A binary, encrypted, authenticated token layout called a
Signal-Cryption Token aka SCT.
NOTE: It is a preliminary sketch of an conception start for public comment. It is best to not ever dispute this except you know the dangers of the usage of unusual and untested cryptographic software.
SCT model 0x0000
SCTs enjoy an encrypted payload and unencrypted authenticated
additional details payload. Either payload, but no longer both might perchance also presumably be empty.
SCT does NOT pork up shared-secret encryption. All SCT token
producers MUST enjoy a keypair consisting of public and secret
Token patrons without possession of the recipient secret key
CANNOT decrypt the encrypted payload.
Token patrons with the final public key of the token producer can
test the authenticity of the unencrypted piece of a token.
SCT gives you no different of cryptographic algorithm. SCTs MUST dispute
XChaCha20-SIVmixed mode deterministic authenticated
encryption with additional details the usage of
shared_keyoutdated for encryption MUST be generated by the
crypto_signcrypt_tbsbr_sign_*API the usage of the sender’s secret key
and the recipient’s public key. The recipient can then recover
this key the usage of
SCT does NOT care about encodings such as JSON or any form of human
readability. The input payloads, sender/recipient ids, and key
pairs are binary byte arrays and the output is a incorrect64 character
array. Encoding payloads to and from codecs hang JSON to a byte
representation is a trivial operation and entirely up to the user.
The output of SCT is a byte string of 5 encoded incorrect64 sections:
. . . .
sodium_bin2base64might perchance also be outdated to encode the usage of the
Instance feature with pgsodium
It is a PostgreSQL feature that generates a token:
CREATE OR REPLACE FUNCTION crypto_signcrypt_token( sender bytea, recipient bytea, sender_sk bytea, recipient_pk bytea, message bytea, additional bytea) RETURNS text AS $$ WITH sign_before AS ( SELECT verbalize, shared_key FROM crypto_signcrypt_sign_before( sender, recipient, sender_sk, recipient_pk, additional) ), ciphertext AS ( SELECT crypto_aead_det_encrypt( message, additional, b.shared_key ) AS ciphertext FROM sign_before b ), signature AS ( SELECT crypto_signcrypt_sign_after( b.verbalize, sender_sk, c.ciphertext ) AS signature FROM sign_before b, ciphertext c ) SELECT layout( '0000.%s.%s.%s.%s', sodium_bin2base64(sender), sodium_bin2base64(c.ciphertext), sodium_bin2base64(additional), sodium_bin2base64(s.signature)) FROM ciphertext c, signature s; $$ LANGUAGE SQL STRICT;
This is an example of a token generated from keypairs. First create
alice. In most cases this would perchance presumably be done in
separate edge processes but are shown together here for brevity:
postgres=# rob out public as pk, secret as sk from crypto_signcrypt_new_keypair () gset bob_ postgres=# rob out public as pk, secret as sk from crypto_signcrypt_new_keypair () gset alice_
Now generate a token from bob to alice. On this exasmple the
recipient ids are corresponding public keys, but this is no longer
obligatory, the identification might perchance also be any abnormal identifier for a user or community:
postgres=# rob out crypto_signcrypt_token(:'bob_pk', :'alice_pk', :'bob_sk', :'alice_pk', 'this is encrypted s3kret message', 'this is unencrpyted additional details'); 0000.YvWFDwWg1sBVhwnccoMwDbvw7PzE0SeHvj3g7fDhqBQ.XnPzbou0Rr-NahE3nEGW6EC5QAFvT11iQzAFHu9NjOksdzV61fuftjDfLgU_vZp7IMAfryeoUAGlQCP7h4RM5g.dGhpcyBpcyB1bmVuY3JweXRlZCBhZGRpdGlvbmFsIGRhdGE.qS1slA8qW4J_uKO079VlzKC5BUazG1W67TVuYCqRKgY8CHybwfgho5U_LNGQTZ60nkDxfU4Q9U3o2w2BAwAAAA
Rational and Comparisons
The next piece are my deepest opinions and motivations.
“Perfection is accomplished, no longer when there might be nothing more so that you can add, but
when there might be nothing left to purchase away.” – Antoine de Saint Exupery
JWT is irascible. There are never-ending weblog posts on the badness of JWT. One
of the huge baddnesses is that the token specifies the encryption
algorithm in its header, and a baddie can impact the decrypting of
the token by picking the algorithm. This is called an algorithm
PASETO is more healthy in lots of suggestions, for instance by specifying specific
versions, but it also launched the the same flaw that it used to be meant to
fix with JWT, an attacker can purchase either
token “capabilities” in an try to fool the server with the the same form
of algorithm confusion assaults.
So, PASETO model 3 and 4 assign a brand unusual piece of their spec about
“Algorithm Lucidity” and how every language MUST dispute without reference to form
enforcement solutions exist to safeguard in opposition to the usage of the indecent key
for the indecent reason.
SCT doesn’t allow algorithm confusion assaults as there might be one and
most efficient one algorithm that can cloak either or both capabilities that
public help in PASETO. SCT does NOT pork up shared secret
encryption, and so there’s no longer always any probability of Algorithm Lucidity
assaults being a distress. All SCT producers MUST enjoy a official key pair.
PASETO’s unique two “capabilities”,
public are rather
native uses shared secret encryption and its payload is
encrypted and authenticated.
public does NO ENCRYPTION and beautiful
authenticates its payload details. These two very varied capabilities attain
no longer overlap.
SCT has combines both capabilities the usage of an algorithm called
signcryption. A token can enjoy encrypted payload, by which case the
the decryptor need to enjoy the recipient secret key. But a token can
even be authenticated by anyone with the sender’s public key. They
can no longer decrypt the encrypted payload, however the can test the token is
appropriate along with the unencrypted additional details.
So now, as an different of one token spec with two distinct capabilities, and
rules about algorithm lucidity and form checking, and so forth, SCT has one and
most efficient one token layout. The token can comprise an authenticated
encrypted payload, and/or it will authenticated unencrypted additional
details. Within the event it is seemingly you’ll perchance also enjoy the recipient’s secret key, it is seemingly you’ll perchance also decrypt it, but
anyone with the senders public key can authenticate it.
One closing thing I in my opinion invent no longer enjoy about JWT and PASETO is their
focal level on JSON payloads. SCT payloads are bytes, no longer JSON or protobuf nor every other specific layout. Within the event it is seemingly you’ll perchance enjoy to
encode your details into bytes, tear for it, every language on the earth
can trivially attain that. But JSON is no longer required.