mintkey

package

v0.0.0-...-4955b9a Latest Latest Go to latest Published: May 31, 2021 License: MIT Imports: 12 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

README ¶

Security parameter choice

The present Bcrypt security parameter used is 12, which should take about a quarter of a second on midrange consumer hardware (see Benchmarking section below).

For some background into security parameter considerations, see here and here.

Given our security model, where an attacker would need to already have access to a victim's computer and copy the ~/.gaiacli directory (as opposed to e.g. web authentication), this parameter choice seems sufficient for the time being. Bcrypt always generates a 448-bit key, so the security in practice is determined by the length & complexity of a user's password and the time taken to generate a Bcrypt key from their password (which we can choose with the security parameter). Users would be well-advised to use difficult-to-guess passwords.

Benchmarking

To run Bcrypt benchmarks:

go test -v --bench github.com/pokt-network/pocket-core/crypto/keys/mintkey

On the test machine (midrange ThinkPad; i7 6600U), this results in:

goos: linux
goarch: amd64
pkg: github.com/pokt-network/pocket-core/crypto/keys/mintkey
BenchmarkBcryptGenerateFromPassword/benchmark-security-param-9-4         	      50	  34609268 ns/op
BenchmarkBcryptGenerateFromPassword/benchmark-security-param-10-4        	      20	  67874471 ns/op
BenchmarkBcryptGenerateFromPassword/benchmark-security-param-11-4        	      10	 135515404 ns/op
BenchmarkBcryptGenerateFromPassword/benchmark-security-param-12-4        	       5	 274824600 ns/op
BenchmarkBcryptGenerateFromPassword/benchmark-security-param-13-4        	       2	 547012903 ns/op
BenchmarkBcryptGenerateFromPassword/benchmark-security-param-14-4        	       1	1083685904 ns/op
BenchmarkBcryptGenerateFromPassword/benchmark-security-param-15-4        	       1	2183674041 ns/op
PASS
ok  	github.com/pokt-network/pocket-core/crypto/keys/mintkey	12.093s

Benchmark results are in nanoseconds, so security parameter 12 takes about a quarter of a second to generate the Bcrypt key, security param 13 takes half a second, and so on.

Documentation ¶

Index ¶

Variables
func ArmorInfoBytes(bz []byte) string
func ArmorPubKeyBytes(bz []byte) string
func DecryptAESGCM(key []byte, enBytes []byte) ([]byte, error)
func EncryptAESGCM(key []byte, src []byte) ([]byte, error)
func EncryptArmorPrivKey(privKey posCrypto.PrivateKey, passphrase, hint string) (string, error)
func UnarmorDecryptPrivKey(armorStr string, passphrase string) (posCrypto.PrivateKey, error)
func UnarmorInfoBytes(armorStr string) (bz []byte, err error)
func UnarmorPubKeyBytes(armorStr string) (bz []byte, err error)
type ArmoredJson
- func NewArmoredJson(kdf, salt, hint, ciphertext string) ArmoredJson

Constants ¶

This section is empty.

Variables ¶

View Source

var BcryptSecurityParameter = 12

Make bcrypt security parameter var, so it can be changed within the lcd test Making the bcrypt security parameter a var shouldn't be a security issue: One can't verify an invalid key by maliciously changing the bcrypt parameter during a runtime vulnerability. The main security threat this then exposes would be something that changes this during runtime before the user creates their key. This vulnerability must succeed to update this to that same value before every subsequent call to the keys command in future startups / or the attacker must get access to the filesystem. However, with a similar threat model (changing variables in runtime), one can cause the user to sign a different tx than what they see, which is a significantly cheaper attack then breaking a bcrypt hash. (Recall that the nonce still exists to break rainbow tables) For further notes on security parameter choice, see README.md

Functions ¶

func ArmorInfoBytes ¶

func ArmorInfoBytes(bz []byte) string

Armor the InfoBytes

func ArmorPubKeyBytes ¶

func ArmorPubKeyBytes(bz []byte) string

Armor the PubKeyBytes

func DecryptAESGCM ¶

func DecryptAESGCM(key []byte, enBytes []byte) ([]byte, error)

func EncryptAESGCM ¶

func EncryptAESGCM(key []byte, src []byte) ([]byte, error)

func EncryptArmorPrivKey ¶

func EncryptArmorPrivKey(privKey posCrypto.PrivateKey, passphrase, hint string) (string, error)

Encrypt and armor the private key.

func UnarmorDecryptPrivKey ¶

func UnarmorDecryptPrivKey(armorStr string, passphrase string) (posCrypto.PrivateKey, error)

Unarmor and decrypt the private key.

func UnarmorInfoBytes ¶

func UnarmorInfoBytes(armorStr string) (bz []byte, err error)

Unarmor the InfoBytes

func UnarmorPubKeyBytes ¶

func UnarmorPubKeyBytes(armorStr string) (bz []byte, err error)

Unarmor the PubKeyBytes

Types ¶

type ArmoredJson ¶

type ArmoredJson struct {
	Kdf        string `json:"kdf" yaml:"kdf"`
	Salt       string `json:"salt" yaml:"salt"`
	SecParam   string `json:"secparam" yaml:"secparam"`
	Hint       string `json:"hint" yaml:"hint"`
	Ciphertext string `json:"ciphertext" yaml:"ciphertext"`
}

----------------------------------------------------------------- encrypt/decrypt with armor

func NewArmoredJson ¶

func NewArmoredJson(kdf, salt, hint, ciphertext string) ArmoredJson

Source Files ¶

View all Source files

mintkey.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL