1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef CHROME_BROWSER_SYNC_UTIL_NIGORI_H_ 6 #define CHROME_BROWSER_SYNC_UTIL_NIGORI_H_ 7 #pragma once 8 9 #include <string> 10 11 #include "base/memory/scoped_ptr.h" 12 #include "crypto/symmetric_key.h" 13 14 namespace browser_sync { 15 16 // A (partial) implementation of Nigori, a protocol to securely store secrets in 17 // the cloud. This implementation does not support server authentication or 18 // assisted key derivation. 19 // 20 // To store secrets securely, use the |Permute| method to derive a lookup name 21 // for your secret (basically a map key), and |Encrypt| and |Decrypt| to store 22 // and retrieve the secret. 23 // 24 // TODO: Link to doc. 25 class Nigori { 26 public: 27 enum Type { 28 Password = 1, 29 }; 30 31 Nigori(); 32 virtual ~Nigori(); 33 34 // Initialize the client with the given |hostname|, |username| and |password|. 35 bool InitByDerivation(const std::string& hostname, 36 const std::string& username, 37 const std::string& password); 38 39 // Initialize the client by importing the given keys instead of deriving new 40 // ones. 41 bool InitByImport(const std::string& user_key, 42 const std::string& encryption_key, 43 const std::string& mac_key); 44 45 // Derives a secure lookup name from |type| and |name|. If |hostname|, 46 // |username| and |password| are kept constant, a given |type| and |name| pair 47 // always yields the same |permuted| value. Note that |permuted| will be 48 // Base64 encoded. 49 bool Permute(Type type, const std::string& name, std::string* permuted) const; 50 51 // Encrypts |value|. Note that on success, |encrypted| will be Base64 52 // encoded. 53 bool Encrypt(const std::string& value, std::string* encrypted) const; 54 55 // Decrypts |value| into |decrypted|. It is assumed that |value| is Base64 56 // encoded. 57 bool Decrypt(const std::string& value, std::string* decrypted) const; 58 59 // Exports the raw derived keys. 60 bool ExportKeys(std::string* user_key, 61 std::string* encryption_key, 62 std::string* mac_key) const; 63 64 static const char kSaltSalt[]; // The salt used to derive the user salt. 65 static const size_t kSaltKeySizeInBits = 128; 66 static const size_t kDerivedKeySizeInBits = 128; 67 static const size_t kIvSize = 16; 68 static const size_t kHashSize = 32; 69 70 static const size_t kSaltIterations = 1001; 71 static const size_t kUserIterations = 1002; 72 static const size_t kEncryptionIterations = 1003; 73 static const size_t kSigningIterations = 1004; 74 75 private: 76 scoped_ptr<crypto::SymmetricKey> user_key_; 77 scoped_ptr<crypto::SymmetricKey> encryption_key_; 78 scoped_ptr<crypto::SymmetricKey> mac_key_; 79 }; 80 81 } // namespace browser_sync 82 83 #endif // CHROME_BROWSER_SYNC_UTIL_NIGORI_H_ 84