[Passwords] Update Leak Detection API Proto

This change updated leak_detection_api.proto to use the LookupSingleLeak messages. Furthermore, it drops the PasswordsLeakCheckService definition, as this is not necessary for a REST API call. Bug: 986298 Change-Id: I0ad7e48ce3892cb46b8d0ed08f4a44de6b3a7212 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1738693Reviewed-by: Vasilii Sukhanov <vasilii@chromium.org> Commit-Queue: Jan Wilken Dörrie <jdoerrie@chromium.org> Cr-Commit-Position: refs/heads/master@{#684318}

[Passwords] Update Leak Detection API Proto
This change updated leak_detection_api.proto to use the LookupSingleLeak messages. Furthermore, it drops the PasswordsLeakCheckService definition, as this is not necessary for a REST API call. Bug: 986298 Change-Id: I0ad7e48ce3892cb46b8d0ed08f4a44de6b3a7212 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1738693Reviewed-by: Vasilii Sukhanov <vasilii@chromium.org> Commit-Queue: Jan Wilken Dörrie <jdoerrie@chromium.org> Cr-Commit-Position: refs/heads/master@{#684318}
4ee39504 · Jan Wilken Dörrie · Commit Bot · 101bf978 · 4ee39504
Commit 4ee39504 authored Aug 06, 2019 by Jan Wilken Dörrie Committed by Commit Bot Aug 06, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 25 additions and 70 deletions

components/password_manager/core/browser/leak_detection/leak_detection_api.proto ...ager/core/browser/leak_detection/leak_detection_api.proto +25 -70

No files found.
--- a/components/password_manager/core/browser/leak_detection/leak_detection_api.proto
+++ b/components/password_manager/core/browser/leak_detection/leak_detection_api.proto
 syntax = "proto3";

+// See the following for the server side definition:
+// http://google3/google/internal/identity/passwords/leak/check/v1/service.proto
 package google.internal.identity.passwords.leak.check.v1;

 option optimize_for = LITE_RUNTIME;

-// See internal/identity/passwords/leak/check/v1/service.proto for the server
-// side definition.
-service PasswordsLeakCheckService {
-  // Enables clients to privately check whether given username-password pairs
-  // are part of a leak that we collected.
-  //
-  // The protocol used here requires the client to request buckets of known
-  // leaks identified by a username-hash prefix (username_hash_prefix).
-  // In response, the server returns all the leaks (hashed username-password
-  // pairs) of the requested buckets (leak_match).
-  //
-  // In order to not leak the database of hashed username-password pairs
-  // to the client, we added the blinders protocol (go/blinders) into the mix.
-  // This allows the server to only return an encrypted version of the hashes
-  // to the clients (encrypted_leak_hash). The clients will not know the key
-  // with which the server encrypted the hashes.
-  // In order for the client to figure out if their credentials actually got
-  // leaked, they need to encrypt their username-password pair hashes with their
-  // own secret key and send the encrypted result to the server
-  // (encrypted_lookup_hash).
-  // The server will then reencrypt encrypted_lookup_hash with their own secret
-  // key and return that in the result (reencrypted_lookup_hash).
-  // The client will then reverse their own encryption on
-  // reencrypted_lookup_hash and look up if the result is in the list of
-  // returned leaks (leak_match). If so, the client has identified a leak.
-  rpc LookupLeaks(LookupLeaksRequest) returns (LookupLeaksResponse) {}
-}
-
-message LookupLeaksRequest {
+message LookupSingleLeakRequest {
  // The prefix of the username hash (algorithm: SHA-256;
  // string encoding: UTF8).
  //
@@ -44,10 +18,9 @@ message LookupLeaksRequest {
  // with 0.
  //
  // The client can request all known leaks for a given username bucket.
-  // This specifies the requested username buckets. All returned
-  // `leak_match` values will belong to one of the requested username
-  // buckets.
-  repeated bytes username_hash_prefix = 1;
+  // This specifies the requested username bucket. All returned
+  // `encrypted_leak_match_prefix` values will belong to that requested bucket.
+  bytes username_hash_prefix = 1;

  // The length of the username hash prefix in bits.
  // We only allow 24 bits at the moment.
@@ -66,45 +39,27 @@ message LookupLeaksRequest {
  // The key should be randomly generated by the client. It can choose a new one
  // per request, or even per hash. The server can't decrypt this and
  // won't know the difference.
-  repeated bytes encrypted_lookup_hash = 3;
+  bytes encrypted_lookup_hash = 3;
 }

-message LookupLeaksResponse {
+message LookupSingleLeakResponse {
  // The leaks that match the requested `username_hash_prefix`.
-  // This list is sorted by `encrypted_leak_hash` in order to enable binary
-  // search for matches.
-  repeated LeakMatch leak_match = 1;
-
-  // The reencrypted `encrypted_lookup_hash` from the request. In order for the
-  // clients to check for matches, it needs the server to reencrypt the
-  // `encrypted_lookup_hash` that they sent. The client can then reverse their
-  // own encryption and check `leak_match` for the resulting values.
-  repeated ReencryptedLookupHash reencrypted_lookup_hash = 2;
-
-  message LeakMatch {
-    // The requested username_hash_prefix that the leak matches belong to.
-    bytes username_hash_prefix = 2;
-
-    // The full hash of username and password that was discovered in a leak
-    // which was encrypted using a commutative cipher with a private key picked
-    // by the server.
-    // The hashing algorithm and cipher used are the same as defined in the
-    // request.
-    // Note: There are no guarantees that the server key stays the same between
-    // subsequent requests.
-    repeated bytes encrypted_leak_hash = 1;
-  }
+  // A prefix of the hash of username and password that was discovered in a leak
+  // which was encrypted using a commutative cipher with a private key picked
+  // by the server.
+  // The prefix length can vary depending on the response size but will be long
+  // enough in order to not cause any false positives. This is a pure bandwidth
+  // optimization measure.
+  // The hashing algorithm and cipher used are the same as defined in the
+  // request.
+  // Note: There are no guarantees that the server key stays the same between
+  // subsequent requests.
+  repeated bytes encrypted_leak_match_prefix = 1;

-  message ReencryptedLookupHash {
-    // The same as `encrypted_lookup_hash` from the request. This can be used by
-    // the client to link the reencrypted hash to the originally requested
-    // one.
-    bytes encrypted_lookup_hash = 1;
-    // The `encrypted_lookup_hash` reencrypted with the server's  private key
-    // (the same key that is used for encrypting `encrypted_leak_hash`).
-    // This enables the client to reverse their own encryption, giving the
-    // client a server-side only encrypted leak entry which it can use to check
-    // if `leak_match` contains it.
-    bytes reencrypted_lookup_hash = 2;
-  }
+  // The `encrypted_lookup_hash` reencrypted with the server's private key
+  // (the same key that is used for encrypting `encrypted_leak_match_prefix`).
+  // This enables the client to reverse their own encryption, giving the
+  // client a server-side only encrypted leak entry which it can use to check
+  // if `encrypted_leak_match_prefix` contains it.
+  bytes reencrypted_lookup_hash = 2;
 }