rhs

package module

v0.0.0-...-5d5300e Latest Latest Go to latest Published: Feb 11, 2015 License: MIT Imports: 18 Imported by: 1

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/JesusIslam/rhs

Links

Open Source Insights

README ¶

rhs

Headache free encryption suite for golang

What?

You want to send encrypted message or saving password into your database without having to bother to understand about how they works? Then this package is for you.

Installation

go get github.com/JesusIslam/rhs

Dependencies

github.com/agl/ed25519
go get golang.org/x/crypto/nacl
go get golang.org/x/crypto/scrypt

Usage

If you want to store data, use *Store() methods. If not, use *Send() methods. Also do not ever forget to save your salt. Also, use different salt for key generation and encryption. You need PKCS1 private key for RSA and prime256v1 EC for ECDSA private key in PEM format.

And just open test/sample.go

Benchmark

Using i3-3217U @1.8GHz with go test -bench . -cpu 4 -benchtime=5s -benchmem:

BBenchmarkEncPGP-4         50000            173015 ns/op            6666 B/op         49 allocs/op
BenchmarkEncStoreNACL-4       50         121961218 ns/op        17117676 B/op         27 allocs/op
BenchmarkEncNACL-4        100000            118769 ns/op             336 B/op          5 allocs/op
BenchmarkEncStoreRSA-4        50         145076528 ns/op        18412665 B/op       9516 allocs/op
BenchmarkEncRSA-4            200          28223672 ns/op         1153243 B/op       7931 allocs/op
BenchmarkEncStoreECDSA-4      50         123162064 ns/op        17137053 B/op        412 allocs/op
BenchmarkEncECDSA-4         5000           1750764 ns/op           23321 B/op        392 allocs/op

Yes, scrypt is slow (default N r p are 1 << 14, 8, and 1.) That's what makes it a better hashing algorithm.

License

See LICENSE file, it is MIT

Documentation ¶

Index ¶

Constants
Variables
func EncryptNACLStore(data, salt []byte, ecpk [64]byte) ([]byte, [64]byte, [24]byte, error)
func ExchangeAESKeyRSADecrypt(oaep bool, encrypted, label []byte, hasher *hash.Hash, pk *rsa.PrivateKey) error
func ExchangeAESKeyRSAEncrypt(oaep bool, label []byte, hasher *hash.Hash, pub *rsa.PublicKey) ([]byte, error)
func GenEdDSAKeyPair() ([32]byte, [64]byte, error)
func GenSalt() ([]byte, error)
func LoadPkECDSA(path string) (*ecdsa.PrivateKey, error)
func LoadPkRSA(path string) (*rsa.PrivateKey, error)
func LoadPubECDSA(path string) (*ecdsa.PublicKey, error)
func LoadPubRSA(path string) (*rsa.PublicKey, error)
func PGPStyleCreateKeypairs(bit int) ([]byte, []byte, []byte, []byte, error)
func PGPStyleDecrypt(encrypted, h, nonce, additionalData, ekey []byte, pk *rsa.PrivateKey) ([]byte, error)
func PGPStyleEncrypt(data []byte, pub *rsa.PublicKey) ([]byte, []byte, []byte, []byte, []byte, error)
func PGPStyleLoadPrivateKey(pemPk []byte) (*rsa.PrivateKey, error)
func PGPStyleLoadPublicKey(pemPub []byte) (*rsa.PublicKey, error)
func SetData(data []byte)
func SetKey(key, salt []byte) error
func ValidateNACL(password, salt, encrypted []byte, sign [64]byte, nonce [24]byte, pub [32]byte, ...) error
type ENC
- func New() (*ENC, error)
- func (b *ENC) DecryptECDSA(encrypted, rb, sb, nonce []byte, pub *ecdsa.PublicKey) ([]byte, error)
- func (b *ENC) DecryptRSA(encrypted, s, nonce []byte, pub *rsa.PublicKey) ([]byte, error)
- func (b *ENC) EncryptECDSASend(data []byte, pk *ecdsa.PrivateKey) ([]byte, []byte, []byte, []byte, error)
- func (b *ENC) EncryptECDSAStore(data, salt []byte, pk *ecdsa.PrivateKey) ([]byte, []byte, []byte, []byte, error)
- func (b *ENC) EncryptRSASend(data []byte, pk *rsa.PrivateKey) ([]byte, []byte, []byte, error)
- func (b *ENC) EncryptRSAStore(data, salt []byte, pk *rsa.PrivateKey) ([]byte, []byte, []byte, error)
- func (b *ENC) ValidateECDSA(password, salt, encrypted, rb, sb, nonce []byte, pub *ecdsa.PublicKey) error
- func (b *ENC) ValidateRSA(password, salt, encrypted, s, nonce []byte, pub *rsa.PublicKey) error
type NACL
- func NewNACL() (*NACL, error)
- func (n *NACL) Decrypt(encrypted, h, salt []byte, nonce *[24]byte, ppub *[32]byte) ([]byte, bool)
- func (n *NACL) DecryptSK(encrypted, h, salt []byte, nonce *[24]byte) ([]byte, bool)
- func (n *NACL) Encrypt(msg, salt []byte, ppub *[32]byte) ([]byte, []byte, [24]byte, error)
- func (n *NACL) EncryptSK(msg, salt []byte) ([]byte, []byte, [24]byte, error)
- func (n *NACL) GenSharedKey(ppub *[32]byte)

Constants ¶

View Source

const (
	VERSION = "0.0.3"
)

Variables ¶

View Source

var DATA []byte = []byte("additional data")

Additional data for AEAD

View Source

var KEY []byte = []byte("change me from this 2 other byte")

AES key, length must be 32 bytes to use AES256

Functions ¶

func EncryptNACLStore ¶

func EncryptNACLStore(data, salt []byte, ecpk [64]byte) ([]byte, [64]byte, [24]byte, error)

Encrypt data to be stored using NaCL-EdDSA, be sure to do SetKey() beforehand. Please don't forget to store the salt. Returns encrypted data, signature, and nonce.

func ExchangeAESKeyRSADecrypt ¶

func ExchangeAESKeyRSADecrypt(oaep bool, encrypted, label []byte, hasher *hash.Hash, pk *rsa.PrivateKey) error

Decrypt AES key from server to be used using RSA, pk is client's (or us if we are the client) private key. ( You should only do this once to exchange AES key. This automatically set KEY variable, after that you can use New()

func ExchangeAESKeyRSAEncrypt ¶

func ExchangeAESKeyRSAEncrypt(oaep bool, label []byte, hasher *hash.Hash, pub *rsa.PublicKey) ([]byte, error)

These two functions are created to support PGP style encryption Encrypt AES key to be sent to client using RSA. pub is client's (or us if we are the client) public key. You preferably should use SetKey() first before using this, because this function get the key to be encrypted from package's KEY variable For JS, see https://github.com/travist/jsencrypt (The lib is using PKCS1) Returns encrypted key

func GenEdDSAKeyPair ¶

func GenEdDSAKeyPair() ([32]byte, [64]byte, error)

Returns 32 byte pub and 64 byte pk for EdDSA (Ed25519)

func GenSalt ¶

func GenSalt() ([]byte, error)

Salt must be the same when you encrypt and verify. Forgot to save salt means your data would be lost forever.

func LoadPkECDSA ¶

func LoadPkECDSA(path string) (*ecdsa.PrivateKey, error)

Load ECDSA private key, pk's EC must be prime256v1

func LoadPkRSA ¶

func LoadPkRSA(path string) (*rsa.PrivateKey, error)

Load RSA private key, pk must be PKCS1 and at least 2048 bits

func LoadPubECDSA ¶

func LoadPubECDSA(path string) (*ecdsa.PublicKey, error)

Load ECDSA public key

func LoadPubRSA ¶

func LoadPubRSA(path string) (*rsa.PublicKey, error)

Load RSA public key

func PGPStyleCreateKeypairs ¶

func PGPStyleCreateKeypairs(bit int) ([]byte, []byte, []byte, []byte, error)

These PGPStyle* functions purposefully created for secure messaging from Go server to JS clients PGP style But you should not ever consider using it, at least for now create a pair of bit RSA keypair in PEM format Returns client pk, server pk, client pub, and server pub

func PGPStyleDecrypt ¶

func PGPStyleDecrypt(encrypted, h, nonce, additionalData, ekey []byte, pk *rsa.PrivateKey) ([]byte, error)

Returns decrypted message

func PGPStyleEncrypt ¶

func PGPStyleEncrypt(data []byte, pub *rsa.PublicKey) ([]byte, []byte, []byte, []byte, []byte, error)

Returns encrypted message, hash, nonce, additionalData, and encrypted key

func PGPStyleLoadPrivateKey ¶

func PGPStyleLoadPrivateKey(pemPk []byte) (*rsa.PrivateKey, error)

Load key in PEM format and return as *rsa.PrivateKey

func PGPStyleLoadPublicKey ¶

func PGPStyleLoadPublicKey(pemPub []byte) (*rsa.PublicKey, error)

Load key in PEM format and return as *rsa.PublicKey

func SetData ¶

func SetData(data []byte)

Set additional data for AEAD

func SetKey ¶

func SetKey(key, salt []byte) error

It is recommended if you set the key via this function rather than changing KEY directly. Please do not remember to save the salt.

func ValidateNACL ¶

func ValidateNACL(password, salt, encrypted []byte, sign [64]byte, nonce [24]byte, pub [32]byte, key []byte) error

Decrypt stored data using NaCL-EdDSA to be validated.

Types ¶

type ENC ¶

type ENC struct {
	GCM cipher.AEAD
}

func New ¶

func New() (*ENC, error)

Create new encrypter

func (*ENC) DecryptECDSA ¶

func (b *ENC) DecryptECDSA(encrypted, rb, sb, nonce []byte, pub *ecdsa.PublicKey) ([]byte, error)

Decrypt the encrypted data Returns the decrypted data

func (*ENC) DecryptRSA ¶

func (b *ENC) DecryptRSA(encrypted, s, nonce []byte, pub *rsa.PublicKey) ([]byte, error)

Decrypt the encrypted data Returns the decrypted data

func (*ENC) EncryptECDSASend ¶

func (b *ENC) EncryptECDSASend(data []byte, pk *ecdsa.PrivateKey) ([]byte, []byte, []byte, []byte, error)

Encrypt data to be send using ECDSA-AES256GCM-AEAD For JS, see http://bitwiseshiftleft.github.io/sjcl/doc/symbols/sjcl.mode.gcm.html and https://github.com/cryptocoinjs/ecdsa just remember to use prime256v1 (secp256r1) Returns encrypted data, r, s, and nonce

func (*ENC) EncryptECDSAStore ¶

func (b *ENC) EncryptECDSAStore(data, salt []byte, pk *ecdsa.PrivateKey) ([]byte, []byte, []byte, []byte, error)

Encrypt data using scrypt -> ECDSA-AES256GCM-AEAD to be stored returns encrypted, r, s, and nonce. Preferably store them each in different databases (or machines) if you can

func (*ENC) EncryptRSASend ¶

func (b *ENC) EncryptRSASend(data []byte, pk *rsa.PrivateKey) ([]byte, []byte, []byte, error)

Encrypt data to be send using RSA-AES256GCM-AEAD For JS, see http://bitwiseshiftleft.github.io/sjcl/doc/symbols/sjcl.mode.gcm.html and https://github.com/travist/jsencrypt Returns encrypted data, sign, and nonce

func (*ENC) EncryptRSAStore ¶

func (b *ENC) EncryptRSAStore(data, salt []byte, pk *rsa.PrivateKey) ([]byte, []byte, []byte, error)

Encrypt data using scrypt -> RSA-AES256GCM-AEAD to be stored returns encrypted, sign, and nonce. Preferably store them each in different databases (or machines) if you can

func (*ENC) ValidateECDSA ¶

func (b *ENC) ValidateECDSA(password, salt, encrypted, rb, sb, nonce []byte, pub *ecdsa.PublicKey) error

Validate data

func (*ENC) ValidateRSA ¶

func (b *ENC) ValidateRSA(password, salt, encrypted, s, nonce []byte, pub *rsa.PublicKey) error

Validate data

type NACL ¶

type NACL struct {
	Pub  [32]byte
	Priv [32]byte
	SK   [32]byte
}

func NewNACL ¶

func NewNACL() (*NACL, error)

Create new NACL struct

func (*NACL) Decrypt ¶

func (n *NACL) Decrypt(encrypted, h, salt []byte, nonce *[24]byte, ppub *[32]byte) ([]byte, bool)

Decrypt the message, returns decrypted data

func (*NACL) DecryptSK ¶

func (n *NACL) DecryptSK(encrypted, h, salt []byte, nonce *[24]byte) ([]byte, bool)

Decrypt the message using shared key, returns decrypted data

func (*NACL) Encrypt ¶

func (n *NACL) Encrypt(msg, salt []byte, ppub *[32]byte) ([]byte, []byte, [24]byte, error)

Encrypt the message, returns encrypted data, hash, and nonce

func (*NACL) EncryptSK ¶

func (n *NACL) EncryptSK(msg, salt []byte) ([]byte, []byte, [24]byte, error)

Encrypt the message using shared key, returns encrypted data, hash, and nonce

func (*NACL) GenSharedKey ¶

func (n *NACL) GenSharedKey(ppub *[32]byte)

Generate SK from other party's public key

Source Files ¶

View all Source files

rhs.go

Directories ¶

Path	Synopsis
test

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL