The generic block cipher functions allow the block cipher algorithm and mode to be specified either by a strAlgAndMode string or by using the nOptions flags, but not both. The algorithm-and-mode parameter string combines the name of the block cipher algorithm and the mode.
Valid algorithm names are:
| Value | Algorithm | Option |
|---|---|---|
| tdea | Triple DES, a.k.a. 3DES, des-ede3 | PKI_BC_TDEA |
| 3des | Alternate for Triple DES | PKI_BC_3DES |
| des-ede3 | Another alternate for Triple DES | PKI_BC_DESEDE3 |
| aes128 | AES-128 | PKI_BC_AES128 |
| aes192 | AES-192 | PKI_BC_AES192 |
| aes256 | AES-256 | PKI_BC_AES256 |
We have used "TDEA" consistently in CryptoSys products to refer to the Triple DES algorithm (as in its official name "Triple Data Encryption Algorithm"). In this case, we have given you the alternative ways of expressing the algorithm as any one of "tdea", "3des" or "des-ede3". These are all equivalent and all yield identical results.
Valid mode names are:
| Value | Mode | Option |
|---|---|---|
| ecb | Electronic Code Book mode (default) | PKI_MODE_ECB |
| cbc | Cipher Block Chaining mode | PKI_MODE_CBC |
| ofb | Output Feedback mode | PKI_MODE_OFB |
| cfb | 64-bit Cipher Feedback mode | PKI_MODE_CFB |
| ctr | Counter mode | PKI_MODE_CTR |
Some examples of valid string values for the strAlgAndMode parameter are:
| strAlgAndMode | Description | Alternative Option value |
|---|---|---|
| tdea-cbc | Triple DES in CBC mode | PKI_BC_TDEA+PKI_MODE_CBC |
| 3des-cbc | ditto (alternate name) | PKI_BC_3DES+PKI_MODE_CBC |
| des-ede3-cbc | ditto (alternate name) | PKI_BC_DESEDE3+PKI_MODE_CBC |
| tdea-ecb | Triple DES in ECB mode | PKI_BC_TDEA+PKI_MODE_ECB |
| tdea | ditto (ECB is default mode) | PKI_BC_TDEA |
| aes128-cbc | AES-128 in CBC mode | PKI_BC_AES128+PKI_MODE_CBC |
| aes256-ctr | AES-256 in Counter mode | PKI_BC_AES256+PKI_MODE_CTR |
Punctuation and space characters and upper- and lower-case are ignored in the strAlgAndMode string, so "tdea-cbc", "TDeA---cBc", "tdea cbc", and "TDEACBC" are equivalent (as indeed is "t*D$e^A c@b!C!!").
It is an error to use both the strAlgAndMode and nOptions parameters to specify the algorithm and mode. The algorithm must be explicitly specified. There is no default algorithm. The default cipher mode is ECB mode, which is not recommended because of security issues. It is recommended to use either CBC or CTR mode with an IV value that is unique each time it is used with a given key.
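
The following is an added example, not code from the CryptoSys library: a Python model of the documented strAlgAndMode rules that can be used to audit configured cipher strings for an explicit or silently defaulted ECB mode. The function names `resolve_alg_and_mode` and `audit` are hypothetical, and the matching logic is an assumption built only from the rules stated above.

```python
import re

# Names and option constants copied from the tables above.
ALGORITHMS = {
    "tdea": "PKI_BC_TDEA", "3des": "PKI_BC_3DES",
    "desede3": "PKI_BC_DESEDE3",  # "des-ede3" once punctuation is dropped
    "aes128": "PKI_BC_AES128", "aes192": "PKI_BC_AES192",
    "aes256": "PKI_BC_AES256",
}
MODES = {
    "ecb": "PKI_MODE_ECB", "cbc": "PKI_MODE_CBC", "ofb": "PKI_MODE_OFB",
    "cfb": "PKI_MODE_CFB", "ctr": "PKI_MODE_CTR",
}


def resolve_alg_and_mode(alg_and_mode):
    """Return (algorithm option, mode option, mode_was_defaulted)."""
    # Punctuation, spaces and letter case are ignored.
    key = re.sub(r"[^a-z0-9]", "", alg_and_mode.lower())
    for name, alg_opt in ALGORITHMS.items():
        if key.startswith(name):
            mode = key[len(name):]
            if mode == "":
                return alg_opt, MODES["ecb"], True  # ECB is the default mode
            if mode in MODES:
                return alg_opt, MODES[mode], False
            raise ValueError(f"unknown mode in {alg_and_mode!r}")
    raise ValueError(f"no algorithm specified in {alg_and_mode!r}")


def audit(alg_and_mode):
    """Return a list of findings for one configured cipher string."""
    _, mode, defaulted = resolve_alg_and_mode(alg_and_mode)
    if mode != "PKI_MODE_ECB":
        return []
    how = "by default" if defaulted else "explicitly"
    return [f"{alg_and_mode!r} selects ECB {how}; use CBC or CTR with a unique IV"]


if __name__ == "__main__":
    # Constructed sample values, as might appear in an application's settings.
    for s in ["tdea-cbc", "t*D$e^A c@b!C!!", "tdea", "aes256-ctr", "AES128 ECB"]:
        print(s, "->", resolve_alg_and_mode(s), audit(s))
```

A mode-less string such as "tdea" is the case worth flagging in review, because nothing in the string itself shows that ECB is in use.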