dhkam

package module
v0.0.0-...-ef333c7 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 15, 2013 License: ISC Imports: 7 Imported by: 0

README 

Implementation of the Diffie-Hellman Key Agreement Method using
the RFC 3526 Group 14, and with blinded key generation.

Supports both plain shared keys and generating a key-encryption key for
providing content encryption keys.

Released under the ISC license. See the LICENSE file for details.

TODO:
        - Find test vectors for keys to validate public key generation.
        - Improve unit tests.

Documentation

Overview

dhkam implements the Diffie Hellman Key Agreement Method using the RFC 3526 Group 14 modulus, and uses blinded key generation.

The package supports using the shared key as a static key, and using the shared key to compute a KEK, implementing the system described in RFC 2631.

The shared key may be retrieved using the SharedKey method. A KEK must first be initialised using the InitializeKEK function, which returns a set of KEK paramaters stored in a KEK type. This can be combined with the `CEK` method on private keys to derive an appropriate CEK.

For example, to generate a KEK for use with AES128CBC with an HMAC-SHA256 MAC: 

prv, err := dhkam.GenerateKey(rand.Reader)
if err != nil {
	// ...
}

// pub is a *dhkam.PublicKey containing the public key
// of the party for whom we share this KEK.
kek := prv.InitializeKEK(rand.Reader, pub,
	dhkam.KEKAES128CBCHMACSHA256, nil, sha256.New())
if kek == nil {
	// an error occurred while initialising the KEK.
}

We can generate a CEK from this with: 

key, err := prv.CEK(kek)
if err != nil {
	// ...
}

aesKey := key[:16]	// 16 bytes is AES-128 key length.
hmacKey := key[16:]	// the rest of the key is the HMAC key.

Index

Constants

This section is empty.

Variables

View Source 
var (
	ErrBlindingFailed    = fmt.Errorf("dhkam: blinding failed")
	ErrInvalidKEKParams  = fmt.Errorf("dhkam: invalid KEK parameters")
	ErrInvalidPrivateKey = fmt.Errorf("dhkam: invalid private key")
	ErrInvalidPublicKey  = fmt.Errorf("dhkam: invalid public key")
	ErrInvalidSharedKey  = fmt.Errorf("dhkam: invalid shared key")
)
View Source 
var (
	AES128CBC = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 1, 2}
	AES128GCM = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 1, 6}
	AES192CBC = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 1, 22}
	AES192GCM = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 1, 26}
	AES256CBC = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 1, 42}
	AES256GCM = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 1, 46}
)

ASN.1 definitions for a few algorithms

View Source 
var (
	KEKAES128CBCHMACSHA256 = KEKParams{
		KeySpecificInfo: KeySpecificInfo{
			Algorithm: AES128CBC,
		},
		SuppPubInfo: []byte{0, 0, 0, 48},
	}
	KEKAES192CBCHMACSHA384 = KEKParams{
		KeySpecificInfo: KeySpecificInfo{
			Algorithm: AES192CBC,
		},
		SuppPubInfo: []byte{0, 0, 0, 72},
	}
	KEKAES256CBCHMACSHA512 = KEKParams{
		KeySpecificInfo: KeySpecificInfo{
			Algorithm: AES256CBC,
		},
		SuppPubInfo: []byte{0, 0, 0, 32},
	}
	KEKAES256CBCHMACSHA256 = KEKParams{
		KeySpecificInfo: KeySpecificInfo{
			Algorithm: AES256CBC,
		},
		SuppPubInfo: []byte{0, 0, 0, 64},
	}
)

Pre-defined KEK parameters to make life easier when generating KEKs.

View Source 
var (
	P = new(big.Int).SetBytes(p)
)

Functions

This section is empty.

Types

type KEK 

type KEK struct {
	ZZ     []byte
	Params KEKParams
	// contains filtered or unexported fields
}

KEK represents the information needed to make use of a KEK. A KEK should correspond to a specific private - public keypair as used in the key exchange.

func (KEK) KeyLen 

func (kek KEK) KeyLen() int

KeyLen returns the shared key size this KEK should be used to generate.

type KEKParams 

type KEKParams struct {
	KeySpecificInfo KeySpecificInfo
	PartyAInfo      []byte `asn1:"optional"`
	SuppPubInfo     []byte
}

type KeySpecificInfo 

type KeySpecificInfo struct {
	Algorithm asn1.ObjectIdentifier
	// contains filtered or unexported fields
}

type PrivateKey 

type PrivateKey struct {
	PublicKey
	X *big.Int
}

func GenerateKey 

func GenerateKey(prng io.Reader) (prv *PrivateKey, err error)

GenerateKey generates a new key pair.

func ImportPrivate 

func ImportPrivate(prng io.Reader, in []byte) (prv *PrivateKey, err error)

ImportPrivate loads a byte slice into a private key and regenerates the public key for it.

func (*PrivateKey) CEK 

func (prv *PrivateKey) CEK(kek *KEK) (key []byte, err error)

Generate a new CEK from the provided KEK.

func (*PrivateKey) Export 

func (prv *PrivateKey) Export() []byte

Export returns a byte slice representation of the public key. This is not DER-encoded.

func (*PrivateKey) ExportPrivate 

func (prv *PrivateKey) ExportPrivate() []byte

ExportPrivate returns a byte slice representation of the private key.

func (*PrivateKey) InitializeKEK 

func (prv *PrivateKey) InitializeKEK(rand io.Reader, pub *PublicKey,
	params KEKParams, ainfo []byte, h hash.Hash) *KEK

Set up a new KEK; a KEK is tuned for a specific pair of sender's private key and receiver's public key.

func (*PrivateKey) SharedKey 

func (prv *PrivateKey) SharedKey(prng io.Reader, pub *PublicKey, size int) (sk []byte, err error)

SharedKey returns a shared key from a private and public key suitable for use in symmetric encryption.

type PublicKey 

type PublicKey struct {
	A *big.Int
}

func ImportPublic 

func ImportPublic(in []byte) (pub *PublicKey, err error)

ImportPublic takes a byte slice and attempts to convert it to a public key, checking to make sure it's a valid key.

func (*PublicKey) Valid 

func (pub *PublicKey) Valid() bool

Valid runs sanity checks on the public key to ensure it is valid.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.