coffer/Design.org at 52989eb1432d4ae2e1dcca44ce73115f0c123351

incubator/coffer

Fork 0

Armin Friedl 52989eb143

[all] Simplification

2020-02-04 21:09:09 +01:00

3 KiB

Raw Blame History

Communication
- Frame
- Message Types
Coffer
Coffer Server
Coffer Definition (TOML)
Coffer Response

Communication

Frame

Header ::: content-length: u16 | message-type: u8 ::: 3 byte, fixed Body ::: content: [u8; content-length] ::: conent-length byte, variable

Unsigned integers in network byte order.

Message Types

Ordinal	Type	Body Format	Direction	Transitions	Description
0x00	Hello	Client PK	C -> S	Link, KeyNotFound, Error	Initiates communication
0x01	Link	<empty>	S -> C	Get, Bye	Link established, communication can start
0x02	Get	<empt>	C -> S	OkGet, Error	Retrieve a secrets for the client
0x03	OkGet	Coffer (sealed)	S -> C	Bye	Send secrets to the client
0x99	Bye	Client PK	C -> S	•	Close connection
0xaa	KeyNotFound	Client PK	S -> C	•	PK unknown to server
0xff	Error	UTF-8 String	S -> C	•	Generic server error with reason

Seal is determined by communication direction: C -> S: sealed by server public key, client private key S -> C: sealed by client public key, server private key
Secrets returned as sealed cbor

Coffer

Sharded KV-Store
Keys are UTF-8 Strings
Typed values as defined by TOML: String, Integer, Float, Boolean, Date

Coffer Server

A coffer-server can support multiple clients by means of sharding the keyspace. Clients are uniquely identified by their public key.

A client can only access its shard identified by its public key
All server responses are sealed by the client's public key and server's private key. No secrets can be extracted or communication data collected except the private keys are compromised.
All server requests are sealed by the server's public and client's private key. No tampered requests can be sent or communication data collected except the private keys are compromised.

Coffer Definition (TOML)

Encrypted Authentication: SK of coffer-companion, PK of coffer-server

  # Names for ids (public keys) of clients
  [clients]
  file = "AAAA-AAAA-AAAA-AAAA"
  bin = "FFFF-FFFF-FFFF-FFFF"

  # Secrets for a named client (defined in clients)
  [file]
  secretkey = "secret value"
  secretkey2 = "secret value2"

Coffer Response

Encrypted Authentication: SK of coffer-server, PK of coffer-client Format: cbor

CofferResponse = List<CofferSecret>

CofferSecret { key: UTF-8 String, value: CofferValue }

CofferValue = String | Integer | Float | Boolean | Date

3 KiB Raw Blame History