
Bug#879546: marked as done (ITP: golang-github-gtank-cryptopasta -- copy & paste-friendly golang crypto)



Your message dated Thu, 02 Nov 2017 10:00:18 +0000
with message-id <E1eACIM-0002YN-B9@fasolo.debian.org>
and subject line Bug#879546: fixed in golang-github-gtank-cryptopasta 0.0~git20170601.1f550f6-1
has caused the Debian Bug report #879546,
regarding ITP: golang-github-gtank-cryptopasta -- copy & paste-friendly golang crypto
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
879546: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879546
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: wnpp
Severity: wishlist
Owner: Michael Stapelberg <stapelberg@debian.org>

* Package name    : golang-github-gtank-cryptopasta
  Version         : 0.0~git20170601.1f550f6-1
  Upstream Author : George Tankersley
* URL             : https://github.com/gtank/cryptopasta
* License         : CC0-1.0
  Programming Lang: Go
  Description     : copy & paste-friendly golang crypto

 TL;DR- Copy & paste your crypto code from here instead of Stack Overflow.
 .
 This library demonstrates a suite of basic cryptography from the Go standard
 library. To the extent possible, it tries to hide complexity and help you avoid
 common mistakes. The recommendations were chosen as a compromise between
 cryptographic qualities, the Go standard lib, and my existing use cases.
 .
 Some particular design choices I've made:
 .
 1. SHA-512/256 has been chosen as the default hash for the examples. It's
    faster on 64-bit machines and immune to length extension. If it doesn't work
    in your case, replace instances of it with ordinary SHA-256.
 .
 2. The specific ECDSA parameters were chosen to be compatible with RFC7518[1]
    while using the best implementation of ECDSA available. Go's P-256 is
    constant-time (which prevents certain types of attacks) while its P-384 and
    P-521 are not.
 .
 3. Key parameters are arrays rather than slices so the compiler can help you
    avoid mixing up the arguments. The signing and marshaling functions use the
    crypto/ecdsa key types directly for the same reason.
 .
 4. Public/private keypairs for signing are marshaled into and out of PEM
    format, making them relatively portable to other crypto software you're
    likely to use (openssl, cfssl, etc).
 .
 5. Key generation functions will panic if they can't read enough random bytes
    to generate the key. Key generation is critical, and if crypto/rand fails at
    that stage then you should stop doing cryptography on that machine immediately.
 .
 6. The license is a CC0 public domain dedication, with the intent that you can
    just copy bits of this directly into your code and never be required to
    acknowledge my copyright, provide source code, or do anything else commonly
    associated with open licenses.
 .
 .
 The specific recommendations are:
 .
 .
 Encryption - 256-bit AES-GCM with random 96-bit nonces
 .
 Using AES-GCM (instead of AES-CBC, AES-CFB, or AES-CTR, all of which Go also
 offers) provides authentication in addition to confidentiality. This means that
 the content of your data is hidden and that any modification of the encrypted
 data will result in a failure to decrypt. This rules out entire classes of
 possible attacks. Randomized nonces remove the choices around nonce generation
 and management, which are another common source of error in crypto
 implementations.
 .
 The interfaces in this library allow only the use of 256-bit keys.
 .
 .
 Hashing - HMAC-SHA512/256
 .
 Using hash functions directly is fraught with various perils – it's common for
 developers to accidentally write code that is subject to easy collision or
 length extension attacks. HMAC is a function built on top of hashes and it
 doesn't have those problems. Using SHA-512/256 as the underlying hash function
 means the process will be faster on 64-bit machines, but the output will be the
 same length as the more familiar SHA-256.
 .
 This interface encourages you to scope your hashes with an English-language
 string (a "tag") that describes the purpose of the hash. Tagged hashes are a
 common "security hygiene" measure to ensure that hashing the same data for
 different purposes will produce different outputs.
 .
 .
 Password hashing - bcrypt with work factor 14
 .
 Use this to store users' passwords and check them for login (e.g. in a web
 backend). While they both have "hashing" in the name, password hashing is an
 entirely different situation from ordinary hashing and requires its own
 specialized algorithm. bcrypt is a hash function designed for password storage.
 It can be made selectively slower (based on a "work factor") to increase the
 difficulty of brute-force password cracking attempts.
 .
 As of 2016, a work factor of 14 should be well on the side of future-proofing
 over performance. If it turns out to be too slow for your needs, you can try
 using 13 or even 12. You should not go below work factor 12.
 .
 .
 Symmetric Signatures / Message Authentication - HMAC-SHA512/256
 .
 When two parties share a secret key, they can use message authentication to
 make sure that a piece of data hasn't been altered. You can think of it as a
 "symmetric signature" - it proves both that the data is unchanged and that
 someone who knows the shared secret key generated it. Anyone who does not know
 the secret key can neither validate the data nor make valid alterations.
 .
 This comes up most often in the context of web stuff, such as:
 .
 1. Authenticating requests to your API. The most widely known example is
    probably the Amazon AWS API, which requires you to sign requests with
    HMAC-SHA256. In this type of use, the "secret key" is a token that the API
    provider issues to authorized API users.
 .
 2. Validating authenticated tokens (cookies, JWTs, etc) that are issued by a
    service but are stored by a user. In this case, the service wants to ensure
    that a user doesn't modify the data contained in the token.
 .
 As with encryption, you should always use a 256-bit random key to
 authenticate messages.
 .
 .
 Asymmetric Signatures - ECDSA on P-256 with SHA-256 message digests
 .
 These are the classic public/private keypair signatures that you probably think
 of when you hear the word "signature". The holder of a private key can sign
 data that anyone who has the corresponding public key can verify.
 .
 Go takes very good care of us here. In particular, the Go implementation of
 P-256 is constant time to protect against side-channel attacks, and the Go
 implementation of ECDSA generates safe nonces to protect against the type of
 repeated-nonce attack that broke the PS3.
 .
 In terms of JWTs, this algorithm is called "ES256". The functions
 "EncodeSignatureJWT" and "DecodeSignatureJWT" will convert the basic signature
 format to and from the encoding specified by RFC7515[2].
 .
 [1] https://tools.ietf.org/html/rfc7518#section-3.1
 [2] https://tools.ietf.org/html/rfc7515#appendix-A.3

This is a build-dependency for dex.

--- End Message ---
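
The ES256 signature encoding that the description above refers to (RFC 7515 appendix A.3), as an added example that is not part of the original message and is not cryptopasta's own code. The function names are hypothetical, the payload strings are constructed, and only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"math/big"
)

// encodeES256 (hypothetical name, not cryptopasta's API) emits the fixed-width
// 64-byte R||S value as unpadded base64url.
func encodeES256(r, s *big.Int) string {
	raw := make([]byte, 64)
	r.FillBytes(raw[:32]) // left-pads with zeros; r.Bytes() would drop them
	s.FillBytes(raw[32:])
	return base64.RawURLEncoding.EncodeToString(raw)
}

// decodeES256 reverses encodeES256 and rejects input that is not 64 bytes.
func decodeES256(sig string) (*big.Int, *big.Int, error) {
	raw, err := base64.RawURLEncoding.DecodeString(sig)
	if err != nil || len(raw) != 64 {
		return nil, nil, fmt.Errorf("malformed ES256 signature (%d bytes)", len(raw))
	}
	return new(big.Int).SetBytes(raw[:32]), new(big.Int).SetBytes(raw[32:]), nil
}

// roundTrip signs msg with a fresh P-256 key, passes the signature through
// the encoding, and verifies it against check; it also returns the length.
func roundTrip(msg, check string) (bool, int, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, 0, err
	}
	digest := sha256.Sum256([]byte(msg))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return false, 0, err
	}
	enc := encodeES256(r, s)
	r, s, err = decodeES256(enc)
	digest = sha256.Sum256([]byte(check))
	return err == nil && ecdsa.Verify(&key.PublicKey, digest[:], r, s), len(enc), err
}
func main() {
	fmt.Println(roundTrip("constructed payload", "constructed payload"))
}
```

The encoded signature is always 86 characters; a decoder that accepts any other length is accepting something that is not an ES256 signature.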
--- Begin Message ---
Source: golang-github-gtank-cryptopasta
Source-Version: 0.0~git20170601.1f550f6-1

We believe that the bug you reported is fixed in the latest version of
golang-github-gtank-cryptopasta, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 879546@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Stapelberg <stapelberg@debian.org> (supplier of updated golang-github-gtank-cryptopasta package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 22 Oct 2017 18:52:55 +0200
Source: golang-github-gtank-cryptopasta
Binary: golang-github-gtank-cryptopasta-dev
Architecture: source all
Version: 0.0~git20170601.1f550f6-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>
Changed-By: Michael Stapelberg <stapelberg@debian.org>
Description:
 golang-github-gtank-cryptopasta-dev - copy & paste-friendly golang crypto
Closes: 879546
Changes:
 golang-github-gtank-cryptopasta (0.0~git20170601.1f550f6-1) unstable; urgency=medium
 .
   * Initial release (Closes: #879546)

--- End Message ---
