session_keys 0.1.0 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7b74b3a502d1899a68ff8b16541ea362382c8669
-  data.tar.gz: 52dda96d9ce724e94029fb0cd721dc60a5cf0b20
+  metadata.gz: e0173c199f8a44a3f43f5ddb65c1252e30ceeeb6
+  data.tar.gz: 4685fc8e3585592c591ca82e2cbcce91b40c9aa7
 SHA512:
-  metadata.gz: 00fea5dc09be245cd39b32f8cc836ba2610384911730c5e32eed10e4c87368530d753bc35fde5a6b13ad751de9a21e8414c9801d9849be38f55ec4f107634b54
-  data.tar.gz: f5a9b84aea86470d7a2cc1d0613bf409d3285d3911487b25a2d41fe4345323d48a29fd0e3c4a928f87c27f67bf61c4c91b8c0336f9dca118f5fd0fd71da49ab2
+  metadata.gz: a169ab65770b8c88d64e3ab03fd7d1060e22233fe036e353b52d35bf993201ddcf508c9040d0c2fb8a68374d6ea3fb14a0f01647cdab1c208928ec591196e2a8
+  data.tar.gz: ddadf6ca0160a531406c98f8b9ca9af1c1b5acf41ba12244e0540f56dd4c8cf77ea6e98f824cc79bc8a41d649d8804eadc74e048987802faca70efacfea2ff72

data/.travis.yml

@@ -1,7 +1,5 @@
 language: ruby
 rvm:
-  - 2.1.0
-  - 2.2.4
+  - 2.2.5
   - 2.3.1
-  - jruby-9.0.5.0
 before_install: gem install bundler -v 1.12.1

data/CHANGELOG.md

@@ -0,0 +1,12 @@
+# CHANGELOG
+
+## v1.0.0 (9/8/2016)
+
+- Major refactor and simplification
+- Compatible with grempe/session-keys-js
+
+## v0.1.0 (4/30/2016)
+
+This is the initial ALPHA quality release.
+
+It is for review only and should not yet be used in production.

data/Gemfile

@@ -2,8 +2,3 @@ source 'https://rubygems.org'
 
 # Specify your gem's dependencies in session_keys.gemspec
 gemspec
-
-# FIXME : remove when @bascule publishes new rbnacl release
-# including commit : dc1e8d10b8fc4784130b0864d45b9275a9e979dc
-# https://github.com/cryptosphere/rbnacl/pull/135
-gem 'rbnacl', git: 'https://github.com/cryptosphere/rbnacl.git'

data/README.md

@@ -1,35 +1,25 @@
-# SessionKeys
+# sessionKeys (Ruby)
 
-[![Gem Version](https://badge.fury.io/rb/session-keys-rb.svg)](https://badge.fury.io/rb/session-keys-rb)
+[![Gem Version](https://badge.fury.io/rb/session_keys.svg)](https://badge.fury.io/rb/session_keys)
 [![Dependency Status](https://gemnasium.com/badges/github.com/grempe/session-keys-rb.svg)](https://gemnasium.com/github.com/grempe/session-keys-rb)
 [![Build Status](https://travis-ci.org/grempe/session-keys-rb.svg?branch=master)](https://travis-ci.org/grempe/session-keys-rb)
 [![Coverage Status](https://coveralls.io/repos/github/grempe/session-keys-rb/badge.svg?branch=master)](https://coveralls.io/github/grempe/session-keys-rb?branch=master)
 [![Code Climate](https://codeclimate.com/github/grempe/session-keys-rb/badges/gpa.svg)](https://codeclimate.com/github/grempe/session-keys-rb)
 [![Inline docs](http://inch-ci.org/github/grempe/session-keys-rb.svg?branch=master)](http://inch-ci.org/github/grempe/session-keys-rb)
 
-SessionKeys is a cryptographic tool for the deterministic generation of
-NaCl compatible [Curve25519](https://cr.yp.to/ecdh.html) encryption and
-[Ed25519](http://ed25519.cr.yp.to) digital signature keys.
+`sessionKeys` is a cryptographic tool for the generation of unique user IDs,
+and NaCl compatible [Curve25519](https://cr.yp.to/ecdh.html) encryption, and
+[Ed25519](http://ed25519.cr.yp.to) digital signature keys using Ruby.
 
-The strength of the system lies in the fact that the keypairs are derived from
-passing an identifier, such as a username or email address, and a high-entropy
-passphrase through the `SHA256` hash and the `scrypt` key derivation
-functions. This means that no private key material need ever be stored to disk.
-The generated keys are deterministic; for any given ID, password, and
-strength combination the same keys will always be returned.
+It is compatible with [grempe/session-keys-js](https://github.com/grempe/session-keys-js)
+which can generates identical IDs and crypto keys using Javascript when given the
+same username and passphrase values. Both libraries have extensive tests to
+ensure they remain interoperable.
 
-The generated ID is passed through `SHA256` and `scrypt` and is derived from
-only the ID parameter your provide and a common salt.
+The strength of the system lies in the fact that the keypairs are derived from passing an identifier such as a username or email address, and a high-entropy passphrase through the SHA256 cryptographic one-way hash function, and then 'stretching' that username/password into strong key material using the scrypt key derivation function.
 
-The password is also passed through `SHA256` and `scrypt` and NaCl encryption
-and signing keypairs are derived from the combination of the stretched ID,
-your password, and a common salt.
-
-## WARNING : BETA CODE
-
-This code is new and has not yet been tested in production. Use at your own risk.
-The interface should be fairly stable now but should not be considered fully
-stable until v1.0.0 is released.
+For an overview of the security design, please see the README for the companion
+project [grempe/session-keys-js](https://github.com/grempe/session-keys-js)
 
 ## Installation
 
@@ -51,6 +41,40 @@ Or install it yourself as:
 $ gem install session_keys
 ```
 
+## Usage
+
+``` ruby
+SessionKeys.generate('user@example.com', 'my strong passphrase')
+
+{
+  id: '...',
+  byte_keys: [...],
+  hex_keys: [...],
+  nacl_encryption_key_pairs: [...],
+  nacl_encryption_key_pairs_base64: [...],
+  nacl_signing_key_pairs: [...],
+  nacl_signing_key_pairs_base64: [...],
+  process_time: 250
+}
+
+```
+
+Security Note : Each Array will contain eight values. Since each value at a
+particular Array index is derived from the same key material it is recommended
+to choose the different key types you need from different Array indexes. This
+ensures that each key type was not derived from the same value.
+
+```
+# uuid : array index 0
+output.hex_keys[0]
+
+# encryption keypair : array index 1
+output.nacl_encryption_key_pairs[1]
+
+# signing keypair : array index 2
+output.nacl_signing_key_pairs[2]
+```
+
 ### Installation Security : Signed Ruby Gem
 
 The SessionKeys gem is cryptographically signed. To be sure the gem you install hasn’t
@@ -58,7 +82,7 @@ been tampered with you can install it using the following method:
 
 Add required public keys (if you haven’t already) as trusted certificates
 
-``` text
+```
 # Caveat: Gem certificates are trusted globally, such that adding a
 # cert.pem for one gem automatically trusts all gems signed by that cert.
 gem cert --add <(curl -Ls https://raw.githubusercontent.com/cryptosphere/rbnacl/master/bascule.cert)
@@ -101,13 +125,6 @@ You can also clone the repository and verify the signatures locally using your
 own GnuPG installation. You can find my certificates and read about how to conduct
 this verification at [https://www.rempe.us/keys/](https://www.rempe.us/keys/).
 
-## Usage
-
-``` ruby
-keys = SessionKeys.generate('user@example.com', 'my strong passphrase')
-#=> {...}
-```
-
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then,

data/RELEASE.md

@@ -0,0 +1,113 @@
+# Gem Release Process
+
+Don't use the `bundle exec rake release` task. It is more convenient,
+but it skips the process of signing the version release task.
+
+## Run Tests
+
+```sh
+$ bundle exec rake test
+$ rake wwtd
+```
+
+## Git Push
+
+```sh
+$ git push
+```
+
+Check for regressions in automated tests:
+
+* [https://travis-ci.org/grempe/session-keys-rb](https://travis-ci.org/grempe/session-keys-rb)
+* [https://coveralls.io/github/grempe/session-keys-rb?branch=master](https://coveralls.io/github/grempe/session-keys-rb?branch=master)
+* [https://codeclimate.com/github/grempe/session-keys-rb](https://codeclimate.com/github/grempe/session-keys-rb)
+* [http://inch-ci.org/github/grempe/session-keys-rb](http://inch-ci.org/github/grempe/session-keys-rb)
+
+## Bump Version Number and edit CHANGELOG.md
+
+```sh
+$ vi lib/session_keys/version.rb
+$ git add lib/session_keys/version.rb
+$ vi CHANGELOG.md
+$ git add CHANGELOG.md
+```
+
+## Local Build and Install w/ Signed Gem
+
+The `build` step should ask for PEM passphrase to sign gem. If it does
+not ask it means that the signing cert is not present.
+
+Add certs:
+
+```sh
+gem cert --add <(curl -Ls https://raw.github.com/grempe/session-keys-rb/master/certs/gem-public_cert_grempe.pem)
+gem cert --add <(curl -Ls https://raw.githubusercontent.com/cryptosphere/rbnacl/master/bascule.cert)
+```
+
+Build:
+
+```sh
+$ rake build
+Enter PEM pass phrase:
+session_keys 0.1.0 built to pkg/session_keys-0.1.0.gem.
+```
+
+Install locally w/ Cert:
+
+```sh
+$ gem uninstall session_keys
+$ rbenv rehash
+$ gem install pkg/session_keys-0.1.0.gem -P MediumSecurity
+Successfully installed session_keys-0.1.0.gem
+1 gem installed
+```
+
+## Git Commit Version and CHANGELOG Changes, Tag and push to Github
+
+```sh
+$ git add lib/session_keys/version.rb
+$ git add CHANGELOG.md
+$ git commit -m 'Bump version v0.1.1'
+$ git tag -s v0.1.1 -m "v0.1.1" SHA1_OF_COMMIT
+```
+
+Verify last commit and last tag are GPG signed:
+
+```
+$ git tag -v v0.1.0
+...
+gpg: Good signature from "Glenn Rempe (Code Signing Key) <glenn@rempe.us>" [ultimate]
+...
+```
+
+```
+$ git log --show-signature
+...
+gpg: Good signature from "Glenn Rempe (Code Signing Key) <glenn@rempe.us>" [ultimate]
+...
+```
+
+Push code and tags to GitHub:
+
+```
+$ git push
+$ git push --tags
+```
+
+## Push gem to Rubygems.org
+
+```sh
+$ gem push pkg/session_keys-0.1.0.gem
+```
+
+Verify Gem Push at [https://rubygems.org/gems/session_keys](https://rubygems.org/gems/session_keys)
+
+## Create a GitHub Release
+
+Specify the tag we just pushed to attach release to. Copy notes from CHANGELOG.md
+
+[https://github.com/grempe/session-keys-rb/releases](https://github.com/grempe/session-keys-rb/releases)
+
+## Announce Release on Twitter
+
+The normal blah, blah, blah.

data/lib/session_keys.rb

@@ -6,75 +6,31 @@ require 'base64'
 
 # SessionKeys deterministic cryptographic key generation.
 module SessionKeys
-  # Opslimit represents a maximum amount of computations to perform.
-  # Raising this number will make the function require more CPU cycles to
-  # compute a key.
-  #
-  # Number of scrypt computations for scrypt to perform for interactive security setting.
-  # Set to SCRYPT_MEMLIMIT_INTERACTIVE / 32
-  #
-  # For interactive, online operations, `SCRYPT_OPSLIMIT_INTERACTIVE` and
-  # `SCRYPT_MEMLIMIT_INTERACTIVE` provide a safe base line for these two parameters.
-  # However, using higher values may improve security.
-  #
-  # See : https://download.libsodium.org/doc/password_hashing/scrypt.html
-  SCRYPT_OPSLIMIT_INTERACTIVE = 2**19
-
-  # Memlimit is the maximum amount of RAM that the function will use, in
-  # bytes. It is highly recommended to allow the function to use at least 16
-  # megabytes.
-  #
-  # Max RAM in Bytes to be used by scrypt for interactive security setting.
-  SCRYPT_MEMLIMIT_INTERACTIVE = 2**24
-
-  # Number of scrypt computations for scrypt to perform for sensitive security setting.
-  # Set to SCRYPT_MEMLIMIT_SENSITIVE / 32
-  #
-  # For highly sensitive data, `SCRYPT_OPSLIMIT_SENSITIVE` and `SCRYPT_MEMLIMIT_SENSITIVE` can
-  # be used as an alternative. But with these parameters, deriving a key takes
-  # about 2 seconds on a 2.8 Ghz Core i7 CPU and requires up to 1 gigabyte of
-  # dedicated RAM.
-  SCRYPT_OPSLIMIT_SENSITIVE = 2**25
-
-  # Max RAM in Bytes to be used by scrypt for sensitive security setting.
-  SCRYPT_MEMLIMIT_SENSITIVE = 2**30
-
-  # Size in Bytes of the scrypt derived output for the id
-  SCRYPT_DIGEST_SIZE_ID = 32
-
-  # Size in Bytes of the scrypt derived output for the password
-  SCRYPT_DIGEST_SIZE_PASSWORD = 256
-
-  # A site-wide 32 Byte common random value that will be concatenated with a value
-  # being hashed for some additional measure of security against dictionary
-  # style attacks. This value was randomly chosen but must be the same across
-  # implementations and is assumed public.
-  PEPPER = 'f01f0a0c44a2d1e7e5b00d7dc78941d404474a90ce7f4ae9d1432bf76fa169e7'.freeze
+  # Size in bytes of the scrypt derived output
+  SCRYPT_DIGEST_SIZE = 256
 
   # Deterministically generates a collection of derived encryption key material from
-  # a provided id and password. Uses SHA256 and scrypt for key derivation.
+  # a provided id and password/passphrase. Uses SHA256 and scrypt for key derivation.
   #
-  # @param id [String] a unique UTF-8 String identifier such as a username or
+  # @param id [String] a unique US-ASCII or UTF-8 encoded String identifier such as a username or
   #   email address. Max length 256 characters.
-  # @param password [String] a cryptographically strong UTF-8 password or
+  # @param password [String] a cryptographically strong US-ASCII or UTF-8 encoded password or
   #   passphrase. Max length 256 characters.
-  # @param strength [Symbol] the desired strength of the key derivation. Can be
-  #   the symbols :interactive or (:sensitive).
   # @param min_password_entropy [Integer] the minimum (75) estimated entropy allowed
   #   for the password. This will be measured with Zxcvbn.
   # @return [Hash] returns a Hash of keys and derived key material.
   # @raise [ArgumentError] if invalid arguments are provided.
-  def self.generate(id, password, strength = :sensitive, min_password_entropy = 75)
-    unless id.is_a?(String) && id.encoding.name == 'UTF-8'
-      raise ArgumentError, 'invalid id, not a UTF-8 string'
+  def self.generate(id, password, min_password_entropy = 75)
+    unless id.is_a?(String) && ['US-ASCII', 'UTF-8'].include?(id.encoding.name)
+      raise ArgumentError, 'invalid id, not a US-ASCII or UTF-8 string'
     end
 
     unless id.length.between?(1,256)
       raise ArgumentError, 'invalid id, must be between 1 and 256 characters in length'
     end
 
-    unless password.is_a?(String) && password.encoding.name == 'UTF-8'
-      raise ArgumentError, 'invalid password, not a UTF-8 string'
+    unless password.is_a?(String) && ['US-ASCII', 'UTF-8'].include?(password.encoding.name)
+      raise ArgumentError, 'invalid password, not a US-ASCII or UTF-8 string'
     end
 
     # Enforce max length only due to Zxcvbn taking a *long* time to
@@ -92,32 +48,10 @@ module SessionKeys
       raise ArgumentError, "invalid password, must be at least #{min_password_entropy} bits of estimated entropy"
     end
 
-    unless [:interactive, :sensitive].include?(strength)
-      raise ArgumentError, 'invalid strength, must be :interactive (min), or :sensitive (strong)'
-    end
-
     start_processing_time = Time.now
 
-    # Run the ID and a 'pepper' (an app common salt) through scrypt. This will be
-    # the system ID for this user. This processing is done to prevent knowledge
-    # of the user on the server side and prevent the ability to reverse this
-    # ID back into a username or email. Using scrypt instead of a SHA256 Hash
-    # is so that it will also take unreasonable effort for someone with a list
-    # of user identifiers from looking up users on the system quickly even if
-    # provided with a local copy of the DB.
     id_sha256_bytes = RbNaCl::Hash.sha256(id.bytes.pack('C*'))
-
-    id_sha256_pepper_bytes = RbNaCl::Hash.sha256(
-      "#{id}#{id.length}#{PEPPER}#{PEPPER.length}".bytes.pack('C*')
-    )
-
-    id_scrypt_hex = RbNaCl::PasswordHash.scrypt(
-      id_sha256_bytes,
-      id_sha256_pepper_bytes,
-      SCRYPT_OPSLIMIT_INTERACTIVE,
-      SCRYPT_MEMLIMIT_INTERACTIVE,
-      SCRYPT_DIGEST_SIZE_ID
-    ).bytes.map { |byte| '%02x' % byte }.join
+    id_sha256_hex = id_sha256_bytes.bytes.map { |byte| '%02x' % byte }.join
 
     # libsodium : By design, a password whose length is 65 bytes or more is
     # reduced to SHA-256(password). This can have security implications if the
@@ -125,63 +59,67 @@ module SessionKeys
     # SHA-256. Or when upgrading passwords previously hashed with unsalted
     # SHA-256 to scrypt. If this is a concern, passwords should be pre-hashed
     # before being hashed using scrypt.
-    password_sha256_bytes = RbNaCl::Hash.sha256(password.bytes.pack('C*'))
+    scrypt_key = RbNaCl::Hash.sha256(password.bytes.pack('C*'))
 
-    password_sha256_pepper_bytes = RbNaCl::Hash.sha256(
-      "#{id_scrypt_hex}#{id_scrypt_hex.length}#{PEPPER}#{PEPPER.length}".bytes.pack('C*')
-    )
+    # Tie the sycrypt password bytes to the ID they are associate with by
+    # utilizing the ID as the salt. Include the ID length and an additional
+    # string to harden the salt.
+    scrypt_salt = RbNaCl::Hash.sha256([id_sha256_hex,
+                                       id_sha256_hex.length,
+                                       'session_keys'].join('').bytes.pack('C*'))
 
-    # Derive SCRYPT_DIGEST_SIZE_PASSWORD secret bytes. They will be split
-    # into 32 Byte chunks to serve as deterministic seeds for ID or key
-    # generation. Some derived bytes are reserved for future use.
+    # Derive SCRYPT_DIGEST_SIZE secret bytes
     password_digest = RbNaCl::PasswordHash.scrypt(
-      password_sha256_bytes,
-      password_sha256_pepper_bytes,
-      strength == :interactive ? SCRYPT_OPSLIMIT_INTERACTIVE : SCRYPT_OPSLIMIT_SENSITIVE,
-      strength == :interactive ? SCRYPT_MEMLIMIT_INTERACTIVE : SCRYPT_MEMLIMIT_SENSITIVE,
-      SCRYPT_DIGEST_SIZE_PASSWORD
+      scrypt_key,
+      scrypt_salt,
+      16384 * 32,
+      16384 * 32 * 32,
+      SCRYPT_DIGEST_SIZE
     ).bytes
 
-    # Break up the scrypt digest into 32 Byte seeds.
-    secret_bytes = []
-    (SCRYPT_DIGEST_SIZE_PASSWORD/32).times { secret_bytes << password_digest.shift(32) }
-
-    # Seed 0 : RbNaCl::SimpleBox
-    # The seed bytes are used as a 32 Byte key suitable for
-    # simple symetric key encryption using `RbNaCl::SimpleBox`. SimpleBox is
-    # a wrapper around NaCl SecretBox construct with automated nonce management.
-    #
-    # To encrypt/decreypt with this object try:
-    #  ciphertext = nacl_simple_box.encrypt('foobar')
-    #  plaintext = nacl_simple_box.decrypt(ciphertext)
-    nacl_simple_box_key = secret_bytes[0].pack('C*').force_encoding('ASCII-8BIT')
-    nacl_simple_box = RbNaCl::SimpleBox.from_secret_key(nacl_simple_box_key)
-
-    # Seed 1 : NaCl Box Keypair
-    nacl_enc_sec_seed = secret_bytes[1].pack('C*').force_encoding('ASCII-8BIT')
-    nacl_enc_sec_key = RbNaCl::PrivateKey.new(nacl_enc_sec_seed)
-    nacl_enc_pub_key = nacl_enc_sec_key.public_key
-
-    # Seed 2 : NaCl Signing Keypair
-    nacl_sig_sec_seed = secret_bytes[2].pack('C*').force_encoding('ASCII-8BIT')
-    nacl_sig_sec_key = RbNaCl::SigningKey.new(nacl_sig_sec_seed)
-    nacl_sig_pub_key = nacl_sig_sec_key.verify_key
-
-    # Seed 3 : Reserved for future use.
-    # Seed 4 : Reserved for future use.
-    # Seed 5 : Reserved for future use.
-    # Seed 6 : Reserved for future use.
-    # Seed 7 : Reserved for future use.
+    num_keys = SCRYPT_DIGEST_SIZE / 32
+
+    byte_keys = []
+    num_keys.times { byte_keys << password_digest.shift(32) }
+
+    hex_keys = byte_keys.map { |key|
+      key.map { |byte| '%02x' % byte }.join
+    }
+
+    nacl_encryption_key_pairs = byte_keys.map { |key|
+      seed = key.pack('C*').force_encoding('ASCII-8BIT')
+      sec_key = RbNaCl::PrivateKey.new(seed)
+      pub_key = sec_key.public_key
+      {secret_key: sec_key, public_key: pub_key}
+    }
+
+    nacl_encryption_key_pairs_base64 = nacl_encryption_key_pairs.map { |keypair|
+      pub_key = Base64.strict_encode64(keypair[:public_key].to_bytes)
+      sec_key = Base64.strict_encode64(keypair[:secret_key].to_bytes)
+      {secret_key: sec_key, public_key: pub_key}
+    }
+
+    nacl_signing_key_pairs = byte_keys.map { |key|
+      seed = key.pack('C*').force_encoding('ASCII-8BIT')
+      sec_key = RbNaCl::SigningKey.new(seed)
+      pub_key = sec_key.verify_key
+      {secret_key: sec_key, public_key: pub_key}
+    }
+
+    nacl_signing_key_pairs_base64 = nacl_signing_key_pairs.map { |keypair|
+      pub_key = Base64.strict_encode64(keypair[:public_key].to_bytes)
+      sec_key = Base64.strict_encode64(keypair[:secret_key].to_bytes)
+      {secret_key: sec_key, public_key: pub_key}
+    }
 
     {
-      id: id_scrypt_hex,
-      nacl_simple_box: nacl_simple_box,
-      nacl_enc_pub_key: nacl_enc_pub_key,
-      nacl_enc_sec_key: nacl_enc_sec_key,
-      nacl_sig_pub_key: nacl_sig_pub_key,
-      nacl_sig_sec_key: nacl_sig_sec_key,
-      nacl_enc_pub_key_b64: Base64.strict_encode64(nacl_enc_pub_key.to_bytes),
-      nacl_sig_pub_key_b64: Base64.strict_encode64(nacl_sig_pub_key.to_bytes),
+      id: id_sha256_hex,
+      byte_keys: byte_keys,
+      hex_keys: hex_keys,
+      nacl_encryption_key_pairs: nacl_encryption_key_pairs,
+      nacl_encryption_key_pairs_base64: nacl_encryption_key_pairs_base64,
+      nacl_signing_key_pairs: nacl_signing_key_pairs,
+      nacl_signing_key_pairs_base64: nacl_signing_key_pairs_base64,
       process_time: ((Time.now - start_processing_time)*1000).round(2)
     }
   end

data/lib/session_keys/version.rb

@@ -1,3 +1,3 @@
 module SessionKeys
-  VERSION = '0.1.0'.freeze
+  VERSION = '1.0.0'.freeze
 end

data/session_keys.gemspec

@@ -18,29 +18,21 @@ Gem::Specification.new do |spec|
   end
 
   spec.summary = <<-EOF
-    SessionKeys generates a deterministic user ID and NaCl encryption/signing
+    SessionKeys generates deterministic user IDs and NaCl encryption/signing
     keypairs from an identifier, such as a username or email address, a
     password, and a strength value.
   EOF
 
   spec.description = <<-EOF
     SessionKeys is a cryptographic tool for the deterministic generation of
-    NaCl compatible [Curve25519](https://cr.yp.to/ecdh.html) encryption and
-    [Ed25519](http://ed25519.cr.yp.to) digital signature keys.
+    NaCl compatible Curve25519 encryption and Ed25519 digital signature keys.
 
-    The strength of the system lies in the fact that the keypairs are derived from
+    The strength of the system is rooted in the fact that the keypairs are derived from
     passing an identifier, such as a username or email address, and a high-entropy
-    passphrase through the `SHA256` hash and the `scrypt` key derivation
-    functions. This means that no private key material need ever be stored to disk.
-    The generated keys are deterministic; for any given ID, password, and
-    strength combination the same keys will always be returned.
-
-    The generated ID is passed through `SHA256` and `scrypt` and is derived from
-    only the ID parameter your provide and a common salt.
-
-    The password is also passed through `SHA256` and `scrypt` and NaCl encryption
-    and signing keypairs are derived from the combination of the stretched ID,
-    your password, and a common salt.
+    passphrase through the SHA256 one-way hash and the scrypt key derivation
+    functions. This means that no private key material need ever be writter to
+    disk or transmitted. The generated keys are deterministic; for any given ID,
+    password, and strength combination the same keys will always be returned.
   EOF
 
   spec.homepage      = 'https://github.com/grempe/session-keys-rb'
@@ -51,10 +43,7 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
-  # FIXME : uncomment when @bascule publishes new rbnacl release
-  # and remove from Gemfile.
-  # https://github.com/cryptosphere/rbnacl/pull/135
-  # spec.add_dependency 'rbnacl', '~> 3.3.0'
+  spec.add_dependency 'rbnacl', '~> 3.4.0'
   spec.add_dependency 'rbnacl-libsodium', '~> 1.0'
   spec.add_dependency 'zxcvbn-ruby', '~> 0.1'
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: session_keys
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 1.0.0
 platform: ruby
 authors:
 - Glenn Rempe
@@ -30,8 +30,22 @@ cert_chain:
   zieXiXZSAojfFx9g91fKdIrlPbInHU/BaCxXSLBwvOM0drE+c2ue9X8gB55XAhzX
   37oBiw==
   -----END CERTIFICATE-----
-date: 2016-05-01 00:00:00.000000000 Z
+date: 2016-09-08 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: rbnacl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.4.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.4.0
 - !ruby/object:Gem::Dependency
   name: rbnacl-libsodium
   requirement: !ruby/object:Gem::Requirement
@@ -160,22 +174,14 @@ dependencies:
         version: '1.3'
 description: |2
       SessionKeys is a cryptographic tool for the deterministic generation of
-      NaCl compatible [Curve25519](https://cr.yp.to/ecdh.html) encryption and
-      [Ed25519](http://ed25519.cr.yp.to) digital signature keys.
+      NaCl compatible Curve25519 encryption and Ed25519 digital signature keys.
 
-      The strength of the system lies in the fact that the keypairs are derived from
+      The strength of the system is rooted in the fact that the keypairs are derived from
       passing an identifier, such as a username or email address, and a high-entropy
-      passphrase through the `SHA256` hash and the `scrypt` key derivation
-      functions. This means that no private key material need ever be stored to disk.
-      The generated keys are deterministic; for any given ID, password, and
-      strength combination the same keys will always be returned.
-
-      The generated ID is passed through `SHA256` and `scrypt` and is derived from
-      only the ID parameter your provide and a common salt.
-
-      The password is also passed through `SHA256` and `scrypt` and NaCl encryption
-      and signing keypairs are derived from the combination of the stretched ID,
-      your password, and a common salt.
+      passphrase through the SHA256 one-way hash and the scrypt key derivation
+      functions. This means that no private key material need ever be writter to
+      disk or transmitted. The generated keys are deterministic; for any given ID,
+      password, and strength combination the same keys will always be returned.
 email:
 - glenn@rempe.us
 executables: []
@@ -188,10 +194,12 @@ files:
 - ".ruby-version"
 - ".travis.yml"
 - ".yardopts"
+- CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - Gemfile
 - LICENSE.txt
 - README.md
+- RELEASE.md
 - Rakefile
 - bin/console
 - bin/setup
@@ -222,8 +230,7 @@ rubyforge_project:
 rubygems_version: 2.5.1
 signing_key: 
 specification_version: 4
-summary: SessionKeys generates a deterministic user ID and NaCl encryption/signing
+summary: SessionKeys generates deterministic user IDs and NaCl encryption/signing
   keypairs from an identifier, such as a username or email address, a password, and
   a strength value.
 test_files: []
-has_rdoc: 

metadata.gz.sig

@@ -1,3 +1 @@
-�Q^�Ő`�:�
-�gcO����ب�g�f$���È��W˷[���e M���U��cOK��zZj��4ɺ��L�9�|m��85CgE�o�H%��0���~yl�"�I'�>̼���HjX�N�`�/
T�D�ۤ��7/
�o��Γ��%�H�kӕ���3I���ox��e̟2+��6[��5�q<N�>TW�$^0�;8U�dW�.����k[�E]��v��I��R����8�3B������߹A
-��Ÿk?
+S�g{��˟��{��ۂHY���:M���J���UU-�M?ǭ�F��@�W9�� �	���h��x�r}�C����N�Ǚ�6�k3�����֞������y����s��\�$i��]=��,P��������h)�