Free crypto software for linux

M2Crypto project is a crypto and SSL toolkit for Python.
Main features:
- RSA, DSA, DH, HMACs, message digests, symmetric ciphers (including AES).
- SSL functionality to implement clients and servers.
- HTTPS extensions to Pythons httplib, urllib, and xmlrpclib.
- Unforgeable HMACing AuthCookies for web session management.
- FTP/TLS client and server.
- S/MIME.
- ZServerSSL: A HTTPS server for Zope.
- ZSmime: An S/MIME messenger for Zope.

Filter::Crypto is a Perl module that can create runnable Perl files encrypted with OpenSSL libcrypto.

SYNOPSIS

# Encrypt a Perl script using the crypt_file script; run it as usual:
$ crypt_file --in-place hello.pl
$ hello.pl

# Create a PAR archive containing an encrypted Perl script; run it as usual:
# (This example assumes that you also have PAR installed)
$ pp -f Crypto -M Filter::Crypto::Decrypt -o hello hello.pl
$ hello

# Display the Filter-Crypto distribution version number:
use Filter::Crypto;
print "This is Filter-Crypto $Filter::Crypto::VERSIONn";

The Filter-Crypto distribution provides the means to convert your Perl files into an encrypted, yet still runnable, format to hide the source code from casual prying eyes.

This is achieved using a Perl source code filter. The encrypted files, produced using the Filter::Crypto::CryptFile module, automatically have one (unencrypted) line added to the start of them that loads the Filter::Crypto::Decrypt module. The latter is a Perl source code filter that decrypts the remaining (encrypted) part of the Perl file on the fly when it is run. See perlfilter if you want to know more about how Perl source code filters work.

Encrypted files can also be produced more conveniently using the crypt_file script, or (if you also have the PAR module available) using the PAR::Filter::Crypto module. The latter can be utilized by the standard PAR tools to produce PAR archives in which your Perl files are encrypted.

The actual encryption and decryption is performed using one of the symmetric cipher algorithms provided by the OpenSSL libcrypto library. The EVP library high-level interface functions to the various cipher algorithms themselves are used so that your choice of algorithm (and also what password or key to use) is made simply by answering some questions when building this distribution. See the INSTALL file for more details.

This module itself only contains this documentation and the version number of the Filter-Crypto distribution as a whole.

dm-crypt is a device-mapper crypto target.

Device-mapper is a new infrastructure in the Linux 2.6 kernel that provides a generic way to create virtual layers of block devices that can do different things on top of real block devices like striping, concatenation, mirroring, snapshotting, etc... The device-mapper is used by the LVM2 and EVMS 2.x tools.

dm-crypt is such a device-mapper target that provides transparent encryption of block devices using the new Linux 2.6 cryptoapi. The user can basically specify one of the symmetric ciphers, a key (of any allowed size), an iv generation mode and then he can create a new block device in /dev. Writes to this device will be encrypted and reads decrypted. You can mount your filesystem on it as usual. But without the key you cant access your data.

It does basically the same as cryptoloop only that its a much cleaner code and better suits the need of a block device and has a more flexible configuration interface. The on-disk format is also compatible. In the future you will be able to specify other iv generation modes for enhanced security (youll have to reencrypt your filesystem though).

There is support for dm-crypt in the latest official kernel 2.6.4 which you can find on kernel.org. Please use the mirrors for downloads.

There is a HIGHMEM cryptoapi bug in kernels before 2.6.4-rc2, please upgrade if you were using such a kernel.

Crypt::PBC is a OO interface for the Stanford PBC library.

SYNOPSIS

use Crypt::PBC;

my $pairing = new Crypt::PBC("params_d.txt");
my $G1 = $pairing->init_G1->random;
my $G2 = $pairing->init_G2->random->double->square;
my $GT = $pairing->init_GT->pairing_apply( $G1, $G2 );

The PBC library is a free portable C library designed to make it easy to implement pairing-based cryptosystems. It provides an abstract interface to a cyclic group with a bilinear pairing, and the programmer does not need to worry about, or even know about elliptic curves.

It is built on top of GMP, another C library which performs arbitrary precision arithmetic on integers, rationals and floats with strong emphasis on portability and speed.

Perl Module Methods

The Perl Module methods implement an OO interface that the author (Paul) highly recommends using. The only Perl Module OO function in the Crypt::PBC package is new(). Please see Crypt::PBC::Pairing and Crypt::PBC::Element for the guts of the intended OO interface.

Crypt::PBC::new()

Returns a new PBC pairing object. new() takes, as arguments, either the name of a file, a file stream (e.g., new Crypt::PBC(*STDIN)), or the params for a curve as a string. Ben Lynn provides a zip file of d-type curves:

MNT curve parameters for embedding degree 6 (which I
call type D curves), for all D less than a million, and
for subgroup sizes at least 80 bits and less than 300
bits long. Generated using test programs bundled with
PBC library.

http://crypto.stanford.edu/pbc/download.html

XS Loaded Functions

This section is basically a listing of the PBC functions as they are imported. You can use them directly if youre already comfortable with the layout of PBC. If youre starting from scratch and arent much of a C coder, youll have an easier time using the Perl Module methods because they implement a little type-safety to protect perl coders from segfaults.

Mixing and matching direct calls with the Perl Module methods is a sure way to run into trouble, since the Perl Module methods tag the PBC elements with a type.

+++ NOTE +++
You can use these functions successfully, but the intended interface was described above. Crypt::PBC::Element describes that interface in detail.
+++ /NOTE +++

Pairing Functions

# Initialize a pairing from an open file handle
my $pairing = &Crypt::PBC::pairing_init_stream(*STDIN);

# Initialize a pairing from a a $string
my $pairing = &Crypt::PBC::pairing_init_str($string);

# Clear the memory malloced for the pairing
&Crypt::PBC::pairing_clear($pairing);

# Apply the pairing. Be careful here. If you pass the wrong type of
# elements, GT = apply(G1, G2), this will segmentation fault! Please
# see the PBC documentation for further information:
# http://crypto.stanford.edu/pbc/manual/
&Crypt::PBC::pairing_apply($LHS, $RHS1, $RHS2, $pairing);

Element Initializer and Assignment Functions

my $element_in_G1 = &Crypt::PBC::element_init_G1($pairing);
my $element_in_G2 = &Crypt::PBC::element_init_G2($pairing);
my $element_in_GT = &Crypt::PBC::element_init_GT($pairing);
my $element_in_Zr = &Crypt::PBC::element_init_Zr($pairing);

# Do not forget to clear your memory!
&Crypt::PBC::element_clear( $element ); # in any group

# assign some random to $element
# (uses /dev/urandom if possible, or rand() if necessary)
&Crypt::PBC::element_random( $element );
&Crypt::PBC::element_set0( $element ); # set to 0
&Crypt::PBC::element_set1( $element ); # set to 1
&Crypt::PBC::element_set( $a, $b ); # a=b
&Crypt::PBC::element_set_si( $a, 5 ); # a=5

&Crypt::PBC::element_set_mpz( $a, $bigint );
# For this one, construct a Math::BigInt::GMP and pass that for
# $bigint. Alternatively, you can construct a $i=Math::BigInt and
# pass the $i->{value}. (That interface is probably not well
# supported but is the only one of which the author is aware.)

&Crypt::PBC::element_from_hash( $element, $hash );
# Set $element based on the bytes in $hash. You must use some kind
# of hashing algorithm (e.g., Digest::SHA1) to map data to an
# element:
#
# "In general you cannot feed it plaintext. You should only give it
# short strings of bytes (e.g. 160 bits if G1 has order around 2^160,
# which is the case for most of the bundled pairing parameters)."
# -- Lynn

&Crypt::PBC::element_from_bytes( $element, $bytes );
# Set $element based on the bytes in $bytes. this probably isnt useful
# unless $bytes is like $spewed_result from element_export() below.

Arithmetic Functions

# lhs=rhs1+rhs2 -- make sure these are all the same type ...
&Crypt::PBC::element_add($lhs, $rhs1, $rhs2);
&Crypt::PBC::element_sub($lhs, $rhs1, $rhs2); # lhs=rhs1-rhs2
&Crypt::PBC::element_mul($lhs, $rhs1, $rhs2);
&Crypt::PBC::element_div($lhs, $rhs1, $rhs2);

# (whatever these mean is in the context of the $pairing)
&Crypt::PBC::element_double($lhs, $rhs); # lhs = 2*rhs
&Crypt::PBC::element_halve( $lhs, $rhs); # lhs = rhs/2
&Crypt::PBC::element_square($lhs, $rhs); # lhs = rhs^2
&Crypt::PBC::element_neg( $lhs, $rhs); # (please see the PBC docs)
&Crypt::PBC::element_invert($lhs, $rhs); # lhs = 1/rhs

# Heres a few other choices for mul
&Crypt::PBC::element_mul_zn( $lhs, $rhs1, $rhs2 );
# $rhs1 and $lhs should be of the same type, but here $rhs2 should be
# in Zr instead of being in the same group like in element_mul()
# above

&Crypt::PBC::element_mul_mpz( $lhs, $rhs1, $rhs2 );
# For this one, construct a Math::BigInt::GMP and pass that for
# $rhs2 or pass $i->{value} from a Math::BigInt.

&Crypt::PBC::element_mul_si( $lhs, $rhs1, $rhs2 );
# Here, $rhs2 is a regular old integer...

&Crypt::PBC::element_pow_zn( $lhs, $a, $n); # lhs = a^n
&Crypt::PBC::element_pow2_zn($lhs, $a1, $n1, $a2, $n2); # a1^n1 * a2^n2
&Crypt::PBC::element_pow3_zn($lhs, $a1, $n1, $a2, $n2, $a3, $n3);
# in the above, the lhs and ad+ should be in the same group, nd+ in Zr

&Crypt::PBC::element_pow_mpz( $lhs, $a, $n);
&Crypt::PBC::element_pow2_mpz($lhs, $a1, $n1, $a2, $n2);
&Crypt::PBC::element_pow3_mpz($lhs, $a1, $n1, $a2, $n2, $a3, $n3);
# like the _zn functions, but nd+ should be Math::BigInt::GMP
# or pass $i->{value} from a Math::BigInt.

Comparison Functions

&Crypt::PBC::element_is0( $a ); # 1 when $a is 0
&Crypt::PBC::element_is1( $a ); # 1 when $a is 1
&Crypt::PBC::element_cmp( $a,$b ); # paradoxically, false when $a == $b
&Crypt::PBC::element_is_sqr( $a ); # 1 when $a is a perfect square ...
# see the PBC docs for words like "residue"

Export and Output

# Please check the PBC docs ...
&Crypt::PBC::element_fprintf(*OUTFILE, $format, $element);
&Crypt::PBC::element_fprintf(*STDOUT, "example element=%Bn", $element);
# (You may be surprised how many bigints are in these group elements.)

my $spewed_result = &Crypt::PBC::export_element($element);
# These are bytes, dumped from the $element, that can be used to
# reconstruct the element or used for interacting with real life data.

# Example:
my $cipher = new Crypt::CBC({
header => "randomiv",
key => &Crypt::PBC::export_element($element),
cipher => Blowfish, # hehe
});

my $big = &Crypt::PBC::element_to_mpz( $element );
# Returns a Math::BigInt::GMP, not a Math::BigInt! WARNING: the
# DESTROY() method from Math::BigInt::GMP will be missing unless you
# require that package into your program. Youll want to do that or youll
# have a memory leak... Lastly, this is really only useful for elements in
# Zr -- element_fprintf() to see what I mean.

CIPE is a Crypto IP Encapsulation.
This is an ongoing project to build encrypting IP routers. It works by tunneling IP packets in encrypted UDP packets. The protocol is designed to be lightweight and simple. Special care has been taken to make this work over dynamic addresses, NAT and SOCKS proxies.
Implementations are currently available for Linux and Windows.
Enhancements:
- This supports Linux 2.6 and the kernel crypto API.

CLIP is a Clipper/XBase compatible compiler with initial support other xBase dialects. CLIP project features support for international languages and character sets.
It also features OOP, a multiplatform GUI based on GTK/GTKextra, all SIX/Comix features (including hypertext indexing), SQL and ODBC drivers, a C-API for third-party developers, a few wrappers for popular libraries (such as BZIP, GZIP, GD, Crypto, and Fcgi), a multitasking client and application server based on TCP/IP sockets, object data base utilities, and a functions library.
Main features:
- Preprocessor
- Fully compatible CA-Clipper with with some new possibilities.
- Compiler
- slight incompability with CA-Clipper, which may be resolved easily, using the "search and replace" method. In addition it can compile to C program, byte-code, dynamic library and mixed C+byte-code.
- Very fast and efficient OO-model
- Difference from CA-Clipper reveals itself in part of descriptions and making an object, but in part of using the ready objects syntax and logic of functioning is completely the same.
- It is possible to write programs on CLIP, without using other syntax excepting OOP.
- Initial support syntax from FS,CAVO,FoxPro.
- C-API
- has much more possibilities than CA-Clipper.
- Full international support
- Including adjustment on any code page of any language on any keyboard (with stelnet emulator only or on consoles), substitution of string constants during execution and changing a logic of functioning with strings, given for functions alpha, digit, lower, upper, subscripted weight factors etc.
- Support two-bytes charsets BIG5,GB , may be Korean,Japan too.
- GUI, based on GTK
- Provides using of all widgets and processing the events
- Using of dynamic libraries,
- loading and execution of the byte-code from external files ( in run-time, too ).
- Compatibility
- up to Clipper 5.3 (support of objects menu, button, check and other get-objects), as well as standard classes tbrowse,get,error.
- Are implemented a lot of CA_Tools functions, including all functions for processing the lines, dates, files, mathematicians.
- support all SIX functions and features
- MEM,DBF,DBT,FPT,NTX,CTX,CDX,NSX...
- VFP data types: datetime,currency
- RDD allows to use your own drivers, as well as use a driver, combined from several different drivers.
- RDD also allows to use only OO-style, without using of aliases
- Multitask support
- CODB - CLIP Object Data Base
- SQL
- libraries and classes for direct access to SQL-servers (PG,MySql,Oracle,Interbase)
- ODBC and ODBC bridge to Windows drivers.
- SQL-interpreter and commands, compatible with FoxPro
- Other possibilities
- Overloading operators for objects.
- Support of regular expressions.
- function for TCP/IP sockets connections
- COM_() functions
- Rushmore like technology, but more fast and efficient.
- Support of very-large-scale numbers with unlimited accuracy.
- Support of graphic files PNG,GD,JPEG and primitives like lines, rectangles, firing ranges, circumferences etc.
- Several common classes for word processorses, html/cgi programms.
- Several utilities for interpreting the patterns of the documents, www_sql,clip_bl, clip_blank, clip_sql, clip_hindex, clip_hseek etc.
- multiwindows interactive debugger.
- Supported OSes
- linux, freebsd, openBsd, SPARC & x86 solaris, IBM mainframe with TurboLinux, Win32 ( with CYGWIN development tools)
- TODO list
- Windows support
- FiveWin compatiblies.
- FoxPro compatiblies.
Enhancements:
- This release added fixes to support UTF environments, GCC 4.x, and newer Linux distributions.
- Some new utilities, functions, and documentation were added.

Tools like ssh and lsh are great for allowing secure remote access to your system. They offer essentially full, flexible remote control of a machine, in an ecrypted and authenticated manner. But they are complex pieces of software; theres no way to do what they do without being complex. And with complexity comes bugs. Tools like ssh and lsh, and VPNs like CIPE, PPTP, and more have all had serious flaws that would allow an attacker to get full control over your system.
If you leave such programs running all the time, you take the risk that someone is going to use an exploit on you before you have a chance to apply a patch. For some purposes, this is an acceptable - even necessary - tradeoff, but it would be nice to enable them only when actually needed, to minimize the risk. And for other purposes, ssh et. al. are overkill. Perhaps you only really need to remotely initiate a limited set of operations. In this case, you dont need a shell prompt, just a way to securely kick off scripts from elsewhere.
Enter Ostiary. It is designed to allow you to run a fixed set of commands remotely, without giving everyone else access to the same commands. Ostiary is designed to do exactly and only what is necessary for this, and no more. The only argument given to the command is the IP address of the client, and only if the authentication is successful.
Main features:
- "First, do no harm." It should not be possible to use the Ostiary system itself to damage the host its running on. In particular, its willing to accept false negatives (denying access to legitimate users) in order to prevent false positives (allowing access to invalid users).
- Insofar as possible, eliminate any possibility of bugs causing undesired operations. Buffer overflows, timing attacks, etc. should be impossible for an external attacker to execute. Theres no point in installing security software if it makes you less secure.
- Be extremely modest in memory and CPU requirements. I want to be able to fire off commands on my webserver (running on a Mac SE/30, a 16MHz 68030 machine) from my Palm Pilot (a 16MHz 68000 machine). Things like ssh already take 30 seconds or more to start up - I cant afford anything too fancy.
- Keep things simple. Im no crypto expert; I know Im not capable of coming up with an ssh replacement. So I need to keep things so utterly simple that I can be sure Im not missing anything important.
Enhancements:
- Several non-security-related bugfixes, including some clarified log messages and an update to the TCP-wrappers autoconf macros.
- Debian packages have been added.