ipcrypt

v0.1.1
Published: Sep 9, 2025 License: ISC Imports: 6 Imported by: 1

README

Go Implementation of IPCrypt

This is a Go implementation of the IP address encryption and obfuscation methods specified in the ipcrypt document ("Methods for IP Address Encryption and Obfuscation").

Overview

The implementation provides three methods for IP address encryption:

  1. ipcrypt-deterministic: A deterministic mode where the same input always produces the same output for a given key.
  2. ipcrypt-nd: A non-deterministic mode that uses an 8-byte tweak for enhanced privacy.
  3. ipcrypt-ndx: An extended non-deterministic mode that uses a 32-byte key and 16-byte tweak for increased security.

Installation

go get github.com/jedisct1/go-ipcrypt

Usage

package main

import (
    "crypto/rand"
    "fmt"
    "net"
    "github.com/jedisct1/go-ipcrypt"
)

func main() {
    // Create a 16-byte key for ipcrypt-deterministic mode
    key := make([]byte, ipcrypt.KeySizeDeterministic)
    rand.Read(key)

    // Encrypt an IP address (ipcrypt-deterministic mode)
    ip := net.ParseIP("192.168.1.1")
    encrypted, err := ipcrypt.EncryptIP(key, ip)
    if err != nil {
        panic(err)
    }
    fmt.Printf("Encrypted: %s\n", encrypted)

    // Decrypt the IP address
    decrypted, err := ipcrypt.DecryptIP(key, encrypted)
    if err != nil {
        panic(err)
    }
    fmt.Printf("Decrypted: %s\n", decrypted)

    // ipcrypt-nd mode with random tweak
    ndKey := make([]byte, ipcrypt.KeySizeND)
    rand.Read(ndKey)

    encryptedND, err := ipcrypt.EncryptIPNonDeterministic(ip.String(), ndKey, nil)
    if err != nil {
        panic(err)
    }

    decryptedND, err := ipcrypt.DecryptIPNonDeterministic(encryptedND, ndKey)
    if err != nil {
        panic(err)
    }
    fmt.Printf("Non-deterministic decrypted: %s\n", decryptedND)

    // ipcrypt-ndx mode with random tweak
    xtsKey := make([]byte, ipcrypt.KeySizeNDX)
    rand.Read(xtsKey)

    encryptedX, err := ipcrypt.EncryptIPNonDeterministicX(ip.String(), xtsKey, nil)
    if err != nil {
        panic(err)
    }

    decryptedX, err := ipcrypt.DecryptIPNonDeterministicX(encryptedX, xtsKey)
    if err != nil {
        panic(err)
    }
    fmt.Printf("Extended non-deterministic decrypted: %s\n", decryptedX)
}

API Reference

Constants

  • KeySizeDeterministic: 16 bytes (ipcrypt-deterministic)
  • KeySizeND: 16 bytes (ipcrypt-nd)
  • KeySizeNDX: 32 bytes (ipcrypt-ndx)
  • TweakSize: 8 bytes (ipcrypt-nd tweak)
  • TweakSizeX: 16 bytes (ipcrypt-ndx tweak)

Functions

Deterministic Mode

  • EncryptIP(key []byte, ip net.IP) (net.IP, error) - Encrypts an IP address deterministically
  • DecryptIP(key []byte, encrypted net.IP) (net.IP, error) - Decrypts an IP address deterministically
  • EncryptIPPfx(ip net.IP, key []byte) (net.IP, error) - Encrypts an IP address with prefix preservation (32-byte key)
  • DecryptIPPfx(encryptedIP net.IP, key []byte) (net.IP, error) - Decrypts an IP address with prefix preservation (32-byte key)

The Pfx functions take (ip, key), the reverse of EncryptIP and DecryptIP. Because net.IP and []byte are assignable to each other in Go, swapped arguments still compile.

Non-Deterministic Mode (ipcrypt-nd)

  • EncryptIPNonDeterministic(ip string, key []byte, tweak []byte) ([]byte, error) - Encrypts with 8-byte tweak
  • DecryptIPNonDeterministic(ciphertext []byte, key []byte) (string, error) - Decrypts ipcrypt-nd ciphertext

Extended Non-Deterministic Mode (ipcrypt-ndx)

  • EncryptIPNonDeterministicX(ip string, key []byte, tweak []byte) ([]byte, error) - Encrypts with 16-byte tweak
  • DecryptIPNonDeterministicX(ciphertext []byte, key []byte) (string, error) - Decrypts ipcrypt-ndx ciphertext

Documentation

Overview

Package ipcrypt implements IP address encryption and obfuscation methods. It provides three encryption modes:

  • ipcrypt-deterministic: A deterministic mode where the same input always produces the same output
  • ipcrypt-nd: A non-deterministic mode that uses an 8-byte tweak
  • ipcrypt-ndx: An extended non-deterministic mode that uses a 32-byte key and 16-byte tweak

For non-deterministic modes, passing nil as the tweak parameter will automatically generate a random tweak.
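
The following is an added example, not code from this package: a standard-library model of the ndx token, showing the nil-tweak behaviour described above and the tweak || ciphertext layout that EncryptIPNonDeterministicX is documented to return. It assumes ipcrypt-ndx is single-block AES-XTS with the 32-byte key split into two AES-128 keys; xts, ndxEncrypt and ndxDecrypt are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
	"net"
)

// xts models ipcrypt-ndx as single-block AES-XTS (an assumption, not the
// package's code): op_k1(in ^ et) ^ et, with et = AES_k2(tweak).
func xts(key, tweak, in []byte, op func(cipher.Block, []byte, []byte)) []byte {
	k1, _ := aes.NewCipher(key[:16]) // lengths are validated by the callers
	k2, _ := aes.NewCipher(key[16:])
	et, out := make([]byte, 16), make([]byte, 16)
	k2.Encrypt(et, tweak)
	subtle.XORBytes(out, in, et)
	op(k1, out, out) // cipher.Block.Encrypt or cipher.Block.Decrypt
	subtle.XORBytes(out, out, et)
	return out
}

// ndxEncrypt returns tweak || ciphertext (16 + 16 bytes); nil tweak = random.
func ndxEncrypt(ip string, key, tweak []byte) ([]byte, error) {
	in := net.ParseIP(ip).To16() // IPv4 becomes ::ffff:a.b.c.d
	if tweak == nil {
		tweak = make([]byte, 16)
		rand.Read(tweak)
	}
	if len(key) != 32 || len(tweak) != 16 || in == nil {
		return nil, fmt.Errorf("bad key size, tweak size or IP")
	}
	ct := xts(key, tweak, in, cipher.Block.Encrypt)
	return append(append([]byte{}, tweak...), ct...), nil
}

// ndxDecrypt splits a stored token into tweak and ciphertext and inverts it.
func ndxDecrypt(token, key []byte) (string, error) {
	if len(key) != 32 || len(token) != 32 {
		return "", fmt.Errorf("bad key or token size")
	}
	return net.IP(xts(key, token[:16], token[16:], cipher.Block.Decrypt)).String(), nil
}

func main() {
	tok, _ := ndxEncrypt("192.0.2.1", make([]byte, 32), nil) // constructed all-zero key
	fmt.Printf("%d-byte token: %x\n", len(tok), tok)
}
```

Each call with a nil tweak yields a different 32-byte token for the same address, so stored tokens cannot be joined or deduplicated without the key. Where equality across records must be preserved, that is the property the deterministic mode provides instead.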

Constants

const (
	KeySizeDeterministic = 16 // Size in bytes of the key for ipcrypt-deterministic mode
	KeySizeND            = 16 // Size in bytes of the key for ipcrypt-nd mode
	KeySizeNDX           = 32 // Size in bytes of the key for ipcrypt-ndx mode
)

Key sizes for different encryption modes

const (
	TweakSize  = 8  // Size in bytes of the tweak for ipcrypt-nd mode
	TweakSizeX = 16 // Size in bytes of the tweak for ipcrypt-ndx mode
)

Tweak sizes for different encryption modes

Variables

var (
	ErrInvalidKeySize = errors.New("invalid key size")
	ErrInvalidIP      = errors.New("invalid IP address")
	ErrInvalidTweak   = errors.New("invalid tweak size")
)

Error definitions for the package

Functions

func DecryptIP

func DecryptIP(key []byte, encrypted net.IP) (net.IP, error)

DecryptIP decrypts an IP address that was encrypted using ipcrypt-deterministic mode. The key must be exactly KeySizeDeterministic bytes long. Returns the decrypted IP address as a net.IP.

func DecryptIPNonDeterministic

func DecryptIPNonDeterministic(ciphertext []byte, key []byte) (string, error)

DecryptIPNonDeterministic decrypts an IP address that was encrypted using ipcrypt-nd mode. The key must be exactly KeySizeND bytes long. Returns the decrypted IP address as a string.

func DecryptIPNonDeterministicX

func DecryptIPNonDeterministicX(ciphertext []byte, key []byte) (string, error)

DecryptIPNonDeterministicX decrypts an IP address that was encrypted using ipcrypt-ndx mode. The key must be exactly KeySizeNDX bytes long. Returns the decrypted IP address as a string.

func DecryptIPPfx added in v0.1.1

func DecryptIPPfx(encryptedIP net.IP, key []byte) (net.IP, error)

DecryptIPPfx decrypts an IP address that was encrypted using ipcrypt-pfx mode. The key must be exactly 32 bytes long (split into two AES-128 keys). Returns the decrypted IP address.

func EncryptIP

func EncryptIP(key []byte, ip net.IP) (net.IP, error)

EncryptIP encrypts an IP address using ipcrypt-deterministic mode. The key must be exactly KeySizeDeterministic bytes long. Returns the encrypted IP address as a net.IP.

func EncryptIPNonDeterministic

func EncryptIPNonDeterministic(ip string, key []byte, tweak []byte) ([]byte, error)

EncryptIPNonDeterministic encrypts an IP address using ipcrypt-nd mode. The key must be exactly KeySizeND bytes long. If tweak is nil, a random tweak will be generated. Returns a byte slice containing the tweak concatenated with the encrypted IP.

func EncryptIPNonDeterministicX

func EncryptIPNonDeterministicX(ip string, key []byte, tweak []byte) ([]byte, error)

EncryptIPNonDeterministicX encrypts an IP address using ipcrypt-ndx mode. The key must be exactly KeySizeNDX bytes long. If tweak is nil, a random tweak will be generated. Returns a byte slice containing the tweak concatenated with the encrypted IP.

func EncryptIPPfx added in v0.1.1

func EncryptIPPfx(ip net.IP, key []byte) (net.IP, error)

EncryptIPPfx encrypts an IP address using ipcrypt-pfx mode. The key must be exactly 32 bytes long (split into two AES-128 keys). Returns the encrypted IP address maintaining the original format (IPv4 or IPv6).

func KiasuBCDecrypt

func KiasuBCDecrypt(key, tweak, block []byte) ([]byte, error)

KiasuBCDecrypt decrypts a 16-byte block using KIASU-BC with the given key and tweak.

func KiasuBCEncrypt

func KiasuBCEncrypt(key, tweak, block []byte) ([]byte, error)

KiasuBCEncrypt encrypts a 16-byte block using KIASU-BC with the given key and tweak.

Types

This section is empty.
