Library to take 2 inputs (lock and key) to produce a derived key using argon2id
. Useful to generate master keys and its hash signature for various use cases, such as encryption/decryption keys.
Both the lock and key will be used to generate the salt and the input for argon2id
will be HMAC.
Only the signature of the key will be stored in databases or such, the actual key never touches any datastore. This allows it to be used and discarded as needed.
lock := []byte("user@example.com")
key := []byte("hello, world!")
d, err := dk.New(lock, key)
if nil != err {
fmt.Println(err)
os.Exit(1)
}
fmt.Println(d.Key)
fmt.Println(d.Sig)
// the signature will come from a remote database or such
s, err := hex.DecodeString(d.Sig.String())
if nil != err {
fmt.Println(err)
os.Exit(1)
}
fmt.Println(d.Match(s))
Assume the lock
is the email, and key
is the password.
- Create a new instance of
blake2b
with no input key for the salt. - Write the bytes of
lock
into thisblake2b
instance. - Write the bytes of
key
into thisblake2b
instance. - Take the first 16 bytes of this result as
salt
. - Create new
hmac
instance usingsha3-384
andkey
as the key. - Write the bytes of
lock
into thishmac
instance. - The result of this will be the input to be fed into
argon2id
. - Create new
argon2id
instance with the following parameters a.memory
= 64MB (64 * 1024) b.iterations
= 3 c.parallelism
= 4 d.saltLength
= 16 e.keyLength
= 32 - Set the salt of
argon2id
with the value from step (4). - Using the value from step (7), generate the key using
argon2id
. - The signature of this key is a
sha3-256
which can be stored in a database or such.