HPKE Message Encryption with Caddy Module
This repo is in development, do not use it in production! HPKE Schema is still a DRAFT and used implementation from cloudflare is still not stable and audited.
Features
- Middleware for Caddy
- Decrypt payload of HPKE messages, redirect to destination from Caddyfile and encrypt response
- Suitable for environment where preceding services do not guaranty a continuous TLS Connection.
- HPKE Schema settings
- KEM using X448 Diffie-Hellman function and HKDF with SHA-512.
Because this is considered a safe curve with a high level of security.
- KDF using HKDF with SHA-512.
- AES-256 block cipher in Galois Counter Mode (GCM).
Because, this is as an authenticated encryption algorithm which is widely known and used.
CPU Penalty
First benchmarks show that this middleware take around 1.5ms in CPU time. (In this very early state with no optimization)
cpu: AMD Ryzen 7 PRO 4750U with Radeon Graphics
BenchmarkEncryptAndDecryptRoundtrip-16 778 1504594 ns/op 63845 B/op 528 allocs/op
Extention
Just add your private key in the caddyfile and all messages will be decrypted and responses encrypted.
:2019 {
reverse_proxy :2020
hpke {
# Public Key NJV4AX2S...
private_key "3473XZMGD..."
}
}
Use Case
Send a message from your Go application with the module encrypted with HPKE to a caddy server. This caddy server uses this extension to encrypt the message and acts as a reverse proxy.
So you can ensure security based on the message and not based on transport security, which can be terminated or sniffed with SSL Inspection in controlled environments.