[Cryptography] Request For Usage Review

zane.thomas at protonmail.com
Mon Jul 27 17:10:44 EDT 2020


Would someone be so kind as to comment on my usage of cryptography in an
application I'm working on? It would be much appreciated and I'll owe you
a beer or satisfying beverage of your choice. :)

The application sends messages from one user to one or more other users.
Message recipients must be able to verify that the message is from the
alleged sender and must be able to read it. Messages will be accessible
publicly; not-intended recipients must not be able to read them. (1)

All cryptographic functions are provided by TweetNaCl.js (hereinafter nacl).

Below is what a message looks like, explanation follows.

//
// Version 1
//
// Recipients
// ed8d5061-bf7f-481a-a7e4-b7517ac0c53e
// JiKv6es1GLlsbh/W1KFQYSWhsI7CgjYn
// e173ZtIxksLAeAqpJgXslGp3uZaDHj02KxgPQaEUJCiH4wrWDNBfwpdr8zI2yLxn
// ea72e2a53-1b48-4861-b17d-40fd8453bfea
// CS9aCq12Q7S4vHeaH5L3SFOwvroX9CXt
// TwFk875v92bIVe12IhzXFoZu8LYAqKyhBpONYCEOovMq3+KXr7S4hXmh6WBRln
//
// Content
// 5YKDLW3BRo5znN1ReqCatE3WhWf4OMq5
// Wo/uU1/badQDLYEuAH6d+xlSV+i/KeCyKgYa6C4pzaj8YdxuEkZtALi8eAB+oQBv
// gCNztP15gV6w0otezjCwuYI+g0Fe8tMorZvvsxzQnpA7JztHLpQ=
//
// Signature
// 4IyI2L3EEXEG2nWw0bIWsJtyjH/ob6QjtUZKzbcZlAvV3aN4jgRnqYlVOvnhSu7/
// 1LASIDllHV1b1SYwvDbYDA==
//

Each message consists of four sections:

Version
Just because it seems like a good idea.

Recipients
A list of recipients, each consisting of three lines. The first line
is the recipient's id. The second line is a nonce, provided by
nacl.randomBytes(nacl.box.nonceLength). The third line is a secret key
encrypted with nacl.box using the nonce and the recipient's public key.

Content
The first line is a nonce. The following lines are the message which
has been encrypted using nacl.secretbox(message,nonce,secret). The value
of secret is nacl.box.keyPair().publicKey. (2) This is the key encrypted
with each recipient's public key.

Signature
The signature covers everything from the first line to the last line
of Content inclusive, excluding the final line-terminator. The
signature is generated by nacl.sign(message, secretKey) where secretKey
is the sender's signing key.

Additional Information
Each user, sender or receiver, has two key-pairs: one for encryption
and the other for signing. These are generated by nacl.box.keyPair and
nacl.sign.keyPair.

Nonces are used only once.

There is no "roll your own" encryption, hashing, or similar; nacl
handles everything.

It occurred to me that someone could snip the signature off of a message
replacing it with another, thereby spoofing the creator. The encrypted
messages will at times be exposed to such tampering. While it is true that
only a spoofer known to the recipient could pull that off, the application
embeds the sender id in the content and verifies that the signer is actually
the sender.

Now that I've written this it all seems rather simple. But I've not done this
before, the decades are littered with almost-got-that-right encryption
and, well, littering is against the law, so if there is the slightest question,
comment, or suggestion, tia!

Zane

(1) A recipient who knows the sender's public key can verify the message
but cannot read it if not in the Recipients list.

(2) I created a shared key for the secretbox using nacl.box.keyPair().publicKey;
secretKey is not used.
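
Added example, not part of the original post and not the poster's code: it parses the message layout described above, verifies the signature over everything up to the last Content line, and shows what happens when the signature is replaced, the case the embedded sender id is checked for. Assumptions: Node's built-in Ed25519 stands in for a detached nacl signature, the // prefixes are not part of the wire format, sections are separated by one blank line, and the function names and sample values are constructed for illustration.

```javascript
// Added example, not the poster's code. Node's Ed25519 stands in for nacl's
// detached signatures; layout and the placeholder sample values are assumed.
const crypto = require('node:crypto');
const UNSIGNED = ['Version 1', '', 'Recipients', 'recipient-id-1', 'bm9uY2UtMQ==',
  'Ym94ZWQta2V5LTE=', '', 'Content', 'bm9uY2UtYw==', 'Y2lwaGVydGV4dA=='].join('\n');

// Signed region = first line through last Content line, no final terminator.
function splitSigned(text) {
  const marker = '\n\nSignature\n';
  const at = text.lastIndexOf(marker);
  if (at < 0) throw new Error('no Signature section');
  const signature = Buffer.from(text.slice(at + marker.length), 'base64');
  if (signature.length !== 64) throw new Error('bad signature length');
  return { signed: text.slice(0, at), signature };
}

function parseMessage(text) {
  const { signed, signature } = splitSigned(text);
  const parts = signed.split('\n\n').map((p) => p.split('\n'));
  if (parts.length !== 3) throw new Error('expected three signed sections');
  const [[version], [rHead, ...rLines], [cHead, nonce, ...body]] = parts;
  const okHeads = /^Version \d+$/.test(version) && rHead === 'Recipients' && cHead === 'Content';
  if (!okHeads || !body.length) throw new Error('bad section header or empty content');
  if (!rLines.length || rLines.length % 3) throw new Error('bad recipient list');
  const recipients = [];
  for (let i = 0; i < rLines.length; i += 3) // id, nonce, boxed key
    recipients.push({ id: rLines[i], nonce: rLines[i + 1], boxedKey: rLines[i + 2] });
  return { version, recipients, nonce, ciphertext: body.join(''), signed, signature };
}

function signMessage(unsigned, privateKey) {
  const sig = crypto.sign(null, Buffer.from(unsigned, 'utf8'), privateKey);
  return `${unsigned}\n\nSignature\n${sig.toString('base64')}\n`;
}

function verifyMessage(text, publicKey) {
  const { signed, signature } = parseMessage(text);
  return crypto.verify(null, Buffer.from(signed, 'utf8'), publicKey, signature);
}

function demo() {
  const [sender, other] = [0, 1].map(() => crypto.generateKeyPairSync('ed25519'));
  const original = signMessage(UNSIGNED, sender.privateKey);
  const edited = original.replace('recipient-id-1', 'recipient-id-2');
  const resigned = signMessage(splitSigned(original).signed, other.privateKey);
  const ok = (text, key) => verifyMessage(text, key.publicKey);
  return { genuine: ok(original, sender), editedRecipient: ok(edited, sender),
    resignedAsSender: ok(resigned, sender), resignedAsOther: ok(resigned, other) };
}
```

The signature covers only ciphertext that anyone can copy, so resignedAsOther comes back true; the sender id inside the decrypted content, compared with the signer as the post describes, is what ties the plaintext to its author.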