phe

package module
v1.0.3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 8, 2019 License: BSD-3-Clause Imports: 13 Imported by: 9

README

Simple Password-Hardened Encryption Services

Build Status GitHub license

Virgil Security introduces an implementation of the Password-Hardened Encryption (PHE) protocol that provides developers with a technology to protect users passwords from offline attacks and make stolen passwords useless even if your database has been compromised.

PHE is a new, more secure mechanism that protects user passwords and lessens the security risks associated with weak passwords. Neither Virgil nor attackers know anything about user's password.

Authors: Russell W. F. Lai, Christoph Egger, Manuel Reinert, Sherman S. M. Chow, Matteo Maffei and Dominique Schroder

WhitePaper: https://virgilsecurity.com/wp-content/uploads/2018/11/PHE-Whitepaper-2018.pdf

Go implementation by Alexey Ermishkin VirgilSecurty.com.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Decrypt 

func Decrypt(ciphertext, key []byte) ([]byte, error)

Decrypt extracts 32 byte salt, derives key & nonce and decrypts ciphertext

func Encrypt 

func Encrypt(data, key []byte) ([]byte, error)

Encrypt generates 32 byte salt, uses master key & salt to generate per-data key & nonce with the help of HKDF Salt is concatenated to the ciphertext

func GenerateClientKey 

func GenerateClientKey() []byte

GenerateClientKey creates a new random key used on the Client side

func GenerateServerKeypair 

func GenerateServerKeypair() ([]byte, error)

GenerateServerKeypair creates a new random Nist p-256 keypair

func GetEnrollment 

func GetEnrollment(serverKeypair []byte) ([]byte, error)

GetEnrollment generates a new random enrollment record and a proof

func GetPublicKey 

func GetPublicKey(serverKeypair []byte) ([]byte, error)

GetPublicKey returns server public key

func Rotate 

func Rotate(serverKeypair []byte) (token []byte, newServerKeypair []byte, err error)

Rotate updates server's private and public keys and issues an update token for use on client's side

func RotateClientKeys 

func RotateClientKeys(serverPublic, clientPrivate, tokenBytes []byte) (newClientPrivate, newServerPublic []byte, err error)

RotateClientKeys returns a new pair of keys given old keys and an update token

func UpdateRecord 

func UpdateRecord(recBytes []byte, tokenBytes []byte) (updRec []byte, err error)

UpdateRecord needs to be applied to every database record to correspond to new private and public keys

func VerifyPassword 

func VerifyPassword(serverKeypair []byte, reqBytes []byte) (response []byte, err error)

VerifyPassword compares password attempt to the one server would calculate itself using its private key and returns a zero knowledge proof of ether success or failure

Types

type Client 

type Client struct {
	// contains filtered or unexported fields
}

Client is responsible for protecting & checking passwords at the client (website) side

func NewClient 

func NewClient(serverPublicKey []byte, privateKey []byte) (*Client, error)

NewClient creates new client instance using client's private key and server's public key used for verification

func (*Client) CheckResponseAndDecrypt 

func (c *Client) CheckResponseAndDecrypt(password []byte, recBytes []byte, respBytes []byte) (key []byte, err error)

CheckResponseAndDecrypt verifies server's answer and extracts data encryption key on success

func (*Client) CreateVerifyPasswordRequest 

func (c *Client) CreateVerifyPasswordRequest(password []byte, recBytes []byte) (req []byte, err error)

CreateVerifyPasswordRequest creates a request in a form of elliptic curve point which is then need to be validated at the server side

func (*Client) EnrollAccount 

func (c *Client) EnrollAccount(password []byte, respBytes []byte) (rec []byte, key []byte, err error)

EnrollAccount uses fresh Enrollment Response and user's password (or its hash) to create a new Enrollment Record which is then supposed to be stored in a database it also generates a random encryption key which can be used to protect user's data

func (*Client) Rotate 

func (c *Client) Rotate(tokenBytes []byte) error

Rotate updates client's secret key and server's public key with server's update token

type EnrollmentRecord 

type EnrollmentRecord struct {
	Ns                   []byte   `protobuf:"bytes,1,opt,name=ns,proto3" json:"ns,omitempty"`
	Nc                   []byte   `protobuf:"bytes,2,opt,name=nc,proto3" json:"nc,omitempty"`
	T0                   []byte   `protobuf:"bytes,3,opt,name=t0,proto3" json:"t0,omitempty"`
	T1                   []byte   `protobuf:"bytes,4,opt,name=t1,proto3" json:"t1,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (*EnrollmentRecord) Descriptor 

func (*EnrollmentRecord) Descriptor() ([]byte, []int)

func (*EnrollmentRecord) GetNc 

func (m *EnrollmentRecord) GetNc() []byte

func (*EnrollmentRecord) GetNs 

func (m *EnrollmentRecord) GetNs() []byte

func (*EnrollmentRecord) GetT0 

func (m *EnrollmentRecord) GetT0() []byte

func (*EnrollmentRecord) GetT1 

func (m *EnrollmentRecord) GetT1() []byte

func (*EnrollmentRecord) ProtoMessage 

func (*EnrollmentRecord) ProtoMessage()

func (*EnrollmentRecord) Reset 

func (m *EnrollmentRecord) Reset()

func (*EnrollmentRecord) String 

func (m *EnrollmentRecord) String() string

func (*EnrollmentRecord) XXX_DiscardUnknown 

func (m *EnrollmentRecord) XXX_DiscardUnknown()

func (*EnrollmentRecord) XXX_Marshal 

func (m *EnrollmentRecord) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*EnrollmentRecord) XXX_Merge 

func (m *EnrollmentRecord) XXX_Merge(src proto.Message)

func (*EnrollmentRecord) XXX_Size 

func (m *EnrollmentRecord) XXX_Size() int

func (*EnrollmentRecord) XXX_Unmarshal 

func (m *EnrollmentRecord) XXX_Unmarshal(b []byte) error

type EnrollmentResponse 

type EnrollmentResponse struct {
	Ns                   []byte          `protobuf:"bytes,1,opt,name=ns,proto3" json:"ns,omitempty"`
	C0                   []byte          `protobuf:"bytes,2,opt,name=c0,proto3" json:"c0,omitempty"`
	C1                   []byte          `protobuf:"bytes,3,opt,name=c1,proto3" json:"c1,omitempty"`
	Proof                *ProofOfSuccess `protobuf:"bytes,4,opt,name=proof,proto3" json:"proof,omitempty"`
	XXX_NoUnkeyedLiteral struct{}        `json:"-"`
	XXX_unrecognized     []byte          `json:"-"`
	XXX_sizecache        int32           `json:"-"`
}

func (*EnrollmentResponse) Descriptor 

func (*EnrollmentResponse) Descriptor() ([]byte, []int)

func (*EnrollmentResponse) GetC0 

func (m *EnrollmentResponse) GetC0() []byte

func (*EnrollmentResponse) GetC1 

func (m *EnrollmentResponse) GetC1() []byte

func (*EnrollmentResponse) GetNs 

func (m *EnrollmentResponse) GetNs() []byte

func (*EnrollmentResponse) GetProof 

func (m *EnrollmentResponse) GetProof() *ProofOfSuccess

func (*EnrollmentResponse) ProtoMessage 

func (*EnrollmentResponse) ProtoMessage()

func (*EnrollmentResponse) Reset 

func (m *EnrollmentResponse) Reset()

func (*EnrollmentResponse) String 

func (m *EnrollmentResponse) String() string

func (*EnrollmentResponse) XXX_DiscardUnknown 

func (m *EnrollmentResponse) XXX_DiscardUnknown()

func (*EnrollmentResponse) XXX_Marshal 

func (m *EnrollmentResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*EnrollmentResponse) XXX_Merge 

func (m *EnrollmentResponse) XXX_Merge(src proto.Message)

func (*EnrollmentResponse) XXX_Size 

func (m *EnrollmentResponse) XXX_Size() int

func (*EnrollmentResponse) XXX_Unmarshal 

func (m *EnrollmentResponse) XXX_Unmarshal(b []byte) error

type Keypair 

type Keypair struct {
	PublicKey            []byte   `protobuf:"bytes,1,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"`
	PrivateKey           []byte   `protobuf:"bytes,2,opt,name=private_key,json=privateKey,proto3" json:"private_key,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (*Keypair) Descriptor 

func (*Keypair) Descriptor() ([]byte, []int)

func (*Keypair) GetPrivateKey 

func (m *Keypair) GetPrivateKey() []byte

func (*Keypair) GetPublicKey 

func (m *Keypair) GetPublicKey() []byte

func (*Keypair) ProtoMessage 

func (*Keypair) ProtoMessage()

func (*Keypair) Reset 

func (m *Keypair) Reset()

func (*Keypair) String 

func (m *Keypair) String() string

func (*Keypair) XXX_DiscardUnknown 

func (m *Keypair) XXX_DiscardUnknown()

func (*Keypair) XXX_Marshal 

func (m *Keypair) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*Keypair) XXX_Merge 

func (m *Keypair) XXX_Merge(src proto.Message)

func (*Keypair) XXX_Size 

func (m *Keypair) XXX_Size() int

func (*Keypair) XXX_Unmarshal 

func (m *Keypair) XXX_Unmarshal(b []byte) error

type Point 

type Point struct {
	X, Y *big.Int
}

Point represents an elliptic curve point

func PointUnmarshal 

func PointUnmarshal(data []byte) (*Point, error)

PointUnmarshal validates & converts byte array to an elliptic curve point object

func (*Point) Add 

func (p *Point) Add(a *Point) *Point

Add adds two points

func (*Point) Equal 

func (p *Point) Equal(other *Point) bool

Equal checks two points for equality

func (*Point) Marshal 

func (p *Point) Marshal() []byte

Marshal converts point to an array of bytes

func (*Point) Neg 

func (p *Point) Neg() *Point

Neg inverts point's Y coordinate

func (*Point) ScalarBaseMult 

func (p *Point) ScalarBaseMult(b []byte) *Point

ScalarBaseMult multiplies base point to a number

func (*Point) ScalarBaseMultInt 

func (p *Point) ScalarBaseMultInt(b *big.Int) *Point

ScalarBaseMultInt multiplies base point to a number

func (*Point) ScalarMult 

func (p *Point) ScalarMult(b []byte) *Point

ScalarMult multiplies point to a number

func (*Point) ScalarMultInt 

func (p *Point) ScalarMultInt(b *big.Int) *Point

ScalarMultInt multiplies point to a number

type ProofOfFail 

type ProofOfFail struct {
	Term1                []byte   `protobuf:"bytes,1,opt,name=term1,proto3" json:"term1,omitempty"`
	Term2                []byte   `protobuf:"bytes,2,opt,name=term2,proto3" json:"term2,omitempty"`
	Term3                []byte   `protobuf:"bytes,3,opt,name=term3,proto3" json:"term3,omitempty"`
	Term4                []byte   `protobuf:"bytes,4,opt,name=term4,proto3" json:"term4,omitempty"`
	BlindA               []byte   `protobuf:"bytes,5,opt,name=blind_a,json=blindA,proto3" json:"blind_a,omitempty"`
	BlindB               []byte   `protobuf:"bytes,6,opt,name=blind_b,json=blindB,proto3" json:"blind_b,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (*ProofOfFail) Descriptor 

func (*ProofOfFail) Descriptor() ([]byte, []int)

func (*ProofOfFail) GetBlindA 

func (m *ProofOfFail) GetBlindA() []byte

func (*ProofOfFail) GetBlindB 

func (m *ProofOfFail) GetBlindB() []byte

func (*ProofOfFail) GetTerm1 

func (m *ProofOfFail) GetTerm1() []byte

func (*ProofOfFail) GetTerm2 

func (m *ProofOfFail) GetTerm2() []byte

func (*ProofOfFail) GetTerm3 

func (m *ProofOfFail) GetTerm3() []byte

func (*ProofOfFail) GetTerm4 

func (m *ProofOfFail) GetTerm4() []byte

func (*ProofOfFail) ProtoMessage 

func (*ProofOfFail) ProtoMessage()

func (*ProofOfFail) Reset 

func (m *ProofOfFail) Reset()

func (*ProofOfFail) String 

func (m *ProofOfFail) String() string

func (*ProofOfFail) XXX_DiscardUnknown 

func (m *ProofOfFail) XXX_DiscardUnknown()

func (*ProofOfFail) XXX_Marshal 

func (m *ProofOfFail) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*ProofOfFail) XXX_Merge 

func (m *ProofOfFail) XXX_Merge(src proto.Message)

func (*ProofOfFail) XXX_Size 

func (m *ProofOfFail) XXX_Size() int

func (*ProofOfFail) XXX_Unmarshal 

func (m *ProofOfFail) XXX_Unmarshal(b []byte) error

type ProofOfSuccess 

type ProofOfSuccess struct {
	Term1                []byte   `protobuf:"bytes,1,opt,name=term1,proto3" json:"term1,omitempty"`
	Term2                []byte   `protobuf:"bytes,2,opt,name=term2,proto3" json:"term2,omitempty"`
	Term3                []byte   `protobuf:"bytes,3,opt,name=term3,proto3" json:"term3,omitempty"`
	BlindX               []byte   `protobuf:"bytes,4,opt,name=blind_x,json=blindX,proto3" json:"blind_x,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (*ProofOfSuccess) Descriptor 

func (*ProofOfSuccess) Descriptor() ([]byte, []int)

func (*ProofOfSuccess) GetBlindX 

func (m *ProofOfSuccess) GetBlindX() []byte

func (*ProofOfSuccess) GetTerm1 

func (m *ProofOfSuccess) GetTerm1() []byte

func (*ProofOfSuccess) GetTerm2 

func (m *ProofOfSuccess) GetTerm2() []byte

func (*ProofOfSuccess) GetTerm3 

func (m *ProofOfSuccess) GetTerm3() []byte

func (*ProofOfSuccess) ProtoMessage 

func (*ProofOfSuccess) ProtoMessage()

func (*ProofOfSuccess) Reset 

func (m *ProofOfSuccess) Reset()

func (*ProofOfSuccess) String 

func (m *ProofOfSuccess) String() string

func (*ProofOfSuccess) XXX_DiscardUnknown 

func (m *ProofOfSuccess) XXX_DiscardUnknown()

func (*ProofOfSuccess) XXX_Marshal 

func (m *ProofOfSuccess) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*ProofOfSuccess) XXX_Merge 

func (m *ProofOfSuccess) XXX_Merge(src proto.Message)

func (*ProofOfSuccess) XXX_Size 

func (m *ProofOfSuccess) XXX_Size() int

func (*ProofOfSuccess) XXX_Unmarshal 

func (m *ProofOfSuccess) XXX_Unmarshal(b []byte) error

type UpdateToken 

type UpdateToken struct {
	A                    []byte   `protobuf:"bytes,1,opt,name=a,proto3" json:"a,omitempty"`
	B                    []byte   `protobuf:"bytes,2,opt,name=b,proto3" json:"b,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (*UpdateToken) Descriptor 

func (*UpdateToken) Descriptor() ([]byte, []int)

func (*UpdateToken) GetA 

func (m *UpdateToken) GetA() []byte

func (*UpdateToken) GetB 

func (m *UpdateToken) GetB() []byte

func (*UpdateToken) ProtoMessage 

func (*UpdateToken) ProtoMessage()

func (*UpdateToken) Reset 

func (m *UpdateToken) Reset()

func (*UpdateToken) String 

func (m *UpdateToken) String() string

func (*UpdateToken) XXX_DiscardUnknown 

func (m *UpdateToken) XXX_DiscardUnknown()

func (*UpdateToken) XXX_Marshal 

func (m *UpdateToken) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*UpdateToken) XXX_Merge 

func (m *UpdateToken) XXX_Merge(src proto.Message)

func (*UpdateToken) XXX_Size 

func (m *UpdateToken) XXX_Size() int

func (*UpdateToken) XXX_Unmarshal 

func (m *UpdateToken) XXX_Unmarshal(b []byte) error

type VerifyPasswordRequest 

type VerifyPasswordRequest struct {
	Ns                   []byte   `protobuf:"bytes,1,opt,name=ns,proto3" json:"ns,omitempty"`
	C0                   []byte   `protobuf:"bytes,2,opt,name=c0,proto3" json:"c0,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (*VerifyPasswordRequest) Descriptor 

func (*VerifyPasswordRequest) Descriptor() ([]byte, []int)

func (*VerifyPasswordRequest) GetC0 

func (m *VerifyPasswordRequest) GetC0() []byte

func (*VerifyPasswordRequest) GetNs 

func (m *VerifyPasswordRequest) GetNs() []byte

func (*VerifyPasswordRequest) ProtoMessage 

func (*VerifyPasswordRequest) ProtoMessage()

func (*VerifyPasswordRequest) Reset 

func (m *VerifyPasswordRequest) Reset()

func (*VerifyPasswordRequest) String 

func (m *VerifyPasswordRequest) String() string

func (*VerifyPasswordRequest) XXX_DiscardUnknown 

func (m *VerifyPasswordRequest) XXX_DiscardUnknown()

func (*VerifyPasswordRequest) XXX_Marshal 

func (m *VerifyPasswordRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*VerifyPasswordRequest) XXX_Merge 

func (m *VerifyPasswordRequest) XXX_Merge(src proto.Message)

func (*VerifyPasswordRequest) XXX_Size 

func (m *VerifyPasswordRequest) XXX_Size() int

func (*VerifyPasswordRequest) XXX_Unmarshal 

func (m *VerifyPasswordRequest) XXX_Unmarshal(b []byte) error

type VerifyPasswordResponse 

type VerifyPasswordResponse struct {
	Res bool   `protobuf:"varint,1,opt,name=res,proto3" json:"res,omitempty"`
	C1  []byte `protobuf:"bytes,2,opt,name=c1,proto3" json:"c1,omitempty"`
	// Types that are valid to be assigned to Proof:
	//	*VerifyPasswordResponse_Success
	//	*VerifyPasswordResponse_Fail
	Proof                isVerifyPasswordResponse_Proof `protobuf_oneof:"proof"`
	XXX_NoUnkeyedLiteral struct{}                       `json:"-"`
	XXX_unrecognized     []byte                         `json:"-"`
	XXX_sizecache        int32                          `json:"-"`
}

func (*VerifyPasswordResponse) Descriptor 

func (*VerifyPasswordResponse) Descriptor() ([]byte, []int)

func (*VerifyPasswordResponse) GetC1 

func (m *VerifyPasswordResponse) GetC1() []byte

func (*VerifyPasswordResponse) GetFail 

func (m *VerifyPasswordResponse) GetFail() *ProofOfFail

func (*VerifyPasswordResponse) GetProof 

func (m *VerifyPasswordResponse) GetProof() isVerifyPasswordResponse_Proof

func (*VerifyPasswordResponse) GetRes 

func (m *VerifyPasswordResponse) GetRes() bool

func (*VerifyPasswordResponse) GetSuccess 

func (m *VerifyPasswordResponse) GetSuccess() *ProofOfSuccess

func (*VerifyPasswordResponse) ProtoMessage 

func (*VerifyPasswordResponse) ProtoMessage()

func (*VerifyPasswordResponse) Reset 

func (m *VerifyPasswordResponse) Reset()

func (*VerifyPasswordResponse) String 

func (m *VerifyPasswordResponse) String() string

func (*VerifyPasswordResponse) XXX_DiscardUnknown 

func (m *VerifyPasswordResponse) XXX_DiscardUnknown()

func (*VerifyPasswordResponse) XXX_Marshal 

func (m *VerifyPasswordResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*VerifyPasswordResponse) XXX_Merge 

func (m *VerifyPasswordResponse) XXX_Merge(src proto.Message)

func (*VerifyPasswordResponse) XXX_OneofWrappers 

func (*VerifyPasswordResponse) XXX_OneofWrappers() []interface{}

XXX_OneofWrappers is for the internal use of the proto package.

func (*VerifyPasswordResponse) XXX_Size 

func (m *VerifyPasswordResponse) XXX_Size() int

func (*VerifyPasswordResponse) XXX_Unmarshal 

func (m *VerifyPasswordResponse) XXX_Unmarshal(b []byte) error

type VerifyPasswordResponse_Fail 

type VerifyPasswordResponse_Fail struct {
	Fail *ProofOfFail `protobuf:"bytes,4,opt,name=fail,proto3,oneof"`
}

type VerifyPasswordResponse_Success 

type VerifyPasswordResponse_Success struct {
	Success *ProofOfSuccess `protobuf:"bytes,3,opt,name=success,proto3,oneof"`
}

type VerifyPasswordResult added in v1.0.2 

type VerifyPasswordResult struct {
	Res  bool
	Salt []byte
}

VerifyPasswordResult contains info about verification process result

func VerifyPasswordExtended added in v1.0.2 

func VerifyPasswordExtended(serverKeypair []byte, reqBytes []byte) (response []byte, state *VerifyPasswordResult, err error)

VerifyPasswordExtended compares password attempt to the one server would calculate itself using its private key and returns a zero knowledge proof of ether success or failure and an object containing verify result & salt used for verification

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.