Documentation
Overview
Package crypto provides token encryption functionality using format-preserving encryption (FPE). The implementation uses the FAST algorithm, which processes data through multiple rounds; each round applies a mixing function with two S-box lookups and a state rotation. FAST is designed to be secure and fast while preserving the format of the input data: ciphertext has the same length and domain as the plaintext, so an encrypted value fits wherever the original did. Like every FPE scheme it is deterministic for a fixed key and tweak, so the tweak is what keeps equal values in different contexts from encrypting alike. See the paper for the security analysis. Based on: "FAST: Secure and High Performance Format-Preserving Encryption and Tokenization", https://eprint.iacr.org/2021/1171.pdf
Constants
const (
	// MaxDataSize is the maximum size of data that can be encrypted/decrypted
	MaxDataSize = 1024 * 1024 // 1MB limit for safety
)
Constants for FAST algorithm
Variables
var (
ErrInvalidKeySize = errors.New("invalid key size: must be 16, 24, or 32 bytes")
)
Errors
Functions
This section is empty.
Types
type FASTCipher
type FASTCipher struct {
// contains filtered or unexported fields
}
FASTCipher implements the FAST format-preserving encryption algorithm
func NewFASTCipher
func NewFASTCipher(key []byte) (*FASTCipher, error)
NewFASTCipher creates a new FAST cipher instance with the given AES key. The key must be 16, 24, or 32 bytes for AES-128, AES-192, or AES-256 respectively; any other length is rejected with ErrInvalidKeySize.
func (*FASTCipher) Decrypt
func (f *FASTCipher) Decrypt(data []byte, tweak []byte) []byte
Decrypt performs FAST format-preserving decryption on the input data. The output has the same length as the input. The same tweak used for encryption must be provided: decryption under a different tweak does not fail but yields an unrelated value of the same length, because a format-preserving cipher carries no integrity check. Callers that need to detect tampering must add that check themselves.
Returns nil if the cipher is nil or data exceeds MaxDataSize; check for nil before using the result as plaintext.
func (*FASTCipher) Encrypt
func (f *FASTCipher) Encrypt(data []byte, tweak []byte) []byte
Encrypt performs FAST format-preserving encryption on the input data. The output has the same length as the input. The tweak (nil if unused) provides domain separation: different tweaks produce different ciphertexts for the same plaintext. Encryption is deterministic, so a given key, tweak and plaintext always yield the same ciphertext; bind the tweak to the context (field, tenant, record) so that equal values in different contexts do not encrypt alike.
Returns nil if the cipher is nil or data exceeds MaxDataSize. A nil result must never be stored or transmitted in place of ciphertext, so check it.
type TokenCrypto
type TokenCrypto struct {
Enabled bool
// contains filtered or unexported fields
}
TokenCrypto handles encryption and decryption of sensitive tokens in strings. It uses format-preserving encryption (FPE) so that an encrypted token keeps the shape of the original without exposing its value, and marks each encrypted token so it can be located and decrypted later. When Enabled is false, all operations are no-ops.
func NewTokenCrypto
func NewTokenCrypto(enabled bool) (*TokenCrypto, error)
NewTokenCrypto creates a new TokenCrypto instance. If enabled is false, it returns a no-op instance that passes all strings through unchanged. If enabled is true, it initializes the underlying FAST cipher with the global encryption key (an AES key, as NewFASTCipher requires) and returns an error if the cipher cannot be initialized.
func (*TokenCrypto) DecryptTokensInString
func (tc *TokenCrypto) DecryptTokensInString(input string) string
DecryptTokensInString finds and decrypts all encrypted tokens in the input string. It looks for tokens in [ENCRYPTED-TOKEN:...] format and decrypts them back to their original values. If decryption fails for any token, that token is left unchanged. Because format-preserving encryption carries no integrity check, a marker whose contents were altered can still decrypt without error to a different value, so a successful unwrap is not proof that the token is intact. Returns the original string if encryption is disabled.
func (*TokenCrypto) EncryptTokensInString
func (tc *TokenCrypto) EncryptTokensInString(input string) string
EncryptTokensInString finds and encrypts all tokens in the input string. It identifies potential secrets heuristically by pattern matching: hex tokens of 32 or more characters, and base64-looking tokens of 20 or more characters with an appropriate mix of character classes. Because detection is pattern-based, it can miss secrets of other shapes (short or prefixed tokens, values containing punctuation) and can wrap non-secret strings that happen to match, so treat it as log hygiene rather than a guarantee. Encrypted tokens are wrapped in [ENCRYPTED-TOKEN:...] format, so the processed string is longer than the input. Returns the original string if encryption is disabled.
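Worked example, added here and not part of the package: a stand-alone Go file that exercises both halves of the API documented above, the tweak-separated FASTCipher calls (Encrypt/Decrypt with a tweak, the nil return on a nil cipher or oversize input) and the TokenCrypto scan-and-wrap flow, without importing the package. Everything in it is an assumption of this example rather than the package's code: demoCipher is a small alternating Feistel network over bytes with an HMAC-SHA256 round function that stands in for *FASTCipher (same Encrypt/Decrypt signatures, tweak handling, length preservation and nil-on-oversize behaviour, but it is not FAST and carries none of FAST's analysis); the detection regexes are one reading of the page's "32+ hex" and "20+ mixed base64" rules; ciphertext inside the [ENCRYPTED-TOKEN:...] marker is hex-encoded; one fixed tweak is used for all tokens; a token that cannot be encrypted is redacted rather than passed in clear; and the Enabled switch is omitted. sampleLog is a constructed line, not real data.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// demoCipher stands in for *FASTCipher: an alternating Feistel network over bytes with an HMAC-SHA256
// round function. It is tweakable, deterministic and length-preserving like the real cipher, but it
// is NOT the FAST algorithm and exists only so this file runs without the package.
type demoCipher struct{ key []byte }

// mask derives n bytes of round-function output from (round, tweak, the other half of the state).
func (c *demoCipher) mask(round int, tweak, half []byte, n int) []byte {
	var out []byte
	for blk := 0; len(out) < n; blk++ {
		mac := hmac.New(sha256.New, c.key)
		fmt.Fprintf(mac, "%d|%d|%d|", round, blk, len(tweak)) // length prefix keeps tweak and half apart
		mac.Write(tweak)
		mac.Write(half)
		out = mac.Sum(out)
	}
	return out[:n]
}

func (c *demoCipher) feistel(data, tweak []byte, decrypt bool) []byte {
	if c == nil || len(data) > 1024*1024 { // same size limit and nil signalling as the package
		return nil
	}
	buf := append([]byte(nil), data...)
	h := [2][]byte{buf[:len(buf)/2], buf[len(buf)/2:]}
	for k := 0; k < 8; k++ {
		r := k
		if decrypt {
			r = 7 - k // every round is an involution, so decryption runs them backwards
		}
		dst, m := h[r%2], c.mask(r, tweak, h[1-r%2], len(h[r%2]))
		for i := range dst {
			dst[i] ^= m[i]
		}
	}
	return buf
}
func (c *demoCipher) Encrypt(data, tweak []byte) []byte { return c.feistel(data, tweak, false) }
func (c *demoCipher) Decrypt(data, tweak []byte) []byte { return c.feistel(data, tweak, true) }

// Assumed detection rules: the page states only the lengths and a "character mix".
var (
	scanRe = regexp.MustCompile(`[0-9a-fA-F]{32,}|[A-Za-z0-9+/]{20,}={0,2}`)
	hexRe  = regexp.MustCompile(`^[0-9a-fA-F]{32,}$`)
	wrapRe = regexp.MustCompile(`\[ENCRYPTED-TOKEN:([0-9a-f]*)\]`)
)

func looksLikeSecret(tok string) bool {
	mixed := strings.ContainsAny(tok, "0123456789") && strings.ContainsAny(tok, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
	return scanRe.FindString(tok) == tok && (hexRe.MatchString(tok) || mixed)
}

// tokenCrypto is a cut-down TokenCrypto (no Enabled switch); the cipher field accepts a *FASTCipher.
type tokenCrypto struct {
	cipher interface{ Encrypt(data, tweak []byte) []byte; Decrypt(data, tweak []byte) []byte }
	tweak  []byte // assumed: one fixed tweak that binds these ciphertexts to log-token use
}

func (tc *tokenCrypto) EncryptTokensInString(in string) string {
	return scanRe.ReplaceAllStringFunc(in, func(tok string) string {
		if !looksLikeSecret(tok) {
			return tok
		}
		if ct := tc.cipher.Encrypt([]byte(tok), tc.tweak); ct != nil {
			return "[ENCRYPTED-TOKEN:" + hex.EncodeToString(ct) + "]" // hex is an assumed encoding
		}
		return "[REDACTED-TOKEN]" // fail closed: a secret that cannot be encrypted must not pass in clear
	})
}

func (tc *tokenCrypto) DecryptTokensInString(in string) string {
	return wrapRe.ReplaceAllStringFunc(in, func(m string) string {
		raw, err := hex.DecodeString(wrapRe.FindStringSubmatch(m)[1])
		// FPE carries no integrity tag: a tampered marker decrypts to garbage without any error, so the
		// only sanity check available is that the result still looks like a token; otherwise keep the marker.
		if pt := tc.cipher.Decrypt(raw, tc.tweak); err == nil && pt != nil && looksLikeSecret(string(pt)) {
			return string(pt)
		}
		return m
	})
}

// Constructed sample log line; neither value is a real credential.
const sampleLog = "user=alice apikey=0123456789abcdef0123456789abcdef0123456789abcdef session=dGhpcyBpcyBhIHNlY3JldDEyMw== ok"

func main() {
	tc := &tokenCrypto{cipher: &demoCipher{key: []byte("0123456789abcdef0123456789abcdef")}, tweak: []byte("log-tokens/v1")}
	fmt.Println(tc.EncryptTokensInString(sampleLog))
}
```

Two things this makes visible that the documentation only states: encrypting one value under two different tweaks yields two different ciphertexts of the same length as the input, and decrypting a tampered marker produces garbage rather than an error, which is why the scanner checks that a decrypted value still looks like a token before unwrapping it. To use the real package, replace demoCipher with the *FASTCipher returned by NewFASTCipher; the interface field accepts it unchanged.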