Let's talk about crypto library

by Jocelyn Fiat (modified: 2014 Mar 14)

This week, I will talk about the crypto library, a recent addition to the unstable folder.

But first, let's quickly describe the 3 main folders for libraries shipped with EiffelStudio:

  • library : stable libraries made and maintained by Eiffel Software
  • unstable/library : libraries made and maintained by Eiffel Software, but the interface may change in the future.
  • contrib/library : libraries made and maintained by Eiffel users, Eiffel Software acts mainly as a distributor here.

Typically the crypto library is part of the "unstable" set of libraries, because the author may want to redesign some interface to match future needs. However, it is pretty stable for an unstable library.

So what is this "crypto" library?

This is a simple encryption library providing common hashing, salt, and hmac components.

It was first introduced with EiffelStudio 7.3 as the "message_digest" library with an MD5 class, and was later renamed "crypto" in 13.11 with the addition of SHA1, SHA256, HMAC, BCRYPT ...

It is built to be a simple and small library for very common needs in encryption.

Initially inspired by the eel library (contribution from Colin LeMahieu, see https://svn.eiffel.com/eiffelstudio/trunk/Src/contrib/library/text/encryption/eel ), but eel is not that simple to use, and has dependencies that are not needed for most hashing needs.

crypto currently includes:

  • hashing: MD5, SHA1, SHA256, BCRYPT
  • hmac: HMAC_MD5, HMAC_SHA1, HMAC_SHA256
  • salt: SALT_XOR_SHIFT_64_GENERATOR (based on the xor shift 64 algorithm), SALT_DEVELOPER_RANDOM_GENERATOR (based on the RANDOM class)

Potential usage

  • encrypt passwords in a database (for instance using BCRYPT)
  • hash computation (MD5, SHA1, ...)
  • implement various protocols such as OAuth
  • ...

Quick examples

hashing computation (or message digest)

    local
        hash: MD5
    do
        create hash.make
        hash.update_from_string ("My text to be encrypted ...")
            -- `digest_as_string' returns the MD5 digest of everything fed so far.
        print ("encrypted text=" + hash.digest_as_string)
        hash.reset --| to reuse
    end

  • It is possible to call update_from_string several times
  • It is also possible to update from a file using update_from_io_medium (a_file: FILE), and other kind of update_from_... (see https://svn.eiffel.com/eiffelstudio/trunk/Src/unstable/library/text/encryption/crypto/hashing/message_digest.e for interface)
  • See the MESSAGE_DIGEST interface for various kinds of output: digest_as_string: STRING and digest: SPECIAL [NATURAL_8]
  • For other hashing such as SHA1, SHA256, this is very similar code, just use hash: SHA256

BCRYPT code

    local
        bcrypt: BCRYPT
        hashed_password: STRING_32
    do
        create bcrypt.make -- using the default salt generator
            -- compute the hashed form of the password `user_password'
            -- (`user_password' is assumed to be provided by the enclosing feature),
            -- which could be stored in the database (never store plain text passwords, for security)
        hashed_password := bcrypt.hashed_password (user_password, bcrypt.default_gensalt)
            -- then to check if "foo bar" is a valid password
        if bcrypt.is_valid_password ("foo bar", hashed_password) then
            print ("Valid password")
        else
            print ("Invalid password")
        end
    end

Note that to use the XOR_SHIFT_64 salt generator, the code should be create bcrypt.make_with_salt_generator (create {SALT_XOR_SHIFT_64_GENERATOR}.make), and thus use a safer salt generator. It is possible to build your own SALT_GENERATOR as well.

HMAC code

    local
        hmac: HMAC_SHA256
    do
        create hmac.make_ascii_key ("key")
        hmac.update_from_string ("The quick brown fox jumps over the lazy dog")
        print ("hmac=0x" + hmac.lowercase_hexadecimal_string_digest)
            -- should output "hmac=0xf7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8"
    end
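As an independent cross-check of the digest quoted in the HMAC example, here is the HMAC-SHA256 construction (RFC 2104) written out in Python. This is an added example, not code from the crypto library or from the post; it also shows that feeding the message in several pieces gives the same result as one call, and how a received tag should be compared. The function names are chosen for this example only.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 input block size in bytes

# Key, message and digest are the ones quoted in the post's HMAC example.
KEY = b"key"
MESSAGE = b"The quick brown fox jumps over the lazy dog"
POST_DIGEST = "f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8"


def hmac_sha256_chunks(key, chunks):
    """HMAC-SHA256 (RFC 2104) over a message supplied in pieces; lowercase hex."""
    if len(key) > BLOCK_SIZE:            # keys longer than a block are hashed first
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")  # then zero-padded to the block size
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad)
    for chunk in chunks:                 # incremental feeding, like repeated updates
        inner.update(chunk)
    return hashlib.sha256(opad + inner.digest()).hexdigest()


def tag_matches(key, message, received_hex):
    """Check a received hex tag with a comparison that does not stop at the first mismatch."""
    expected = hmac.new(key, message, hashlib.sha256).hexdigest().encode("ascii")
    return hmac.compare_digest(expected, received_hex.lower().encode("utf-8"))


def cross_check():
    """True when one-shot, chunked and standard-library results equal the post's digest."""
    one_shot = hmac_sha256_chunks(KEY, [MESSAGE])
    chunked = hmac_sha256_chunks(KEY, [MESSAGE[:9], MESSAGE[9:20], MESSAGE[20:]])
    stdlib = hmac.new(KEY, MESSAGE, hashlib.sha256).hexdigest()
    return one_shot == chunked == stdlib == POST_DIGEST


if __name__ == "__main__":
    print("post digest reproduced:", cross_check())
    # Constructed tampered tag: last hex digit changed from 8 to 9.
    print("tampered tag accepted:", tag_matches(KEY, MESSAGE, POST_DIGEST[:-1] + "9"))
```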

others

  • you can check the associated "tests" project to see various scenarios

Where can I find this library ?

  • From the repository: https://svn.eiffel.com/eiffelstudio/trunk/Src/unstable/library/text/encryption/crypto
  • From Eiffel Studio installation: $ISE_LIBRARY/unstable/library/text/encryption/crypto

I hope this post gave you a quick and interesting introduction to the crypto library.

Let's talk about another Eiffel library in about one week.

Comments
  • Larry Rix (3 years ago 19/3/2014)

    SHA-2 Support?

    In the link below, there is information leading one to believe that SHA-2 is now the preferred specification, where SHA-1 has been shown to have flaws.

    http://en.wikipedia.org/wiki/SHA-2

    Will there be code to support SHA-2? Also, it appears from the chart near the end of the article, there is an SHA-3 as well.

    • Jocelyn Fiat (3 years ago 19/3/2014)

      "Crypto" is providing SHA-1 and SHA-256 (which is a SHA-2)

      Indeed SHA-1 is not very safe, however it is still used for various purposes. "Crypto" is providing SHA-1 and SHA-256 (which is a SHA-2). And so far, no SHA-3 is planned for 'crypto', however contribution is welcome, and we'll be happy to integrate any new hashing class.

      • Larry Rix (3 years ago 19/3/2014)

        I just noticed the SHA256 is the SHA-2 in one form. Thanks for the feedback.