Subject Crypto: Transform Library
Author Jim Starkey
As I mentioned last week, I've been auditioning crypto libraries. The
one that is the clear leader is Tom's Crypt Library:

/* LibTomCrypt, modular cryptographic library -- Tom St Denis
* LibTomCrypt is a library that provides various cryptographic
* algorithms in a highly modular and flexible manner.
* The library is free for all purposes without any express
* guarantee it works.
* Tom St Denis, tomstdenis@...,

It's written in C conditionalized for C++, well commented, and highly
modular. I report more as I actually get it working.

In the process of working through various crypto libraries, self defense
has forced me to develop my Transformation Library concept. The basic
idea is that Transforms are C++ classes derived from a single abstract
class that do things. The base class is:

class Transform
virtual int get (int bufferLength, UCHAR *buffer) = 0;
virtual int getLength() = 0;

Transform classes are designed to daisy chain together to do interesting
things. A typical example is taking a SHA digest of a file. This
involves three transforms, a FileTransform to fetch data from a named
file, the SHATransform to perform the hash, and a HexTransform to mutate
the hash gook into Ascii. The code might look like this:

FileTransform file ("something.txt");
SHATransform sha (0, &file); // encryption Transforms
except a mode; sha doesn't
HexTransform hex (true, &sha); // boolean says "encode"
UCHAR hash[20];
int len = hex.get(sizeof(hash), hash);

To simplify things, I added some templates (yes, Virginia, it's true) to
automate the process:

EncodeTransform<FileTransform,SHATransform,HexTranform> transform
UCHAR hash[20];
int len = transform .get(sizeof(hash), hash);

EncodeTransform, the template, is itself a Transform.

A slightly more interest example is a function to validate a site
password. The password is hash with SHA encoded in base64:

bool checkPassword (const char *password)
DecodeTransform<StringTransform,SHATransform> passwd (password);
DecodeTransform<FileTransform,Base64Transform> file
UCHAR hash1[20], hash2[25];
int len1 = passwd.get(sizeof(hash1), hash1);
int len2 = file.get(sizeof(hash2), hash2);

return len1 == len2 && memcmp(hash1, hash2, len1) == 0;

Transform can also be used to fetch, decode, and prepare keys in the
same manner as encryptions; key are normally provided to encryption
Transforms as a pointer to a transform from which it sucks the key. I
also have a BER decoded that, surprise, takes a transform for input.

I now have a good number of handy dandy transforms: StringTransform and
FileTransform for data sources, HexTransform and Base64Transform for
converting between binary and Ascii, a SHATransform, a DESKeyTransform
to generate keys, a DESTransform (undevelopment w/ Tom's Crypto), an
RSATransform to SSLeay and another underway for Tom's, and a
NullTransform for who knows what. Finally, there are the template
transforms EncodeTransform, DecodeTransform, EncryptTransform, and

My intention with the Transform Library is to produce an abstract layer
to simplify and hide the differences between crypto libraries. None of
the transform classes give a hoot how other transforms work, just that
they can make a given transform for an upper bound on the number of
bytes to be delivered and later, get the bytes in convenient sized hunks
for any purpose.

Firebird has always had a little crypto. When we begin the process of
serious end to end security, we'll have a lot more. Rather than code in
dependencies on specific crypto library APIs, I suggest we take a good
long hard look at adopting the Transform Library as an abstract formalism.

[Non-text portions of this message have been removed]