Skip to content

Commit

Permalink
Generate authSalt and contractSalt
Browse files Browse the repository at this point in the history
  • Loading branch information
corrideat committed Dec 7, 2024
1 parent 6a5a0d5 commit b6358a9
Show file tree
Hide file tree
Showing 2 changed files with 10 additions and 17 deletions.
12 changes: 4 additions & 8 deletions backend/zkppSalt.js
Original file line number Diff line number Diff line change
Expand Up @@ -303,21 +303,17 @@ export const updateContractSalt = async (contract: string, r: string, s: string,
}

try {
const argsObj = JSON.parse(Buffer.from(args).toString())

if (!Array.isArray(argsObj) || argsObj.length !== 3 || !argsObj.reduce((acc, cv) => acc && typeof cv === 'string', true)) {
console.error(`update: Error validating the encrypted arguments for contract ID ${contract} (${JSON.stringify({ r, s, hc })})`)
return false
}

const [hashedPassword, authSalt, contractSalt] = argsObj
const hashedPassword = Buffer.from(args).toString()

const recordId = await computeZkppSaltRecordId(contract)
if (!recordId) {
console.error(`update: Error obtaining record ID for contract ID ${contract}`)
return false
}

const authSalt = Buffer.from(hashStringArray('AUTHSALT', c)).slice(0, 18).toString('base64')
const contractSalt = Buffer.from(hashStringArray('CONTRACTSALT', c)).slice(0, 18).toString('base64')

const token = encryptSaltUpdate(
hashUpdateSecret,
recordId,
Expand Down
15 changes: 6 additions & 9 deletions shared/zkpp.js
Original file line number Diff line number Diff line change
Expand Up @@ -137,27 +137,24 @@ export const buildRegisterSaltRequest = async (publicKey: string, secretKey: Uin
}

export const buildUpdateSaltRequestEa = async (password: string, c: Uint8Array): Promise<[string, string]> => {
// TODO: Derive S_A and S_C as follows:
// -> q -< random
// -> r -< SHA-512(SHA-512('SU') + SHA-512(q))
// -> b -< SHA-512(r) // as it's now
// Then,
// -> S_T -< BASE64(SHA-512(SHA-512(T) + SHA-512(q))[0..18]) with T being
// Derive S_A and S_C as follows:
// -> S_T -< BASE64(SHA-512(SHA-512(T) + SHA-512(c))[0..18]) with T being
// `AUTHSALT` or `CONTRACTSALT`
// This way, we ensure both the server and the client contribute to the
// salts' entropy.
// When sending the encrypted data, the encrypted information would be
// `[hashedPassword, q]`, which needs to be verified server-side to verify
// `hashedPassword`, which needs to be verified server-side to verify
// it matches p and would be used to derive S_A and S_C.
const [authSalt, contractSalt] = ['a', 'b']
const authSalt = Buffer.from(hashStringArray('AUTHSALT', c)).slice(0, 18).toString('base64')
const contractSalt = Buffer.from(hashStringArray('CONTRACTSALT', c)).slice(0, 18).toString('base64')

const encryptionKey = nacl.hash(Buffer.concat([
Buffer.from('SU'), Buffer.from(c)
])).slice(0, nacl.secretbox.keyLength)
const nonce = nacl.randomBytes(nacl.secretbox.nonceLength)

const hashedPassword = await hashPassword(password, authSalt)
const encryptedArgsCiphertext = nacl.secretbox(Buffer.from(JSON.stringify([hashedPassword, authSalt, contractSalt])), nonce, encryptionKey)
const encryptedArgsCiphertext = nacl.secretbox(Buffer.from(hashedPassword), nonce, encryptionKey)

const encryptedArgs = Buffer.concat([nonce, encryptedArgsCiphertext])

Expand Down

0 comments on commit b6358a9

Please sign in to comment.