Skip to main content

Crate magic_cap_cli

Crate magic_cap_cli 

Source
Expand description

§Magic Cap

Provides low-level primitives for working with a “magic cap”, which is a small string (~70 bytes) that can be turned back into the corresponding plaintext when presented alongside the correct ciphertext.

The repository README has diagrams https://github.com/magic-cap/magic-cap

This is a release-early library that has not yet received cryptographic (or other) audits. We do appreciate feedback, but you own both pieces if you deploy to production :)

§Overview

Magic Cap turns the problem of having a lot of secret data (e.g. Sintel.mp4) into a tiny problem of only a little (fixed) amount of data (“the cap”).

The resulting (fixed, tiny) Magic Cap string can combined with the data file for the secret data; either part by itself cannot learn the secret data.

The “Magic Cap” string is short (70 bytes) and can fit in TPMs or other secure storage. Any interesting uses come when thinking about separating the Data (ciphertext + metadata) from the Magic Cap in time or space or both.

§Using the Crate

This crate contains a CLI. For the Rust library, see: https://docs.rs/magic_cap/latest/magic_cap/

Once built, you should have a binary called mcap, which will display help by default. It has several subcommands.

§mcap encrypt

General usage is mcap encrypt --plaintext <filename> <ciphertext-filename>. For example:

   $ mcap encrypt --plaintext kitten.jpeg kitten.mcap
   mcap0r-Gshm9tyvjXDnfWpLWKMgjcK0AOdC-O12vvLW5rxeV7752pj2a2uogG4RpvMFS0g

The string it spits out to stdout is the “Read Cap”. The encrypted Data will be written to kitten.mcap. Later, you may decrypt them when presented together

§mcap decrypt

Turn a Read Cap and Data back into plaintext. For example:

   $ mcap decrypt --cap mcap0r-Gshm9tyvjXDnfWpLWKMgjcK0AOdC-O12vvLW5rxeV7752pj2a2uogG4RpvMFS0g --ciphertext kitten.mcap --plaintext kitten.jpeg
   Wrote 306199 bytes of plaintext to "kitten.jpeg".

You may get an error if the Read Cap does not correspond to the given ciphertext and exit-code 2.

   $ mcap decrypt --cap mcap0rBX50S5FpIJQdu6cRr-bgGyxCzE9KHe46um1QcCfxn8PYZwX-X09Jv5I7vT1apgS6 --ciphertext kitten.mcap --plaintext kitten.jpeg
   Error: Magic Cap does not correspond to Metadata hash

§mcap reduce

Turn a Read Cap into a Verify Cap. A Verify Cap can confirm that a Data file is not corrupt and contains the correct ciphertext, but may not decrypt it. This could be used by a service provider or other third party to monitor or confirm availability of data without knowing what that data is.

   $ mcap reduce mcap0r-Gshm9tyvjXDnfWpLWKMgjcK0AOdC-O12vvLW5rxeV7752pj2a2uogG4RpvMFS0g
   mcap0v-Gshm7tyvjXDnfWpLWKMgjcK0AOdC-O12vvLW5rxeV4

§mcap verify

Uses a Verify Cap to confirm that a Data file corresponds to it (and thus could be correctly decrypted by whomever has the Read Cap).

   $ mcap verify --cap mcap0v-Gshm9tyvjXDnfWpLWKMgjcK0AOdC-O12vvLW5rxeV4 --ciphertext kitten.mcap

(No output is good). An error may be printed (with exit code 2) if the Verify Cap does not correspond.

   $ mcap verify --cap mcap0vBX50S5FpIJQdu6cRr-bgGyxCzE9KHe46um1QcCfxn8M --ciphertext kitten.mcap
   Error: Magic Cap does not correspond to Metadata hash

Functions§

main_decrypt
“mcap decrypt”
main_encrypt
Implementation of “mcap encrypt” This is the top level function for easy use of this crate by applications or other libraries. This function does not consider memory use, but instead just does the thing using all the memory.
main_reduce
“mcap reduce”
main_verify
“mcap verify”