-
Notifications
You must be signed in to change notification settings - Fork 6
/
examples_test.go
455 lines (375 loc) · 14.6 KB
/
examples_test.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
// SPDX-License-Identifier: MIT
//
// Copyright (C) 2020-2022 Daniel Bourdrez. All Rights Reserved.
//
// This source code is licensed under the MIT license found in the
// LICENSE file in the root directory of this source tree or at
// https://spdx.org/licenses/MIT.html
package opaque_test
import (
"bytes"
"crypto"
"encoding/hex"
"fmt"
"log"
"reflect"
"github.com/bytemare/ksf"
"github.com/bytemare/opaque"
)
var (
exampleClientRecord *opaque.ClientRecord
secretOprfSeed, serverPrivateKey, serverPublicKey []byte
)
func isSameConf(a, b *opaque.Configuration) bool {
if a.OPRF != b.OPRF ||
a.KDF != b.KDF ||
a.MAC != b.MAC ||
a.Hash != b.Hash ||
a.KSF != b.KSF ||
a.AKE != b.AKE {
return false
}
return bytes.Equal(a.Context, b.Context)
}
// Example_Configuration shows how to instantiate a configuration, which is used to initialize clients and servers from.
// Configurations MUST remain the same for a given client between sessions, or the client won't be able to execute the
// protocol. Configurations can be serialized and deserialized, if you need to save, hardcode, or transmit it.
func Example_configuration() {
// You can compose your own configuration or choose a recommended default configuration.
// The two following configuration setups are the same.
defaultConf := opaque.DefaultConfiguration()
customConf := &opaque.Configuration{
OPRF: opaque.RistrettoSha512,
KDF: crypto.SHA512,
MAC: crypto.SHA512,
Hash: crypto.SHA512,
KSF: ksf.Argon2id,
AKE: opaque.RistrettoSha512,
Context: nil,
}
if !isSameConf(defaultConf, customConf) {
// isSameConf() this is just a demo function to check equality.
log.Fatalln("Oh no! Configurations differ!")
}
// A configuration can be saved encoded and saved, and later loaded and decoded at runtime.
// Any additional 'Context' is also included.
encoded := defaultConf.Serialize()
fmt.Printf("Encoded Configuration: %s\n", hex.EncodeToString(encoded))
// This how you decode that configuration.
conf, err := opaque.DeserializeConfiguration(encoded)
if err != nil {
log.Fatalf("Oh no! Decoding the configurations failed! %v", err)
}
if !isSameConf(defaultConf, conf) {
log.Fatalln("Oh no! Something went wrong in decoding the configuration!")
}
fmt.Println("OPAQUE configuration is easy!")
// Output: Encoded Configuration: 0107070701010000
// OPAQUE configuration is easy!
}
// Example_ServerSetup shows how to set up the long term values for the OPAQUE server.
// - The secret OPRF seed can be unique for each client or the same for all, but must be
// the same for a given client between registration and all login sessions.
// - The AKE key pair can also be the same for all clients or unique, but must be
// the same for a given client between registration and all login sessions.
func Example_serverSetup() {
// This a straightforward way to use a secure and efficient configuration.
// They have to be run only once in the application's lifecycle, and the output values must be stored appropriately.
serverID := []byte("server-identity")
conf := opaque.DefaultConfiguration()
secretOprfSeed = conf.GenerateOPRFSeed()
serverPrivateKey, serverPublicKey = conf.KeyGen()
if serverPrivateKey == nil || serverPublicKey == nil || secretOprfSeed == nil {
log.Fatalf("Oh no! Something went wrong setting up the server secrets!")
}
// Server setup
server, err := conf.Server()
if err != nil {
log.Fatalln(err)
}
if err := server.SetKeyMaterial(serverID, serverPrivateKey, serverPublicKey, secretOprfSeed); err != nil {
log.Fatalln(err)
}
fmt.Println("OPAQUE server initialized.")
// Output: OPAQUE server initialized.
}
// Example_Deserialization demonstrates a couple of ways to deserialize OPAQUE protocol messages.
// Message interpretation depends on the configuration context it's exchanged in. Hence, we need the corresponding
// configuration. We can then directly deserialize messages from a Configuration or pass them to Client or Server
// instances which can do it as well.
// You must know in advance what message you are expecting, and call the appropriate deserialization function.
func Example_deserialization() {
// Let's say we have this RegistrationRequest message we received on the wire.
registrationMessage, _ := hex.DecodeString("9857e1694af550c515e56a9103292ad07a014b020708d3df57ac4b151f58d323")
// Pick your configuration.
conf := opaque.DefaultConfiguration()
// You can directly deserialize and test the message's validity in that configuration by getting a deserializer.
deserializer, err := conf.Deserializer()
if err != nil {
log.Fatalln(err)
}
requestD, err := deserializer.RegistrationRequest(registrationMessage)
if err != nil {
log.Fatalln(err)
}
// Or if you already have a Server instance, you can use that also.
server, err := conf.Server()
if err != nil {
log.Fatalln(err)
}
requestS, err := server.Deserialize.RegistrationRequest(registrationMessage)
if err != nil {
// The error message will tell us what's wrong.
log.Fatalln(err)
}
// Alternatively, a Client instance can do that as well.
client, err := conf.Client()
if err != nil {
// The error message will tell us what's wrong.
log.Fatalln(err)
}
requestC, err := client.Deserialize.RegistrationRequest(registrationMessage)
if err != nil {
// The error message will tell us what's wrong.
log.Fatalln(err)
}
// All these yield the same message. The following is just a test to proof that point.
{
if !reflect.DeepEqual(requestD, requestS) ||
!reflect.DeepEqual(requestD, requestC) ||
!reflect.DeepEqual(requestS, requestC) {
log.Fatalf("Unexpected divergent RegistrationMessages:\n\t- %v\n\t- %v\n\t- %v",
hex.EncodeToString(requestD.Serialize()),
hex.EncodeToString(requestS.Serialize()),
hex.EncodeToString(requestC.Serialize()))
}
fmt.Println("OPAQUE messages deserialization is easy!")
}
// Output: OPAQUE messages deserialization is easy!
}
// Example_Registration demonstrates in a single function the interactions between a client and a server for the
// registration phase. This is of course a proof-of-concept demonstration, as client and server execute separately.
// The server outputs a ClientRecord and the credential identifier. The latter is a unique identifier for a given
// client (e.g. database entry ID), and that must absolutely stay the same for the whole client existence and
// never be reused.
func Example_registration() {
// The server must have been set up with its long term values once. So we're calling this, here, for the demo.
{
Example_serverSetup()
}
// Secret client information.
password := []byte("password")
// Information shared by both client and server.
serverID := []byte("server")
clientID := []byte("username")
conf := opaque.DefaultConfiguration()
// Runtime instantiation for the client and server.
client, err := conf.Client()
if err != nil {
log.Fatalln(err)
}
server, err := conf.Server()
if err != nil {
log.Fatalln(err)
}
// These are the 3 registration messages that will be exchanged.
// The credential identifier credID is a unique identifier for a given client (e.g. database entry ID), and that
// must absolutely stay the same for the whole client existence and never be reused.
var message1, message2, message3 []byte
var credID []byte
// The client starts, serializes the message, and sends it to the server.
{
c1 := client.RegistrationInit(password)
message1 = c1.Serialize()
}
// The server receives the encoded message, decodes it, interprets it, and returns its response.
{
request, err := server.Deserialize.RegistrationRequest(message1)
if err != nil {
log.Fatalln(err)
}
// The server creates a database entry for the client and creates a credential identifier that must absolutely
// be unique among all clients.
credID = opaque.RandomBytes(64)
pks, err := server.Deserialize.DecodeAkePublicKey(serverPublicKey)
if err != nil {
log.Fatalln(err)
}
// The server uses its public key and secret OPRF seed created at the setup.
response := server.RegistrationResponse(request, pks, credID, secretOprfSeed)
// The server responds with its serialized response.
message2 = response.Serialize()
}
// The client deserializes the responses, and sends back its final client record containing the envelope.
{
response, err := client.Deserialize.RegistrationResponse(message2)
if err != nil {
log.Fatalln(err)
}
// The client produces its record and a client-only-known secret export_key, that the client can use for other purposes (e.g. encrypt
// information to store on the server, and that the server can't decrypt). We don't use in the example here.
record, _ := client.RegistrationFinalize(response, opaque.ClientRegistrationFinalizeOptions{
ClientIdentity: clientID,
ServerIdentity: serverID,
})
message3 = record.Serialize()
}
// Server registers the client record.
{
record, err := server.Deserialize.RegistrationRecord(message3)
if err != nil {
log.Fatalln(err)
}
exampleClientRecord = &opaque.ClientRecord{
CredentialIdentifier: credID,
ClientIdentity: clientID,
RegistrationRecord: record,
}
fmt.Println("OPAQUE registration is easy!")
}
// Output: OPAQUE server initialized.
// OPAQUE registration is easy!
}
// Example_LoginKeyExchange demonstrates in a single function the interactions between a client and a server for the
// login phase.
// This is of course a proof-of-concept demonstration, as client and server execute separately.
func Example_loginKeyExchange() {
// For the purpose of this demo, we consider the following registration has already happened.
{
Example_registration()
}
// Secret client information.
password := []byte("password")
// Information shared by both client and server.
serverID := []byte("server")
clientID := []byte("username")
conf := opaque.DefaultConfiguration()
// Runtime instantiation for the client and server.
client, err := conf.Client()
if err != nil {
log.Fatalln(err)
}
server, err := conf.Server()
if err != nil {
log.Fatalln(err)
}
if err := server.SetKeyMaterial(serverID, serverPrivateKey, serverPublicKey, secretOprfSeed); err != nil {
log.Fatalln(err)
}
// These are the 3 login messages that will be exchanged,
// and the respective sessions keys for the client and server.
var message1, message2, message3 []byte
var clientSessionKey, serverSessionKey []byte
// The client initiates the ball and sends the serialized ke1 to the server.
{
ke1 := client.GenerateKE1(password)
message1 = ke1.Serialize()
}
// The server interprets ke1, and sends back ke2.
{
ke1, err := server.Deserialize.KE1(message1)
if err != nil {
log.Fatalln(err)
}
ke2, err := server.GenerateKE2(ke1, exampleClientRecord)
if err != nil {
log.Fatalln(err)
}
message2 = ke2.Serialize()
}
// The client interprets ke2. If everything went fine, the server is considered trustworthy and the client
// can use the shared session key and secret export key.
{
ke2, err := client.Deserialize.KE2(message2)
if err != nil {
log.Fatalln(err)
}
// In this example, we don't use the secret export key. The client sends the serialized ke3 to the server.
ke3, _, err := client.GenerateKE3(ke2, opaque.GenerateKE3Options{
ClientIdentity: clientID,
ServerIdentity: serverID,
})
if err != nil {
log.Fatalln(err)
}
message3 = ke3.Serialize()
// If no error occurred, the server can be trusted, and the client can use the session key.
clientSessionKey = client.SessionKey()
}
// The server must absolutely validate this last message to authenticate the client and continue. If this message
// does not return successfully, the server must not send any secret or sensitive information and immediately cease
// the connection.
{
ke3, err := server.Deserialize.KE3(message3)
if err != nil {
log.Fatalln(err)
}
if err := server.LoginFinish(ke3); err != nil {
log.Fatalln(err)
}
// If no error occurred at this point, the server can trust the client and safely extract the shared session key.
serverSessionKey = server.SessionKey()
}
// The following test does not exist in the real world and simply proves the point that the keys match.
if !bytes.Equal(clientSessionKey, serverSessionKey) {
log.Fatalln("Oh no! Abort! The shared session keys don't match!")
}
fmt.Println("OPAQUE is much awesome!")
// Output: OPAQUE server initialized.
// OPAQUE registration is easy!
// OPAQUE is much awesome!
}
// Example_FakeResponse shows how to counter some client enumeration attacks by faking an existing client entry.
// Precompute the fake client record, and return it when no valid record was found.
// Use this with the server's GenerateKE1 function whenever a client wants to retrieve an envelope but a client
// entry does not exist. Failing to do so results in an attacker being able to enumerate users.
func Example_fakeResponse() {
// The server must have been set up with its long term values once. So we're calling this, here, for the demo.
{
Example_serverSetup()
}
// Precompute the fake client record, and return it when no valid record was found. The malicious client will
// purposefully fail, but can't determine the difference with an existing client record. Choose the same
// configuration as in your app.
conf := opaque.DefaultConfiguration()
fakeRecord, err := conf.GetFakeRecord([]byte("fake_client"))
if err != nil {
log.Fatalln(err)
}
// Later, during protocol execution, let's say this is the fraudulent login message we received,
// for which no client entry exists.
message1, _ := hex.DecodeString("b4d366645e7ae380f9d476e1319e67c1821f7a5d3dfbfc4e26c7898351979139" +
"0ea528fc609b4393b0353e85fdbb20c6067c11919f40d93d8bb229967fc2878c" +
"209786ef4b960bfbfe10481c1fd301300fc72dc4234a1e829b556c720f904d30")
// Continue as usual, using the fake record in lieu of the (non-)existing one. The server the sends
// back the serialized ke2 message message2.
var message2 []byte
{
serverID := []byte("server")
server, err := conf.Server()
if err != nil {
log.Fatalln(err)
}
if err := server.SetKeyMaterial(serverID, serverPrivateKey, serverPublicKey, secretOprfSeed); err != nil {
log.Fatalln(err)
}
ke1, err := server.Deserialize.KE1(message1)
if err != nil {
log.Fatalln(err)
}
ke2, err := server.GenerateKE2(ke1, fakeRecord)
if err != nil {
log.Fatalln(err)
}
message2 = ke2.Serialize()
}
// The following is just a test to check everything went fine.
{
if len(message2) == 0 {
log.Fatalln("Fake KE2 is unexpectedly empty.")
}
fmt.Println("Thwarting OPAQUE client enumeration is easy!")
}
// Output: OPAQUE server initialized.
// Thwarting OPAQUE client enumeration is easy!
}