Crate cellar_core[−][src]
Cellar is a simple password generation / retrival tool inspired by Technology Preview for secure value recovery. The main algorithm is (a little bit tweak against original one):
salt = Secure-Random(output_length=32)
stretched_key = Argon2(passphrase=user_passphrase, salt=salt)
auth_key = HMAC-BLAKE2s(key=stretched_key, "Auth Key")
c1 = HMAC-BLAKE2s(key=stretched_key, "Master Key")
c2 = Secure-Random(output_length=32)
encrypted_c2 = ChaCha20(c2, key=auth_key, nonce=salt[0..CHACHA20_NONCE_LENGTH])
master_key = HMAC-BLAKE2s(key=c1, c2)
application_key = HMAC-BLAKE2s(key=master_key, "app info, e.g. yourname@gmail.com")
The main purpose of cellar is to allow people to just remember a single password, and by using the above algorithm, one can create as many application passwords which is cryptographically strong. A user just need to store the randomly gnerated salt and encrypted_c2 in local disk and the cloud so when she wants to generate or retrieve an application password, she could use her passphrase, plus the salt and encrypted_c2 to recover the master key, and then derive the application password. As long as user kept the passphrase secret in her mind, all the application passwords are secure. Even if the salt and encrypted_c2 are leaked, a hacker still need to brute force the master key. By using Cellar, you don’t need to trust the cloud provider to store your passwords, and you don’t need to bother to remember a large number of passwords for different sites / applications.
Usage
let passphrase = "hello"; let aux = cellar_core::init(passphrase).unwrap(); let app_key = cellar_core::generate_app_key(passphrase, &aux, b"user@gmail.com", Default::default()).unwrap();
You can also use the CLI version of the tool, which could be found in the repository.
Structs
AuxiliaryData | |
CertificatePem | |
Keypair | An ed25519 keypair. |
PublicKey | An ed25519 public key. |
SecretKey | An EdDSA secret key. |
Signature | Ed25519 signature. |
Enums
CellarError | contains all the errors used in cellar-core. |
KeyType |
Constants
KEY_SIZE |
Traits
Signer | Sign the provided message bytestring using |
Verifier | Verify the provided message bytestring using |
Functions
as_parent_key | covert the generated application key to a parent key which could be used to derive other keys |
generate_app_key | generate application key based on user’s passphrase, auxilliary data (salt and seed), as well as the app info as an entropy. |
generate_app_key_by_path | generate application key based on parent key and path. e.g. |
generate_master_key | generate master key from the passphrase and entropy |
init | initialize a cellar. Return the salt and encrypted seed that user shall store them for future password generation and retrieval. |
Type Definitions
Key | |
SignatureError | Errors which may occur while processing signatures and keypairs. |