Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Contact Us
Online Help
Domain Status
Man Pages

Virtual Servers

Topology Map

Server Agreement
Year 2038

USA Flag



Man Pages
CRYPTO(7) FreeBSD Miscellaneous Information Manual CRYPTO(7)

OpenCrypto algorithms

The in-kernel OpenCrypto framework supports several different encryption and authentication algorithms. This document describes the parameters and requirements of these algorithms. Unless otherwise noted, all sizes listed below are in bytes.

Authenticators compute a value (also known as a digest, hash, or tag) over an input of bytes. In-kernel requests can either compute the value for a given input, or verify if a given tag matches the computed tag for a given input. The following authentication algorithms are supported:
Name Nonce Key Sizes Digest Description
12 16, 24, 32 16 Authentication-only mode of AES-CCM
12 16, 24, 32 16 Galois message authentication code
0, 64 64 Blake2b
0, 32 32 Blake2s
32 16 Poly1305 authenticator
20 RIPE Message Digest-160
64 20 RIPE Message Digest-160 HMAC
20 SHA-1
64 20 SHA-1 HMAC
28 SHA-2 224
64 28 SHA-2 224 HMAC
32 SHA-2 256
64 32 SHA-2 256 HMAC
48 SHA-2 384
128 48 SHA-2 384 HMAC
64 SHA-2 512
128 64 SHA-2 512 HMAC

Block ciphers in OCF can only operate on messages whose length is an exact multiple of the cipher's block size. OCF supports the following block ciphers:
Name IV Size Block Size Key Sizes Description
16 16 16, 24, 32 AES-CBC
8 16 32, 64 AES-XTS
16 16 16, 24, 32 Camellia CBC
0 4 0-256 IPsec NULL cipher

CRYPTO_AES_XTS implements XEX Tweakable Block Cipher with Ciphertext Stealing as defined in NIST SP 800-38E. OCF consumers provide the first 8 bytes of the IV. The remaining 8 bytes are defined to be a block counter beginning at 0.

NOTE: The ciphertext stealing part is not implemented in all backends which is why this cipher requires input that is a multiple of the block size.

Stream ciphers can operate on messages with arbitrary lengths. OCF supports the following stream ciphers:
Name IV Size Key Sizes Description
16 16, 24, 32 AES Counter Mode
16 16, 32 ChaCha20

The IV for each request must be provided in crp_iv via the CRYPTO_F_IV_SEPARATE flag.

CRYPTO_AES_ICM uses the entire IV as a 128-bit big endian block counter. The IV sets the initial counter value for a message. If a consumer wishes to use an IV whose value is split into separate nonce and counter fields (e.g., IPsec), the consumer is responsible for splitting requests to handle counter rollover.

CRYPTO_CHACHA20 accepts a 16 byte IV. The first 8 bytes are used as a nonce. The last 8 bytes are used as a 64-bit little-endian block counter.

AEAD algorithms in OCF combine a stream cipher with an authentication algorithm to provide both secrecy and authentication. AEAD algorithms accept additional authentication data (AAD) in addition to the ciphertext or plaintext. AAD is passed to the authentication algorithm as input in a method defined by the specific AEAD algorithm.

AEAD algorithms in OCF accept a nonce that is combined with an algorithm-defined counter to construct the IV for the underlying stream cipher. This nonce must be provided in crp_iv via the CRYPTO_F_IV_SEPARATE flag. Some AEAD algorithms support multiple nonce sizes. The first size listed is the default nonce size.

The following AEAD algorithms are supported:

Name Nonce Key Sizes Tag Description
12 16, 24, 32 16 AES Galois/Counter Mode
12, 7-13 16, 24, 32 16 AES Counter with CBC-MAC
12, 8 32 16 ChaCha20-Poly1305

crypto(4), crypto(9)

The crypto manual page first appeared in FreeBSD 10.1.
October 6, 2021 FreeBSD 13.1-RELEASE

Search for    or go to Top of page |  Section 7 |  Main Index

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with ManDoc.