CRYPTO

Functions for symmetrical or asymmetrical encryption using NaCL. More...

Functions

byte * pcp_box_encrypt (PCPCTX *ptx, pcp_key_t *secret, pcp_pubkey_t *pub, byte *message, size_t messagesize, size_t *csize)
 Asymmetrically encrypt a message. More...
 
byte * pcp_box_decrypt (PCPCTX *ptx, pcp_key_t *secret, pcp_pubkey_t *pub, byte *cipher, size_t ciphersize, size_t *dsize)
 Asymmetrically decrypt a message. More...
 
size_t pcp_encrypt_stream (PCPCTX *ptx, Pcpstream *in, Pcpstream *out, pcp_key_t *s, pcp_pubkey_t *p, int signcrypt, int anon)
 Asymmetrically encrypt a file or a buffer stream. More...
 
size_t pcp_encrypt_stream_sym (PCPCTX *ptx, Pcpstream *in, Pcpstream *out, byte *symkey, int havehead, pcp_rec_t *recsign)
 Symmetrically encrypt a file or a buffer stream. More...
 
size_t pcp_decrypt_stream (PCPCTX *ptx, Pcpstream *in, Pcpstream *out, pcp_key_t *s, byte *symkey, int verify, int anon)
 Asymmetrically decrypt a file or a buffer stream. More...
 
size_t pcp_decrypt_stream_sym (PCPCTX *ptx, Pcpstream *in, Pcpstream *out, byte *symkey, pcp_rec_t *recverify)
 Symmetrically decrypt a file or a buffer stream. More...
 
size_t pcp_sodium_mac (byte **cipher, byte *cleartext, size_t clearsize, byte *nonce, byte *key)
 Symmetrically encrypt a message. More...
 
int pcp_sodium_verify_mac (byte **cleartext, byte *message, size_t messagesize, byte *nonce, byte *key)
 Decrypt a symmetrically encrypted message. More...
 

Detailed Description

Functions for symmetrical or asymmetrical encryption using NaCL.

Introduction

Encryption is done 32k blockwise using an ephemeral key.

If using asymmetrical encryption the ephemeral key is encrypted asymmetrically using Curve25519 for all recipients and added to the output.

If sign+crypt is requested, a hash of the clear content plus the recipient list will be made and signed. That signature will be encrypted using the ephemeral key as well and appended to the output.

For each encryption cycle (per block) a unique nonce will be used.

Encrypted Output Format

Encrypted output will always written as binary files. No armoring supported yet. The encryption process works as this:

  • generate a random symetric 32 byte key B<S>
  • encrypt it asymetrically for each recipient using a unique nonce (B<R>)
  • encrypt the input file 32k blockwise using the symetric key

Symmetric encryption works the very same with the recipient stuff left out.

Formal format description, asymmetric encrypted files:

     +---------------------------------------------------------+
     | Field         Size      Description                     |
     +-------------+--------+----------------------------------+
     | Type        |      1 | Filetype, 5=ASYM, 23=SYM         |
     +-------------|--------|----------------------------------+
     | Len R       |      4 | Number of recipients         (*) |
     +-------------|--------|----------------------------------+
     | Recipients  |   R*72 | C(recipient)|C(recipient)... (*) |
     +-------------|--------|----------------------------------+
     | Encrypted   |      ~ | The actual encrypted data        |
     +-------------|--------|----------------------------------+

The following will be Left out when doing symetric encryption.

Recipient field format:

    +---------------------------------------------------------+
    | Field         Size      Description                     |
    +-------------+--------+----------------------------------+
    | Nonce       |     24 | Random Nonce, one per R          |
    +-------------|--------|----------------------------------+
    | Cipher      |     48 | S encrypted with PK or R         |
    +-------------|--------|----------------------------------+

R is calculated using public key encryption using the senders secret key, the recipients public key and a random nonce.

Pseudocode:

R = foreach P: N | crypto_box(S, N, P, SK)
L = len(R)
T = 5
write (T | L | R)
foreach I: write (N | crypto_secret_box(I, N, S))

where P is the public key of a recipient, SK is the senders secret key, R is the recipient list, L is the number of recipients, T is the filetype header, I is a block of input with a size of 32k, N is a nonce (new per block) and S the symmetric key.

Function Documentation

byte* pcp_box_decrypt ( PCPCTX ptx,
pcp_key_t secret,
pcp_pubkey_t pub,
byte *  cipher,
size_t  ciphersize,
size_t *  dsize 
)

Asymmetrically decrypt a message.

This function is used internally and normally a user doesn't need to use it. However, from time to time there maybe the requirement to work with raw NaCL crypto_box() output. This function adds the neccessary padding and it uses PCP key structures.

Parameters
[in]ptxpcp context.
[in]secretThe secret key structure from the sender.
[in]pubThe public key structure from the recipient.
[in]cipherThe encrypted message.
[in]ciphersizeThe size in bytes of the encrypted message.
[out]dsizeA pointer which will be set to the size of the decrypted result if successful.
Returns
Returns an allocated byte array of the size csize which contains the encrypted result. In case of an error, it returns NULL sets csize to 0. Use fatals_ifany() to check for errors.
byte* pcp_box_encrypt ( PCPCTX ptx,
pcp_key_t secret,
pcp_pubkey_t pub,
byte *  message,
size_t  messagesize,
size_t *  csize 
)

Asymmetrically encrypt a message.

This function is used internally and normally a user doesn't need to use it. However, from time to time there maybe the requirement to work with raw NaCL crypto_box() output. This function adds the neccessary padding and it uses PCP key structures.

Parameters
[in]ptxpcp context.
[in]secretThe secret key structure from the sender.
[in]pubThe public key structure from the recipient.
[in]messageThe clear unencrypted message.
[in]messagesizeThe size in bytes of the message.
[out]csizeA pointer which will be set to the size of the encrypted result if successful.
Returns
Returns an allocated byte array of the size csize which contains the encrypted result. In case of an error, it returns NULL sets csize to 0. Use fatals_ifany() to check for errors.
size_t pcp_decrypt_stream ( PCPCTX ptx,
Pcpstream in,
Pcpstream out,
pcp_key_t s,
byte *  symkey,
int  verify,
int  anon 
)

Asymmetrically decrypt a file or a buffer stream.

This function decrypts a stream 32k+16-blockwise for a number of recipients.

Calls pcp_decrypt_stream_sym() after assembling the encrypted recipient list.

FIXME: should return the pcp_rec_t structure upon successfull verification somehow.

Parameters
[in]ptxpcp context.
[in]inStream to read the data to decrypt from.
[out]outStream to write decrypted result to.
[in]sSecret key structure of the recipient.
[in]symkeyEphemeral key for symmetric decryption. Set to NULL if you call this function directly.
verifyFlag to indicate sign+crypt. If 1 it tries to verify a signature, otherwise not.
[in]anonFlag to indicate if using anonymous sender key. 0 retains std behaviour, not anon.
Returns
Returns the size of the output written to the output stream or 0 in case of errors.
size_t pcp_decrypt_stream_sym ( PCPCTX ptx,
Pcpstream in,
Pcpstream out,
byte *  symkey,
pcp_rec_t recverify 
)

Symmetrically decrypt a file or a buffer stream.

This function decrypts a stream 32k+16-blockwise using a given ephemeral key. Usually compute this key using the pcp_scrypt() function. If not called directly, the key have been extracted from the recipient list.

Uses crypto_secret_box_open() for each 32k+16-block with a random nonce for each.

Parameters
[in]ptxpcp context.
[in]inStream to read the data to decrypt from.
[out]outStream to write decrypted result to.
[in]symkeyEphemeral key to use for decryption.
recverifyFlag to indicate sign+crypt. If 1 it tries to verify a signature, otherwise not.
Returns
Returns the size of the output written to the output stream or 0 in case of errors.
size_t pcp_encrypt_stream ( PCPCTX ptx,
Pcpstream in,
Pcpstream out,
pcp_key_t s,
pcp_pubkey_t p,
int  signcrypt,
int  anon 
)

Asymmetrically encrypt a file or a buffer stream.

This function encrypts a stream 32k-blockwise for a number of recipients.

Calls pcp_encrypt_stream_sym() after assembling the encrypted recipient list.

Parameters
[in]ptxpcp context.
[in]inStream to read the data to encrypt from.
[out]outStream to write encrypted result to.
[in]sSecret key structure of the sender.
[in]pPublic key hash containing a list of the recipients.
[in]signcryptFlag to indicate sign+crypt. If 1 it adds a signature, otherwise not.
[in]anonFlag to indicate if using anonymous sender key. 0 retains std behaviour, not anon.
Returns
Returns the size of the output written to the output stream or 0 in case of errors.
size_t pcp_encrypt_stream_sym ( PCPCTX ptx,
Pcpstream in,
Pcpstream out,
byte *  symkey,
int  havehead,
pcp_rec_t recsign 
)

Symmetrically encrypt a file or a buffer stream.

This function encrypts a stream 32k-blockwise using a given ephemeral key. Usually compute this key using the pcp_scrypt() function.

Uses crypto_secret_box() for each 32k-block with a random nonce for each.

Parameters
[in]ptxpcp context.
[in]inStream to read the data to encrypt from.
[out]outStream to write encrypted result to.
[in]symkeyEphemeral key to use for encryption.
[in]haveheadFlag to indicate if the file header has already been written. Set to 0 if you call this function directly in order to do symmetrical encryption.
recsignRecipient list, set this to NULL if you call this function directly.
Returns
Returns the size of the output written to the output stream or 0 in case of errors.
size_t pcp_sodium_mac ( byte **  cipher,
byte *  cleartext,
size_t  clearsize,
byte *  nonce,
byte *  key 
)

Symmetrically encrypt a message.

This function encrypts a message symmetrically using crypto_secretbox() using the given Curve25519 raw secret key and the nonce.

It allocates apropriate memory for the result, which will be stored in cipher.

Parameters
[out]cipherEncrypted result.
[in]cleartextClear message.
[in]clearsizeSize of message.
[in]nonceA random nonce (24 Bytes).
[in]keyA Curve25519 key (32 Bytes).
Returns
Returns the size of cipher.
int pcp_sodium_verify_mac ( byte **  cleartext,
byte *  message,
size_t  messagesize,
byte *  nonce,
byte *  key 
)

Decrypt a symmetrically encrypted message.

This function decrypts a symmetrically encrypted message using crypto_secretbox_open() using the given Curve25519 raw secret key and the nonce.

It allocates apropriate memory for the result, which will be stored in cleartext.

Parameters
[out]cleartextThe decrypted result.
[in]messageThe encrypted message.
[in]messagesizeSize of message.
[in]nonceA random nonce (24 Bytes).
[in]keyA Curve25519 key (32 Bytes).
Returns
Returns 0 in case of success of -1 in case of an error. Check fatals_if_any().