A cryptography library for the
TI-84+ CE graphing calculator!
About HASHLIB

HASHLIB is a port of existing, known cryptographic implementations to a low-performance embedded system -- the TI-84+ CE graphing calculator. It began in response to my need for a cryptographic hash for another project I was developing but evolved into much more as I realized I genuinely enjoyed working on it. As of now, HASHLIB provides near industry-standard cryptography for this platform.

What's Implemented in Hashlib?
SHA-256

The SHA-2 family of cryptographic hashes are among some of the most known and reliable hashes in use. SHA-256 is relatively secure, is trivial enough to implement on this platform, and is the single cryptographic hash provided by this library. Not only is it exposed as a hashing function, it is used internally by the library for a few other purposes.

Secure Pseudorandom Generator

HASHLIB provides an entropy-based pseudorandom generator. It works by first polling the unmapped memory of the device for a floating bit with the least bias and setting an entropic-read pointer to that address. The SPRNG returns 32-bit pseudorandom numbers. Whenever a random number number is requested, the SPRNG updates a 119-byte entropy pool, each byte of which is a composite of seven (7) distinct reads from the entropic address, xored together. The entropy pool is then hashed with SHA-256, generating a 32-byte digest, which broken into 8-byte blocks, which are xored together to give us the 32-bit random number. The entropy pool is then clobbered to prevent the state from being reconstructed. The SPRNG produces approximately 96 bits of entropy per 32-bit rand, minimizes the footprint of correlation in the bit stream, withstands state compromise, and passes statistical tests regardless of the sample size.

MGF1

The mask-generation function MGF1 is an arbitary-length hashing function derived from SHA-256. It loops calls to SHA-256, passing the input data with a 4-byte counter appended to it, until it has returned a digest of length equal to the requested size. MGF1 is used as the hashing oracle in the RSA-OAEP encoding scheme also provided in this library.

Advanced Encryption Standard

HASHLIB implements the Advanced Encryption Standard (AES) for 128, 192, and 256-bit keys. The default cipher modes provided are CBC and CTR for basic encryption, and CBC-MAC for authenticated encryption (a SHA-256 hash can be used for verifying message integrity as well), although the underlying ECB-mode single-block encryptor and decryptor functions are also exposed for those who know what they are doing and want to construct one of the other cipher modes. AES is one of the two forms of encryption provided within this library.

RSA-2048

HASHLIB will provide an encryption-only implementation of the RSA public key system, up to a maximum modulus size of 2048 bits (but no less than 1024 bits). The RSA-OAEP encoding scheme is also implemented. Because this implementation is encrypt-only, you will need to rely on a remote host for generating a keypair, let the calculator generate an AES key, and then encrypt it with the server-supplied pubkey.

Once I study the techniques involved, I will also try to implement signature verification for such things as SSL/TLS certificates as well, since those also use public keys.

Miscellaneous

HASHLIB provides a number of functions that don't quite fit in another category. There are several helper functions and macros in the library. There is a function to zero out a context or memory buffer once you are done with it to prevent leaving cryptographic state information in memory. There is a buffer comparison function that is resistant to timing attacks. There is a function to malloc buffer space if stack allocation is not sufficient for your needs. There are macros to return the padded size and ciphertext size for both AES and RSA, as well as functions to add and strip padding for both encryption types. I encourage you to check out the C header file and documentation provided with the library (and linked above) for more details.

Caveats & Security Profile

I took to great care to build HASHLIB into a library with a decent security profile. Much of the library is "ported" rather than "implemented" and where this was not possible I extensively researched the topic, discussed with others the best method of implementing it, and posted the code for audit by individuals who know the hardware.

Despite this great effort, there is at least one manner of attack HASHLIB is vulnerable to. Due to the nature of the TI-84+ CE as an embedded system with mappable memory, the calculator is vulnerable to side-channel attacks such as mapping the calculator's memory while HASHLIB is running. However, it would likely be quite difficult for a bad actor to gain physical access to your calculator while you are using it in this manner.

Beyond this, HASHLIB's security comes down proper use of the provided encryption schemes as well as the security of the PRNG. AES and RSA, implemented properly, are among the most secure encryption schemes in use today. As for the SPRNG, I evaluated it both mathematically and statistically. I computed the SPRNG to have sufficient entropy (in fact, double what's required) and it passes all statistical tests that are thrown at it. Analysis is still underway to ascertain the influence of correlation in the bit stream, however, programmatical allowances have been made to offset any correlation that may exist. The SPRNG's logic and entropy is evaluated at great detail in the associated documentation, linked above.

Credits & Citations

Special thanks to the community of TI calculator developers at Cemetech for their feedback, encouragement, and assistance as I was working on this project. In addition, I would like to thank the following individuals who had a greater hand in the development of this library.

Anthony Cagliano
Lead project developer, Webpage author.
Adam "beck" Beckingham
Co project developer, Assembly rewrite of some funcs.
Zeroko
Cemetech member who contributed much information, both in forums and in IRC, about generating randomness on the TI-84+ CE (see this thread).
jacobly
Cemetech member who provided hashlib_CompareDigest() as well as corrected some coding errors in (and optimized) hashlib_SPRNGRandom().


I would also like to acknowledge the sourcing of some of the crypto in this library from the public domain repository linked here. The repository linked above has stable code with the best compatibility with my target architecture, so I used it, making minor modifications for the bit-width of the target platform, and that ported code became the backbone of this library, with anything extra building upon it.

Legal & Disclaimer

This software is provided free and open-source. You are free to download, use, distribute, modify, review, and share this software as well as any associated files so long as you provide the same license and legal notice to any possible end users.

HASHLIB is a work-in-progress and has seen very little time as the forerunning cryptography library for the TI-84+ CE calculator. This means that it has not had much time to be thoroughly analyzed, and due to some hardware constraints may never offer total security. For this reason, I strongly advise that however secure HASHLIB may be, you never use it for encrypting truly sensitive data like online banking and other accounts, credit card information, and the like over an insecure network. It is likely safe enough to be used to encrypt file transfers and account login for TI-84+ CE game servers and package managers like the ones currently under development. By using this software you release and save harmless its developer(s) from liability for data compromise that may arise should you use this software.