GordianKnot Lock

Overview

GordianKnot provide three kinds of locks that are password protected.

1. keySetLocks are provided to secure a keySet using a password. This keySet can be automatically generated or be pre-existing. It can only be unlocked by the same factory that was used to lock it.
2. factoryLocks are provided to secure a factory using a password. The factory to be locked can be automatically generated or be pre-existing. It can be unlocked by any factory running on the same machine.
3. keyPairLocks are provided to secure a randomly generated keySet using a password and a private asymmetric key. It can be unlocked using any factory and the corresponding public asymmetric key.

Password Algorithm

Creation Algorithm

1. A random 32-bit seed S and a random 128-bit initVector V are generated.
2. A seededRandom based on S and the personalisation value I₃ is created, and used to create the following items
   1. A set of three hMacs (all different) M₁, M₂ and M₃.
   2. A single secret hMac M_S with an 512-bit output.
   3. A 512-bit length digest X is selected from the same seeded Random.
3. Each of the hMacs is initialised with the password as the key
4. Each of the macs is updated with P, IV and the number of iterations L
5. Set input D_1-3 and D_S to V
6. Repeat the following loop L times
   1. Update M₁ with D₂ and D₃
   2. Update M₂ with D₁ and D₃
   3. Update M₃ with D₁ and D₂
   4. Update M_S with D_S and D_1-3
   5. Build new D_S as the result of M_S and xor the result into C_S. Repeat for other macs.
7. Update digest X with C_1-3 and calculate the digest as R_X
8. Calculate external lock as the concatenation of S||V||R_X
9. Create keys for the keySet using C_S as the secret

Derivation Algorithm

1. Extract S, V and R_X from the external lock.
2. Repeat creation algorithm with S, V and the password
3. Compare the calculated R_X with the one extracted from the hash. Only create the keySet if it matches.

keySetLock

A keySetLock can be either be used to secure an existing keySet, or it can be used to create a new random keySet.

Sample

/* Access factory */
final GordianFactory myBaseFactory = GordianGenerator.createFactory();
final GordianLockFactory myLockFactory = myBaseFactory.getLockFactory();

/* Create a lock for a new keySet */
final GordianPasswordLockSpec mySpec = new GordianPasswordLockSpec(new GordianKeySetSpec(GordianLength.LEN_256));
final char[] myPassword = ...
final GordianKeySetLock myLock = myLockFactory.newKeySetLock(mySpec, myPassword);
final GordianKeySet myKeySet = myLock.getKeySet();
final byte[] myLockBytes = myLock.getLockBytes();

/* Resolve the lock */
final GordianKeySetLock myResolved = myLockFactory.resolveKeySetLock(myLockBytes, myPassword);
                    

factoryLock

A factoryLock can either be used to secure an existing factory, or it can be used to create a new random factory.

Sample

/* Access factory */
final GordianFactory myBaseFactory = GordianGenerator.createFactory();
final GordianLockFactory myLockFactory = myBaseFactory.getLockFactory();
final GordianKeySetFactory myKeySetFactory = myKeySetFactory.getKeySetFactory();

/* Create a lock for a new factory */
final GordianPasswordLockSpecBuilder myLockBuilder = myLockFactory.newPasswordLockSpecBuilder()
final GordianKeySetSpecBuilder myKeySetBuilder = myKeySetFactory.newKeySetSpecBuilder()
final GordianPasswordLockSpec mySpec = myLockBuilder.passwordLock(myKeySetBuilder.keySet(GordianLength.LEN_256));
final char[] myPassword = ...
final GordianFactoryLock myLock = myBaseFactory.newFactoryLock(mySpec, myPassword);
final GordianFactory myFactory = myLock.getFactory();
final GordianKeySet myKeySet = myFactory.getEmbeddedKeySet();
final byte[] myLockBytes = myLock.getLockBytes();

/* Resolve the lock */
final GordianFactoryLock myResolved = myBaseFactory.resolveFactoryLock(myLockBytes, myPassword);
                    

keyPairLock

A keyPairLock can be used to create a new secured random keySet using an agreement-capable keypair.

Sample

/* Access factory */
final GordianFactory myBaseFactory = GordianGenerator.createFactory();
final GordianLockFactory myLockFactory = myBaseFactory.getLockFactory();
final GordianKeySetFactory myKeySetFactory = myBaseFactory.getKeySetFactory();
final GordianAsyncFactory myAsyncFactory = myBaseFactory.getAsyncFactory();
final GordianKeyPairFactory myKeyPairFactory = myAsyncFactory.getKeyPairFactory();
final GordianAgreementFactory myAgreementFactory = myAsyncFactory.getAgreementFactory();

/* Access keyPairGenerator and create sending/receiving pairs */
final GordianKeyPairSpecBuilder myKeyPairBuilder = myKeyPairFactory.newKeyPairkSpecBuilder()
final GordianKeyPairSpec mySpec = myKeyPairBuilder.dh(GordianDHGroup.FFDHE2048);
final GordianKeyPairGenerator myGenerator = myKeyPairFactory.getKeyPairGenerator(mySpec);
final GordianKeyPair myKeyPair = myGenerator.generateKeyPair();

/* Create a lock for a new keySet */
final GordianKeySetSpecBuilder myKeySetBuilder = myKeySetFactory.newKeySetSpecBuilder()
final GordianPasswordLockSpecBuilder myLockBuilder = myLockFactory.newPasswordLockSpecBuilder()
final GordianPasswordLockSpec mySpec = myLockBuilder.keySet(myKeySetBuilder(GordianLength.LEN_256));
final char[] myPassword = ...
final GordianKeyPairLock myLock = myLockFactory.newKeyPairLock(mySpec, myKeyPair, myPassword);
final GordianKeySet myKeySet = myLock.getKeySet();
final byte[] myLockBytes = myLock.getLockBytes();

/* Resolve the lock */
final GordianKeyPairLock myResolved = myLockFactory.resolveKeyPairLock(myLockBytes, myKeyPair, myPassword);