mirror of
https://github.com/DNSCrypt/dnscrypt-proxy.git
synced 2025-04-04 21:57:44 +03:00
2d1dd7eaab
This works over DNSCrypt and DoH, but requires a specifically configured server. Instead of sending the actual DNS queries, the SH-T system works as follows: Step 1: the client query is evaluated through Argon2id, a military-grade, memory-hard, CPU-hard stretching function. This makes it very expensive for an attacker to find the original query, even using GPUs and ASICs. For post-quantum resistance, we use it to generate a 1024-bit key. Step 2: in case the Argon2id algorithm has a vulnerability, or, since this is a popular function used for hashing passwords and for cryptocurrencices, and people may have built rainbow tables already, we use a hash function over the result of the previous function. This immediately defeats rainbow tables. Step 3: the output of the hash function is truncated to 64-bit. Due to a property of this operation known as collision-misresistance, and even if the previous steps fail due to a nation-state actor, it is impossible for a server operator to prove what exact query was originally sent by a client. This feature is experimental.
32 lines
611 B
Go
32 lines
611 B
Go
// Copyright 2017 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
// +build go1.9
|
|
|
|
package blake2b
|
|
|
|
import (
|
|
"crypto"
|
|
"hash"
|
|
)
|
|
|
|
func init() {
|
|
newHash256 := func() hash.Hash {
|
|
h, _ := New256(nil)
|
|
return h
|
|
}
|
|
newHash384 := func() hash.Hash {
|
|
h, _ := New384(nil)
|
|
return h
|
|
}
|
|
|
|
newHash512 := func() hash.Hash {
|
|
h, _ := New512(nil)
|
|
return h
|
|
}
|
|
|
|
crypto.RegisterHash(crypto.BLAKE2b_256, newHash256)
|
|
crypto.RegisterHash(crypto.BLAKE2b_384, newHash384)
|
|
crypto.RegisterHash(crypto.BLAKE2b_512, newHash512)
|
|
}
|