cryptoids-0.3.0.0: Reversable and secure encoding of object ids as a bytestring

LicenseBSD3
Safe HaskellNone
LanguageHaskell2010

Data.CryptoID.ByteString

Description

Given a strict ByteString we compute a cryptographic hash of the associated namespace (carried as a phantom type of kind Symbol). The payload is then encrypted using the symmetric cipher in CBC mode using the hashed namespace as an initialization vector (IV).

The probability of detecting a namespace mismatch is thus the density of valid payloads within all ByteStrings of the correct length.

Synopsis

Documentation

newtype CryptoID namespace a :: Symbol -> * -> * #

Constructors

CryptoID 

Fields

Instances

Eq a => Eq (CryptoID namespace a) 

Methods

(==) :: CryptoID namespace a -> CryptoID namespace a -> Bool #

(/=) :: CryptoID namespace a -> CryptoID namespace a -> Bool #

(Data a, KnownSymbol namespace) => Data (CryptoID namespace a) 

Methods

gfoldl :: (forall d b. Data d => c (d -> b) -> d -> c b) -> (forall g. g -> c g) -> CryptoID namespace a -> c (CryptoID namespace a) #

gunfold :: (forall b r. Data b => c (b -> r) -> c r) -> (forall r. r -> c r) -> Constr -> c (CryptoID namespace a) #

toConstr :: CryptoID namespace a -> Constr #

dataTypeOf :: CryptoID namespace a -> DataType #

dataCast1 :: Typeable (* -> *) t => (forall d. Data d => c (t d)) -> Maybe (c (CryptoID namespace a)) #

dataCast2 :: Typeable (* -> * -> *) t => (forall d e. (Data d, Data e) => c (t d e)) -> Maybe (c (CryptoID namespace a)) #

gmapT :: (forall b. Data b => b -> b) -> CryptoID namespace a -> CryptoID namespace a #

gmapQl :: (r -> r' -> r) -> r -> (forall d. Data d => d -> r') -> CryptoID namespace a -> r #

gmapQr :: (r' -> r -> r) -> r -> (forall d. Data d => d -> r') -> CryptoID namespace a -> r #

gmapQ :: (forall d. Data d => d -> u) -> CryptoID namespace a -> [u] #

gmapQi :: Int -> (forall d. Data d => d -> u) -> CryptoID namespace a -> u #

gmapM :: Monad m => (forall d. Data d => d -> m d) -> CryptoID namespace a -> m (CryptoID namespace a) #

gmapMp :: MonadPlus m => (forall d. Data d => d -> m d) -> CryptoID namespace a -> m (CryptoID namespace a) #

gmapMo :: MonadPlus m => (forall d. Data d => d -> m d) -> CryptoID namespace a -> m (CryptoID namespace a) #

Ord a => Ord (CryptoID namespace a) 

Methods

compare :: CryptoID namespace a -> CryptoID namespace a -> Ordering #

(<) :: CryptoID namespace a -> CryptoID namespace a -> Bool #

(<=) :: CryptoID namespace a -> CryptoID namespace a -> Bool #

(>) :: CryptoID namespace a -> CryptoID namespace a -> Bool #

(>=) :: CryptoID namespace a -> CryptoID namespace a -> Bool #

max :: CryptoID namespace a -> CryptoID namespace a -> CryptoID namespace a #

min :: CryptoID namespace a -> CryptoID namespace a -> CryptoID namespace a #

Read a => Read (CryptoID namespace a) 

Methods

readsPrec :: Int -> ReadS (CryptoID namespace a) #

readList :: ReadS [CryptoID namespace a] #

readPrec :: ReadPrec (CryptoID namespace a) #

readListPrec :: ReadPrec [CryptoID namespace a] #

Show a => Show (CryptoID namespace a) 

Methods

showsPrec :: Int -> CryptoID namespace a -> ShowS #

show :: CryptoID namespace a -> String #

showList :: [CryptoID namespace a] -> ShowS #

Generic (CryptoID namespace a) 

Associated Types

type Rep (CryptoID namespace a) :: * -> * #

Methods

from :: CryptoID namespace a -> Rep (CryptoID namespace a) x #

to :: Rep (CryptoID namespace a) x -> CryptoID namespace a #

Storable a => Storable (CryptoID namespace a) 

Methods

sizeOf :: CryptoID namespace a -> Int #

alignment :: CryptoID namespace a -> Int #

peekElemOff :: Ptr (CryptoID namespace a) -> Int -> IO (CryptoID namespace a) #

pokeElemOff :: Ptr (CryptoID namespace a) -> Int -> CryptoID namespace a -> IO () #

peekByteOff :: Ptr b -> Int -> IO (CryptoID namespace a) #

pokeByteOff :: Ptr b -> Int -> CryptoID namespace a -> IO () #

peek :: Ptr (CryptoID namespace a) -> IO (CryptoID namespace a) #

poke :: Ptr (CryptoID namespace a) -> CryptoID namespace a -> IO () #

Binary a => Binary (CryptoID namespace a) 

Methods

put :: CryptoID namespace a -> Put #

get :: Get (CryptoID namespace a) #

putList :: [CryptoID namespace a] -> Put #

ToHttpApiData a => ToHttpApiData (CryptoID namespace a) 

Methods

toUrlPiece :: CryptoID namespace a -> Text #

toEncodedUrlPiece :: CryptoID namespace a -> Builder #

toHeader :: CryptoID namespace a -> ByteString #

toQueryParam :: CryptoID namespace a -> Text #

FromHttpApiData a => FromHttpApiData (CryptoID namespace a) 

Methods

parseUrlPiece :: Text -> Either Text (CryptoID namespace a) #

parseHeader :: ByteString -> Either Text (CryptoID namespace a) #

parseQueryParam :: Text -> Either Text (CryptoID namespace a) #

PathPiece a => PathPiece (CryptoID namespace a) 

Methods

fromPathPiece :: Text -> Maybe (CryptoID namespace a) #

toPathPiece :: CryptoID namespace a -> Text #

type Rep (CryptoID namespace a) 
type Rep (CryptoID namespace a) = D1 (MetaData "CryptoID" "Data.CryptoID" "cryptoids-types-0.0.0-LE8g4K8uXWZ2rFXomw7gsy" True) (C1 (MetaCons "CryptoID" PrefixI True) (S1 (MetaSel (Just Symbol "ciphertext") NoSourceUnpackedness NoSourceStrictness DecidedLazy) (Rec0 a)))

data CryptoIDKey Source #

This newtype ensures only keys of the correct length can be created

Use genKey to securely generate keys.

Use the Binary instance to save and restore values of CryptoIDKey across executions.

Instances

genKey :: MonadIO m => m CryptoIDKey Source #

Securely generate a new key using system entropy

When CryptoCipher accepts keys of varying lengths this function generates a key of the largest accepted size.

readKeyFile :: MonadIO m => FilePath -> m CryptoIDKey Source #

Try to read a CryptoIDKey from a file. If the file does not exist, securely generate a key (using genKey) and save it to the file.

encrypt :: forall m namespace. (KnownSymbol namespace, MonadThrow m) => CryptoIDKey -> ByteString -> m (CryptoID namespace ByteString) Source #

Encrypt a serialized value

decrypt :: forall m namespace. (KnownSymbol namespace, MonadThrow m) => CryptoIDKey -> CryptoID namespace ByteString -> m ByteString Source #

Decrypt a serialized value

data CryptoIDError Source #

Error cases that can be encountered during encrypt and decrypt

Care has been taken to ensure that presenting values of CryptoIDError to an attacker leaks no plaintext (it does leak information about the length of the plaintext).

Constructors

AlgorithmError CryptoError

One of the underlying cryptographic algorithms (CryptoHash or CryptoCipher) failed.

PlaintextIsWrongLength Int

The length of the plaintext is not a multiple of the block size of CryptoCipher

The length of the offending plaintext is included.

NamespaceHashIsWrongLength ByteString

The length of the digest produced by CryptoHash does not match the block size of CryptoCipher.

The offending digest is included.

This error should not occur and is included primarily for sake of totality.

CiphertextConversionFailed ByteString

The produced ByteString is the wrong length for deserialization into a ciphertext.

The offending ByteString is included.

DeserializationError

The plaintext obtained by decrypting a ciphertext with the given CryptoIDKey in the context of the namespace could not be deserialized into a value of the expected payload-type.

This is expected behaviour if the namespace or payload-type does not match the ones used during encryption or if the ciphertext was tempered with.

InvalidNamespaceDetected

We have determined that, allthough deserializion succeded, the ciphertext was likely modified during transit or created using a different namespace.

Instances

type CryptoCipher = Blowfish Source #

The symmetric cipher BlockCipher this module uses

type CryptoHash = SHAKE128 64 Source #

The cryptographic HashAlgorithm this module uses

We expect the block size of CryptoCipher to be exactly the size of the Digest generated by CryptoHash (since a Digest is used as an IV).

Violation of this expectation causes runtime errors.