Package obfuscate implements quantizing and obfuscating of tags and resources for a set of spans matching certain criteria. This module is used in the Datadog Agent, the Go tracing client (dd-trace-go) and in the OpenTelemetry Collector Datadog exporter. End-user behavior is stable, but there are no stability guarantees on its public Go API. Nonetheless, when editing, try to avoid breaking API changes if possible and double-check the API usage on all module dependents.
garble obfuscates Go code by wrapping the Go toolchain.
Package ipcrypt implements IP address encryption and obfuscation methods. It provides three encryption modes: For non-deterministic modes, passing nil as the tweak parameter will automatically generate a random tweak.
Package obfs4 provides an implementation of the Tor Project's obfs4 obfuscation protocol.
Package obfs2 provides an implementation of the Tor Project's obfs2 obfuscation protocol. This protocol is considered trivially broken by most sophisticated adversaries.
Package fn implements the traditional map/filter/reduce/each functions and an array type (A) for those who prefer a more object-oriented approach. Unlike other implementations, the array (slice) is always first, preventing the first-class in-line anonymous function from obfuscating the parameter list of the functional function.
Package gqlgen contains an implementation of a gqlgen tracer, and functions to construct and configure the tracer. The tracer can be passed to the gqlgen handler (see package github.com/99designs/gqlgen/handler). Warning: Data obfuscation hasn't been implemented for GraphQL queries yet; any sensitive data in the query will be sent to Datadog as the resource name of the span. To ensure no sensitive data is included in your spans, always use parameterized GraphQL queries with sensitive data in variables.
Package presents implements a block cipher-based method of converting 64-bit unsigned integers to and from strings. The intended application is towards the obfuscation of sequential database IDs. This example shows how to encode and decode IDs. This example shows how to use a custom alphabet as well as shuffling it.
Package jettyobf is a Go implementation of the Jetty Password Obfuscation algorithm https://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html Note: obfuscated passwords have no security benefits. Obfuscated passwords are easily reverted to their plain-text form. THIS IS NOT A REPLACEMENT FOR PROPER PASSWORD HASHING OR ENCRYPTION.
Package gopaque implements the OPAQUE protocol. The OPAQUE protocol, described as of this writing in the RFC draft at https://tools.ietf.org/html/draft-krawczyk-cfrg-opaque-01, is a protocol that allows a user with a password to register and authenticate with a server without ever giving that server the password. It uses the OPAQUE password authenticated key exchange (PAKE) which uses derived keys for registration authentication. A high-level introduction to OPAQUE (and PAKEs in general) is available at https://blog.cryptographyengineering.com/2018/10/19/lets-talk-about-pake/. This implementation uses the https://github.com/dedis/kyber crypto library. The implementation is intentionally very extensible and exposed, but sensible default implementations are provided for every abstraction. The registration and authentication flows are below, followed by a couple of code examples clarifying usage.

This was developed by a hobbyist, not a cryptographer. The code has not been reviewed for accuracy or security. No care was taken to obfuscate the errors or prevent timing attacks. Only use after reviewing the code and understanding the implications.

OPAQUE registration is a 3-message process starting with the user where a user registers with the server. The only input a user needs is the password and after registration, the server has the info to perform authentication.

The steps for a user are:

1 - Create a NewUserRegister with the user ID
2 - Call Init with the password and send the resulting UserRegisterInit to the server
3 - Receive the server's ServerRegisterInit
4 - Call Complete with the server's ServerRegisterInit and send the resulting UserRegisterComplete to the server

The steps for a server are:

1 - Receive the user's UserRegisterInit
2 - Create a NewServerRegister with a private key
3 - Call Init with the user's UserRegisterInit and send the resulting ServerRegisterInit to the user
4 - Receive the user's UserRegisterComplete
5 - Call Complete with the user's UserRegisterComplete and persist the resulting ServerRegisterComplete

OPAQUE authentication is intended to be used in conjunction with a key exchange protocol to authenticate a user. Gopaque supports either an external key exchange protocol or one embedded into the auth process. The pure OPAQUE part of the flow is only a 2-message process, but validation with a key exchange often adds a third message. The steps below assume the key exchange is embedded in the auth process instead of being external.

The steps for a user are:

1 - Create a NewUserAuth with an embedded key exchange
2 - Call Init with the password and send the resulting UserAuthInit to the server
3 - Receive the server's ServerAuthComplete
4 - Call Complete with the server's ServerAuthComplete. The resulting UserAuthFinish has user and server key information. This would be the last step if we were not using an embedded key exchange. Since we are, take the resulting UserAuthComplete and send it to the server.

The steps for a server are:

1 - Receive the user's UserAuthInit
2 - Create a NewServerAuth with an embedded key exchange
3 - Call Complete with the user's UserAuthInit and persisted ServerRegisterComplete and send the resulting ServerAuthComplete to the user. This would be the last step if we were not using an embedded key exchange.
4 - Receive the user's UserAuthComplete
5 - Call Finish with the user's UserAuthComplete

This simple example doesn't marshal the messages, it just sends them. This example is a more complex example showing marshalling and using separate user and server-side connections.
Package obfuscate implements quantizing and obfuscating of tags and resources for a set of spans matching certain criteria.
Package key provides tools for generating and decoding unique, reversible string identifiers from numeric values using a custom alphabet. This package is particularly useful for creating URL-friendly identifiers, obfuscating sequential IDs, and generating human-readable unique keys. The package is built around the Locksmith type, which handles the conversion between numeric values and string keys. The conversion is bidirectional and deterministic - each numeric value maps to a unique string key, and each valid key maps back to its original numeric value.

Common Use Cases:

URL Shortening: Generate short, readable URLs from sequential IDs. Example:

    ls, _ := key.New("abcdefghijklmnopqrstuvwxyz", 5)
    shortURL, _ := ls.Marshal(1234567)

ID Obfuscation: Hide sequential database IDs in public-facing identifiers. Example:

    ls, _ := key.New("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", 8)
    publicID, _ := ls.Marshal(userID)   // convert DB ID to public identifier
    dbID, _ := ls.Unmarshal(publicID)   // recover original DB ID when needed

Ticket/Coupon Generation: Create unique, readable codes. Example:

    ls, _ := key.New("23456789ABCDEFGHJKLMNPQRSTUVWXYZ", 6)
    ticketCode, _ := ls.Marshal(ticketID)

Resource Identifiers: Generate unique identifiers for resources. Example:

    ls, _ := key.New("0123456789abcdef", 0) // dynamic length
    resourceID, _ := ls.Marshal(timestamp)

Key Features:

The package ensures that generated keys are unique within the possible range determined by the alphabet length and key size. For fixed-size keys, the maximum possible value is alphabet_length^key_size. For dynamic-size keys, the maximum value is uint64.MaxValue. For optimal performance and security, consider: