1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
|
{-# LANGUAGE OverloadedStrings, GeneralizedNewtypeDeriving, MultiParamTypeClasses, FlexibleInstances #-}
module Types where
import Types.Cost
import Entropy
import qualified Data.ByteString as B
import qualified Data.ByteString.Lazy as BL
import qualified Crypto.Argon2 as Argon2
import Data.String
-- | keysafe stores secret keys.
newtype SecretKey = SecretKey B.ByteString
-- | Objects stored on a keysafe server are (probably) a shard of an
-- encrypted secret key.
newtype StorableObject = StorableObject { fromStorableObject :: BL.ByteString }
-- | Parameters for sharding. The secret is split into
-- N objects, such that only M are needed to reconstruct it.
data ShardParams = ShardParams
{ totalObjects :: Int -- ^ N
, neededObjects :: Int -- ^ M
}
-- | keysafe stores data for a long time, and needs to be able to process
-- data from a long time ago when restoring a key. We don't want to be
-- locked into old choices of crypto primitives etc forever.
--
-- So, every parameter that can be tuned is configured in this data
-- structure. Carefully chosen parts of this are exposed at various points
-- in the data stored for a key, to allow future versions of keysafe to
-- make the right decisions when processing it.
data Tunables = Tunables
{ shardParams :: ShardParams
, objectSize :: Int
-- ^ a StorableObject is exactly this many bytes in size
, expensiveHashTunable :: ExpensiveHashTunable
, encryptionTunable :: EncryptionTunable
, decryptionPuzzleTunable :: DecryptionPuzzleTunable
}
-- | An expensive hash, used to make it hard to crack an encrypted secret key.
data ExpensiveHashTunable = UseArgon2 Argon2.HashOptions (Cost CreationOp)
-- | What encryption to use.
data EncryptionTunable = UseAES256
-- | An additional puzzle that makes decryption more expensive.
data DecryptionPuzzleTunable = KeyBlindingLeftSide (Cost DecryptionOp)
defaultTunables :: Tunables
defaultTunables = Tunables
{ shardParams = ShardParams { totalObjects = 3, neededObjects = 2 }
, objectSize = 1024*64 -- 64 kb
, expensiveHashTunable = UseArgon2 argonoptions argoncost
, encryptionTunable = UseAES256
-- AES can be calculated more efficiently by a GPU, so the
-- cost is a GPU cost.
-- This is set to only 1 minute because GPUs are quite a lot
-- faster than CPUs at AES, and so setting it higher would make
-- clients too slow at key recovery.
, decryptionPuzzleTunable = KeyBlindingLeftSide (GPUCost (Seconds 60))
}
where
argonoptions = Argon2.HashOptions
{ Argon2.hashIterations = 10000
, Argon2.hashMemory = 131072 -- 128 mebibtyes per thread
, Argon2.hashParallelism = 4 -- 4 threads
, Argon2.hashVariant = Argon2.Argon2i
}
-- argon2 is GPU and ASIC resistent, so it uses CPU time.
-- The above HashOptions were benchmarked at 661 seconds CPU time
-- on a 2 core Intel(R) Core(TM) i5-4210Y CPU @ 1.50GHz.
-- Since cost is measured per core, we double that.
argoncost = CPUCost (Seconds (2*600))
-- | Dials back cryptographic difficulty, not for production use.
testModeTunables :: Tunables
testModeTunables = Tunables
{ shardParams = ShardParams { totalObjects = 3, neededObjects = 2 }
, objectSize = 1024*64
, expensiveHashTunable = UseArgon2 Argon2.defaultHashOptions (CPUCost (Seconds (2*600)))
, encryptionTunable = UseAES256
, decryptionPuzzleTunable = KeyBlindingLeftSide (GPUCost (Seconds 60))
}
-- | The secret key, encrypted with a password.
data EncryptedSecretKey = EncryptedSecretKey B.ByteString (CostCalc BruteForceOp UnknownPassword)
instance Bruteforceable EncryptedSecretKey UnknownPassword where
getBruteCostCalc (EncryptedSecretKey _ cc) = cc
-- | A password used to encrypt a key stored in keysafe.
newtype Password = Password B.ByteString
deriving (IsString)
-- | Naive calculation of the entropy of a password.
-- Does not take common passwords and password generation patterns into
-- account, so this is an overestimation of how hard a password
-- is to crack.
passwordEntropy :: Password -> Entropy UnknownPassword
passwordEntropy (Password p) = Entropy $ floor $ totalEntropy p
-- | A name associated with a key stored in keysafe.
newtype Name = Name B.ByteString
deriving (Show)
-- | The type of the key that is stored in keysafe.
newtype KeyType = KeyType B.ByteString
deriving (Show)
gpgKey :: KeyType
gpgKey = KeyType "gpg"
-- | Enough information to uniquely identify a key stored in keysafe.
data KeyIdent = KeyIdent KeyType Name
deriving (Show)
newtype ShardNum = ShardNum Int
deriving (Show)
-- | Enough information to uniquely identify an object stored on a keysafe
-- server for a key.
data ObjectIdent = ObjectIdent ShardNum KeyIdent
deriving (Show)
data Benchmark t = Benchmark { expectedBenchmark :: t, actualBenchmark :: t }
deriving (Show)
|