gosmartkeyboard/security/Authentication.md

124 lines
2.9 KiB
Markdown
Raw Normal View History

# Keyboard connection authentication
Keyboarding is a very sensitive activity, so this app naturally needs to encrypt and authenticate connections.
All connections are encrypted using an external TLS proxy (e.g. [Caddy](https://caddyserver.com)) outside the
scope of this project.
We perform application level authentication using the system random device. @{token generation}
We hash the 32 byte token using sha3-256 to avoid accidentally exposing the token to a
readonly attacker. Since the token is very high entropy, we do not need a salt or
KDF.
``` go
--- token generation
authToken := [32]byte{}
rand.Read(authToken[:])
2022-09-16 05:42:29 +00:00
2023-01-02 07:24:35 +00:00
authTokenString = base64.StdEncoding.EncodeToString(authToken[:])
hashedID := sha3.Sum256(authToken[:])
---
```
## Authentication token file
We store the token in a file, which is set
by the environment variable `KEYBOARD_AUTH_TOKEN_FILE`, but defaults to
'XDG_CONFIG_HOME/smartkeyboard/auth-token.'
The following is used when we need to get the token file path:
``` go
--- define authentication token file
@{get authTokenFile from environment}
if authTokenFileIsSet == false {
authTokenFile = filepath.Join(xdg.ConfigHome, "smartkeyboard", "auth-token")
}
---
```
## Checking authentication
2023-01-01 01:23:52 +00:00
When a client connects, the [websocket endpoint](Server.md) checks the token they send against the stored token.
2023-01-01 01:23:52 +00:00
We use a constant time comparison to avoid timing attacks, although it is not clear if this is necessary in this case.
2022-09-16 05:42:29 +00:00
``` go
2022-09-16 05:42:29 +00:00
--- check token function
func CheckAuthToken(token string) error {
@{define authentication token file}
// compare sha3_256 hash to hash in file
tokenBytes, err := base64.StdEncoding.DecodeString(token)
hashedToken := sha3.Sum256(tokenBytes)
storedToken, err := os.ReadFile(authTokenFile)
if err != nil {
return err
}
if subtle.ConstantTimeCompare(hashedToken[:], storedToken) != 1 {
return errors.New("invalid token")
}
return nil
}
---
2022-09-16 05:42:29 +00:00
--- provision token function
2023-01-02 07:24:35 +00:00
func ProvisionToken() (authTokenString string, failed error){
@{define authentication token file}
if _, err := os.Stat(authTokenFile); err == nil {
return "", nil
}
@{token generation}
2022-09-16 05:42:29 +00:00
// create directories if they don't exist
os.MkdirAll(filepath.Dir(authTokenFile), 0700)
fo, err := os.Create(authTokenFile)
2022-09-16 05:42:29 +00:00
defer fo.Close()
if err != nil {
panic(err)
}
fo.Write(hashedID[:])
2023-01-02 07:24:35 +00:00
return authTokenString, nil
}
2022-09-16 05:42:29 +00:00
---
## Putting it all together
The following is the structure of the authentication package.
Both CheckAuthToken and ProvisionToken are exported.
The former is used by the server on client connect and the latter is called on startup.
--- /auth/auth.go
package auth
import(
"os"
"path/filepath"
"fmt"
"errors"
"encoding/base64"
"crypto/rand"
2022-09-16 05:42:29 +00:00
"crypto/subtle"
@{sha3 import string}
@{xdg import string}
)
//var authToken = ""
2022-09-16 05:42:29 +00:00
@{provision token function}
2022-09-16 05:42:29 +00:00
@{check token function}
---
```