search

starekrow / lockbox

Encrypted storage with built-in key management facilities
MIT License
95 stars 6 forks source link

Raw encryption #4

Open starekrow opened 6 years ago

starekrow commented 6 years ago

For improved interoperability, CryptoKey should have some facility for returning and accepting raw binary ciphertext and IVs.

For example, update the signature of Lock() to accept a second argument $raw. If true, return an array of [ "iv" => "...", "data" => "..." ]. Likewise, Unlock() could accept such an array.

alexmanno commented 6 years ago

You mean something like this?

return [
            'message' => $message,
            'cipher' => $this->cipher,
            'data' => $this->data,
            'options' => $options,
            'iv' => $iv
];
starekrow commented 6 years ago

Not exactly; I think the separation between the key (details of encryption) and the output of Lock (encrypted message) is fairly important. The most that Lock() should return is probably:

[
     "iv" => $iv
    ,"mac" => $hmac
    ,"data" => $ciphertext
]

The other part should probably come from an Extract() method or an optional argument to Export(), to return:

[
     "key" => $this->data
    ,"cipher" => $this->cipher
    ,"mac" => $this->mac
    ,"id" => $this->id
    ,"kdf" => "hdkf-sha-256"
]

This assumes that #5 is addressed and a configurable MAC is set up at some point in response to #11.