miscreant

package module

v0.0.0-...-4f5dc8c Latest Latest Go to latest Published: Jun 15, 2019 License: MIT Imports: 11 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/miscreant/miscreant-go

Links

Open Source Insights

README ¶

miscreant.go

The best crypto you've never heard of, brought to you by Phil Rogaway

Go implementation of Miscreant: Advanced symmetric encryption library which provides the AES-SIV (RFC 5297), AES-PMAC-SIV, and STREAM constructions. These algorithms are easy-to-use (or rather, hard-to-misuse) and support encryption of individual messages or message streams.

import "github.com/miscreant/miscreant.go/"

All types are designed to be thread-compatible: Methods of an instance shared between multiple threads (or goroutines) must not be accessed concurrently. Callers are responsible for implementing their own mutual exclusion.

Documentation (Wiki)
godoc

About AES-SIV and AES-PMAC-SIV

AES-SIV and AES-PMAC-SIV provide nonce-reuse misuse-resistance (NRMR): accidentally reusing a nonce with this construction is not a security catastrophe, unlike more popular AES encryption modes like AES-GCM where nonce reuse leaks both the authentication key and the XOR of both plaintexts, both of which can potentially be leveraged for full plaintext recovery attacks.

With AES-SIV, the worst outcome of reusing a nonce is an attacker can see you've sent the same plaintext twice, as opposed to almost all other AES modes where it can facilitate chosen ciphertext attacks and/or full plaintext recovery.

Help and Discussion

Have questions? Want to suggest a feature or change?

Gitter: web-based chat about miscreant projects including miscreant.go
Google Group: join via web or email (miscreant-crypto+subscribe@googlegroups.com)

Security Notice

Though this library is written by cryptographic professionals, it has not undergone a thorough security audit, and cryptographic professionals are still humans that make mistakes.

This library makes an effort to use constant time operations throughout its implementation, however actual constant time behavior has not been verified.

Use this library at your own risk.

Code of Conduct

We abide by the Contributor Covenant and ask that you do as well.

For more information, please see CODE_OF_CONDUCT.md.

Contributing

Bug reports and pull requests are welcome on GitHub at:

https://github.com/miscreant/miscreant.go

Copyright

Documentation ¶

Index ¶

Constants
Variables
func GenerateKey(length int) []byte
func GenerateNonce(c cipher.AEAD) []byte
func NewAEAD(alg string, key []byte, nonceSize int) (cipher.AEAD, error)
type Cipher
- func NewAESCMACSIV(key []byte) (c *Cipher, err error)
- func NewAESPMACSIV(key []byte) (c *Cipher, err error)
type StreamDecryptor
- func NewStreamDecryptor(alg string, key, nonce []byte) (*StreamDecryptor, error)
type StreamEncryptor
- func NewStreamEncryptor(alg string, key, nonce []byte) (*StreamEncryptor, error)

Constants ¶

View Source

const MaxAssociatedDataItems = 126

MaxAssociatedDataItems is the maximum number of associated data items

Variables ¶

View Source

var (
	// ErrKeySize indicates the given key size is not supported
	ErrKeySize = errors.New("siv: bad key size")

	// ErrNotAuthentic indicates a ciphertext is malformed or corrupt
	ErrNotAuthentic = errors.New("siv: authentication failed")

	// ErrTooManyAssociatedDataItems indicates more than MaxAssociatedDataItems were given
	ErrTooManyAssociatedDataItems = errors.New("siv: too many associated data items")
)

Functions ¶

func GenerateKey ¶

func GenerateKey(length int) []byte

GenerateKey generates a random 32-byte or 64-byte encryption key. Panics if the key size is unsupported or source of randomness fails.

func GenerateNonce ¶

func GenerateNonce(c cipher.AEAD) []byte

GenerateNonce generates a random nonce for the given `cipher.AEAD`. Panics if the configured nonce size is less than 16-bytes (128-bits)

func NewAEAD ¶

func NewAEAD(alg string, key []byte, nonceSize int) (cipher.AEAD, error)

NewAEAD returns an AES-SIV instance implementing cipher.AEAD interface, with the given cipher, nonce size, and a key which must be twice as long as an AES key, either 32 or 64 bytes to select AES-128 (AES-SIV-256) or AES-256 (AES-SIV-512).

Unless the given nonce size is less than zero, Seal and Open will panic when passed nonce of a different size.

Types ¶

type Cipher ¶

type Cipher struct {
	// contains filtered or unexported fields
}

Cipher is an instance of AES-SIV, configured with either AES-CMAC or AES-PMAC as a message authentication code.

func NewAESCMACSIV ¶

func NewAESCMACSIV(key []byte) (c *Cipher, err error)

NewAESCMACSIV returns a new AES-SIV cipher with the given key, which must be twice as long as an AES key, either 32 or 64 bytes to select AES-128 (AES-CMAC-SIV-256), or AES-256 (AES-CMAC-SIV-512).

func NewAESPMACSIV ¶

func NewAESPMACSIV(key []byte) (c *Cipher, err error)

NewAESPMACSIV returns a new AES-SIV cipher with the given key, which must be twice as long as an AES key, either 32 or 64 bytes to select AES-128 (AES-PMAC-SIV-256), or AES-256 (AES-PMAC-SIV-512).

func (*Cipher) Open ¶

func (c *Cipher) Open(dst []byte, ciphertext []byte, data ...[]byte) ([]byte, error)

Open decrypts ciphertext, authenticates the decrypted plaintext and the given associated data items and, if successful, appends the resulting plaintext to dst, returning the updated slice. The additional data items must match the items passed to Seal.

The ciphertext and dst may alias exactly or not at all.

For nonce-based encryption, the nonce should be the last associated data item.

func (*Cipher) Overhead ¶

func (c *Cipher) Overhead() int

Overhead returns the difference between plaintext and ciphertext lengths.

func (*Cipher) Seal ¶

func (c *Cipher) Seal(dst []byte, plaintext []byte, data ...[]byte) ([]byte, error)

Seal encrypts and authenticates plaintext, authenticates the given associated data items, and appends the result to dst, returning the updated slice.

The plaintext and dst may alias exactly or not at all.

For nonce-based encryption, the nonce should be the last associated data item.

type StreamDecryptor ¶

type StreamDecryptor struct {
	// contains filtered or unexported fields
}

StreamDecryptor decrypts message streams, selecting the nonces using a 32-bit counter, generalized for any cipher.AEAD algorithm

This construction corresponds to the ℰ stream encryptor object as defined in the paper Online Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance

func NewStreamDecryptor ¶

func NewStreamDecryptor(alg string, key, nonce []byte) (*StreamDecryptor, error)

NewStreamDecryptor returns a STREAM encryptor instance with the given cipher, nonce, and a key which must be twice as long as an AES key, either 32 or 64 bytes to select AES-128 (AES-SIV-256) or AES-256 (AES-SIV-512).

func (*StreamDecryptor) NonceSize ¶

func (d *StreamDecryptor) NonceSize() int

NonceSize returns the size of the nonce that must be passed to NewStreamDecryptor

func (*StreamDecryptor) Open ¶

func (d *StreamDecryptor) Open(dst, ciphertext, aData []byte, lastBlock bool) ([]byte, error)

Open decrypts and authenticates the next ciphertext in the STREAM, and also authenticates the additional data, ensuring it matches the value passed to Seal.

If successful, it appends the resulting plaintext to dst and returns the updated slice.

The ciphertext and dst may alias exactly or not at all. To reuse ciphertext's storage for the decrypted output, use ciphertext[:0] as dst.

Even if the function fails, the contents of dst, up to its capacity, may be overwritten.

func (*StreamDecryptor) Overhead ¶

func (d *StreamDecryptor) Overhead() int

Overhead returns the maximum difference between the lengths of a plaintext and its ciphertext, which in the case of AES-SIV modes is the size of the initialization vector

type StreamEncryptor ¶

type StreamEncryptor struct {
	// contains filtered or unexported fields
}

StreamEncryptor encrypts message streams, selecting the nonces using a 32-bit counter, generalized for any cipher.AEAD algorithm

This construction corresponds to the ℰ stream encryptor object as defined in the paper Online Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance

func NewStreamEncryptor ¶

func NewStreamEncryptor(alg string, key, nonce []byte) (*StreamEncryptor, error)

NewStreamEncryptor returns a STREAM encryptor instance with the given cipher, nonce, and a key which must be twice as long as an AES key, either 32 or 64 bytes to select AES-128 (AES-SIV-256) or AES-256 (AES-SIV-512).

func (*StreamEncryptor) NonceSize ¶

func (e *StreamEncryptor) NonceSize() int

NonceSize returns the size of the nonce that must be passed to NewStreamEncryptor

func (*StreamEncryptor) Overhead ¶

func (e *StreamEncryptor) Overhead() int

Overhead returns the maximum difference between the lengths of a plaintext and its ciphertext, which in the case of AES-SIV modes is the size of the initialization vector

func (*StreamEncryptor) Seal ¶

func (e *StreamEncryptor) Seal(dst, plaintext, aData []byte, lastBlock bool) []byte

Seal the next message in the STREAM, which encrypts and authenticates plaintext, authenticates the additional data and appends the result to dst, returning the updated slice.

The plaintext and dst may alias exactly or not at all. To reuse plaintext's storage for the encrypted output, use plaintext[:0] as dst.

The lastBlock argument should be set to true if this is the last message in the STREAM. No further messages can be encrypted after the last one

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
block
cmac
pmac

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL