# Cryptography
The `System.Crypto` unit provides a wide range of cryptographic primitives, including secure hashing, symmetric and asymmetric encryption, and cryptographic utilities.
## Hashing Algorithms
All hashing classes inherit from `HashAlgorithm` and provide `HashData` and `HMAC` methods.
| Class | Description |
| :--- | :--- |
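| `HashMD5` | Legacy MD5 hashing (128-bit). Not collision-resistant; use only for compatibility with existing data. |
| `HashSHA1` | Legacy SHA-1 hashing (160-bit). Not collision-resistant; use only for compatibility with existing data. |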
| `HashSHA256` | Standard SHA-2 256-bit hashing. |
| `HashSHA512` | Standard SHA-2 512-bit hashing. |
| `HashSHA3_256` | Modern SHA-3 256-bit hashing (Keccak). |
| `HashRIPEMD160` | RIPEMD 160-bit hashing. |
| `HashCRC32` | CRC32 checksum. Detects accidental corruption only; it is not a cryptographic hash. |
```pascal
uses System.Crypto;
// Standard Hashing
var hash := HashSHA256.HashData('Message');
// HMAC (Keyed Hashing)
var hmac := HashSHA256.HMAC('Message', 'SecretKey');
```
## Symmetric Encryption (AES)
Authenticated encryption combining AES with hashing for integrity.
| Class | Description |
| :--- | :--- |
| `EncryptionAESSHA256Full` | AES-CTR with SHA-256 HMAC. Recommended for general use. |
| `EncryptionAESSHA3CTR` | AES-CTR with SHA3-256 HMAC. |
| `EncryptionAESnistCTR` | Low-level AES-CTR (requires manual IV management). |
| `EncryptionCryptProtect` | Windows DPAPI (Machine or User bound encryption). |
## Asymmetric Cryptography
### ECC (secp256r1)
The `ECCsecp256r1` class provides Elliptic Curve Cryptography for signatures and key exchange.
| Method | Description |
| :--- | :--- |
| `MakeKey(var pub, var priv)` | Generates a new key pair. |
| `ECDHSharedSecret(pub, priv)` | Calculates shared secret (Diffie-Hellman). |
| `ECDSASign(priv, hashHex)` | Signs a 256-bit hash. |
| `ECDSAVerify(pub, hashHex, sig)` | Verifies a signature. |
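
An added usage sketch (not code from the original documentation) combining the four methods above: an ECDH agreement followed by an ECDSA signature check over a SHA-256 digest. It assumes the methods are called on the class itself, that keys, signatures and the shared secret are strings, and that `HashData` returns the hex digest expected by the `hashHex` parameter; the messages are constructed.

```pascal
uses System.Crypto;

// Two parties each generate their own key pair (assumed: keys are strings).
var alicePub, alicePriv, bobPub, bobPriv : String;
ECCsecp256r1.MakeKey(alicePub, alicePriv);
ECCsecp256r1.MakeKey(bobPub, bobPriv);

// ECDH: each side combines its own private key with the peer's public key.
var secretA := ECCsecp256r1.ECDHSharedSecret(bobPub, alicePriv);
var secretB := ECCsecp256r1.ECDHSharedSecret(alicePub, bobPriv);
if secretA = secretB then
   PrintLn('ECDH: both sides derived the same secret')
else
   PrintLn('ECDH: mismatch');

// Hash the raw shared secret before using it as key material
// rather than using the curve output directly.
var sessionKey := HashSHA256.HashData(secretA);

// ECDSA signs a 256-bit hash, so digest the message with SHA-256 first.
var digest := HashSHA256.HashData('transfer 100 to bob');   // constructed message
var sig := ECCsecp256r1.ECDSASign(alicePriv, digest);

// The signature verifies against the signer's public key and the same digest.
if ECCsecp256r1.ECDSAVerify(alicePub, digest, sig) then
   PrintLn('signature accepted')
else
   PrintLn('signature rejected');

// A digest of altered content must not verify with the same signature.
var tampered := HashSHA256.HashData('transfer 900 to bob');
if ECCsecp256r1.ECDSAVerify(alicePub, tampered, sig) then
   PrintLn('tampered message accepted (unexpected)')
else
   PrintLn('tampered message rejected');

// Neither must a signature verify against a different public key.
if ECCsecp256r1.ECDSAVerify(bobPub, digest, sig) then
   PrintLn('wrong key accepted (unexpected)')
else
   PrintLn('wrong key rejected');
```
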
### RSA
The `TRSAKey` class supports RSA encryption and signatures.
| Method | Description |
| :--- | :--- |
| `Generate(bitSize)` | Constructor for new keys (e.g. 2048, 4096). |
| `SignHash(algo, hashHex)` | Signs a hash. |
| `VerifyHash(algo, hashHex, sig)` | Verifies a signature. |
| `Encrypt / Decrypt` | Encrypts or decrypts data using the key. |
| `ExportJSON / ImportJSON` | Serializes the key to/from JSON format. |
## Nonces & One-Time Tokens
The `Nonces` class manages unique, time-limited tokens stored in memory. It is useful for preventing replay attacks, protecting against CSRF, or managing temporary sessions.
| Method | Description |
| :--- | :--- |
| `Generate(ms)` | Generates a new nonce with no associated data. |
| `Generate(ms, data)` | Generates a new nonce with associated data string. |
| `Register(nonce, ms, data)` | Registers an existing token string with expiration. |
| `CheckAndRemove(nonce)` | True if valid and has no data. Removes it. |
| `CheckAndRemove(nonce, data)` | True if valid and matches data. Removes it. |
| `CheckAndKeep(nonce)` | True if valid and has no data. Keeps it. |
| `CheckAndKeep(nonce, data)` | True if valid and matches data. Keeps it. |
| `GetData(nonce)` | Retrieves the data string associated with a nonce (or empty if invalid). |
| `Remove(nonce)` | Manually expires a nonce. |
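
An added sketch (not code from the original documentation) of a one-time form token bound to a session, using only the methods listed above. It assumes `ms` is the token lifetime in milliseconds, that `Generate` returns the token as a string, and that the methods are called on the class as `Nonces.Generate(...)`; the session identifiers are constructed.

```pascal
uses System.Crypto;

// Constructed session identifiers for the example.
const cSessionA = 'session-A';
const cSessionB = 'session-B';

// Issue a token valid for five minutes, bound to the session that requested it.
var token := Nonces.Generate(5 * 60 * 1000, cSessionA);

// The associated data can be read back while the token is still registered.
PrintLn('bound to: ' + Nonces.GetData(token));

// Legitimate submission: token and session match, and the token is consumed.
if Nonces.CheckAndRemove(token, cSessionA) then
   PrintLn('first submission accepted')
else
   PrintLn('first submission rejected');

// Replay of the same request: the token was removed, so the check fails.
if Nonces.CheckAndRemove(token, cSessionA) then
   PrintLn('replay accepted (unexpected)')
else
   PrintLn('replay rejected');

// A token presented from another session does not match its data.
var token2 := Nonces.Generate(5 * 60 * 1000, cSessionA);
if Nonces.CheckAndKeep(token2, cSessionB) then
   PrintLn('cross-session use accepted (unexpected)')
else
   PrintLn('cross-session use rejected');

// Expire the unused token explicitly, for example on logout.
Nonces.Remove(token2);
```

Use `CheckAndRemove` for state-changing requests so a captured token cannot be submitted twice; `CheckAndKeep` suits tokens that must stay valid across several requests until they expire.
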
## Cryptographic Utilities
| Function / Method | Description |
| :--- | :--- |
| `PBKDF2_HMAC_SHA256(pass, salt, iters)` | Password-based key derivation. |
| `CryptographicToken(bits)` | Returns a random alphanumeric token. |
| `CryptographicRandom(bytes)` | Returns raw random bytes. |
| `Nonces.Generate(ms, data)` | Generates and registers a time-limited one-time token. |