This leaks more data than necessary IMO. Because you're using AES-SIV with the same key globally, all the ciphertexts can be compared globally as well. For example, two events scheduled for the same time (or day) will have the same ciphertexts...

My recommendation: encrypt on the file level using a standard cipher (mode) like the ones you mentioned. With random nonces.

If you want to encrypt the JSON fields separately, consider adding a random IV/nonce field to the event from which you can derive IVs for each field using HMAC. Again, you'll then be able to encrypt using standard AES-GCM or whatever, and would not have to depend on a random ahh unverified crypto lib.

I would regenerate the event IV on every change, but if you really want to keep the diff minimal, then you can just keep it static throughout the event's lifetime. If you choose to keep it static, then you could use the event ID as the IV/nonce, but make sure it is cryptographically random.
Why encryption?
To hide data when using a public GitHub/GitLab/Gitea/Codeberg instance as a git remote.
This PR adds custom MarshalJSON() and UnmarshalJSON() methods to the Event struct, which means it implements the json.Marshaler and json.Unmarshaler interfaces, and the json package uses those methods to encode and decode the struct.

I searched for some deterministic (same input = same output) encryption algorithms. I found a few like AES-SIV, AES-GCM-SIV or XChaCha20-SIV. Even though XChaCha20-SIV might be more modern etc., I didn't find any Go package/lib for it.
So I settled for https://github.com/jedisct1/go-aes-siv, which is pretty nice I think.
A JSON Event file might look like this:
{
  "Calendar": "8XxVlkMyM1SR4xcWePEF1QzNIJQ=",
  "From": "9KqMVGVrltyikGi5LTir+T8QDiypwqdaZ3Jg7mp55f29MfGK",
  "Repeat": {
    "Exceptions": "GlpnxQqP7yUfKrPpV6RAezEB",
    "Frequency": "nTvEFC8DTBeEA53W6M/XTIQ=",
    "Interval": "QQfg2dxnEJA9fK8yoCp+390=",
    "Until": "Cv5MSmS6LFwkMDRH25qa9rJL/QdyxELh/Si6dmqHPknjRPEq"
  },
  "Tag": "xzSY97kqLmiMFlgqKNKm5w==",
  "Title": "9ph+Ab1ULLkZBFsG90RlBE9GSuMMP9gLjj75EihFxWabXX8B/ree2huI",
  "To": "oeXFEUZNz97ualF9cbdBUH/jh0wJJ0bOkeU3fanEOjtG0geJ"
}
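
The per-field scheme suggested in the review comment (a random per-event nonce, field IVs derived from it with HMAC, standard AES-GCM), as an added Go example; it is not code from this PR, the project or the reviewer. The separate MAC key, the 0x00 separator, the use of the field name as associated data and all function names are assumptions, and the example takes the "regenerate on every change" option because a GCM nonce must not repeat under one key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// fieldNonce derives the 12-byte GCM nonce for one field:
// HMAC-SHA256(macKey, eventNonce || 0x00 || fieldName), truncated.
func fieldNonce(macKey, eventNonce []byte, field string) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(eventNonce)
	m.Write([]byte("\x00" + field))
	return m.Sum(nil)[:12]
}

// SealEvent draws a fresh random event nonce (again on every change, since a
// GCM nonce must never repeat under one key) and encrypts each field, binding
// the field name as associated data so ciphertexts cannot be swapped around.
func SealEvent(aead cipher.AEAD, macKey []byte, fields map[string]string) ([]byte, map[string][]byte, error) {
	eventNonce, out := make([]byte, 16), map[string][]byte{}
	if _, err := rand.Read(eventNonce); err != nil {
		return nil, nil, err
	}
	for name, value := range fields {
		out[name] = aead.Seal(nil, fieldNonce(macKey, eventNonce, name), []byte(value), []byte(name))
	}
	return eventNonce, out, nil
}

// OpenField decrypts one field; it fails if ciphertext, name or nonce changed.
func OpenField(aead cipher.AEAD, macKey, eventNonce []byte, field string, ct []byte) (string, error) {
	pt, err := aead.Open(nil, fieldNonce(macKey, eventNonce, field), ct, []byte(field))
	return string(pt), err
}

func main() {
	block, _ := aes.NewCipher(make([]byte, 32)) // constructed all-zero demo key
	aead, _ := cipher.NewGCM(block)
	ev := map[string]string{"From": "2024-05-01T09:00", "To": "2024-05-01T09:00"} // constructed
	macKey := []byte("constructed demo MAC key")
	_, a, _ := SealEvent(aead, macKey, ev)
	_, b, _ := SealEvent(aead, macKey, ev)
	fmt.Printf("%x\n%x\n%x\n", a["From"], a["To"], b["From"]) // all three differ
}
```

The event nonce returned by SealEvent has to be stored in the event file next to the encrypted fields, since OpenField needs it to re-derive each field's nonce.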