class Sodium::Kdf

Overview

Key derivation function

Usage:

kdf = KDF.new
subkey_id = 0
output_size = 16
subkey = kdf.derive "8bytectx", subkey_id, output_size

Memory for this class is held in a sodium guarded page with noaccess.
Readonly access is temporarily enabled when deriving keys.
Calling #to_slice marks the page readonly permanently.

Included Modules

Defined in:

sodium/kdf.cr

Constant Summary

CONTEXT_SIZE = LibSodium.crypto_kdf_contextbytes
KEY_SIZE = LibSodium.crypto_kdf_keybytes.to_i

Constructors

Instance Method Summary

Instance methods inherited from module Sodium::Wipe

close close, finalize finalize

Constructor Detail

def self.new(bytes : Bytes, erase = false) #

Use an existing KDF key.

  • Copies key to a new SecureBuffer
  • Optionally erases bytes after copying if erase is set

[View source]
def self.new(sbuf : SecureBuffer) #

Use an existing KDF SecureBuffer key.


[View source]
def self.new #

Generate a new random KDF key.

Make sure to save kdf.to_slice before kdf goes out of scope.


[View source]

Instance Method Detail

def derive(context, subkey_id, subkey_size) : SecureBuffer #

Derive a consistent subkey based on context and subkey_id.

context and subkey don't need to be secret

  • context must be 8 bytes
  • subkey_size must be 16..64 bytes as of libsodium 1.0.17

Returns a SecureBuffer. May transfer ownership to SecretBox or SecretKey without copying.


[View source]
def derive_cryptobox(context, subkey_id) : CryptoBox::SecretKey #

Convenience method to create a new CryptoBox::Secret without handling the key.

See derive() for further information on context and subkey_id.


[View source]
def derive_secretbox(context, subkey_id) : SecretBox #

Convenience method to create a new SecretBox without handling the key.

See derive() for further information on context and subkey_id.


[View source]
def derive_sign(context, subkey_id) : Sign::SecretKey #

Convenience method to create a new Sign::Secret without handling the key.

See derive() for further information on context and subkey_id.


[View source]
def to_slice : Bytes #

Returns key


[View source]