aidantwoods / go-paseto

Platform-Agnostic Security Tokens implementation in Golang.
https://pkg.go.dev/aidanwoods.dev/go-paseto
MIT License

Add v3.public support #1

Closed aidantwoods closed 2 years ago

aidantwoods commented 2 years ago

No Go language support for RFC 6979 (as suggested by the PASETO spec). However, the Go crypto library does address CSPRNG failures:

https://pkg.go.dev/crypto/ecdsa#pkg-overview

Package ecdsa implements the Elliptic Curve Digital Signature Algorithm, as defined in FIPS 186-4 and SEC 1, Version 2.0.

Signatures generated by this package are not deterministic, but entropy is mixed with the private key and the message, achieving the same level of security in case of randomness source failure.

This should be sufficient to meet the spec recommendations, but open to feedback on how to improve this. My preference is to defer to the Go crypto library where possible here, rather than writing a custom implementation of RFC 6979.

paragonie-security commented 2 years ago

Signatures generated by this package are not deterministic, but entropy is mixed with the private key and the message, achieving the same level of security in case of randomness source failure.

That's sufficient. From step 4 in the Version 3 spec (emphasis added):

  1. Sign m2 using ECDSA over P-384 and SHA-384 with the private key sk. We'll call this sig. The output of sig MUST be in the format r || s (where || means concatenate), for a total length of 96 bytes.
    • Signatures SHOULD use deterministic nonces (RFC 6979) if possible, to mitigate the risk of k-value reuse.
    • If RFC 6979 is not available in your programming language, ECDSA MUST use a CSPRNG to generate the k-value.
    • Hedged signatures (RFC 6979 + additional randomness to provide resilience to fault attacks) are allowed.

       sig = crypto_sign_ecdsa_p384(
           message = m2,
           private_key = sk
       );
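The spec step quoted above, worked through with the Go standard library as an added example (this is not code from go-paseto or from either commenter): sign with crypto/ecdsa over P-384 and SHA-384, emit the raw r || s encoding of exactly 96 bytes, and verify it again. The message bytes stand in for the spec's m2 (in PASETO that would be the PAE-encoded header and payload; here it is a constructed sample). The names SignRS, VerifyRS and SelfCheck are this example's own. The SelfCheck function also shows the point made in the thread: two signatures over the same message differ because crypto/ecdsa mixes fresh entropy into the nonce, yet both verify.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
	"math/big"
)

// Byte length of each of r and s for P-384 (the group order is 384 bits).
const p384ScalarSize = 48

// SignRS signs msg with ECDSA over P-384 / SHA-384 and returns r || s (96 bytes).
// crypto/ecdsa draws the nonce from rand.Reader mixed with the key and message,
// which is the CSPRNG route the spec permits when RFC 6979 is unavailable.
func SignRS(sk *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	if sk.Curve.Params().Name != "P-384" {
		return nil, errors.New("key is not a P-384 key")
	}
	h := sha512.Sum384(msg)
	r, s, err := ecdsa.Sign(rand.Reader, sk, h[:])
	if err != nil {
		return nil, err
	}
	sig := make([]byte, 2*p384ScalarSize)
	// FillBytes left-pads with zeros, so a numerically small r or s still
	// occupies its full 48 bytes and the total length is always 96.
	r.FillBytes(sig[:p384ScalarSize])
	s.FillBytes(sig[p384ScalarSize:])
	return sig, nil
}

// VerifyRS checks a raw r || s signature; any other length is rejected outright.
func VerifyRS(pk *ecdsa.PublicKey, msg, sig []byte) bool {
	if pk.Curve.Params().Name != "P-384" || len(sig) != 2*p384ScalarSize {
		return false
	}
	r := new(big.Int).SetBytes(sig[:p384ScalarSize])
	s := new(big.Int).SetBytes(sig[p384ScalarSize:])
	h := sha512.Sum384(msg)
	return ecdsa.Verify(pk, h[:], r, s)
}

// CheckResult summarises one sign/verify round trip.
type CheckResult struct {
	SigLen            int  // expected 96
	Verifies          bool // genuine signature over the original message
	TamperedVerifies  bool // same signature over a modified message
	TruncatedVerifies bool // signature with one byte dropped
	Deterministic     bool // whether two signatures of the same message coincide
}

// SelfCheck generates a throwaway P-384 key and exercises SignRS/VerifyRS.
func SelfCheck() (CheckResult, error) {
	var res CheckResult
	sk, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return res, err
	}
	// Constructed stand-in for m2; real PASETO input is the PAE of header and payload.
	msg := []byte("v3.public.constructed-sample-m2")

	sig1, err := SignRS(sk, msg)
	if err != nil {
		return res, err
	}
	sig2, err := SignRS(sk, msg)
	if err != nil {
		return res, err
	}
	tampered := append([]byte{}, msg...)
	tampered[0] ^= 0x01

	res.SigLen = len(sig1)
	res.Verifies = VerifyRS(&sk.PublicKey, msg, sig1) && VerifyRS(&sk.PublicKey, msg, sig2)
	res.TamperedVerifies = VerifyRS(&sk.PublicKey, tampered, sig1)
	res.TruncatedVerifies = VerifyRS(&sk.PublicKey, msg, sig1[:len(sig1)-1])
	res.Deterministic = bytes.Equal(sig1, sig2)
	return res, nil
}

func main() {
	res, err := SelfCheck()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

The length check in VerifyRS matters in practice: without it a malformed signature would still parse into some r and s and be handed to ecdsa.Verify, and the fixed 96-byte layout is what lets a receiver split the token footer unambiguously.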
aidantwoods commented 2 years ago

Really appreciate you taking a look. Thanks for confirming! 😃