Demonstrate HN: Signcryption Token Proposal The dispute of Libsodium

A binary, encrypted, authenticated token format called a Sign-Cryption Token aka SCT. NOTE: This is a preliminary sketch of an idea open for public comment. You should not use this unless you understand the risks of using new and untested cryptographic software. SCT version 0x0000 SCT requires libsodium, including the additional function libraries in libsodium-xchacha20-siv…

Demonstrate HN: Signcryption Token Proposal The dispute of Libsodium

A binary, encrypted, authenticated token layout called a
Signal-Cryption Token aka SCT.

NOTE: It is a preliminary sketch of an conception start for public comment. It is best to not ever dispute this except you know the dangers of the usage of unusual and untested cryptographic software.

SCT model 0x0000

  • SCT requires libsodium, along with the additional feature
    libraries in libsodium-xchacha20-siv and

  • SCTs enjoy an encrypted payload and unencrypted authenticated
    additional details payload. Either payload, but no longer both might perchance also presumably be empty.

  • SCT does NOT pork up shared-secret encryption. All SCT token
    producers MUST enjoy a keypair consisting of public and secret

  • Token patrons without possession of the recipient secret key
    CANNOT decrypt the encrypted payload.

  • Token patrons with the final public key of the token producer can
    test the authenticity of the unencrypted piece of a token.

  • SCT gives you no different of cryptographic algorithm. SCTs MUST dispute
    XChaCha20-SIV mixed mode deterministic authenticated
    encryption with additional details the usage of

  • The shared_key outdated for encryption MUST be generated by the
    crypto_signcrypt_tbsbr_sign_* API the usage of the sender’s secret key
    and the recipient’s public key. The recipient can then recover
    this key the usage of crypto_signcrypt_tbsbr_verify_*.

  • SCT does NOT care about encodings such as JSON or any form of human
    readability. The input payloads, sender/recipient ids, and key
    pairs are binary byte arrays and the output is a incorrect64 character
    array. Encoding payloads to and from codecs hang JSON to a byte
    representation is a trivial operation and entirely up to the user.

  • The output of SCT is a byte string of 5 encoded incorrect64 sections:


    The feature sodium_bin2base64 might perchance also be outdated to encode the usage of the
    sodium_base64_VARIANT_URLSAFE_NO_PADDING variant.

Instance feature with pgsodium

It is a PostgreSQL feature that generates a token:

CREATE OR REPLACE FUNCTION crypto_signcrypt_token(
    sender       bytea,
    recipient    bytea,
    sender_sk    bytea,
    recipient_pk bytea,
    message      bytea,
    additional   bytea)
RETURNS text AS $$
    sign_before AS (
        SELECT verbalize, shared_key
        FROM crypto_signcrypt_sign_before(
    ciphertext AS (
        SELECT crypto_aead_det_encrypt(
        ) AS ciphertext
        FROM sign_before b
    signature AS (
        SELECT crypto_signcrypt_sign_after(
        ) AS signature
            sign_before b,
            ciphertext c
    SELECT layout(
        ciphertext c,
        signature s;

This is an example of a token generated from keypairs. First create
keypairs for bob and alice. In most cases this would perchance presumably be done in
separate edge processes but are shown together here for brevity:

postgres=# rob out public as pk, secret as sk from crypto_signcrypt_new_keypair () gset bob_
postgres=# rob out public as pk, secret as sk from crypto_signcrypt_new_keypair () gset alice_

Now generate a token from bob to alice. On this exasmple the sender
and recipient ids are corresponding public keys, but this is no longer
obligatory, the identification might perchance also be any abnormal identifier for a user or community:

postgres=# rob out crypto_signcrypt_token(:'bob_pk', :'alice_pk', :'bob_sk', :'alice_pk', 'this is encrypted s3kret message', 'this is unencrpyted additional details');


Rational and Comparisons

The next piece are my deepest opinions and motivations.

“Perfection is accomplished, no longer when there might be nothing more so that you can add, but
when there might be nothing left to purchase away.” – Antoine de Saint Exupery

JWT is irascible. There are never-ending weblog posts on the badness of JWT. One
of the huge baddnesses is that the token specifies the encryption
algorithm in its header, and a baddie can impact the decrypting of
the token by picking the algorithm. This is called an algorithm
confusion attack.

PASETO is more healthy in lots of suggestions, for instance by specifying specific
versions, but it also launched the the same flaw that it used to be meant to
fix with JWT, an attacker can purchase either native or public
token “capabilities” in an try to fool the server with the the same form
of algorithm confusion assaults.

So, PASETO model 3 and 4 assign a brand unusual piece of their spec about
“Algorithm Lucidity” and how every language MUST dispute without reference to form
enforcement solutions exist to safeguard in opposition to the usage of the indecent key
for the indecent reason.

SCT doesn’t allow algorithm confusion assaults as there might be one and
most efficient one algorithm that can cloak either or both capabilities that native
and public help in PASETO. SCT does NOT pork up shared secret
encryption, and so there’s no longer always any probability of Algorithm Lucidity
assaults being a distress. All SCT producers MUST enjoy a official key pair.

PASETO’s unique two “capabilities”, native and public are rather
varied, native uses shared secret encryption and its payload is
encrypted and authenticated. public does NO ENCRYPTION and beautiful
authenticates its payload details. These two very varied capabilities attain
no longer overlap.

SCT has combines both capabilities the usage of an algorithm called
signcryption. A token can enjoy encrypted payload, by which case the
the decryptor need to enjoy the recipient secret key. But a token can
even be authenticated by anyone with the sender’s public key. They
can no longer decrypt the encrypted payload, however the can test the token is
appropriate along with the unencrypted additional details.

So now, as an different of one token spec with two distinct capabilities, and
rules about algorithm lucidity and form checking, and so forth, SCT has one and
most efficient one token layout. The token can comprise an authenticated
encrypted payload, and/or it will authenticated unencrypted additional
details. Within the event it is seemingly you’ll perchance also enjoy the recipient’s secret key, it is seemingly you’ll perchance also decrypt it, but
anyone with the senders public key can authenticate it.

One closing thing I in my opinion invent no longer enjoy about JWT and PASETO is their
focal level on JSON payloads. SCT payloads are bytes, no longer JSON or protobuf nor every other specific layout. Within the event it is seemingly you’ll perchance enjoy to
encode your details into bytes, tear for it, every language on the earth
can trivially attain that. But JSON is no longer required.

Be a half of the pack! Be a half of 8000+ others registered users, and accumulate chat, make groups, put up updates and make traffic across the area!



Fill your life with experiences so you always have a great story to tell

Leave a Reply