David A. McGrew, Ph.D. 

Publications 
Some of my recent publications, presentations, specifications and
standardsrelated works are available online.
Research 
D. McGrew, Impossible plaintext cryptanalysis and probableplaintext collision attacks of 64bit block cipher modes, Proceedings of the Fast Software Encryption Workshop, 2013. Preprint available at the IACR eprint archive.
The block cipher modes of operation that are widely used (CBC, CTR, CFB) are secure up to the birthday bound; that is, if w*2^w or fewer bits of data are encrypted with a wbit block cipher. However, the detailed security properties close to this bound are not widely appreciated, despite the fact that 64bit block ciphers are sometimes used in that domain. This work addresses the issue by analyzing plaintextrecovery attacks that are effective close to that bound. We describe probableplaintext attacks, which can learn unknown plaintext values that are encrypted with CBC, CFB, or OFB. We also introduce impossible plaintext cryptanalysis, which can recover information encrypted with CTR, and can improve attacks against the aforementioned modes as well. These attacks work at the birthday bound, or even slightly below that bound, when the target plaintext values are encrypted under a succession of keys.
Slides are available on the FSE 2013 website.
D. McGrew and S. Fluhrer, The Security of the Extended Codebook (XCB) Mode of Operation, Proceedings of the 14th Annual Workshop on Selected Areas in Cryptography, Springer, 2007. Preprint available at the IACR eprint archive.
The XCB mode of operation was outlined in 2004 as a contribution to the IEEE Security in Storage effort, but no security analysis was provided. In this paper, we provide a proof of security for XCB, and show that it is a secure tweakable (super) pseudorandom permutation. Our analysis makes several new contributions: it uses an algebraic property of XCBÕs internal universal hash function to simplify the proof, and it defines a nonce mode in which XCB can be securely used even when the plaintext is shorter than twice the width of the underlying block cipher. We also show minor modifications that improve the performance of XCB and make it easier to analyze. XCB is interesting because it is highly efficient in both hardware and software, it has no alignment restrictions on input lengths, it can be used in nonce mode, and it uses the internal functions of the Galois/Counter Mode (GCM) of operation, which facilitates design reuse and admits multipurpose implementations.
Hu, YihChun, David McGrew, Adrian Perrig, Brian Weis, and Dan Wendlandt. (R)Evolutionary Bootstrapping of a Global PKI for Securing BGP,
Fifth Workshop on Hot Topics in Networks (HotNetsV), by ACM SIGCOMM. Irvine, California, November 2930, 2006.Most secure routing proposals require the existence of a global publickey infrastructure (PKI) to bind a public/private keypair to a prefix, in order to authenticate route originations of that prefix. A major difficulty in secure routing deployment is the mutual dependency between the routing protocol and the establishment of a globally trusted PKI for prefixes and ASes: cryptographic mechanisms used to authenticate BGP Update messages require a PKI, but without a secure routing infrastructure in place, Internet registries and ISPs have little motivation to invest in the development and deployment of this PKI. This paper proposes a radically different mechanism to resolve this dilemma: an evolutionary GrassrootsPKI that bootstraps by letting any routing entity announce selfsigned certificates to claim their address space. Despite the simple optimistic security of this initial stage, we demonstrate how a GrassrootsPKI provides ASes with strong incentives to evolve the infrastructure into a full topdown hierarchical PKI, as proposed in secure routing protocols like SBGP. Central to the GrassrootsPKI concept is an attack recovery mechanism that by its very nature moves the system closer to a global PKI. This admittedly controversial proposal offers a rapid and incentivecompatible approach to achieving a global routing PKI.
David McGrew, Efficient Authentication of large, dynamic data sets using Galois/Counter Mode (GCM), 3rd International IEEE Security in Storage Workshop, December 13, 2005.
The Galois/Counter Mode (GCM) of operation can be used as an incremental message authentication code (MAC); in this respect, it is unique among the crypto algorithms used in practice. We show that it has this property, and show how to use it as an incremental MAC. These MACs have great utility for protecting data at rest. In particular, they can be used to protect a large, dynamic data set using only a small, constant amount of memory.
David A. McGrew and John Viega, The Security and Performance of the Galois/Counter Mode (GCM) of Operation, INDOCRYPT 2004, SpringerVerlag, 343355. Full version available at the IACR eprint archive, August 10, 2004.
The recently introduced Galois/Counter Mode (GCM) of operation for block ciphers provides both encryption and message authentication, using universal hashing based on multiplication in a binary finite field. We analyze its security and performance, and show that it is the most efficient mode of operation for high speed packet networks, by using a realistic model of a network crypto module and empirical data from studies of Internet traffic in conjunction with software experiments and hardware designs. GCM has several useful features: it can accept IVs of arbitrary length, can act as a standalone message authentication code (MAC), and can be used as an incremental MAC. We show that GCM is secure in the standard model of concrete security, even when these features are used. We also consider several of its important systemsecurity aspects.
Mingyan Li, Radha Poovendran, David A. McGrew: Minimizing center key storage in hybrid oneway function based group key management with communication constraints. Inf. Process. Lett. 93(4): 191198 (2005).
Bo Yang, Ramesh Karri, David A. McGrew: Divideandconcatenate: an architecture level optimization technique for universal hash functions. DAC 2004: 614617.
Bo Yang, Ramesh Karri, David A. McGrew: Divide and concatenate: a scalable hardware architecture for universal MAC. FPGA 2004: 258.
Top Ten Wrong Conclusions from Attacks on Additive Encryption, last slide from the SAC '00 presentation.
David A. McGrew and Scott R. Fluhrer, Attacks on Additive Encryption of Redundant Plaintext and Implications on Internet Security, The Proceedings of the Seventh Annual Workshop on Selected Areas in Cryptography (SAC 2000), SpringerVerlag, August, 2000.
Abstract: We present and analyze attacks on additive stream ciphers that rely on linear equations that hold with nontrivial probability in plaintexts that are encrypted using distinct keys. These attacks extend Biham's key collision attack and Hellman's time memory tradeoff attack, and can be applied to any additive stream cipher. We define linear redundancy to characterize the vulnerability of a plaintext source to these attacks.
We show that an additive stream cipher with an $n$bit key has an effective key size of $n\min(l, \lg M)$ against the key collision attack, and of $2n/3 + \lg (n/3) + \max(nl,0)$ against the time memory tradeoff attack, when the the attacker knows $l$ linear equations over the plaintext and has $M$ ciphertexts encrypted with $M$ distinct unknown secret keys.
Lastly, we analyze the IP, TCP, and UDP protocols and some typical protocol constructs, and show that they contain significant linear redundancy. We conclude with observations on the use of stream ciphers for Internet security.
Scott R. Fluhrer and David A. McGrew, Statistical Analysis of the Alleged RC4 Stream Cipher, The Proceedings of the Fast Software Encryption Workshop 2000, SpringerVerlag, March, 2000.
Abstract: The alleged RC4 keystream generator is examined, and a method of explicitly computing digraph probabilities is given. Using this method, we demonstrate a method for distinguishing 8bit RC4 from randomness. Our method requires less keystream output than currently published attacks, requiring only $2^{30.6}$ bytes of output. In addition, we observe that an attacker can, on occasion, determine portions of the internal state with nontrivial probability. However, we are currently unable to extend this observation to a full attack.
David A. McGrew and Alan T. Sherman, Key establishment in large dynamic groups using oneway function trees, IEEE Transactions on Software Engineering 29(5): 444458 (2003).
Abstract: We present and analyze a new algorithm for establishing shared cryptographic keys in large, dynamically changing groups. Our algorithm is based on a novel application of oneway function trees. In comparison with previously published methods, our algorithm achieves a new minimum in the number of bits that need to be broadcast to members in order to rekey after a member is added or evicted. The number of keys stored by group members, the number of keys broadcast to the group when new members are added or evicted, and the computational efforts of group members, are logarithmic in the number of group members. Our algorithm provides complete forwards and backwards security: newly admitted group members cannot read previous messages, and evicted members cannot read future messages, even with collusion by arbitrary many evicted members.
This algorithm offers a new scalable method for establishing group session keys for secure largegroup applications such as electronic conferences, multicast sessions, and military command and control.
David McGrew and Scott Fluhrer. The Extended Codebook (XCB) Mode of Operation. Prepublication draft, available on IACR Eprint Archive. October, 2004. (The published work is cited above.)
We describe a block cipher mode of operation that implements a `tweakable' (super) pseudorandom permutation with an arbitrary block length. This mode can be used to provide the best possible security in systems that cannot allow data expansion, such as diskblock encryption and some network protocols. The mode accepts an additional input, which can be used to protect against attacks that manipulate the ciphertext by rearranging the ciphertext blocks.
Our mode is similar to a fiveround LubyRackoff cipher in which the first and last rounds do not use the conventional Feistel structure, but instead use a single block cipher invocation. The third round is a Feistel structure using counter mode as a PRF. The second and fourth rounds are Feistel structures using a universal hash function; we reuse the polynomial hash over a binary field defined in the Galois/Counter Mode (GCM) of operation for block ciphers. This choice provides efficiency in both hardware and software and allows for reuse of implementation effort. XCB also has several useful properties: it accepts arbitrarilysized plaintexts and associated data, including any plaintexts with lengths that are no smaller than the width of the block cipher.
David McGrew and Scott Fluhrer. Multiple forgery attacks against Message Authentication Codes. Prepublication draft, available on IACR Eprint Archive. May, 2005.
Some message authentication codes (MACs) are vulnerable to multiple forgery attacks, in which an attacker can gain information that allows her to succeed in forging multiple message/tag pairs. This property was first noted in MACs based on universal hashing, such as the Galois/Counter Mode (GCM) of operation for block ciphers. However, we show that CBCMAC and HMAC also have this property, and for some parameters are more vulnerable than GCM. We present multipleforgery attacks against these algorithms, then analyze the security against these attacks by using the expected number of forgeries. We compare the different MACs using this measure.
There is a remarkably close parallel between the problems of the physicist and those of the cryptographer. The system on which a message is enciphered corresponds to the laws of the universe, the intercepted messages to the evidence available, the keys for a day or a message to important constants which have yet to be determined. The correspondence is very close, but the subject matter of cryptography is very easily dealt with by discrete machinery, physics not so easily. Alan Turing, "Intelligent machinery." In: Bernhard Meltzer and Donald Michie (eds), Machine Intelligence 5., p. 14.
The papers in physics below were published during graduate school while I was at the National Superconducting Cyclotron Laboratory and Michigan State University.
D.A. McGrew and W. Bauer, Constraint operator solution to quantum billiard problems, Phys. Rev. E, 54, 5809 (1996).
We introduce an additional method to solve Schrodinger's equation for a free particle in an infinite well of arbitrary shape (the Helmholtz equation with Dirichlet boundary conditions) , a problem of interest in the area of quantum chaos. We expand the wave function in a basis of products of sine functions, then use the constraint operator to contain the wave function to a region within the domain of the basis functions. In this manner, a quantum billiard problem of arbitrary shape can be solved. Several methods exist to solve problems of this sort, but as recent work reviewing these methods has shown, all have shortcomings. Our work represents a different direction in the solution of these problems. Our method is different in that it provides a means of computing an eigenbasis. It is also interesting from a physical standpoint in that it can represent the Hamiltonian of a classically chaotic system in the basis of a classically regular system.
Surajit Sen, Carl N. Hoff, Dennis E. Kuhl and David A. McGrew, Relaxation in simple s=1/2 spin chains with next nearest neighbor interactions, Physical Review B vol. 53, pp. 33983408 (1996).
Most of the existing dynamical studies in one dimension on magnetic insulators have considered the simplest spin models with nearestneighbor interactions. In real systems, however, it is possible that longer range interactions are not entirely negligible. It is expected that the inclusion of nextnearestneighbor interactions between spins in onedimensional spin models will introduce a multitude of new frequencies in addition to the ones already present in the dynamics that arises due to nearestneighbor interactions. We first present an exact solution for the dynamical xxspinpair correlations in an Ising chain with both nearest and nextnearestneighbor interactions to confirm our expectation. We next show, via an approximate analytical calculation, that the dynamical zzspinpair correlations in the nextnearestneighbor transverse Ising chain when plotted as a function of time is noticeably different with respect to the exactly solvable nearestneighbor transverse Ising chain at T> [infinity] when the nextnearestneighbor interaction is >~ 1/2 of the magnitude of the nearestneighbor interaction. The effects could be fairly subtle in the time domain representation and in the spectral function when these additional interactions are weak (i.e., <1/2 of the nearestneighbor interaction magnitude). The general conclusions reached in this work are expected to be valid for other simple quantum spin models such as the XY and XXZ models in one dimension.
W. Bauer, D. McGrew, V. Zelevinsky, and P. Schuck, Regular and Chaotic Dynamics in Giant Nuclear Oscillations, Nucl. Phys. A583, 93c (1995).
We study the problem of giant nuclear oscillations by performing selfconsistent calculations in semiclassical approximation utilizing a multipolemultipole interaction of the BohrMottelson type for quadrupole and octupole deformations. In all cases considered, we find regular motion of the collective coordinate, the multipole moment of deformation. This is in contradiction to the predictions of the wall formula and suggests that this type of onebody dissipation might not be realized in real nuclear systems. In addition, we find chaotic single particle motion in coexistence with the regular collective dynamics.
W. Bauer, D. McGrew, V. Zelevinsky, and P. Schuck, Coexistence of Regular Undamped Nuclear Dynamics with Intrinsic Chaoticity, Phys. Rev. Lett. 72, 3771 (1994).
We study the conditions under which the nucleons inside a deformed nucleus can undergo chaotic motion. To do this we perform selfconsistent calculations in semiclassical approximation utilizing a multipolemultipole interaction of the BohrMottelson type for quadrupole and octupole deformations. For the case of harmonic and nonharmonic static potentials, we find that both multipole deformations lead to regular motion of the collective coordinate, the multipole moment of deformation. However, despite this regular collective motion, we observe chaotic singleparticle dynamics.
Technical Reports 
D. Balenson, D. Branstad, P. Dinsmore, M. Heyman, and C. Scace. DCCM Cryptographic Context Negotiation Protocol. TIS Technical Report 0757, TIS labs at Network Associates, Inc., February 1999.
D. Balenson, D. Branstad, D. McGrew, and A. Sherman. DCCM architecture and system design. Technical Report TIS report 0709, TIS labs at Network Associates, Inc., June 1998.
D. Balenson, D. McGrew, and A. Sherman. Key management for large dynamic groups: Oneway function trees and amortized initialization. draftirtfsmuggroupkeymgmtoft00.txt, Internet Research Task Force, August 2000.
D. Balenson, D. Branstad, D. McGrew, J. Turner, and M. Heyman. DCCM Cryptographic Context Negotiation Template. TIS Technical Report 07452, TIS labs at Network Associates, Inc., February 1999.
Denny Branstad, David McGrew. PolicyControlled Cryptographic Key Release. DIMACS Trust Management Workshop. September, 1996.
Presentations 
Problems and Progress with Crypto Hash Functions, Presentation to IAB/Technical Plenary at IETF64, 2005.
Scalable, Efficient Cryptography for Multiple Security Services. The Center for Information Systems Security Studies and Research, Naval Postgraduate School, July, 2004.
Security without data expansion: the XCB mode of operation. CyLab Seminar, CarnegieMellon University, October, 2004.
GCM: Encryption and Authentication at 10 gbps and Beyond. Washington Area Trustworthy Systems Hour (WATSH), April 13, 2004.
The Shape of VPNs to Come. The Internet Security Conference (TISC), October, 1999.
Specifications and Standards 
M. Baugher, D. McGrew, M. Naslund, E. Carrara, K. Norrman, The Secure Realtime Transport Protocol (SRTP), IETF Request for Comments RFC 3711. March 2004. Standards Track.
This document describes the Secure Realtime Transport Protocol (SRTP), a profile of the Realtime Transport Protocol (RTP), which can provide confidentiality, message authentication, and replay protection to the RTP traffic and to the control traffic for RTP, the Realtime Transport Control Protocol (RTCP).
libSRTP is an opensource reference implementation of Secure RTP, which is available on sourceforge.
D. McGrew, F. Andreasen, L. Dondeti, Encrypted Key Transport for Secure RTP, IETF Internet Draft draftmcgrewsrtpekt06.txt. October 2009. Informational.
SRTP Encrypted Key Transport (EKT) is an extension to SRTP that provides for the secure transport of SRTP master keys, Rollover Counters, and other information, within SRTCP. This facility enables SRTP to work for decentralized conferences with minimal control, and to handle situations caused by early media.
D. McGrew, E. Rescorla, Datagram Transport Layer Security (DTLS) Extension to Establish Keys for Secure Realtime Transport Protocol (SRTP), IETF Internet Draft draftietfavtdtlssrtp07.txt. Standards Track. February, 2009. (Approved for RFC.)
This document describes a Datagram Transport Layer Security (DTLS) extension to establish keys for secure RTP (SRTP) and secure RTP Control Protocol (SRTCP) flows. DTLS keying happens on the media path, independent of any outofband signalling channel present.D. McGrew. The use of AES192 and AES256 in Secure RTP, draftietfavtsrtpbigaes02.txt. Standards Track. October, 2009.
This memo describes the use of the Advanced Encryption Standard (AES) with 192 and 256 bit keys within the Secure RTP protocol. It defines Counter Mode encryption for SRTP and SRTCP and a new SRTP Key Derivation Function (KDF) for AES192 and AES256.
D. McGrew. AESGCM and AESCCM Authenticated Encryption in Secure RTP (SRTP) draftietfavtsrtpaesgcm00. Standards Track. July, 2009.This document defines how AESGCM, AESCCM, and other Authenticated Encryption with Associated Data (AEAD) algorithms, can be used to provide confidentiality and data authentication mechanisms in the SRTP protocol.
D. McGrew Synchronizing the Rollover Counter in SRTP Multiparty Sessions, March, 2006. (Sent to IETF AVT working group, but not formally published.)
David A. McGrew and John Viega, Galois/Counter Mode of Operation (GCM), Local copy of the original submission to NIST Modes of Operation process, January 15, 2004. Slightly revised on May 31, 2005 (posted on June 2, 2005).
Galois/Counter Mode (GCM) is a block cipher mode of operation that uses universal hashing over a binary Galois field to provide authenticated encryption. It can be implemented in hardware to achieve high speeds with low cost and low latency. Software implementations can achieve excellent performance by using tabledriven field operations. It uses mechanisms that are supported by a wellunderstood theoretical foundation, and its security follows from a single reasonable assumption about the security of the block cipher.
J. Viega and D. McGrew, The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP), IETF Request for Comments RFC 4106, June, 2005.
This memo describes the use of the Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) as an IPsec Encapsulating Security Payload (ESP) mechanism to provide confidentiality and data origin authentication. This method can be efficiently implemented in hardware for speeds of 10 gigabits per second and above, and is also wellsuited to software implementations.
D. McGrew and J. Viega, The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH, IETF Request for Comments RFC 4543, May, 2006.
This memo describes the use of the Advanced Encryption Standard (AES) Galois Message Authentication Code (GMAC) as a mechanism to provide data origin authentication, but not confidentiality, within the IPsec Encapsulating Security Payload (ESP) and Authentication Header (AH). GMAC is based on the Galois/Counter Mode (GCM) of operation, and can be efficiently implemented in hardware for speeds of 10 gigabits per second and above, and is also wellsuited to software implementations.
D. McGrew, P. Patnala, A. Hoenes, Threshold Secret Sharing, draftmcgrewtss02.txt, March 2009. Informational.
Threshold secret sharing (TSS) provides a way to generate N shares from a value, so that any M of those shares can be used to reconstruct the original value, but any M1 shares provide no information about that value. This method can provide shared access control on key material and other secrets that must be strongly protected.This note defines a threshold secret sharing method based on polynomial interpolation in GF(256) and a format for the storage and transmission of shares. It also provides usage guidance, describes
how to test an implementation, and supplies test cases.
David A. McGrew and Scott R. Fluhrer, The Stream Cipher LEVIATHAN: Specification and Supporting Documentation, Submission to the New European Schemes for Signatures, Integrity, and Encryption (NESSIE) Standard, October 24, 2000.
Abstract: This paper specifies the synchronous stream cipher LEVIATHAN, and provides the supporting documentation for the NESSIE standardization process. The design of this cipher enables it to efficiently seek to arbitrary locations in its keystream, despite the fact that its state transition functions are nonlinear. The cipher is designed for high throughput on general purpose processors.
The package containing the specification, reference implementation, and supporting documentation for the NESSIE process is available online. This is the third version of this package; it corrects some minor errors and ambiguities. NESSIE is the New European Schemes for Signatures, Integrity, and Encryption.
Canst thou draw out leviathan with a hook? (Job 41:1) Perhaps not, but Paul Crowley and Stefan Lucks published an analysis of the Bias in the LEVIATHAN stream cipher at the April, 2001 Fast Software Encryption Workshop. This work shows that bias can be observed with 2^36 bytes of output, and presents two distinguishers.
A relatively simple addition to the cipher is believed to eliminate this bias. However, the updated specification has not yet been published.
Secure RTP defines a counter mode variant in Section 4.1.1. This mode was chosen because it provides high security, has ciphertext that is no larger than the corresponding plaintext, it does not propagate bit errors on decryption.
Counter Mode Security: Analysis and Recommendations. Unpublished draft for IETF IPsec WG.
Integer Counter Mode, draftmcgrewsaagicm00.txt. Individual submission to the IETF Security Area Advisory Group (SAAG). This draft defines a counter mode variant that is flexible enough to be applied to distinct application domains. Please note that this variant is not interoperable with that specified in the old Stream Cipher ESP document. This draft has expired and has not been resubmitted.
Segmented Integer Counter Mode: Specification and Rationale. Submitted to NIST Modes of Operation Workshop, October, 2000. This document describes how counter mode can be used for packet encryption.
TMMH Version Two is specified in draftmcgrewsaagtmmh02.txt. See the Revision History section for a list of changes from the initial version. This draft has expired and has not been resubmitted.
UST is a data transform which provides confidentiality and message authentication by using a universal hash function (such as TMMH) with a segmented stream cipher (such as AES Counter Mode). It is specified in draft draftmcgrewsaagust00.txt. This transform is well optimized for protecting packet flows, minimizing computational cost and storage requirements while providing strong security. A previous draft describing UST was called draftmcgrewsaagsst00.txt; the name was changed to avoid a potential trademark infringement.
This draft has expired and has not been resubmitted. Please see GCM, which follows the same framework and has the same benefits (though GCM is a block cipher mode, and will not work with an arbitrary pseudorandom function).
Individual submission to the IETF IPsec Working Group, draftmcgrewipsecscesp02.txt. IETF Internet Draft, November, 2000. This is joint work with Scott Fluhrer and Cheryl Madson. This draft has expired and has not been resubmitted.
Revision Historydraftmcgrewipsecscesp02.txt Added a section on Counter Mode, and a subsection on the security analysis of that cipher. Minor clarifications added.
draftmcgrewipsecscesp01.txt Changed a MAY to a MUST based on feedback from the presentation at the Pittsburgh IETF. Minor clarifications added.
draftmcgrewipsecscesp00.txt  Original version.The SEAL ESP is a specialization of SC/ESP; it is implemented in Cisco IOS. The SEAL cipher is described by a paper in the Journal of Cryptology that is also available online.
Xiaoyi Liu, Cheryl Madson, David McGrew, Andrew Nourse. Cisco Systems' Simple Certificate Enrollment Protocol (SCEP). IETF Informational Draft. Also published as a Cisco Systems, Inc. white paper.
N. CamWinget, D. McGrew, J. Salowey, H. Zhou. EAP Flexible Authentication via Secure Tunneling (EAPFAST). IETF Informational Draft, April, 2005.
Cisco Comments on the Advanced Encryption Standard. These comments reflect a perspective on the AES requirements from the viewpoint of an implementer and vendor of cryptographic systems, and are part of the Round Two feedback of NIST's AES effort.
The Kerberos Key Management Protocol, now the IETF KINK WG.
Key Management for Large Dynamic Groups, D. Balenson, D. McGrew, A. Sherman, IRTF Draft <draftirtfsmuggroupkeymgmtoft00.txt>.
Key Management for Large Dynamic Groups: OneWay Function Trees and Amortized Initialization, D. Balenson, D. McGrew, A. Sherman, Expired IETF Internet Draft <draftbalensongroupkeymgmtoft00.txt>.
Patents 
Stream cipher encryption method and apparatus that can efficiently seek to arbitrary locations in a key stream. United States Patent 6,862,354. David McGrew, Scott Fluhrer. March 1, 2005. Assigned to Cisco Systems, Inc.
Publicly verifiable key recovery. United States Patent 6,249,585. David McGrew, David Carman. June 19, 2001. Assigned to Network Associates, Inc.
Crypto Source Code 
The source code online here is unrestricted
encryption source code, as per Section 740.13(e) of the U. S. Export
Administration Regulations.
This site includes publicly available encryption source code which,
together with object code resulting from the compiling of publicly
available source code, may be exported from the United States under
License Exception "TSU" pursuant to 15 C.F.R. Section
740.13(e).
The source (and documentation) for LEVIATHAN is available as a tgz (tarred and gzipped) file.
libSRTP, an open source reference implementation of Secure RTP, is online at sourceforge.net. This work implements SRTP in a portable C library with a documented API. The libsrtp distribution is a .tgz file containing C source code. The README file describes how to build the library and run the test driver and example programs. The API is described in the document libSRTP Overview and Documentation , which is included in the distribution as doc/libsrtp.pdf and is also available online.
Links to Other Sites 
Here are links to some useful or interesting Internet sites.
The Crypto Forum Research Group (CFRG) is an Internet Research Task Force (IRTF) group for the discussion and review of cryptographic mechanisms for network security in general and for the IETF in particular. The group provides a forum where cryptographers, network security experts, and protocol designers can exchange ideas and investigate ways for using new cryptographic developments in the future Internet. 
For more information on CFRG, please see the main
web site
or the charter.
Cryptography is extensivel used on the Internet. Many IETF RFCs define or make use of cryptographic algorithms or protocols. The CFRG maintains a set of references on the Internet Cryptography pages.
The following opensource cryptography projects are all available online.
IPSEC
The OpenBSD operating system includes IPsec (and IPv6 as well).As of Linux 2.5.47, there is a native IPSec implementation in the kernel. For older versions, there is the FreeS/WAN project.
SSH
OpenSSH is a BSDlicensed SSH version developed by the OpenBSD community.GNU SSH Version 2.0 is a GPLlicensed SSH version.
PGP
GNU Privacy Guard (GPG)Kerberos
Here is the main Kerberos page at MIT.TLS/SSL
The OpenSSL project has great momentum.X.509 Certificates and Cryptographic Message Syntax (CMS)
S/MIME Freeware Library.Ciphers and Hash functions
Wei Dai’s crypto++ library is an extensive C++ crypto library.The cryptography.org website offers a good collection of cryptographic functions.
Eric Young's code has been the basis for several other opensource efforts.
Operating Systems
The OpenBSD operating system is a security conscious BSD variant that is laden with crypto.The TrustedBSD project is adding security to FreeBSD.
The SecurityEnhanced Linux kernel is a version of that operating system that is instrumented to support mandatory access controls.
The trustix operating system is a highassurance variant of linux.
The Internet Engineering Task Force (IETF) Security Area web page.
The IEEE Standard Specifications For PublicKey Cryptography (IEEE P1363 Working Group).
U. S. Federal Information Processing Standards (FIPS) on Computer Security.
The Public Key Cryptography Standards (PKCS) web page. Run by RSA, Inc.
The Standards for Efficient Cryptography Group (SECG). Run by Certicom, Inc.
The ATM Forum web page, which contains the ATM Security Framework Version 1.0 and ATM Security Specification Version 1.0.
Korean Security Standards.
Wireless LAN Security: The Bluetooth Specification. This spec contains an LFSR based cipher called `E0' (which is a variant of a summation generator) in section 14.3.4. Source code for this cipher is available online here.
The International Association for Cryptologic Research.
The Standard Cryptographic Algorithm Naming web page, maintained by the Cryptix Foundation. A good reference for cryptographic functions.
Ron Rivest's crypto page, a good resource for crypto stuff on the web.
Kevin McCurley's list of cryptographer's webpages.
Wei Dai's benchmarks of the cryptographic primitives in his crypt++ library.
The National Cryptologic Museum.
Official disclaimer: I am not related to this person.
Last updated December, 2014.