diff --git a/src/crypto/chap.c b/src/crypto/chap.c
index 6bebaca5..2f624564 100644
--- a/src/crypto/chap.c
+++ b/src/crypto/chap.c
@@ -42,7 +42,7 @@
  * eventually be freed by a call to chap_finish().
  */
 int chap_init ( struct chap_challenge *chap,
-		struct digest_algorithm *digest ) {
+		struct crypto_algorithm *digest ) {
 	size_t state_len;
 	void *state;
 
@@ -52,7 +52,7 @@ int chap_init ( struct chap_challenge *chap,
 
 	DBG ( "CHAP %p initialising with %s digest\n", chap, digest->name );
 
-	state_len = ( digest->context_len + digest->digest_len );
+	state_len = ( digest->ctxsize + digest->digestsize );
 	state = malloc ( state_len );
 	if ( ! state ) {
 		DBG ( "CHAP %p could not allocate %d bytes for state\n",
@@ -62,9 +62,9 @@ int chap_init ( struct chap_challenge *chap,
 	
 	chap->digest = digest;
 	chap->digest_context = state;
-	chap->response = ( state + digest->context_len );
-	chap->response_len = digest->digest_len;
-	chap->digest->init ( chap->digest_context );
+	chap->response = ( state + digest->ctxsize );
+	chap->response_len = digest->digestsize;
+	digest_init ( chap->digest, chap->digest_context );
 	return 0;
 }
 
@@ -83,7 +83,7 @@ void chap_update ( struct chap_challenge *chap, const void *data,
 	if ( ! chap->digest )
 		return;
 
-	chap->digest->update ( chap->digest_context, data, len );
+	digest_update ( chap->digest, chap->digest_context, data, len );
 }
 
 /**
@@ -104,7 +104,7 @@ void chap_respond ( struct chap_challenge *chap ) {
 	if ( ! chap->digest )
 		return;
 
-	chap->digest->finish ( chap->digest_context, chap->response );
+	digest_final ( chap->digest, chap->digest_context, chap->response );
 }
 
 /**
diff --git a/src/crypto/md5.c b/src/crypto/md5.c
index 182b625f..60642335 100644
--- a/src/crypto/md5.c
+++ b/src/crypto/md5.c
@@ -177,7 +177,8 @@ static void md5_init(void *context)
 	mctx->byte_count = 0;
 }
 
-static void md5_update(void *context, const void *data, size_t len)
+static void md5_update(void *context, const void *data, void *dst __unused,
+		       size_t len)
 {
 	struct md5_ctx *mctx = context;
 	const u32 avail = sizeof(mctx->block) - (mctx->byte_count & 0x3f);
@@ -207,7 +208,7 @@ static void md5_update(void *context, const void *data, size_t len)
 	memcpy(mctx->block, data, len);
 }
 
-static void md5_finish(void *context, void *out)
+static void md5_final(void *context, void *out)
 {
 	struct md5_ctx *mctx = context;
 	const unsigned int offset = mctx->byte_count & 0x3f;
@@ -233,11 +234,12 @@ static void md5_finish(void *context, void *out)
 	memset(mctx, 0, sizeof(*mctx));
 }
 
-struct digest_algorithm md5_algorithm = {
+struct crypto_algorithm md5_algorithm = {
 	.name		= "md5",
-	.context_len	= sizeof ( struct md5_ctx ),
-	.digest_len	= MD5_DIGEST_SIZE,
+	.ctxsize	= sizeof ( struct md5_ctx ),
+	.blocksize	= 1,
+	.digestsize	= MD5_DIGEST_SIZE,
 	.init		= md5_init,
-	.update		= md5_update,
-	.finish		= md5_finish,
+	.encode		= md5_update,
+	.final		= md5_final,
 };
diff --git a/src/include/gpxe/chap.h b/src/include/gpxe/chap.h
index c85d92f8..0ea7ac5c 100644
--- a/src/include/gpxe/chap.h
+++ b/src/include/gpxe/chap.h
@@ -10,12 +10,12 @@
 #include <stdint.h>
 #include <gpxe/md5.h>
 
-struct digest_algorithm;
+struct crypto_algorithm;
 
 /** A CHAP challenge/response */
 struct chap_challenge {
 	/** Digest algorithm used for the response */
-	struct digest_algorithm *digest;
+	struct crypto_algorithm *digest;
 	/** Context used by the digest algorithm */
 	uint8_t *digest_context;
 	/** CHAP response */
@@ -25,7 +25,7 @@ struct chap_challenge {
 };
 
 extern int chap_init ( struct chap_challenge *chap,
-		       struct digest_algorithm *digest );
+		       struct crypto_algorithm *digest );
 extern void chap_update ( struct chap_challenge *chap, const void *data,
 			  size_t len );
 extern void chap_respond ( struct chap_challenge *chap );
diff --git a/src/include/gpxe/crypto.h b/src/include/gpxe/crypto.h
index 023a0022..9023c354 100644
--- a/src/include/gpxe/crypto.h
+++ b/src/include/gpxe/crypto.h
@@ -9,38 +9,78 @@
 
 #include <stdint.h>
 
-/**
- * A message-digest algorithm
- *
- */
-struct digest_algorithm {
+/** A cryptographic algorithm */
+struct crypto_algorithm {
 	/** Algorithm name */
 	const char *name;
-	/** Size of a context for this algorithm */
-	size_t context_len;
-	/** Size of a message digest for this algorithm */
-	size_t digest_len;
-	/**
-	 * Initialise digest algorithm
+	/** Context size */
+	size_t ctxsize;
+	/** Block size */
+	size_t blocksize;
+	/** Final output size */
+	size_t digestsize;
+	/** Initialise algorithm
 	 *
-	 * @v context		Context for digest operations
+	 * @v ctx		Context
 	 */
-	void ( * init ) ( void *context );
-	/**
-	 * Calculate digest over data buffer
+	void ( * init ) ( void *ctx );
+	/** Set key
 	 *
-	 * @v context		Context for digest operations
-	 * @v data		Data buffer
-	 * @v len		Length of data buffer
+	 * @v ctx		Context
+	 * @v key		Key
+	 * @v keylen		Key length
+	 * @ret rc		Return status code
 	 */
-	void ( * update ) ( void *context, const void *data, size_t len );
-	/**
-	 * Finish calculating digest
+	int ( * setkey ) ( void *ctx, void *key, size_t keylen );
+	/** Encode data
 	 *
-	 * @v context		Context for digest operations
-	 * @v digest		Buffer for message digest
+	 * @v ctx		Context
+	 * @v src		Data to encode
+	 * @v dst		Encoded data, or NULL
+	 * @v len		Length of data
+	 * @ret rc		Return status code
+	 *
+	 * For a cipher algorithm, the enciphered data should be
+	 * placed in @c dst.  For a digest algorithm, only the digest
+	 * state should be updated, and @c dst will be NULL.
+	 *
+	 * @v len is guaranteed to be a multiple of @c blocksize.
 	 */
-	void ( * finish ) ( void *context, void *digest );
+	void ( * encode ) ( void *ctx, const void *src, void *dst,
+			    size_t len );
+	/** Decode data
+	 *
+	 * @v ctx		Context
+	 * @v src		Data to decode
+	 * @v dst		Decoded data
+	 * @v len		Length of data
+	 * @ret rc		Return status code
+	 *
+	 * @v len is guaranteed to be a multiple of @c blocksize.
+	 */
+	void ( * decode ) ( void *ctx, const void *src, void *dst,
+			    size_t len );
+	/** Finalise algorithm
+	 *
+	 * @v ctx		Context
+	 * @v out		Algorithm final output
+	 */
+	void ( * final ) ( void *ctx, void *out );
 };
 
+static inline void digest_init ( struct crypto_algorithm *crypto,
+				 void *ctx ) {
+	crypto->init ( ctx );
+}
+
+static inline void digest_update ( struct crypto_algorithm *crypto,
+				   void *ctx, const void *data, size_t len ) {
+	crypto->encode ( ctx, data, NULL, len );
+}
+
+static inline void digest_final ( struct crypto_algorithm *crypto,
+				  void *ctx, void *out ) {
+	crypto->final ( ctx, out );
+}
+
 #endif /* _GPXE_CRYPTO_H */
diff --git a/src/include/gpxe/md5.h b/src/include/gpxe/md5.h
index 56120ca1..f82c9462 100644
--- a/src/include/gpxe/md5.h
+++ b/src/include/gpxe/md5.h
@@ -1,8 +1,8 @@
 #ifndef _GPXE_MD5_H
 #define _GPXE_MD5_H
 
-struct digest_algorithm;
+struct crypto_algorithm;
 
-extern struct digest_algorithm md5_algorithm;
+extern struct crypto_algorithm md5_algorithm;
 
 #endif /* _GPXE_MD5_H */