

6.4 Sealers

The (goblins actor-lib sealers) module provides a mechanism for ensuring the authenticity of data. Using sealers, data can be hidden within a wrapper and marked with a unique brand to produce a sealed object. A sealed object can be checked to verify that it has been marked with the expected brand. An authentic sealed object can then be unsealed to reveal the data within. Sealers and unsealers are analogous to public key cryptography, where sealing resembles encryption, unsealing resembles decryption, and the brand check predicate resembles signature verification. However, sealers work without any cryptography at all!

Sealers comprise three distinct capabilities: the sealer, the unsealer, and the brand check. Using separate capabilities allows for fine-grained privilege management. For example, an actor that only has the brand check capability cannot seal or unseal data.

Imagine a scenario where we are protecting lunchtime meals using sealers and unsealers. Our rival, who wishes to sabotage us, does the same:

> (define-values (our-lunch:seal our-lunch:unseal our-can?)
    (spawn-sealer-triplet))
> (define-values (rival-lunch:seal rival-lunch:unseal rival-can?)
    (spawn-sealer-triplet))

Calling the spawn-sealer-triplet procedure returns three new actors representing the seal, unseal, and check capabilities. We give our customer the unsealer, the delivery driver the brand predicate, and we keep the sealer to ourselves so no one else can brand their lunch as ours.

A value can be sealed by sending it as a message to the sealer. Let’s put some fried rice in a can by sending a message to the sealer:

> ($ our-lunch:seal 'fried-rice)
=> #<local-object sealed-value>

The contents of sealed cans are private and cannot be seen by inspecting the sealed object.

Our customer wants some chickpea salad, so we seal some for them:

> (define chickpea-lunch ($ our-lunch:seal 'chickpea-salad))

Our truck driver is able to check that the food they are to deliver really is from us (we have a reputation to uphold!) by sending a message to the brand predicate:

> ($ our-can? chickpea-lunch)
=> #t
> ($ our-can? ($ rival-lunch:seal 'melted-ice-cream))
=> #f

The customer is able to open up their can by sending it to the unsealer:

> ($ our-lunch:unseal chickpea-lunch)
=> chickpea-salad
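
The following sketch is an added example, not code from Goblins: it shows in plain Guile how a brand can be made unforgeable without cryptography by giving each triplet its own freshly created record type. The name make-sealer-triplet and its procedure-based interface are hypothetical, and the sketch does not model the actor isolation that keeps sealed contents private in Goblins.

```scheme
;; Added illustration, not the Goblins implementation: plain Guile
;; procedures stand in for the sealer, unsealer and brand-check actors.
(define (make-sealer-triplet brand-name)
  ;; make-record-type is generative: each call returns a new type that
  ;; is distinct from every other, even when the names are identical.
  (define rtd (make-record-type brand-name '(contents)))
  (define wrap (record-constructor rtd))
  (define branded? (record-predicate rtd))
  (define contents (record-accessor rtd 'contents))
  (define (unseal can)
    ;; Refuse anything that was not produced by this triplet's sealer.
    (unless (branded? can)
      (error "not sealed with this brand" can))
    (contents can))
  (values wrap unseal branded?))

;; Constructed sample data mirroring the lunch scenario above.
(define-values (our-seal our-unseal our-can?)
  (make-sealer-triplet 'lunch))
(define-values (rival-seal rival-unseal rival-can?)
  (make-sealer-triplet 'lunch))          ; same name, different brand

(define ours (our-seal 'chickpea-salad))
(define theirs (rival-seal 'melted-ice-cream))

;; Run a thunk and report whether it raised an error.
(define (rejected? thunk)
  (catch #t
    (lambda () (thunk) #f)
    (lambda (key . args) #t)))

;; Print the label when the condition holds, raise an error otherwise.
(define (expect label ok?)
  (unless ok? (error "expectation failed" label))
  (display label) (newline))

(expect "our can passes our brand check" (our-can? ours))
(expect "rival can fails our brand check" (not (our-can? theirs)))
(expect "our unsealer opens our can"
        (eq? (our-unseal ours) 'chickpea-salad))
(expect "our unsealer refuses the rival's can"
        (rejected? (lambda () (our-unseal theirs))))
(expect "the rival's unsealer refuses our can"
        (rejected? (lambda () (rival-unseal ours))))
```

Because the brand is the identity of a record type that only the triplet's closures can reach, handing out the brand check alone gives the holder no way to construct or open a can.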
