authorTor Brede Vekterli <vekterli@yahooinc.com>2022-10-17 14:34:45 +0200
committerTor Brede Vekterli <vekterli@yahooinc.com>2022-10-18 16:08:08 +0200
commit540cae3561cd8823fa1a5e036d5543ca5ba2519e (patch)
tree623a1de60af7930874187e02e5186a5fba9e16f9 /security-utils/src/main/java/com/yahoo/security/hpke/HkdfSha256.java
parenta7f1520d2a461a3f12240e665f95a84aaaeb7126 (diff)
Minimal implementation of RFC 9180 Hybrid Public Key Encryption (HPKE)
HPKE is a hybrid encryption scheme that builds around three primitives: * A key encapsulation mechanism (KEM) * A key derivation function (KDF) * An "authenticated encryption with associated data" (AEAD) algorithm The 3-tuple (KEM, KDF, AEAD) is known as the HPKE _ciphersuite_. This implementation has certain (intentional) limitations: * Only the `DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, AES-128-GCM` ciphersuite is implemented. This is expected to be a good default choice for any internal use of this class. * Only the "base mode" (unauthenticated sender) is supported, i.e. no PSK support and no secret exporting. This implementation is only expected to be used for anonymous one-way encryption. * The API only offers single-shot encryption to keep anyone from being tempted to use it to build their own multi-message protocol on top. This entirely avoids the risk of nonce reuse caused by accidentally repeating sequence numbers. **Deprecation notice:** once BouncyCastle (or the Java crypto API) supports HPKE, this particular implementation can safely be deprecated and sent off to live on a farm.
Diffstat (limited to 'security-utils/src/main/java/com/yahoo/security/hpke/HkdfSha256.java')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/hpke/HkdfSha256.java32
1 files changed, 32 insertions, 0 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/hpke/HkdfSha256.java b/security-utils/src/main/java/com/yahoo/security/hpke/HkdfSha256.java
new file mode 100644
index 00000000000..a4511a2b804
--- /dev/null
+++ b/security-utils/src/main/java/com/yahoo/security/hpke/HkdfSha256.java
@@ -0,0 +1,32 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.security.hpke;
+
+import com.yahoo.security.HKDF;
+
+/**
+ * KDF implementation using HKDF-SHA256
+ *
+ * @author vekterli
+ */
+final class HkdfSha256 implements Kdf {
+
+ private static final HkdfSha256 INSTANCE = new HkdfSha256();
+
+ public static HkdfSha256 getInstance() { return INSTANCE; }
+
+ @Override
+ public byte[] extract(byte[] salt, byte[] labeledIkm) {
+ return ((salt.length != 0) ? HKDF.extractedFrom(salt, labeledIkm)
+ : HKDF.unsaltedExtractedFrom(labeledIkm))
+ .pseudoRandomKey();
+ }
+
+ @Override
+ public byte[] expand(byte[] prk, byte[] info, int nBytesToExpand) {
+ return HKDF.ofPseudoRandomKey(prk).expand(nBytesToExpand, info);
+ }
+
+ @Override public short nH() { return 32; } // HMAC-SHA256 output size
+ @Override public short kdfId() { return 0x0001; } // HKDF-SHA256
+
+}
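Review bot: The empty-salt branch in `extract` is only correct if `HKDF.unsaltedExtractedFrom` substitutes a salt of Nh zero bytes, which is what RFC 5869 §2.2 prescribes and what RFC 9180's `LabeledExtract` with an empty salt relies on for the key schedule; that dependency is not visible in this file and is worth pinning rather than assuming. I would add above the ternary `// RFC 5869 §2.2: an empty salt must behave as Nh (32) zero bytes; HKDF.unsaltedExtractedFrom is relied on to do exactly that` and a unit test asserting `extract(new byte[0], ikm)` equals `extract(new byte[32], ikm)`. Separately, `expand` forwards `nBytesToExpand` unchecked; HKDF caps the output at 255*Nh (8160 bytes here), so unless `HKDF.expand` already enforces that, a guard such as `if (nBytesToExpand > 255 * nH()) throw new IllegalArgumentException("HKDF-SHA256 cannot expand more than " + (255 * nH()) + " bytes");` fails fast instead of leaving the error to a lower layer. The class Javadoc could also cite RFC 9180 §4 and note that `kdfId` 0x0001 is the IANA HPKE KDF registry value for HKDF-SHA256, so a reader can verify the constant against the spec.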