[!IMPORTANT] Use only if you know what you are doing. I'm not responsible for any security issues you could be exposed if you use this library.
This is a toy I created, based on Facebook Onion PRF, I tried to extract the interesting ideas, and the mitigations in-place to build a modern password hash system.
[!IMPORTANT] Use at your own risk
Package stronghold provides a secure way to store and verify secrets.
The package provides a way to store a secret in a secure way. The secret is stored as a hash and can be verified later. The package uses a key derivation function to derive a key from the secret and a salt. The key is used to encrypt the secret using an authenticated encryption with associated data (AEAD) scheme. The encrypted secret is then hashed using a remote hardware security module (HSM).
This is inspirred by the Facebook Onion PRF service.
This section is empty.
var ( // ErrEmptySecret is returned when the secret is empty. ErrEmptySecret = errors.New("empty secret") // ErrSecretTooLong is returned when the secret is too long. ErrSecretTooLong = errors.New("secret too long") // ErrAADTooLong is returned when the additional data is too long. ErrAADTooLong = errors.New("aad too long") // ErrStoredHashTooShort is returned when the stored hash is too short. ErrStoredHashTooShort = errors.New("stored hash too short") // ErrContextMismatch is returned when the context does not match the stored context. ErrContextMismatch = errors.New("context mismatch") // ErrHashMismatch is returned when the hash does not match the stored hash. ErrHashMismatch = errors.New("hash mismatch") )
This section is empty.
type AEAD uint8
AEAD is the authenticated encryption with associated data type.
Hash is a hash implementation that uses a remote HSM to hash the password.
Seal hashes the secret and seals the context with the provided additional data. It returns the sealed context.
The AAD is the additional data that is used to seal the context. Consider to use a canonical representation of the context to prevent mismatches. The result is expected to be in the format SALT || ENCRYPTED_HASH.
Verify verifies the secret against the stored hash and additional data. It returns nil if the secret matches the stored hash, ErrHashMismatch if the hash does not match, or ErrContextMismatch if the context does not match the stored context.
The stored hash is expected to be in the format SALT || ENCRYPTED_HASH. AAD is the additional data that was used to seal the context. Consider to use a canonical representation of the context to prevent mismatches.