README
¶
Used Method:
AESGCM
- AES 256 for encryption
- SHA 256 for HMAC/authentication
Process:
Encryption
- encrypt the data using aes.
- compute hash
- append the hash value with the encrypted data.
Decryption
- authenticate the data with the hash
- if data is not authentic return
- decrypt the data.
Reading materials
Language Specific Implementations are described in the {lang}-impl/README.md
Key Generation
Currently the key generation process is simple. we need 32bytes (256bits) of key to encrypt the data.
so if the key length is smaller then 32 we are appending the key in an circular approach until
the key is 32bytes. So a key of ABCD will become ABCDABCDABCDABCDABCDABCDABCDABCD.
Proposed Approach of key generation To Secure the key we can add some extra layer to the key generation process. This Could
- find hash of the provided key. possibly - sha256
- append a salt, salt could be a constant
- find the hash. possible - md5
- resize the key to 32 bytes as we are doing now.
##Nonce Generation Currently we are using the provided key as the nonce.
What is nonce?
Ans: A nonce is a number used once: a nonce should never be reused in a set of messages encrypted with the same key. keys are secrets that do not change often So, you have this vulnerability that if the keys leak, all the secrets leak so, they augment the secret with a dynamically added secret part that is supposed to be used only one for extra bit of protection.
Proposed Approach of nonce generation
To Secure the nonce we can add some extra layer to the nonce generation process. This Could
- generate a random nonce.
- add this nonce to the encrypted text.
- while decrypting find the nonce first from the data.
- use this nonce to the generate decrypted text.
Notes/Development Guide
- Encrypted bytes are converted to Base64 String before return.
- Before Decrypting use Base64 decoder to decode the string to Bytes.
- Use the test_data data to test the implementation against.
Documentation
¶
Index ¶
- type Cryptor
- type PassThroughCryptor
- func (PassThroughCryptor) Decrypt(cipherText []byte, key string) ([]byte, error)
- func (PassThroughCryptor) DecryptString(cipherText string, key string) (string, error)
- func (PassThroughCryptor) Encrypt(plainText []byte, key string) ([]byte, error)
- func (PassThroughCryptor) EncryptString(plainText string, key string) (string, error)
- type RealCryptor
- func (c RealCryptor) Decrypt(cipherText []byte, key string) ([]byte, error)
- func (c RealCryptor) DecryptString(cipherText string, key string) (string, error)
- func (c RealCryptor) Encrypt(plainText []byte, key string) ([]byte, error)
- func (c RealCryptor) EncryptString(plainText string, key string) (string, error)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Cryptor ¶
type Cryptor interface {
EncryptString(plainText string, key string) (string, error)
Encrypt(plainText []byte, key string) ([]byte, error)
DecryptString(cipherText string, key string) (string, error)
Decrypt(cipherText []byte, key string) ([]byte, error)
}
For background and implementation: See here: https://appscode.appscode.io/diffusion/100/
type PassThroughCryptor ¶
type PassThroughCryptor struct{}
func (PassThroughCryptor) Decrypt ¶
func (PassThroughCryptor) Decrypt(cipherText []byte, key string) ([]byte, error)
func (PassThroughCryptor) DecryptString ¶
func (PassThroughCryptor) DecryptString(cipherText string, key string) (string, error)
func (PassThroughCryptor) Encrypt ¶
func (PassThroughCryptor) Encrypt(plainText []byte, key string) ([]byte, error)
func (PassThroughCryptor) EncryptString ¶
func (PassThroughCryptor) EncryptString(plainText string, key string) (string, error)
type RealCryptor ¶
type RealCryptor struct{}
func (RealCryptor) Decrypt ¶
func (c RealCryptor) Decrypt(cipherText []byte, key string) ([]byte, error)
func (RealCryptor) DecryptString ¶
func (c RealCryptor) DecryptString(cipherText string, key string) (string, error)
func (RealCryptor) Encrypt ¶
func (c RealCryptor) Encrypt(plainText []byte, key string) ([]byte, error)
func (RealCryptor) EncryptString ¶
func (c RealCryptor) EncryptString(plainText string, key string) (string, error)
Source Files