Documentation ¶
Overview ¶
*
- decrypter
- The decrypter chunks out the cipher text into its relevant parts per the encryption
- implementation and attempts to decrypt the secrets it contains. *
- Once the parts of the cipherText have been identified, the decrypter loops through the
- repeating perUserPayload portion until it finds the fingerprint of the current user's public
- key in the first 20 bytes of the block. When found, it attempts to decrypt the payload using
- NaCl, thus learning the key necessary to decrypt the main cipher text.
*
- encrypter *
- The encrypter utilizes two different forms of authenticated encryption to protect data:
- AES256-GCM and NaCl *
- TWO TYPES OF ENCRYPTION!?
- Yes, but they are NOT used on top of one another. Each technology is used independently and
- their outputs are combined into a large cipher text blob which provides secure data sharing
- among many individuals without requiring out of band passphrase sharing, something
- neither encryption technology is able of achieving on its own. *
- WHAT IS GCM USED FOR?
- GCM is used to secure the actual plain text which is passed into the Encrypt method.
- The required 32 byte AES key is generated randomly, as is the 12 byte nonce. *
- WHAT IS NaCl USED FOR?
- NaCl is used to allow the "owner" of the secret data to secure the random 32 byte key used
- in AES256-GCM by encrypting it with each authorized user's public key. *
- HOW IS THE CIPHER TEXT BLOB CONSTRUCTED?
- The beginning of the cipher text blob contains all of the GCM encryption information along with
- the public key of the secret creator: *
- gcmNonce(12 bytes) cipherTextLength(10 bytes) cipherText(? bytes) pubKeyOfSecretCreator(32 bytes) *
- The remainder of the blob is made up of repeating 92 byte chunks containing the
- NaCl encrypted AES256-GCM key prefixed with the fingerprint of the public key used for encryption
- and a unique nonce: *
- usersPubKeyFingerprint(20 bytes) NaClNonce(24 bytes) NaClSecret(48 bytes)
*
- entropy
- The entropy module provides a simple wrapper around the rand reader and ReadFull
- to ensure the returned buffer is completely filled with cryptographically sound random
- data. Helper methods are also provided to cast byte array data to proper nonce types
- so it can be used in the necessary cryptographic method calls.
*
- keys
- This module handles all the key generation logic for NaCl and AES.
- It passes off reading from the rand reader to the entropy module to
- limit code duplication. It also provides helper methods to turn byte
- array data into the proper key types so they can be used in the crypto
- methods where they are needed, and read and write key files to disk.
Index ¶
- Constants
- func BytesToNACLKey(bytes []byte) *[32]byte
- func BytesToNACLNonce(bytes []byte) *[24]byte
- func Decrypt(blob []byte, selfPubKey, selfPrivKey *[32]byte) (plainText []byte, err error)
- func Encrypt(plainText []byte, authorizedPubKeys []*[32]byte, ...) []byte
- func GenAES256Key() []byte
- func GenerateGCMNonce() []byte
- func GenerateNACLKeyPair() (pubKey, privKey *[32]byte)
- func GenerateNACLNonce() *[24]byte
- func GetNACLKeyFingerprint(key *[32]byte) []byte
- func NACLKeyFromFile(filePath string) *[32]byte
- func ReadFromRand(numBytes int) []byte
- func ReadNACLKeyFile(keyFilePath string) string
- func StringToNACLKey(encodedKeyString string) *[32]byte
- func WriteNACLKeyFile(keyFilePath string, key *[32]byte, keyComment string, perms os.FileMode)
Constants ¶
const CTLENGTH_BLOCK_END = CTLENGTH_BLOCK_START + CTLENGTH_BLOCK_SIZE
const CTLENGTH_BLOCK_SIZE = 16
Always store ctLength in a fixed size block. This should be large enough to capture the ctLength for VERY large files. GCM should be capable of securing terrabytes of data without the need for a key change. This block size must be fixed in order for us to predictably chop up the cipher text when we try to decrypt
const CTLENGTH_BLOCK_START = GCM_NONCE_END
const ENCRYPTED_GCM_KEY_BYTES = 48
const GCM_NONCE_BYTES = 12
gcm nonce size is 12 bytes (96 bits) Since the nonce length and space is large enough, and a new key is used every time Encrypt is called enforcing nonce uniqueness should not be necessary
const GCM_NONCE_END = 12
const GCM_NONCE_START = 0
Constants which store magic numbers related to how the encrypted blob is constructed
const NACL_FINGERPRINT_BYTES = 20
Include getters to make it clear other modules within cryptoUtils are using these constants
const NACL_KEY_BYTES = 32
const NACL_NONCE_BYTES = 24
NaCl nonce size is 24 bytes per spec
const PBKDF2_CYCLES = 5000
const PBKDF2_KEY_BYTES = 32
const PBKDF2_PASSWORD_BYTES = 32
const PBKDF2_SALT_BYTES = 32
Consts used in this module
Variables ¶
This section is empty.
Functions ¶
func BytesToNACLKey ¶
*
- BytesToNACLKey
- Helper that takes in a byte array and casts it to *[32]byte so it can be used
- as an NACL key. This is used by ReadNACLKeyFile.
func BytesToNACLNonce ¶
*
- BytesToNACLNonce
- Read in a byte array and attempt to cast it to *[24]byte for use with
- NACL as a Nonce.
func Encrypt ¶
func Encrypt(plainText []byte, authorizedPubKeys []*[32]byte, selfPubKey, selfPrivKey *[32]byte) []byte
*
- Encrypt returns a byte array which is constructed per the header comments
func GenAES256Key ¶
func GenAES256Key() []byte
*
- GenAES256Key
- Generate a completley random 32 byte key using PBKDF2 with a completely random
- "passphrase" and salt. sha256 is being used as the hashing function.
func GenerateGCMNonce ¶
func GenerateGCMNonce() []byte
*
- GenerateGCMNonce
- Generate a random nonce for use with AES GCM
func GenerateNACLKeyPair ¶
func GenerateNACLKeyPair() (pubKey, privKey *[32]byte)
*
- GenerateNACLKeyPair
- Helper method that wraps NaCl's built in key generation function.
func GenerateNACLNonce ¶
func GenerateNACLNonce() *[24]byte
*
- GenerateNACLNonce
- Generate a random nonce for use with NaCl
func GetNACLKeyFingerprint ¶
*
- GetNACLKeyFingerprint
- Generates 20 byte fingerprints for NaCl Keys using sha1
- This is only meant to be used with PUBLIC keys.
func NACLKeyFromFile ¶
*
- NACLKeyFromFile
- Helper method that reads files containing an NaCl key string and returns an NaCl key.
func ReadFromRand ¶
*
- ReadFromRand
- Return a byte array of size numBytes that is completely full of cryptographically
- sound random data.
func ReadNACLKeyFile ¶
*
- ReadNACLKeyFile
- Helper method to read NACL key files that were written to disk with WriteNACLKeyFile.
func StringToNACLKey ¶
*
- StringToNACLKey
- Helper method to read encoded NACL key data strings and return an NACL key.
- Because this is a helper method, we assume the string passed in is encoded
- as base64.
Types ¶
This section is empty.