Crypto Module

Table of Contents

• Overview
• Backend Architecture
• Key Type
• Functions
  • Key Type Functions
  • Symmetric Encryption
  • Asymmetric Encryption
  • Signatures
  • Hashes
  • PRNG

Overview

The crypto module implements the key type and its management functions as well as functions for symmetric and asymmetric encryption, creation of signatures and hashes, and random numbers. The crypto key structure is also used by the PKI module for RSA keys in certificates. This requires that the internal RSA key format is usable in both libraries. The functionality of this module depends on the requirements of OPC UA, although some APIs provide more algorithms or variants than necessary. The exact requirements by OPC UA depend on the enabled security policies. The crypto module has to be initialized before using any of its functions.

Backend Architecture

The key type and the API is defined in the header file crypto.h. This header file must not be modified. The implementation of this API can vary depending on the used crypto library. The SDK includes two implementations: based on OpenSSL or mbedTLS. The combination of the crypto backend OpenSSL with the PKI backend mbedTSL (and the other way around) does not work because of the different internal key representations. Additional backends can be added and implementation is aided by the unit tests “asym”, “hash”, “key”, “psha”, “random”, “sign”, and “sym”.

Key Type

The structure crypto_key holds the internal representation of the key in its backend specific format as well as the type of the key. The supported key types consist of RSA keys, either private or public, AES keys, either for encryption or decryption, and HMAC keys for signature operations.

Functions

Key Type Functions

• functions for converting a key from and to the PEM format for storing and loading keys
• create an RSA key for certificate generation
• returning the length of the key in bytes
• clearing a key and initializing it with key data and type

Symmetric Encryption

Functions for encrypting and decrypting data are provided. The only supported algorithm is AES CBC with key lengths 128, 192, and 256 bits.

Asymmetric Encryption

Functions for encrypting and decrypting data are provided. The only supported algorithm is RSA with padding modes PKCS#1 v1.5 and PKCS#1 OAEP.

Signatures

Functions for signing data and verifying signatures are provided. The supported signature algorithms are HMAC SHA1 and HMAC SHA256.

Hashes

A single function for creating a hash of type SHA is provided. The supported hash lengths are 128, 224, 256, 384, and 512. Additionally, a function for creating hashes of type P-SHA1 and P-SHA256 are available.

PRNG

Besides the function for generating a pseudo random number of requested length, a function for adding additional seed data to the PRNG is available. Mind that seed data is already passed to the crypto library during initialization, but it may be necessary to add entropy at a later point in time.