What objective-c implementation of Blowfish would you advice to use? (Or may be I just missed some standard implementations available?)
Keep in mind that Objective-C is a superset of C, and so you don't need a specific Objective-C implementation. Blowfish written in C (like at this page, the first result of googling "C blowfish implementation") will do you just fine.
Not sure if you definitely wanted to go with blowfish, but the iPhone security framework supports the following out-of-the-box:
kCCAlgorithmAES128 - Advanced Encryption Standard, 128-bit block
kCCAlgorithmDES - Data Encryption Standard
kCCAlgorithm3DES - Triple-DES, three key, EDE configuration
kCCAlgorithmCAST - CAST
kCCAlgorithmRC4 - RC4 stream cipher
If you do decide to implement your own you may also need an arbitrary precision integer library, libtommath will compile for the iPhone will little to no changes.
Related
I am writing a parser (in C++) and I have a small list of strings (less than 100) where each one represents a valid parser tag. I need to map each such known tag to an enum value for further processing.
As all strings are known at compile time, I have been looking into using a perfect hash function for this purpose.
I am aware of existing tools and algorithms for perfect hash function generation s.a. gperf, mph, cmph. However, all such tools/implementations are under some restrictive license (such as GPL, LGPL, MPL), while due to my limitations I am looking for some code which is under a relaxed license for reuse (such as MIT license) and preferably in C/C++ or C#.
Are you aware of any such tool or code ?
Yes, here's one that seems to fit your parameters:
https://www.codeproject.com/Articles/989340/Practical-Perfect-Hashing-in-Csharp
Note it's using a license agreement that I'm not particularly familiar with. But it doesn't look like its GPL related.
I am searching for a way to encrypt a file via AES using Swift in my Cocoa Applications.
As far as I can see the common frameworks (i.e. CryptoSwift) are supposed to encrypt text only.
Is there a specific framework for this job or is there any kind of macOS built in method for this?
Thanks!
Yes, using CommonCrypto is a good start. I would not recommend using any homegrown implementations however.
Doing security right is hard, AES is no exception to this.
You need to use a proper key of the correct length ( 64 or 32 bytes preferred )
You need to use padding ( I recommend PKCS7 ) in case your data is shorter than the blocksize / keysize. AES is not secure on its own and this bit is important.
You also really want to use an initializationVector, ( either appendend or prepended to the final data stream ) since otherwise it would be possible for an attacker to draw correlations between several encrypted streams from the same key
You should also make use of a HMAC ( SHA2-256 and up, also available in commoncrypto ) in order to prevent tampering with your encrypted data and giving you unexpected and potentially harmful result data.
The list goes on, but my memory fails me at this point since It has been a while since I needed to create an implementation.
I would highly recommend googling around for a standard implementation that wraps around CommonCrypto.
I would also suggest that using anything that is written as is ( I.E. CryptoSwift ) is not recommended as the codebase isn't proven and went through proper vetting like Apple's frameworks are.
I am kinda playing with the SHA-1 algorithm. I want to find out differences and variations in the results if I change few values in the SHA-1 algorithm for a college report. I have found a piece of java code to generate hash of a text. Its done by importing
java.security.MessageDigest
class. However, I want to change the h0-4 values and edit them but I don't know where can I find them? I had a look inside the MessageDigest class but couldn't find it there. Please help me out!
Thanx in advance.
I don't believe you can do that. Java doesn't provide any API for its MessageDigest Class, which can allow you change the values.
However, there are some workarounds (none of which I've ever tried). Take a look at this answer to the question "How to edit Java Platform Package (Built-in API) source code?"
If you're playing around with tweaks to an algorithm, you shouldn't be using a built-in class implementing that algorithm. The class you mention is designed to implement standard algorithms for people who just want to use them in production; if you're using SHA-1 (or any cryptographic algorithm) instead of playing around and tweaking it, it's never a good idea to change the algorithm yourself (e.g. by changing the initial hash value), so the class does not support modifying those constants.
Just implement the algorithm yourself; from Wikipedia's pseudocode, it doesn't look like it's all that complicated. I know that "don't implement your own crypto, use a standard and well-tested implementation" is a common mantra here, but that only applies to production-type code -- if you're playing around with an algorithm to see what effect tweaking it has, you should implement it yourself, so you have more flexibility in modifying it and seeing the effect of the modifications.
Basically adding to #Rahil's answer but too much for comments:
Even without API access, if MessageDigest were the implementation you could use reflection. But it's not.
Most of the java standard library is just commonly-useful classes in the usual way, e.g. java.util.ArrayList contains the implementation of ArrayList (or ArrayList<?> since 6), java.io.FileInputStream contains the implementation of FileInputStream (although it may use other classes in that implementation), etc. Java Cryptography uses a more complicated scheme where the implementations are not in the API classes but instead in "providers" that are mostly in their own jars (in JRE/lib and JRE/lib/ext) not rt.jar and mostly(?) don't have source in src.zip.
Thus the java.security.MessageDigest class does not have the code to implement SHA1, or SHA256, or MD5, etc etc. Instead it has code to search the JVM's current list of crypto providers to find an implementation of whatever algorithm is asked for, and instantiate and use that. Normally the list of providers used is set to (the list of) those included in the JRE distribution, although an admin or program can change it.
With the normal JRE7 providers, SHA1 is implemented by sun.security.provider.SHA.
In effect the API classes like MessageDigest Signature Cipher KeyGenerator etc function more like interfaces or facades by presenting the behavior that is common to possibly multiple underlying implementations, although in Java code terms they are actual classes and not interfaces.
This was designed back in 1990 or so to cope with legal restrictions on crypto in effect then, especially on export from the US. It allowed the base Java platform to be distributed easily because by itself it did no crypto. To use it -- and even if you don't do "real" crypto on user data in Java you still need things like verification of signed code -- you need to add some providers; you might have one set of providers, with complete and strong algorithms, used in US installations, and a different set, with fewer and weaker algorithms, used elsewhere. This capability is now much less needed since the US officially relaxed and in practice basically dropped enforcement about 2000, although there are periodically calls to bring it back. There is still one residual bit, however: JCE (in Oracle JREs) contains a policy that does not allow symmetric keys over 128 bits; to enable that you must download from the Oracle website and install an additional (tiny) file "JCE Unlimited Strength Policy".
TLDR: don't try to alter the JCE implementation. As #cpast says, in this case where you want to play with something different from the standard algorithm, do write your own code.
Are there any implementations of these hashing algorithms in pure lua? I've found a couple for MD5 and SHA1 but none for these two which are the ones I'll be needing for a project. In the interests of portability, I need something in pure lua. Anyone know of anything?
Lua's lmd5 library states: A message digest library for Lua based on OpenSSL. It supports MD2, MD4, MD5, SHA1, SHA2, RIPEMD160, MDC2. Though I have never used it. But there are some libraries listed here. You might one of them useful.
Here's another library which might be what you seek.
If you use LuaJIT I have written an implementation of SHA256 here but it uses FFI ctypes: https://github.com/catwell/cw-lua/tree/master/sha256
Otherwise there's one here in pure Lua 5.2 which I have not tested: http://lua-users.org/wiki/SecureHashAlgorithm (already cited by Dream Eater).
I've written a few small programs in Objective-C (for the iPhone) but ultimately I want to write my programs mainly in C++. (I just find it a lot easier.)
If this is true, how would I:
Manage memory in C++? (Does C++ have a release-like command I need to use?)
Intermix C++ and Objective-C coding? (Or even, should I?)
Take a C++ object, like a string, and convert it into an NSString?
Thank you!
Derek
Yes. C++ has a delete keyword, but it only applies to objects you've created with new (which, for idiomatic C++ code, is not every object). C++ also doesn't have built-in reference counting, just pure ownership.
If you make a source file with a .mm extension, it compiles as Objective-C++, which lets you intermix Objective-C and C++ code.
For a string, you can call std::string::c_str() to get a string that you can pass into +[NSString stringWithUTF8String:].
My two cents: if you feel that C++ is a lot easier than Objective-C and you don't know anything about memory management in C++, you should try to spend a fair amount of time learning pure C++; it's extremely easy to shoot yourself in the foot in C++ if you don't know what you're doing.
Manage memory in C++? (Does C++ have a release-like command I need to use?)
c++ uses new and delete. specifically, c++ programs prefer to use scope-bound-resource-management (SBRM). managing dynamic allocations is dead easy when you use these containers. reference counting, however, is not currently built into the language -- you can use boost www.boost.org for more advanced pointer containers, including those which offer reference counting.
Intermix C++ and Objective-C coding? (Or even, should I?)
you can easy accomplish by using the extension .mm or .M, or by using a compiler flag. note that you should not just enable everything as objc++ -- this will hurt your build times. also note that there are a few restrictions, including the inability to subclass c++ types as objc types and vice-versa. another important flag which any sane c++ dev would enable is the one which generates c++ constructor/destructor calls when you use c++ types as variables in your objc classes. otherwise, you'll just crash, be forced to use pimpl, or have to manually construct/destruct all your c++ instances (as ivars in objc types). this means these types you use will all need default constructors. you can intermix the languages, it's fine to do this if it is your preference. there are a few more notes on mixing them in apple's docs, but those are the important ones... oh, and be careful to quarantine your exceptions (which you must also do with objc).
Take a C++ object, like a string, and convert it into an NSString?
see John Calsbeek's response
good luck