Expand description
The Aranya Cryptography Engine.
§Overview
Instead of performing ad-hoc cryptography, Aranya’s cryptography is centralized inside of the cryptography engine. The cryptographic APIs provided by the cryptography engine are described in multiple documents, including the [IDAM crypto] spec.
While it’s generally referred to as the cryptography engine, it’s important to note that there can be multiple implementations of the cryptography engine. The cryptography engine requires a particular set of primitives, but allows users to choose their own algorithms.
§Design
As mentioned above, the cryptography engine only requires certain cryptographic primitives, not algorithms. For instance, it requires an AEAD with at least a 128-bit security level, not AES-GCM.
The set of algorithms is referred to as a cipher suite. Each algorithm has an identifier that distinguishes it from other algorithms implementing the same primitive. For example, the identifier for AES-256-GCM is different from the identifer for ChaCha20Poly1305. The identifiers for the algorithms used by a particular cipher suite are referred to as the cipher suite’s identifier, or “suite IDs.”
Every cryptographic operation performed by the engine mixes in the cipher suite’s identifier for domain separation and contextual binding purposes. Among other things, this helps prevent cross-version attacks. [IDAM crypto]: https://git.spideroak-inc.com/spideroak-inc/aranya-docs/blob/idam-crypto-apis/src/idam_crypto.md
Re-exports§
pub use engine::Engine;pub use engine::UnwrapError;pub use engine::WrapError;pub use id::Identified;pub use keystore::KeyStore;pub use keystore::KeyStoreExt;pub use policy::Cmd;pub use policy::CmdId;pub use policy::PolicyId;pub use policy::merge_cmd_id;pub use buggy;pub use spideroak_crypto::generic_array;pub use spideroak_crypto::typenum;
Modules§
- afc
afc - Cryptography code for AFC.
- apq
apq - Cryptography code for APQ.
- dangerous
- Dangerous cryptography.
- default
- Default implementations.
- engine
- The cryptography engine.
- id
- Crypto extensions and other related items for IDs.
- keystore
- Wrapped cryptographic key storage.
- policy
- Aranya policy related routines.
- subtle
- Constant time cryptographic operations.
- test_
util test_util - Utilities for testing
Engine,CipherSuite, and cryptography implementations. - tls
tls - TLS utilities.
- zeroize
- Securely zero memory.
Macros§
- assert_
ct_ eq - Like
assert_eq!, but forChoice. - assert_
ct_ ne - Like
assert_ne!, but forChoice. - custom_
id - Creates a custom ID.
- for_
each_ engine_ test - Invokes
callbackfor each Engine test. - kdf_
with_ oid - Wraps a KDF with a specific OID.
- kem_
with_ oid - Wraps a KEM with a specific OID.
- test_
ciphersuite - Tests a
CipherSuite. - test_
engine - Performs all of the tests inside this module.
- unwrapped
- Implements
UnwrappedKeyfor$name.
Structs§
- Context
- Contextual binding for
GroupKey::sealandGroupKey::open. - Encap
- An encapsulated symmetric key.
- Encrypted
Group Key - An encrypted
GroupKey. - Encryption
Key - The Device Encryption Key.
- Encryption
Public Key - The public half of
EncryptionKey - Group
Key - Key material used to derive per-event encryption keys.
- Identity
Key - The Device Identity Key.
- Identity
Verifying Key - The public half of
IdentityKey - Oids
- The OIDs used by a
CipherSuite. - PkError
- Handles Public Key errors
- Rng
- The default CSPRNG.
- Signature
- A signature created by a signing key.
- Signing
Key - The Device Signing Key.
- Verifying
Key - The public half of
SigningKey
Enums§
- Ecdh
Error - An error from an
Ecdh. - Error
- Encompasses the different errors directly returned by this crate.
- Export
Error - An error that occurs while exporting secret key material.
- Hpke
Error - An error from an
Hpke. - Import
Error - An error that occured while importing data.
- KdfError
- An error from a
Kdf. - KemError
- An error from a
Kem. - MacError
- An error from a
Mac. - Open
Error - An error from an
Aeadopen. - Seal
Error - An error from an
Aeadseal. - Signer
Error - An error from a
Signer.
Traits§
- Aead
- A marker trait for AEADs.
- Cipher
Suite - The cryptographic primitives used by the cryptography engine.
- Csprng
- A cryptographically secure pseudorandom number generator (CSPRNG).
- Hash
- A marker trait for cryptographic hash functions.
- Kdf
- A marker trait for key derivation functions.
- Kem
- A marker trait for key encapsulation mechanisms.
- Mac
- A marker trait for messaged authentication codes.
- Random
- Implemented by types that can generate random instances.
- Signer
- A marker trait for digital signatures.
Type Aliases§
- BaseId
- The base ID type.
- Device
Id - Uniquely identifies
IdentityKey. - Encryption
KeyId - Uniquely identifies
EncryptionKey. - Group
KeyId - Uniquely identifies a
GroupKey. - Signing
KeyId - Uniquely identifies
SigningKey.