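--- a/sync/util/nigori.h
+++ /dev/null
@@ -1,88 +0,0 @@
-// Copyright 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SYNC_UTIL_NIGORI_H_
-#define SYNC_UTIL_NIGORI_H_
-
-#include <stddef.h>
-
-#include <memory>
-#include <string>
-
-#include "sync/base/sync_export.h"
-
-namespace crypto {
-class SymmetricKey;
-} // namespace crypto
-
-namespace syncer {
-
-// A (partial) implementation of Nigori, a protocol to securely store secrets in
-// the cloud. This implementation does not support server authentication or
-// assisted key derivation.
-//
-// To store secrets securely, use the |Permute| method to derive a lookup name
-// for your secret (basically a map key), and |Encrypt| and |Decrypt| to store
-// and retrieve the secret.
-//
-// https://www.cl.cam.ac.uk/~drt24/nigori/nigori-overview.pdf
-class SYNC_EXPORT Nigori {
-public:
-enum Type {
-Password = 1,
-};
-
-Nigori();
-virtual ~Nigori();
-
-// Initialize the client with the given |hostname|, |username| and |password|.
-bool InitByDerivation(const std::string& hostname,
-const std::string& username,
-const std::string& password);
-
-// Initialize the client by importing the given keys instead of deriving new
-// ones.
-bool InitByImport(const std::string& user_key,
-const std::string& encryption_key,
-const std::string& mac_key);
-
-// Derives a secure lookup name from |type| and |name|. If |hostname|,
-// |username| and |password| are kept constant, a given |type| and |name| pair
-// always yields the same |permuted| value. Note that |permuted| will be
-// Base64 encoded.
-bool Permute(Type type, const std::string& name, std::string* permuted) const;
-
-// Encrypts |value|. Note that on success, |encrypted| will be Base64
-// encoded.
-bool Encrypt(const std::string& value, std::string* encrypted) const;
-
-// Decrypts |value| into |decrypted|. It is assumed that |value| is Base64
-// encoded.
-bool Decrypt(const std::string& value, std::string* decrypted) const;
-
-// Exports the raw derived keys.
-bool ExportKeys(std::string* user_key,
-std::string* encryption_key,
-std::string* mac_key) const;
-
-static const char kSaltSalt[]; // The salt used to derive the user salt.
-static const size_t kSaltKeySizeInBits = 128;
-static const size_t kDerivedKeySizeInBits = 128;
-static const size_t kIvSize = 16;
-static const size_t kHashSize = 32;
-
-static const size_t kSaltIterations = 1001;
-static const size_t kUserIterations = 1002;
-static const size_t kEncryptionIterations = 1003;
-static const size_t kSigningIterations = 1004;
-
-private:
-std::unique_ptr<crypto::SymmetricKey> user_key_;
-std::unique_ptr<crypto::SymmetricKey> encryption_key_;
-std::unique_ptr<crypto::SymmetricKey> mac_key_;
-};
-
-} // namespace syncer
-
-#endif // SYNC_UTIL_NIGORI_H_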