Copyright | (c) Joseph Abrahamson 2013 |
---|---|
License | MIT |
Maintainer | me@jspha.com |
Stability | experimental |
Portability | non-portable |
Safe Haskell | None |
Language | Haskell2010 |
Secret-key encryption: Crypto.Saltine.Core.Stream
The stream
function produces a sized stream ByteString
as a
function of a secret key and a nonce. The xor
function encrypts a
message ByteString
using a secret key and a nonce. The xor
function guarantees that the ciphertext has the same length as the
plaintext, and is the plaintext
. Consequently
xor
stream k nxor
can also be used to decrypt.
The stream
function, viewed as a function of the nonce for a
uniform random key, is designed to meet the standard notion of
unpredictability ("PRF"). For a formal definition see, e.g.,
Section 2.3 of Bellare, Kilian, and Rogaway, "The security of the
cipher block chaining message authentication code," Journal of
Computer and System Sciences 61 (2000), 362–399;
http://www-cse.ucsd.edu/~mihir/papers/cbc.html. This means that
an attacker cannot distinguish this function from a uniform random
function. Consequently, if a series of messages is encrypted by
xor
with a different nonce for each message, the ciphertexts
are indistinguishable from uniform random strings of the same
length.
Note that the length is not hidden. Note also that it is the caller's responsibility to ensure the uniqueness of nonces—for example, by using nonce 1 for the first message, nonce 2 for the second message, etc. Nonces are long enough that randomly generated nonces have negligible risk of collision.
Saltine does not make any promises regarding the resistance of crypto_stream to "related-key attacks." It is the caller's responsibility to use proper key-derivation functions.
Crypto.Saltine.Core.Stream is crypto_stream_xsalsa20
, a
particular cipher specified in "Cryptography in NaCl"
(http://nacl.cr.yp.to/valid.html), Section 7. This cipher is
conjectured to meet the standard notion of unpredictability.
This is version 2010.08.30 of the stream.html web page.
Documentation
An opaque stream
cryptographic key.
Instances
Eq Key Source # | |
Data Key Source # | |
Defined in Crypto.Saltine.Core.Stream gfoldl :: (forall d b. Data d => c (d -> b) -> d -> c b) -> (forall g. g -> c g) -> Key -> c Key # gunfold :: (forall b r. Data b => c (b -> r) -> c r) -> (forall r. r -> c r) -> Constr -> c Key # dataTypeOf :: Key -> DataType # dataCast1 :: Typeable t => (forall d. Data d => c (t d)) -> Maybe (c Key) # dataCast2 :: Typeable t => (forall d e. (Data d, Data e) => c (t d e)) -> Maybe (c Key) # gmapT :: (forall b. Data b => b -> b) -> Key -> Key # gmapQl :: (r -> r' -> r) -> r -> (forall d. Data d => d -> r') -> Key -> r # gmapQr :: forall r r'. (r' -> r -> r) -> r -> (forall d. Data d => d -> r') -> Key -> r # gmapQ :: (forall d. Data d => d -> u) -> Key -> [u] # gmapQi :: Int -> (forall d. Data d => d -> u) -> Key -> u # gmapM :: Monad m => (forall d. Data d => d -> m d) -> Key -> m Key # gmapMp :: MonadPlus m => (forall d. Data d => d -> m d) -> Key -> m Key # gmapMo :: MonadPlus m => (forall d. Data d => d -> m d) -> Key -> m Key # | |
Ord Key Source # | |
Generic Key Source # | |
Hashable Key Source # | |
Defined in Crypto.Saltine.Core.Stream | |
IsEncoding Key Source # | |
Defined in Crypto.Saltine.Core.Stream encode :: Key -> ByteString Source # decode :: ByteString -> Maybe Key Source # encoded :: (Choice p, Applicative f) => p Key (f Key) -> p ByteString (f ByteString) Source # | |
type Rep Key Source # | |
Defined in Crypto.Saltine.Core.Stream type Rep Key = D1 ('MetaData "Key" "Crypto.Saltine.Core.Stream" "saltine-0.1.1.1-KbVmRAcWBV25w8Dlelbdig" 'True) (C1 ('MetaCons "Key" 'PrefixI 'False) (S1 ('MetaSel ('Nothing :: Maybe Symbol) 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 ByteString))) |
An opaque stream
nonce.
Instances
Eq Nonce Source # | |
Data Nonce Source # | |
Defined in Crypto.Saltine.Core.Stream gfoldl :: (forall d b. Data d => c (d -> b) -> d -> c b) -> (forall g. g -> c g) -> Nonce -> c Nonce # gunfold :: (forall b r. Data b => c (b -> r) -> c r) -> (forall r. r -> c r) -> Constr -> c Nonce # dataTypeOf :: Nonce -> DataType # dataCast1 :: Typeable t => (forall d. Data d => c (t d)) -> Maybe (c Nonce) # dataCast2 :: Typeable t => (forall d e. (Data d, Data e) => c (t d e)) -> Maybe (c Nonce) # gmapT :: (forall b. Data b => b -> b) -> Nonce -> Nonce # gmapQl :: (r -> r' -> r) -> r -> (forall d. Data d => d -> r') -> Nonce -> r # gmapQr :: forall r r'. (r' -> r -> r) -> r -> (forall d. Data d => d -> r') -> Nonce -> r # gmapQ :: (forall d. Data d => d -> u) -> Nonce -> [u] # gmapQi :: Int -> (forall d. Data d => d -> u) -> Nonce -> u # gmapM :: Monad m => (forall d. Data d => d -> m d) -> Nonce -> m Nonce # gmapMp :: MonadPlus m => (forall d. Data d => d -> m d) -> Nonce -> m Nonce # gmapMo :: MonadPlus m => (forall d. Data d => d -> m d) -> Nonce -> m Nonce # | |
Ord Nonce Source # | |
Generic Nonce Source # | |
Hashable Nonce Source # | |
Defined in Crypto.Saltine.Core.Stream | |
IsNonce Nonce Source # | |
IsEncoding Nonce Source # | |
Defined in Crypto.Saltine.Core.Stream encode :: Nonce -> ByteString Source # decode :: ByteString -> Maybe Nonce Source # encoded :: (Choice p, Applicative f) => p Nonce (f Nonce) -> p ByteString (f ByteString) Source # | |
type Rep Nonce Source # | |
Defined in Crypto.Saltine.Core.Stream type Rep Nonce = D1 ('MetaData "Nonce" "Crypto.Saltine.Core.Stream" "saltine-0.1.1.1-KbVmRAcWBV25w8Dlelbdig" 'True) (C1 ('MetaCons "Nonce" 'PrefixI 'False) (S1 ('MetaSel ('Nothing :: Maybe Symbol) 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 ByteString))) |
:: Key | |
-> Nonce | |
-> Int | |
-> ByteString | Cryptographic stream |
:: Key | |
-> Nonce | |
-> ByteString | Message |
-> ByteString | Ciphertext |
Computes the exclusive-or between a message and a cryptographic
random stream indexed by the Key
and the Nonce
. This renders
the output indistinguishable from random noise so long as the
Nonce
is not used more than once. Note: while this can be used
for encryption and decryption, it is possible for an attacker to
manipulate the message in transit without detection. USE AT YOUR
OWN RISK.