Check-in [ae70f6a3f5]
Not logged in

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:A threefish-based approach at vault key storage
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA1: ae70f6a3f5689108fb28b4eddc6b955f1938aa8c
User & Date: bernd 2019-06-04 23:30:43
Context
2019-06-05
22:15
Add new method for vault key exchange check-in: 211b96e714 user: bernd tags: trunk
2019-06-04
23:30
A threefish-based approach at vault key storage check-in: ae70f6a3f5 user: bernd tags: trunk
00:42
Scale down check-in: 45f34d2267 user: bernd tags: trunk
Changes
Hide Diffs Side-by-Side Diffs Ignore Whitespace Patch

Changes to crypt.fs.

    45     45       $100      uvar vaultkey \ buffers for vault
    46     46       $100      uvar keydump-buf  \ buffer for dumping keys
    47     47       state2#   uvar vkey \ maximum size for session key
    48     48       state2#   uvar voutkey \ for keydump
    49     49       keysize   uvar keygendh
    50     50       keysize   uvar vpk
    51     51       keysize   uvar vsk
           52  +    tf_ctx_256 uvar tf-key
           53  +    keysize   uvar tf-in
           54  +    keysize   uvar tf-out
           55  +    $10       uvar tf-hashout
    52     56       1 64s     uvar last-mykey
    53     57       cell      uvar keytmp-up
    54     58   end-class keytmp-c
    55     59   
    56     60   user-o keybuf \ storage for secure permanent keys
    57     61   
    58     62   object uclass keybuf
................................................................................
   616    620   : +sig$ ( addr u -- hostaddr host-u ) [: type .sig ;] $tmp ;
   617    621   : gen-host ( addr u -- addr' u' )
   618    622       gen>host +sig$ ;
   619    623   : >delete ( addr u type u2 -- addr u )
   620    624       "delete" >keyed-hash ;
   621    625   : gen-host-del ( addr u -- addr' u' )
   622    626       gen>host "host" >delete +sig$ ;
          627  +
          628  +\ Vault support code (generic and more compact)
          629  +
          630  +\ principle: use Threefish_256.
          631  +\ block layout:
          632  +\ 1. 32 byte ephemeral key -> use for DHE.
          633  +\ 2. 16 byte IV, used for all blocks as tweak
          634  +\ 3. 16 byte hash, to check for success
          635  +\ 4. 32 byte each blocks, decrypted by DHE+tweak
          636  +
          637  +: >vdhe ( addr -- )  sk@ drop swap tf-key tf_ctx_256-key ed-dh 2drop ;
          638  +: >viv  ( addr -- )  tf-key tf_ctx_256-tweak $10 move ;
          639  +: v-dec-loop ( addr u -- session-key u / 0 0 )
          640  +    over { chk } $10 /string  $C { mode }
          641  +    bounds U+DO
          642  +	tf-key I tf-out mode tf_decrypt_256
          643  +	c:0key tf-out keysize c:hash tf-hashout $10 c:hash@
          644  +	tf-hashout $10 chk over str= IF
          645  +	    tf-out keysize  unloop  EXIT  THEN
          646  +	0 to mode
          647  +    keysize +LOOP  0 0 ;
          648  +: v-dec$ ( addr u -- session-key u / 0 0 )
          649  +    over >vdhe keysize /string
          650  +    over >viv  $10 /string
          651  +    v-dec-loop ;
          652  +
          653  +: vdhe ( -- )  vsk vpk ed-keypair  vpk keysize type ;
          654  +: viv  ( -- )  $10 rng$ 2dup type  tf-key tf_ctx_256-tweak swap move ;
          655  +: vsessionkey ( -- )
          656  +    keysize rng$ tf-in swap move
          657  +    c:0key tf-in keysize c:hash tf-hashout $10 2dup c:hash@ type ;
          658  +: v-enc-loop ( keylist -- )
          659  +    [:  drop vsk swap tf-key tf_ctx_256-key ed-dh 2drop
          660  +	tf-key tf-in tf-out $C tf_encrypt_256
          661  +	tf-out keysize type
          662  +    ;] $[]map ;
          663  +: v-enc-gen ( keylist -- )
          664  +    vdhe viv vsessionkey v-enc-loop ;
          665  +: v-enc$ ( keylist -- addr u )
          666  +    ['] v-enc-gen $tmp ;
   623    667   
   624    668   \\\
   625    669   Local Variables:
   626    670   forth-local-words:
   627    671       (
   628    672        (("event:") definition-starter (font-lock-keyword-face . 1)
   629    673         "[ \t\n]" t name (font-lock-function-name-face . 3))