aead

package
v0.0.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 4, 2021 License: Apache-2.0 Imports: 4 Imported by: 0

README

Used Method:

AESGCM

  • AES 256 for encryption
  • SHA 256 for HMAC/authentication

Process:

Encryption
- encrypt the data using aes.
- compute hash
- append the hash value with the encrypted data.

Decryption
- authenticate the data with the hash
- if data is not authentic return
- decrypt the data.

Reading materials

  1. StackExchange
  2. GCM
  3. RFC5288 AES_GCM
  4. RFC4106 GCM ESP
  5. csrc
  6. AEAD
  7. Proposal
  8. 4guysfromrolla

Language Specific Implementations are described in the {lang}-impl/README.md

Key Generation

Currently the key generation process is simple. we need 32bytes (256bits) of key to encrypt the data. so if the key length is smaller then 32 we are appending the key in an circular approach until the key is 32bytes. So a key of ABCD will become ABCDABCDABCDABCDABCDABCDABCDABCD.

Proposed Approach of key generation To Secure the key we can add some extra layer to the key generation process. This Could

  • find hash of the provided key. possibly - sha256
  • append a salt, salt could be a constant
  • find the hash. possible - md5
  • resize the key to 32 bytes as we are doing now.

##Nonce Generation Currently we are using the provided key as the nonce.

What is nonce?

Ans: A nonce is a number used once: a nonce should never be reused in a set of messages encrypted with the same key. keys are secrets that do not change often So, you have this vulnerability that if the keys leak, all the secrets leak so, they augment the secret with a dynamically added secret part that is supposed to be used only one for extra bit of protection.

Proposed Approach of nonce generation

To Secure the nonce we can add some extra layer to the nonce generation process. This Could

  • generate a random nonce.
  • add this nonce to the encrypted text.
  • while decrypting find the nonce first from the data.
  • use this nonce to the generate decrypted text.

Notes/Development Guide

  • Encrypted bytes are converted to Base64 String before return.
  • Before Decrypting use Base64 decoder to decode the string to Bytes.
  • Use the test_data data to test the implementation against.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Cryptor

type Cryptor interface {
	EncryptString(plainText string, key string) (string, error)
	Encrypt(plainText []byte, key string) ([]byte, error)
	DecryptString(cipherText string, key string) (string, error)
	Decrypt(cipherText []byte, key string) ([]byte, error)
}

For background and implementation: See here: https://appscode.appscode.io/diffusion/100/

type PassThroughCryptor

type PassThroughCryptor struct{}

func (PassThroughCryptor) Decrypt

func (PassThroughCryptor) Decrypt(cipherText []byte, key string) ([]byte, error)

func (PassThroughCryptor) DecryptString

func (PassThroughCryptor) DecryptString(cipherText string, key string) (string, error)

func (PassThroughCryptor) Encrypt

func (PassThroughCryptor) Encrypt(plainText []byte, key string) ([]byte, error)

func (PassThroughCryptor) EncryptString

func (PassThroughCryptor) EncryptString(plainText string, key string) (string, error)

type RealCryptor

type RealCryptor struct{}

func (RealCryptor) Decrypt

func (c RealCryptor) Decrypt(cipherText []byte, key string) ([]byte, error)

func (RealCryptor) DecryptString

func (c RealCryptor) DecryptString(cipherText string, key string) (string, error)

func (RealCryptor) Encrypt

func (c RealCryptor) Encrypt(plainText []byte, key string) ([]byte, error)

func (RealCryptor) EncryptString

func (c RealCryptor) EncryptString(plainText string, key string) (string, error)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL