CryptGuard Syntax Overhaul & Updates

CryptGuard Syntax Overhaul & Updates

M's photo
M
·

5 min read

Table of contents

CryptGuard - Post Quantum Cryptographic Crate

Overview

CryptGuard is a versatile cryptographic crate that provides encryption capabilities using AES or XChaCha20, along with Kyber key encapsulation. It supports key sizes of 512, 768, and 1024 bits and offers options for manual encryption to fully utilize the crate's capabilities. Users have the flexibility to select sha256 instead of the default HMAC, which employs sha512. Additionally, it includes functionalities for signing messages and creating detached signatures with falcon512, falcon1024, dilithium2, dilithium3, and dilithium5.

How It Works

The encryption process is streamlined once the desired algorithm is selected. It involves using a public key, a passphrase for HMAC, and the target data. The data is deliberately segmented into files and messages for user convenience. Upon encryption, the public key encapsulates the key details to generate a shared secret, which then serves as the final encryption key. The ciphertext, along with the shared secret, is provided to the recipient who decrypts it using their passphrase and secret key, and for XChaCha20, a nonce is required.

Encryption Syntax

// Creating a new key pair
let (public_key, secret_key) = KeyControlKyber1024::keypair().expect("Failed to generate keypair");

// Instantiating a new encryption object
let mut encryptor = Kyber::<Encryption, Kyber1024, File, AES>::new(public_key.clone(), None)?;

// Encrypting a message
let (encrypted_message, cipher) = encryptor.encrypt_msg(message.clone(), passphrase.clone())?;

// Encrypting a file
let (encrypted_message, cipher) = encryptor.encrypt_file(enc_path.clone(), passphrase.clone())?;

// Decrypting a message
let mut decryptor = Kyber::<Decryption, Kyber768, File, AES>::new(secret_key, None)?;
let decrypted_message = decryptor.decrypt_msg(encrypted_message.clone(), passphrase.clone(), cipher)?;

// Decrypting a file
let decrypted_file = decryptor.decrypt_file(enc_path.clone(), passphrase.clone(), cipher)?;

Signed Messages and Detached Signatures

Using Falcon1024 and Dilithium5, we have introduced robust post-quantum algorithms for key generation and signing processes. To create a signed message, the secret key is used along with the data to generate a verifiable signed version. Detached signatures serve to authenticate the creator of downloadable content. The verification process involves matching the public key, the signed data, and the original data.

Syntax for Signed Messages and Detached Signatures

// Creating a Falcon1024 key pair
let (public_key, secret_key) = Falcon1024::keypair().unwrap();

// Deciding between a signed message or a detached signature
let sign = Signature::<Falcon1024, Message>::new(); // For signed message
let sign = Signature::<Falcon1024, Detached>::new(); // For detached signature

// Using the signature function
let signature = sign.signature(data.clone(), secret_key)?;

// Opening a signed message
let opened_message = sign.open(signed_message, public_key)?;

// Verifying a detached signature
let is_valid = sign.verify(data, signature, public_key)?;

Logging

Logging Capabilities of CryptGuard

CryptGuard now features logging capabilities, designed to provide detailed tracking of encryption and decryption activities, thereby ensuring both security and transparency. The logging functionality does not compromise safety; instead, it documents which algorithm performed which action, including the specific date and time. For example, it records when a user initiates the generation of a new keypair, and when this process is completed, or notes when encryption of a file or message using AES begins, such as at 10:52 AM on 04/25/202X.

To enable logging, use the function activate_log("log.txt"). This command specifies the path to the log file and simultaneously creates a log folder in the same directory as the log file. This folder contains split logs related to different processes, providing a focused overview of actions without revealing any sensitive data. Rest assured, encrypted information, data prior to encryption, keys, and file locations are not disclosed in the logs.

The logging mechanism is implemented using a custom macro that interacts with our lazy static logging structure, LOGGER. This structure features a function to add log entries, which activates only when logging is enabled, as indicated by a boolean within the structure. Once active, the function continuously writes to the main log file, appending each new entry. Each time we invoke another macro, it clears the string in our structure that stores process-related log messages, allowing us to complete and close out the current process log file stored in the log folder.

Manual Encryption with AES or XChaCha20

For those seeking in-depth control over the cryptographic processes, manual encryption using AES or XChaCha20 is available. This advanced method requires a good understanding of the cryptographic constructs involved.

// Start implementing CrytographicInformation struct
// But since it needs the CryptographicMetadata struct
// we start whith that one
let crypt_meta = CryptographicMetadata::from(
    process: Process, // (enum)
    encryption_type: CryptographicMechanism, // (enum)
    key_type: KeyEncapMechanism, // (enum)
    content_type: ContentType // (enum)
);

// If you want to encrypt a file add to CryptographicInformation, a filemetada at the last attribute and turn the boolean to true.
let file = FileMetadata::from(
    location: PathBuf,
    file_type: FileTypes, // (enum) 
    file_state: FileState // (enum)
);

// Finally implement the CryptographicInformation struct
let crypt_info = CryptographicInformation::from(
    content: Vec<u8>,
    passphrase: Vec<u8>,
    metadata: crypt_meta, // CryptographicMetadata struct
    safe: bool,
    location: Some(file), // Option<FileMetadata> 
)

// Now you can start encryption
// new(infos: CryptographicInformation)
let cipher = CipherAES::new(crypt_info); 
let (data, ciphertext) = cipher.encrypt(public_key: Vec<u8>);

Enhancing Security Through Combined Techniques

For increased safety, the cryptographic algorithms provided allow for a combination of Key Encapsulation based encryption and Key Derivation for signature capabilities. Specifically, you can enhance security by signing the data in the same manner as creating signed messages before the encryption process. After signing, this data can be written into a file. Following this, the file is encrypted, and both the encrypted data and the ciphertext are converted to hex format and then concatenated. This concatenated format, containing both the encrypted data and the ciphertext, can be secured further by employing the method used for signing messages, adding an additional layer of security.

This approach eliminates the need to send ciphertext and encrypted data separately to the recipient of a message, thereby integrating robust security measures against potential interference by unauthorized entities.

Moreover, you can extend the use of these cryptographic techniques by encrypting data in segments using multiple encryption algorithms layered over each other. This stratified encryption enhances security further. While detailed instructions and examples are provided in the README.md and previous explanations, it is crucial to handle your data with care and ensure its integrity remains uncompromised. Always be vigilant about the security practices you implement to protect your information.

Did you find this article valuable?

Support M by becoming a sponsor. Any amount is appreciated!

falcon1024falcon512kyber768kyber512dilithium5dilithium3dilithium2RustPost-Quantum CryptographyKyber1024aesxchacha20encryptionCryptographydigital-signature