Monocypher - data encryption and decryption
Monocypher is an open-source BSD licensed project that has great data encryption and decryption capability for embedded systems. Here is a short simple engineer view on how to make it work.
Sequence diagram
In the image is a sequence diagram that described how to securely exchange data works in one way from server to client.Explaining the keywords
secret key - a pre-shared key that needed to be exchanged between client and server in a secure manner before communication started. A secret key can also be referenced as a private client and a private server key.
client public key - the key that client has generated (calculated) from a pre-shared key that can be publicly shared. Alone it doesn't have any valuable value. It is sent to the server where the server can use it to calculate a shared key.
server public key - the key that server has generated (calculated) from a pre-shared key that can be publicly shared. Alone it doesn't have any valuable value. It is sent to the client where the client can use it to calculate a shared key.
shared key - is the only key that is used for data encryption and decryption. It is a newly generated key after the client and server exchange their public keys. The shared key is the same for both client and the server. The client will calculate it by using pre-shared and server public key while sever will do it by using pre-shared key and client public key.
mac - message authentication code that helps the client to be sure that data arrives from the server from which we received the public key in case the package was intercepted and changed. Mac is generated together with the encrypted messages. server public key - the key that server has generated (calculated) from a pre-shared key that can be publicly shared. Alone it doesn't have any valuable value. It is sent to the client where the client can use it to calculate a shared key.
shared key - is the only key that is used for data encryption and decryption. It is a newly generated key after the client and server exchange their public keys. The shared key is the same for both client and the server. The client will calculate it by using pre-shared and server public key while sever will do it by using pre-shared key and client public key.
nonce - is an arbitrary number that needs to be provided for the encryption mechanism to work. It is not necessary to be random but it is very important that each data encryption never has the same nonce value. In other words, each time using an encryption function, nonce must have a unique value. It is sent together with encrypted data and mac to the client for data decryption.
Diagram explains the order of functions to call to do a crypto key exchange so both client and server have the same shared key. The size of mac is always 16 bytes while for the nonce is always 24 bytes.
The size of data is arbitrary, and the example is used 2 bytes. The size of keys is fixed to 32 bytes.
The size of data is arbitrary, and the example is used 2 bytes. The size of keys is fixed to 32 bytes.
Comments
Post a Comment