create secure remote connection method #30

Open
timkuijsten opened this issue Feb 4, 2015 · 1 comment
@timkuijsten (Member)

Unfortunately LibreSSL isn't going to be included anytime soon (see nodejs/node#428). But maybe an integrated SSH client (i.e. using https://www.npmjs.com/package/ssh2) is an easier-to-set-up and more secure alternative than a Node.js SSL server.

@timkuijsten timkuijsten self-assigned this Feb 4, 2015
@timkuijsten (Member, Author)

After some research it seems that NaCl might be the right choice [1,2,3,4]. This allows for direct encryption and authentication of both sides, using some simple, modern and fast ciphers.

By not choosing TLS we can avoid using OpenSSL, X.509 and ASN.1 code (which is a lot of code) [5] and require users to only generate one long-standing Ed25519 key. These keys are faster and, because of their smaller size, more portable than RSA keys. Furthermore, this design choice shortcuts the whole CA system and all the trouble and trust that comes with it.

Protocol synopsis:

  • Client connects with server over TCP port 2344
  • Server sends a cryptographically secure random nonce
  • Client generates a reply and signs this using the long-term private key. The message contains:
    • the nonce received from the server
    • a newly generated public key
  • Server validates the signature and uses the new public key as a session key
  • Further nonces for this session are simple incremental numbers: the client uses monotonically increasing odd numbers, the server uses monotonically increasing even numbers.

This simple protocol is forward secure [6] and protects against replay attacks.

[1] jedisct1/libsodium.js#21
[2] http://cr.yp.to/highspeed/coolnacl-20120725.pdf
[3] http://tweetnacl.cr.yp.to/tweetnacl-20140917.pdf
[4] https://www.imperialviolet.org/2015/05/16/aeads.html
[5] http://www.daemonology.net/blog/2009-09-28-securing-https.html
[6] http://crypto.stackexchange.com/questions/16276/perfect-forward-secrecy-with-nacl

read:
https://cryptojedi.org/peter/data/span-20091204.pdf
http://lwn.net/Articles/579044/
http://engineering.bittorrent.com/2014/12/11/authentication-and-forward-secrecy-in-bleep/
http://blog.weave.works/author/awharrison/
http://rdist.root.org/2009/07/14/nacl-djbs-new-crypto-library/
http://blog.cryptographyengineering.com/2013/07/tweetnacl.html
http://www.bsdcan.org/2010/schedule/attachments/135_crypto1hr.pdf

to read:
https://threema.ch/press-files/cryptography_whitepaper.pdf
https://tools.ietf.org/html/rfc4253 The Secure Shell (SSH) Transport Layer Protocol
http://cr.yp.to/highspeed/naclcrypto-20090310.pdf
http://nacl.cr.yp.to/securing-communication.pdf
https://whispersystems.org/blog/advanced-ratcheting/
https://tlswg.github.io/tls13-spec/
https://pond.imperialviolet.org/tech.html
https://codesinchaos.wordpress.com/tag/curvecp/
https://download.libsodium.org/doc/public-key_cryptography/authenticated_encryption.html
https://paragonie.com/blog/2015/05/using-encryption-and-authentication-correctly
http://www.daemonology.net/blog/2009-09-04-complexity-is-insecurity.html
