The TMS team has released version 5.0.9.4 of the Cryptography Pack (TMSCP) today. This release is a new milestone for the library as it is the first major release for a full Delphi version. 

Background

TMSCP was initially released end of 2015 to include strong cryptographic algorithms, following the Snowden revelations.
The core algorithms to encrypt/decrypt, hash, sign/verify were developed in C and wrapped into Delphi classes.
This setup had the advantage to keep the C code for use on any operating system (OS), on the premise that there is a C compiler for every OS.

However, the cost of maintaining the overall code on par with RAD Studio updates was heavy and required the use of "tricks" in many cases (e.g., extra DLLs or specific assembly "glue").

It was decided at the end of 2023 to port the entire code to Delphi to reduce the overhead due to maintainance.

A Good Port Spoilt

The port from C to Delphi was not a simple walk as the tolerance of C for casts and register overflows doesn't pass the Delphi test.
We had to adapt several data structures and portions of the code to make sure the results would be identical between the 4.3.3 and 5.x.y versions.

Registered users have probably noticed that several "beta" versions have been issued since the beginning of 2024.
These versions gradually incorporated algorithms from version 4.3.3, and version 5.0.9.4 now contains all these algorithms with the following differences:

• AES ECB-CBC-OFB-CTR modes  with PKCS#7 padding only have been kept, the Cipher Text Stealing (CTS) mode has been added
• AES MAC has been kept
• AES GCM has been kept
• SPECK: 256-bit key sizes and CBC mode with PKCS#7 padding only has been kept, all other key sizes and modes have been removed
• RSA 2048, 3072 and 4096 key sizes have been kept (new properties have been added – see RSA section in documentation)
• ECDSA and EdDSA (ed25519, ed448, ed 511187, P521, P384 and P256) have been kept
• ECIES with ed25519 has been kept, other curves will be added in future releases if there is enough demand
• SALSA has been kept
• SHA1 was initially removed, and then added back to ensure compatibility with several (not so recent) RFCs
• SHA-2 with 256, 384 and 512-bit hash sizes has been kept
• SHA-3 with 256, 384 and 512-bit hash sizes has been kept
• PBKDF 2 has been kept (SHA1 support has been added for ZIP key derivation)
• HKDF has been kept
• Blake2B has been kept
• RIPEMD-160 is deprecated, not much used, and has been removed
• Argon2 has been kept
• Generation of X509 self-signed certificates has been kept and slightly improved (more field / OIDs are supported)
• Generation of X509 CSR, with support for RSA 2048 / SHA 256 only, has been kept
• XAdES has been kept and improved with predefined templates to satisfy national regulations (see XadES section for use)
• CAdES has been kept
• PAdES has been kept
• xChaCha20, a stream cipher, has been added
• TLSH (a non cryptographic hash) has been kept
• ZIP encryption services supporting the AE-2 requirements have been added

Test vectors from relevant RFCs have been used to validate the algorithms, when they exist. RFCs are usually identified in comments in .pas files.

The most important modification is that some APIs have been changed to ensure better uniformity across cryptographic interfaces. Consequently, Users may have to adjust existing code to take those changes into account, especially with the new ‘inputFormat’ property.

Compatibility is no longer ensured with public key cryptographic operations using SHA1 with a few exceptions:

• interoperability with legacy certificates (many certificates still contain SHA1 digests)
• interoperability with other cryptographic services, such as ZIP crypto or XAdES

We DO NOT encourage the use of SHA1 in new cryptographic services.

With the exception of the generation of PFX certificates, openSSL is no longer required the generate or decode PKIX objects.

On a side note, several tools have been added to the FreeTools directory. All of them demonstrate a specific feature of TMSCP.
The demo section has been updated and contains source code for most algorithms.

Future work

Version 4.3.3 will no longer be maintained. It contains a few bugs that have been fixed but not distributed in a full upgrade (the relevant .obj files are available on demand).

Version 5.x will indeed be maintained, augmented, and improved as performance issues have been noticed for some algorithms (mostly RSA).

New features are in the making and requests can be sent to Support or directly to me.

Conclusion

TMS Cryptography Pack has been out for 10 years now and has undergoned profound changes with its port to full Delphi code.
It contains all basic strong algorithms and primitives to provide up-to-date cryptographic services in Delphi applications.

TMSCP is framework agnostic and can be used in VCL, FMX and console applications.