.TP
.BI "FAIL " reason
An error prevented decryption.  The program will exit nonzero.
.TP
.BI "WARN " reason
.B catcrypt
encountered a situation which may or may not invalidate the decryption.
.TP
.BI "OK " message
Decryption was successful.  This is only produced if main output is
being sent somewhere other than standard output.
.TP
.B "DATA"
The plaintext follows, starting just after the next newline character or
sequence.  This is only produced if main output is also being sent to
standard output.
.TP
.BI "INFO " note
Any other information.
.PP
The information written at the various verbosity levels is as follows.
.hP 0.
No output.  Watch the exit status.
.hP 1.
All messages.
.PP
.B Warning!
All output written has been checked for authenticity.  However, output
can fail midway through for many reasons, and the resulting message may
therefore be truncated.  Don't rely on the output being complete until
.B OK
is printed or
.B catcrypt decrypt
exits successfully.
.SS "encode"
The
.B encode
command encodes an input file according to one of the encodings
described above in
.BR ENCODINGS .
The input is read from the
.I file
given on the command line, or from standard input if none is specified.
Options provided are:
.TP
.BI "\-p, \-\-progress"
Write a progress meter to standard error while processing large files.
.TP
.BI "\-f, \-\-format " format
Produce output in
.IR format .
Run
.B catcrypt show enc
for a list of encoding formats.
.TP
.BI "\-b, \-\-boundary " label
Set the PEM boundary string to
.IR label ;
i.e., assuming we're encoding in PEM format, the output will have
.BI "\-\-\-\-\-BEGIN " label "\-\-\-\-\-"
at the top and
.BI "\-\-\-\-\-END " label "\-\-\-\-\-"
at the bottom.  The default
.I label
is
.BR MESSAGE .
.TP
.BI "\-o, \-\-output " file
Write output to
.I file
instead of to standard output.
.SS "decode"
The
.B decode
command decodes an input file encoded according to one of the encodings
described above in
.BR ENCODINGS .
The input is read from the
.I file
given on the command line, or from standard input if none is specified.
Options provided are:
.TP
.BI "\-f, \-\-format " format
Decode input in
.IR format .
Run
.B catcrypt show enc
for a list of encoding formats.
.TP
.BI "\-b, \-\-boundary " label
Set the PEM boundary string to
.IR label ;
i.e., assuming we're encoding in PEM format, start processing input
between
.BI "\-\-\-\-\-BEGIN " label "\-\-\-\-\-"
and
.BI "\-\-\-\-\-END " label "\-\-\-\-\-"
lines.  Without this option,
.B catcrypt
will start reading at the first plausible boundary string, and continue
processing until it reaches the matching end boundary.
.TP
.BI "\-p, \-\-progress"
Write a progress meter to standard error while processing large files.
.TP
.BI "\-o, \-\-output " file
Write output to
.I file
instead of to standard output.
.SH "SECURITY PROPERTIES"
Assuming the security of the underlying primitive algorithms, the
following security properties of the ciphertext hold.
.hP \*o
An adversary given the public key-encapsulation key and capable of
requesting encryption of arbitrary plaintexts of his own devising is
unable to decide whether he is given ciphertexts corresponding to his
chosen plaintexts or random plaintexts of the same length.  This holds
even if the adversary is permitted to request decryption of any
ciphertext other than one produced as a result of an encryption request.
This property is called
.BR IND-CCA2 .
.hP \*o
An adversary given the public key-encapsulation and verification keys,
and capable of requesting encryption of arbitrary plaintext of his own
devising is unable to produce a new ciphertext which will be accepted as
genuine.  This property is called
.BR INT-CTXT .
.hP \*o
An adversary given the public key-encapsulation and verification keys,
and capable of requesting encryption of arbitrary plaintext of his own
devising is unable to decide whether the ciphertexts he is given are
correctly signed.  This property doesn't seem to have a name.
.PP
Not all is rosy.  If you leak intermediate values during decryption then
an adversary can construct a new correctly-signed message.  Don't do
that, then \(en leaking intermediate values often voids security
warranties.  But it does avoid the usual problem with separate signing
and encryption that a careful leak by the recipient can produce evidence
that you signed some incriminating message.
.PP
Note that
.BR catcrypt 's
signatures do
.I not
provide `non-repudiation' in any useful way.  This is deliberate: the
purpose of signing is to convince the recipient of the sender's
identity, rather than to allow the recipient to persuade anyone else.
Indeed, given an encrypted and signed message, the recipient can
straightforwardly construct a new message, apparently from the same
sender, and whose signature still verifies, but with arbitrarily chosen
content.
.SH "CRYPTOGRAPHIC THEORY"
Encryption of a message proceeds as follows.
.hP 0.
Emit a header packet containing the key-ids for the key-encapsulation
key, and signature key if any.
.hP 1.
Use the KEM to produce a public value and a shared secret the recipient
will be able to extract from the public value using his private key.
Emit a packet containing the public value.
.hP 2.
Hash the shared secret.  Use the KDF to produce a pseudorandom keystream
of indefinite length.
.hP 3.
Use the first bits of the keystream to key a symmetric encryption
scheme; use the next bits to key a message authentication code.
.hP 4.
If we're signing the message then extract 1024 bytes from the keystream,
sign the header and public value, and the keystream bytes; emit a packet
containing the signature.  The signature packet doesn't contain the
signed message, just the signature.
.hP 5.
Split the message into blocks.  For each block, pick a random IV from
the keystream, encrypt the block and emit a packet containing the
IV, ciphertext, and a MAC tag over the ciphertext and a sequence number.
.hP 6.
The last chunk is the encryption of an empty plaintext block.  No
previous plaintext block is empty.  This lets us determine the
difference between a complete file and one that's been maliciously
truncated.
.PP
That's it.  Nothing terribly controversial, really.
.SH "SEE ALSO"
.BR key (1),
.BR catsign (1),
.BR dsig (1),
.BR hashsum (1),
.BR keyring (5).
.SH AUTHOR
Mark Wooding, <mdw@distorted.org.uk>