Install Now
crypto - Crypto Functions
Contents
Data Types
Cipherscipher() = cipher_no_iv() | cipher_iv() | cipher_aead()
cipher_no_iv() =
aes_128_ecb | aes_192_ecb | aes_256_ecb | aes_ecb |
blowfish_ecb | des_ecb | rc4
cipher_iv() =
aes_128_cbc | aes_192_cbc | aes_256_cbc | aes_cbc |
aes_128_cfb128 | aes_192_cfb128 | aes_256_cfb128 |
aes_cfb128 | aes_128_cfb8 | aes_192_cfb8 | aes_256_cfb8 |
aes_cfb8 | aes_128_ctr | aes_192_ctr | aes_256_ctr | aes_ctr |
blowfish_cbc | blowfish_cfb64 | blowfish_ofb64 | chacha20 |
des_ede3_cbc | des_ede3_cfb | des_cbc | des_cfb | rc2_cbc
cipher_aead() =
aes_128_ccm | aes_192_ccm | aes_256_ccm | aes_ccm |
aes_128_gcm | aes_192_gcm | aes_256_gcm | aes_gcm |
chacha20_poly1305
Ciphers known by the CRYPTO application.
Note that this list might be reduced if the underlying libcrypto does not support all of them.
crypto_opts() = boolean() | [crypto_opt()]
crypto_opt() = {encrypt, boolean()} | {padding, padding()}
Selects encryption ({encrypt,true}) or decryption ({encrypt,false}).
padding() = cryptolib_padding() | otp_padding()
This option handles padding in the last block. If not set, no padding is done and any bytes in the
last unfilled block is silently discarded.
cryptolib_padding() = none | pkcs_padding
The cryptolib_padding are paddings that may be present in the underlying cryptolib linked to the
Erlang/OTP crypto app.
For OpenSSL, see the OpenSSL documentation. and find EVP_CIPHER_CTX_set_padding() in cryptolib for
your linked version.
otp_padding() = zero | random
Erlang/OTP adds a either padding of zeroes or padding with random bytes.
Digestsandhashhash_algorithm() =
sha1() |
sha2() |
sha3() |
blake2() |
ripemd160 |
compatibility_only_hash()
hmac_hash_algorithm() =
sha1() | sha2() | sha3() | compatibility_only_hash()
cmac_cipher_algorithm() =
aes_128_cbc | aes_192_cbc | aes_256_cbc | aes_cbc |
aes_128_cfb128 | aes_192_cfb128 | aes_256_cfb128 |
aes_cfb128 | aes_128_cfb8 | aes_192_cfb8 | aes_256_cfb8 |
aes_cfb8 | blowfish_cbc | des_cbc | des_ede3_cbc | rc2_cbc
rsa_digest_type() = sha1() | sha2() | md5 | ripemd160
dss_digest_type() = sha1() | sha2()
ecdsa_digest_type() = sha1() | sha2()
sha1() = sha
sha2() = sha224 | sha256 | sha384 | sha512
sha3() = sha3_224 | sha3_256 | sha3_384 | sha3_512
blake2() = blake2b | blake2s
compatibility_only_hash() = md5 | md4
The compatibility_only_hash() algorithms are recommended only for compatibility with existing
applications.
EllipticCurvesec_named_curve() =
brainpoolP160r1 | brainpoolP160t1 | brainpoolP192r1 |
brainpoolP192t1 | brainpoolP224r1 | brainpoolP224t1 |
brainpoolP256r1 | brainpoolP256t1 | brainpoolP320r1 |
brainpoolP320t1 | brainpoolP384r1 | brainpoolP384t1 |
brainpoolP512r1 | brainpoolP512t1 | c2pnb163v1 | c2pnb163v2 |
c2pnb163v3 | c2pnb176v1 | c2pnb208w1 | c2pnb272w1 |
c2pnb304w1 | c2pnb368w1 | c2tnb191v1 | c2tnb191v2 |
c2tnb191v3 | c2tnb239v1 | c2tnb239v2 | c2tnb239v3 |
c2tnb359v1 | c2tnb431r1 | ipsec3 | ipsec4 | prime192v1 |
prime192v2 | prime192v3 | prime239v1 | prime239v2 |
prime239v3 | prime256v1 | secp112r1 | secp112r2 | secp128r1 |
secp128r2 | secp160k1 | secp160r1 | secp160r2 | secp192k1 |
secp192r1 | secp224k1 | secp224r1 | secp256k1 | secp256r1 |
secp384r1 | secp521r1 | sect113r1 | sect113r2 | sect131r1 |
sect131r2 | sect163k1 | sect163r1 | sect163r2 | sect193r1 |
sect193r2 | sect233k1 | sect233r1 | sect239k1 | sect283k1 |
sect283r1 | sect409k1 | sect409r1 | sect571k1 | sect571r1 |
wtls1 | wtls10 | wtls11 | wtls12 | wtls3 | wtls4 | wtls5 |
wtls6 | wtls7 | wtls8 | wtls9
edwards_curve_dh() = x25519 | x448
edwards_curve_ed() = ed25519 | ed448
Note that some curves are disabled if FIPS is enabled.
ec_explicit_curve() =
{Field :: ec_field(),
Curve :: ec_curve(),
BasePoint :: binary(),
Order :: binary(),
CoFactor :: none | binary()}
ec_field() = ec_prime_field() | ec_characteristic_two_field()
ec_curve() =
{A :: binary(), B :: binary(), Seed :: none | binary()}
Parametric curve definition.
ec_prime_field() = {prime_field, Prime :: integer()}
ec_characteristic_two_field() =
{characteristic_two_field,
M :: integer(),
Basis :: ec_basis()}
ec_basis() =
{tpbasis, K :: integer() >= 0} |
{ppbasis,
K1 :: integer() >= 0,
K2 :: integer() >= 0,
K3 :: integer() >= 0} |
onbasis
Curve definition details.
Keyskey_integer() = integer() | binary()
Always binary() when used as return value
Public/PrivateKeysrsa_public() = [key_integer()]
rsa_private() = [key_integer()]
rsa_params() =
{ModulusSizeInBits :: integer(),
PublicExponent :: key_integer()}
rsa_public() = [E, N]
rsa_private() = [E, N, D] | [E, N, D, P1, P2, E1, E2, C]
Where E is the public exponent, N is public modulus and D is the private exponent. The longer key
format contains redundant information that will make the calculation faster. P1 and P2 are first
and second prime factors. E1 and E2 are first and second exponents. C is the CRT coefficient. The
terminology is taken from RFC 3447.
dss_public() = [key_integer()]
dss_private() = [key_integer()]
dss_public() = [P, Q, G, Y]
Where P, Q and G are the dss parameters and Y is the public key.
dss_private() = [P, Q, G, X]
Where P, Q and G are the dss parameters and X is the private key.
ecdsa_public() = key_integer()
ecdsa_private() = key_integer()
ecdsa_params() = ec_named_curve() | ec_explicit_curve()
eddsa_public() = key_integer()
eddsa_private() = key_integer()
eddsa_params() = edwards_curve_ed()
srp_public() = key_integer()
srp_private() = key_integer()
srp_public() = key_integer()
Where is A or B from SRP design
srp_private() = key_integer()
Where is a or b from SRP design
srp_gen_params() =
{user, srp_user_gen_params()} | {host, srp_host_gen_params()}
srp_comp_params() =
{user, srp_user_comp_params()} |
{host, srp_host_comp_params()}
srp_user_gen_params()=[DerivedKey::binary(),Prime::binary(),Generator::binary(),Version::atom()]srp_host_gen_params()=[Verifier::binary(),Prime::binary(),Version::atom()]srp_user_comp_params()=[DerivedKey::binary(),Prime::binary(),Generator::binary(),Version::atom()|ScramblerArg::list()]srp_host_comp_params()=[Verifier::binary(),Prime::binary(),Version::atom()|ScramblerArg::list()]
Where Verifier is v, Generator is g and Prime is N, DerivedKey is X, and Scrambler is u (optional
will be generated if not provided) from SRP design Version = '3' | '6' | '6a'
PublicKeyCipherspk_encrypt_decrypt_algs() = rsa
Algorithms for public key encrypt/decrypt. Only RSA is supported.
pk_encrypt_decrypt_opts() = [rsa_opt()] | rsa_compat_opts()
rsa_opt() =
{rsa_padding, rsa_padding()} |
{signature_md, atom()} |
{rsa_mgf1_md, sha} |
{rsa_oaep_label, binary()} |
{rsa_oaep_md, sha}
rsa_padding() =
rsa_pkcs1_padding | rsa_pkcs1_oaep_padding |
rsa_sslv23_padding | rsa_x931_padding | rsa_no_padding
Options for public key encrypt/decrypt. Only RSA is supported.
Warning:
The RSA options are experimental.
The exact set of options and there syntax may be changed without prior notice.
rsa_compat_opts() = [{rsa_pad, rsa_padding()}] | rsa_padding()
Those option forms are kept only for compatibility and should not be used in new code.
PublicKeySignandVerifypk_sign_verify_algs() = rsa | dss | ecdsa | eddsa
Algorithms for sign and verify.
pk_sign_verify_opts() = [rsa_sign_verify_opt()]
rsa_sign_verify_opt() =
{rsa_padding, rsa_sign_verify_padding()} |
{rsa_pss_saltlen, integer()} |
{rsa_mgf1_md, sha2()}
rsa_sign_verify_padding() =
rsa_pkcs1_padding | rsa_pkcs1_pss_padding | rsa_x931_padding |
rsa_no_padding
Options for sign and verify.
Warning:
The RSA options are experimental.
The exact set of options and there syntax may be changed without prior notice.
Diffie-HellmanKeysandparametersdh_public() = key_integer()
dh_private() = key_integer()
dh_params() = [key_integer()]
dh_params() = [P, G] | [P, G, PrivateKeyBitLength]
ecdh_public() = key_integer()
ecdh_private() = key_integer()
ecdh_params() =
ec_named_curve() | edwards_curve_dh() | ec_explicit_curve()
TypesforEnginesengine_key_ref() =
#{engine := engine_ref(),
key_id := key_id(),
password => password(),
term() => term()}
engine_ref() = term()
The result of a call to engine_load/3.
key_id() = string() | binary()
Identifies the key to be used. The format depends on the loaded engine. It is passed to the
ENGINE_load_(private|public)_key functions in libcrypto.
password() = string() | binary()
The password of the key stored in an engine.
engine_method_type() =
engine_method_rsa | engine_method_dsa | engine_method_dh |
engine_method_rand | engine_method_ecdh |
engine_method_ecdsa | engine_method_ciphers |
engine_method_digests | engine_method_store |
engine_method_pkey_meths | engine_method_pkey_asn1_meths |
engine_method_ec
engine_cmnd() = {unicode:chardata(), unicode:chardata()}
Pre and Post commands for engine_load/3 and /4.
Internaldatatypescrypto_state()hash_state()mac_state()
Contexts with an internal state that should not be manipulated but passed between function calls.
Errortypesrun_time_error() = any()
The exception error:badarg signifies that one or more arguments are of wrong data type, or are
otherwise badly formed.
The exception error:notsup signifies that the algorithm is known but is not supported by current
underlying libcrypto or explicitly disabled when building that.
For a list of supported algorithms, see supports(ciphers).
descriptive_error() = any()
This is a more developed variant of the older run_time_error().
The exception is:
{Tag, {C_FileName,LineNumber}, Description}
Tag = badarg | notsup | error
C_FileName = string()
LineNumber = integer()
Description = string()
It is like the older type an exception of the error class. In addition they contain a descriptive
text in English. That text is targeted to a developer. Examples are "Bad key size" or "Cipher id
is not an atom".
The exception tags are:
badarg:
Signifies that one or more arguments are of wrong data type or are otherwise badly formed.
notsup:
Signifies that the algorithm is known but is not supported by current underlying libcrypto or
explicitly disabled when building that one.
error:
An error condition that should not occur, for example a memory allocation failed or the
underlying cryptolib returned an error code, for example "Can't initialize context, step 1".
Those text usually needs searching the C-code to be understood.
To catch the exception, use for example:
try crypto:crypto_init(Ciph, Key, IV, true)
catch
error:{Tag, {C_FileName,LineNumber}, Description} ->
do_something(......)
.....
end
Description
This module provides a set of cryptographic functions.
Hashfunctions:SHA1,SHA2:
Secure Hash Standard [FIPS PUB 180-4]
SHA3:
SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions [FIPS PUB 202]
BLAKE2:
BLAKE2 — fast secure hashing
MD5:
The MD5 Message Digest Algorithm [RFC 1321]
MD4:
The MD4 Message Digest Algorithm [RFC 1320]
MACs-MessageAuthenticationCodes:Hmacfunctions:
Keyed-Hashing for Message Authentication [RFC 2104]
Cmacfunctions:
The AES-CMAC Algorithm [RFC 4493]
POLY1305:
ChaCha20 and Poly1305 for IETF Protocols [RFC 7539]
SymmetricCiphers:DES,3DESandAES:
Block Cipher Techniques [NIST]
Blowfish:
Fast Software Encryption, Cambridge Security Workshop Proceedings (December 1993), Springer-
Verlag, 1994, pp. 191-204.
Chacha20:
ChaCha20 and Poly1305 for IETF Protocols [RFC 7539]
Chacha20_poly1305:
ChaCha20 and Poly1305 for IETF Protocols [RFC 7539]
Modes:ECB,CBC,CFB,OFBandCTR:
Recommendation for Block Cipher Modes of Operation: Methods and Techniques [NIST SP 800-38A]
GCM:
Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC [NIST SP
800-38D]
CCM:
Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and
Confidentiality [NIST SP 800-38C]
AsymetricCiphers-PublicKeyTechniques:RSA:
PKCS #1: RSA Cryptography Specifications [RFC 3447]
DSS:
Digital Signature Standard (DSS) [FIPS 186-4]
ECDSA:
Elliptic Curve Digital Signature Algorithm [ECDSA]
SRP:
The SRP Authentication and Key Exchange System [RFC 2945]
Note:
The actual supported algorithms and features depends on their availability in the actual libcrypto used.
See the crypto (App) about dependencies.
Enabling FIPS mode will also disable algorithms and features.
The CRYPTO User's Guide has more information on FIPS, Engines and Algorithm Details like key lengths.
Engine Api
Exports
privkey_to_pubkey(Type,EnginePrivateKeyRef)->PublicKey
Types:
Type = rsa | dss
EnginePrivateKeyRef = engine_key_ref()
PublicKey = rsa_public() | dss_public()
Fetches the corresponding public key from a private key stored in an Engine. The key must be of
the type indicated by the Type parameter.
engine_get_all_methods()->Result
Types:
Result = [engine_method_type()]
Returns a list of all possible engine methods.
May raise exception error:notsup in case there is no engine support in the underlying OpenSSL
implementation.
See also the chapter Engine Load in the User's Guide.
engine_load(EngineId,PreCmds,PostCmds)->Result
Types:
EngineId = unicode:chardata()
PreCmds = PostCmds = [engine_cmnd()]
Result =
{ok, Engine :: engine_ref()} | {error, Reason :: term()}
Loads the OpenSSL engine given by EngineId if it is available and then returns ok and an engine
handle. This function is the same as calling engine_load/4 with EngineMethods set to a list of all
the possible methods. An error tuple is returned if the engine can't be loaded.
The function raises a error:badarg if the parameters are in wrong format. It may also raise the
exception error:notsup in case there is no engine support in the underlying OpenSSL
implementation.
See also the chapter Engine Load in the User's Guide.
engine_load(EngineId,PreCmds,PostCmds,EngineMethods)->Result
Types:
EngineId = unicode:chardata()
PreCmds = PostCmds = [engine_cmnd()]
EngineMethods = [engine_method_type()]
Result =
{ok, Engine :: engine_ref()} | {error, Reason :: term()}
Loads the OpenSSL engine given by EngineId if it is available and then returns ok and an engine
handle. An error tuple is returned if the engine can't be loaded.
The function raises a error:badarg if the parameters are in wrong format. It may also raise the
exception error:notsup in case there is no engine support in the underlying OpenSSL
implementation.
See also the chapter Engine Load in the User's Guide.
engine_unload(Engine)->Result
Types:
Engine = engine_ref()
Result = ok | {error, Reason :: term()}
Unloads the OpenSSL engine given by Engine. An error tuple is returned if the engine can't be
unloaded.
The function raises a error:badarg if the parameter is in wrong format. It may also raise the
exception error:notsup in case there is no engine support in the underlying OpenSSL
implementation.
See also the chapter Engine Load in the User's Guide.
engine_by_id(EngineId)->Result
Types:
EngineId = unicode:chardata()
Result =
{ok, Engine :: engine_ref()} | {error, Reason :: term()}
Get a reference to an already loaded engine with EngineId. An error tuple is returned if the
engine can't be unloaded.
The function raises a error:badarg if the parameter is in wrong format. It may also raise the
exception error:notsup in case there is no engine support in the underlying OpenSSL
implementation.
See also the chapter Engine Load in the User's Guide.
engine_ctrl_cmd_string(Engine,CmdName,CmdArg)->Result
Types:
Engine = term()
CmdName = CmdArg = unicode:chardata()
Result = ok | {error, Reason :: term()}
Sends ctrl commands to the OpenSSL engine given by Engine. This function is the same as calling
engine_ctrl_cmd_string/4 with Optional set to false.
The function raises a error:badarg if the parameters are in wrong format. It may also raise the
exception error:notsup in case there is no engine support in the underlying OpenSSL
implementation.
engine_ctrl_cmd_string(Engine,CmdName,CmdArg,Optional)->
Result
Types:
Engine = term()
CmdName = CmdArg = unicode:chardata()
Optional = boolean()
Result = ok | {error, Reason :: term()}
Sends ctrl commands to the OpenSSL engine given by Engine. Optional is a boolean argument that can
relax the semantics of the function. If set to true it will only return failure if the ENGINE
supported the given command name but failed while executing it, if the ENGINE doesn't support the
command name it will simply return success without doing anything. In this case we assume the user
is only supplying commands specific to the given ENGINE so we set this to false.
The function raises a error:badarg if the parameters are in wrong format. It may also raise the
exception error:notsup in case there is no engine support in the underlying OpenSSL
implementation.
engine_add(Engine)->Result
Types:
Engine = engine_ref()
Result = ok | {error, Reason :: term()}
Add the engine to OpenSSL's internal list.
The function raises a error:badarg if the parameters are in wrong format. It may also raise the
exception error:notsup in case there is no engine support in the underlying OpenSSL
implementation.
engine_remove(Engine)->Result
Types:
Engine = engine_ref()
Result = ok | {error, Reason :: term()}
Remove the engine from OpenSSL's internal list.
The function raises a error:badarg if the parameters are in wrong format. It may also raise the
exception error:notsup in case there is no engine support in the underlying OpenSSL
implementation.
engine_get_id(Engine)->EngineId
Types:
Engine = engine_ref()
EngineId = unicode:chardata()
Return the ID for the engine, or an empty binary if there is no id set.
The function raises a error:badarg if the parameters are in wrong format. It may also raise the
exception error:notsup in case there is no engine support in the underlying OpenSSL
implementation.
engine_get_name(Engine)->EngineName
Types:
Engine = engine_ref()
EngineName = unicode:chardata()
Return the name (eg a description) for the engine, or an empty binary if there is no name set.
The function raises a error:badarg if the parameters are in wrong format. It may also raise the
exception error:notsup in case there is no engine support in the underlying OpenSSL
implementation.
engine_list()->Result
Types:
Result = [EngineId :: unicode:chardata()]
List the id's of all engines in OpenSSL's internal list.
It may also raise the exception error:notsup in case there is no engine support in the underlying
OpenSSL implementation.
See also the chapter Engine Load in the User's Guide.
May raise exception error:notsup in case engine functionality is not supported by the underlying
OpenSSL implementation.
ensure_engine_loaded(EngineId,LibPath)->Result
Types:
EngineId = LibPath = unicode:chardata()
Result =
{ok, Engine :: engine_ref()} | {error, Reason :: term()}
Loads the OpenSSL engine given by EngineId and the path to the dynamic library implementing the
engine. This function is the same as calling ensure_engine_loaded/3 with EngineMethods set to a
list of all the possible methods. An error tuple is returned if the engine can't be loaded.
The function raises a error:badarg if the parameters are in wrong format. It may also raise the
exception error:notsup in case there is no engine support in the underlying OpenSSL
implementation.
See also the chapter Engine Load in the User's Guide.
ensure_engine_loaded(EngineId,LibPath,EngineMethods)->Result
Types:
EngineId = LibPath = unicode:chardata()
EngineMethods = [engine_method_type()]
Result =
{ok, Engine :: engine_ref()} | {error, Reason :: term()}
Loads the OpenSSL engine given by EngineId and the path to the dynamic library implementing the
engine. This function differs from the normal engine_load in that sense it also add the engine id
to the internal list in OpenSSL. Then in the following calls to the function it just fetch the
reference to the engine instead of loading it again. An error tuple is returned if the engine
can't be loaded.
The function raises a error:badarg if the parameters are in wrong format. It may also raise the
exception error:notsup in case there is no engine support in the underlying OpenSSL
implementation.
See also the chapter Engine Load in the User's Guide.
ensure_engine_unloaded(Engine)->Result
Types:
Engine = engine_ref()
Result = ok | {error, Reason :: term()}
Unloads an engine loaded with the ensure_engine_loaded function. It both removes the label from
the OpenSSL internal engine list and unloads the engine. This function is the same as calling
ensure_engine_unloaded/2 with EngineMethods set to a list of all the possible methods. An error
tuple is returned if the engine can't be unloaded.
The function raises a error:badarg if the parameters are in wrong format. It may also raise the
exception error:notsup in case there is no engine support in the underlying OpenSSL
implementation.
See also the chapter Engine Load in the User's Guide.
ensure_engine_unloaded(Engine,EngineMethods)->Result
Types:
Engine = engine_ref()
EngineMethods = [engine_method_type()]
Result = ok | {error, Reason :: term()}
Unloads an engine loaded with the ensure_engine_loaded function. It both removes the label from
the OpenSSL internal engine list and unloads the engine. An error tuple is returned if the engine
can't be unloaded.
The function raises a error:badarg if the parameters are in wrong format. It may also raise the
exception error:notsup in case there is no engine support in the underlying OpenSSL
implementation.
See also the chapter Engine Load in the User's Guide.
pbkdf2_hmac(Digest,Pass,Salt,Iter,KeyLen)->Result
Types:
Digest = sha | sha224 | sha256 | sha384 | sha512
Pass = Salt = binary()
Iter = KeyLen = integer() >= 1
Result = binary()
PKCS #5 PBKDF2 (Password-Based Key Derivation Function 2) in combination with HMAC.
The function raises a error:badarg if the parameters are in wrong format.
Ericsson AB crypto 5.0.5 crypto(3erl)
Name
crypto - Crypto Functions
PNG Icons
Emojis
