
13.1 Public-Key Architecture

Libgcrypt implements two interfaces for public key cryptography: The standard interface is the PK interface, which uses functions in the gcry_pk_ name space. The AC interface is an alternative one which is now deprecated and will not be further described. The AC interface is also disabled in FIPS mode.

Because public key cryptography is almost always used to process small amounts of data (hash values or session keys), the interface is not implemented using the open-use-close paradigm, but with single self-contained functions. Due to the wide variety of parameters required by different algorithms, S-expressions are used as a flexible way to convey these parameters. There is a set of helper functions to work with these S-expressions.

Aside from functions to register new algorithms, map algorithm names to algorithm identifiers and look up properties of a key, the following main functions are available:

Encrypt data using a public key.
Decrypt data using a private key.
Sign data using a private key.
Verify that a signature matches the data.
Perform a consistency check over a public or private key.
Create a new public/private key pair.

With the help of the module registration system all these functions look up the module implementing the algorithm and pass the actual work to that module. The parsing of the S-expression input and the construction of the S-expression for the return values is done by the high level code (cipher/pubkey.c). Thus the internal interface between the algorithm modules and the high level functions passes data in a custom format. The interface to the modules is published (gcrypt-modules.h) so that it can be used to register external implementations of algorithms with Libgcrypt. However, for some algorithms this module interface is too limited and thus for the internal modules an extra interface is sometimes used to convey more information.

By default Libgcrypt uses a blinding technique for RSA decryption to mitigate real world timing attacks over a network: Instead of using the RSA decryption directly, a blinded value $y = x r^{e} \bmod n$ is decrypted and the unblinded value $x' = y' r^{-1} \bmod n$ is returned. The blinding value r is a random value with the size of the modulus n and is generated with the GCRY_STRONG_RANDOM random level.
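
The blinding steps above, carried through on a toy key as an added example; this is not Libgcrypt's code. The key (p = 61, q = 53), the function names and the caller-supplied r are constructed for illustration; Libgcrypt draws r at the GCRY_STRONG_RANDOM level, while here it is a parameter so the result can be checked.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy RSA key, constructed for illustration: p = 61, q = 53. */
static const uint64_t N = 3233, E = 17, D = 2753;

/* Square-and-multiply: base^exp mod m (operands stay below 2^32 here). */
static uint64_t modpow(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t result = 1 % m;
    base %= m;
    while (exp) {
        if (exp & 1) result = result * base % m;
        base = base * base % m;
        exp >>= 1;
    }
    return result;
}

/* Extended Euclid: returns a^-1 mod m, or 0 if gcd(a, m) != 1. */
static uint64_t modinv(uint64_t a, uint64_t m) {
    int64_t t = 0, new_t = 1;
    int64_t r = (int64_t)m, new_r = (int64_t)(a % m);
    while (new_r != 0) {
        int64_t q = r / new_r, tmp;
        tmp = t - q * new_t; t = new_t; new_t = tmp;
        tmp = r - q * new_r; r = new_r; new_r = tmp;
    }
    if (r != 1) return 0;            /* not invertible */
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

/* Blinded private-key operation on x with blinding value r.
   Returns 0 on success, -1 if r has no inverse mod n (pick a new r). */
static int rsa_decrypt_blinded(uint64_t x, uint64_t r, uint64_t *out) {
    uint64_t r_inv = modinv(r, N);
    if (r_inv == 0) return -1;
    uint64_t y = x * modpow(r, E, N) % N;   /* y  = x r^e mod n    */
    uint64_t y_dec = modpow(y, D, N);        /* y' = y^d mod n      */
    *out = y_dec * r_inv % N;                /* x' = y' r^-1 mod n  */
    return 0;
}

int main(void) {
    uint64_t c = modpow(65, E, N), m = 0;    /* encrypt sample message 65 */
    if (rsa_decrypt_blinded(c, 1234, &m) == 0)
        printf("ciphertext %llu -> plaintext %llu\n",
               (unsigned long long)c, (unsigned long long)m);
    return 0;
}
```

The exponentiation with the private exponent only ever sees y, which changes with every r, yet the unblinded result is the same as a direct decryption.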