2018-01-23 21:53:05 +00:00
|
|
|
Package herradurakex is a drop-in replacement for golang/pkg/net facilities
|
2018-01-27 00:15:39 +00:00
|
|
|
(net.Dial(), net.Listen(), net.Accept() and the net.Conn type), yielding
|
|
|
|
'secure' sockets using the experimental HerraduraKEx key exchange algorithm
|
|
|
|
first released by (Omar Elejandro Herrera Reyna's github page)[github.com/Caume/HerraduraKEx].
|
2018-01-06 15:41:23 +00:00
|
|
|
|
2018-01-12 05:32:55 +00:00
|
|
|
One can simply replace calls to net.Dial() with hkex.Dial(), and likewise
|
|
|
|
net.Listen() with hkex.Listen(), to obtain connections (hkex.Conn) conforming
|
|
|
|
to the basic net.Conn interface. Upon Dial(), the HerraduraKEx key exchange
|
|
|
|
is initiated (whereby client and server independently derive the same
|
2018-01-27 00:15:39 +00:00
|
|
|
keying material).
|
|
|
|
|
|
|
|
Above this layer, apps (such as the demo/server/ and demo/client code) can
|
|
|
|
then negotiate session settings (cipher/hmac algorithms, etc.) to be used
|
|
|
|
for further communication.
|
2018-01-06 15:41:23 +00:00
|
|
|
|
2018-01-25 02:14:21 +00:00
|
|
|
NOTE: Due to the experimental nature of the HerraduraKEx algorithm used to
|
|
|
|
derive crypto keying material on each end, this algorithm and the
|
|
|
|
demonstration remote shell client/server programs should be used with caution.
|
|
|
|
As of this time (Jan 2018) no verdict by acknowledged 'crypto experts' as to
|
|
|
|
the true security of the HerraduraKEx algorithm for purposes of session key
|
|
|
|
exchange over an insecure channel has been rendered.
|
2018-01-12 05:32:55 +00:00
|
|
|
It is hoped that such experts in the field will analyze the algorithm and
|
|
|
|
determine if it is indeed a suitable one for use in situations where
|
2018-01-25 02:14:21 +00:00
|
|
|
Diffie-Hellman and other key exchange algorithms are currently utilized.
|
|
|
|
|
|
|
|
Within the demo/ tree are client and servers implementing a simplified,
|
|
|
|
ssh-like secure shell facility and a password-setting utility using its
|
|
|
|
own user/password file separate from the system /etc/passwd, which is
|
|
|
|
used by the server to authenticate clients.
|
|
|
|
|
|
|
|
Dependencies:
|
|
|
|
github.com/mattn/go-isatty //terminal tty detection
|
|
|
|
github.com/kr/pty //unix pty control (server pty connections)
|
|
|
|
github.com/jameskeane/bcrypt //password storage/auth
|
|
|
|
|
2018-01-06 15:41:23 +00:00
|
|
|
|
2018-01-12 05:32:55 +00:00
|
|
|
To run
|
|
|
|
--
|
|
|
|
$ go get <tbd>/herradurakex.git
|
|
|
|
$ cd $GOPATH/src/<tbd>/herradurakex
|
|
|
|
$ go install .
|
2018-01-25 02:14:21 +00:00
|
|
|
$ go build demo/client/client.go && go build demo/server/server.go
|
|
|
|
$ go build demo/hkexpasswd/hkexpasswd.go
|
|
|
|
|
|
|
|
[To set accounts & passwords]
|
2018-01-27 00:15:39 +00:00
|
|
|
$ sudo echo "joebloggs:*:*:*" >/etc/hkexsh.passwd
|
2018-01-25 02:14:21 +00:00
|
|
|
$ sudo ./hkexpasswd -u joebloggs
|
2018-01-06 15:41:23 +00:00
|
|
|
|
2018-01-13 06:13:01 +00:00
|
|
|
[ in separate shells ]
|
2018-01-25 02:14:21 +00:00
|
|
|
[A]$ ./server &
|
|
|
|
[B]$ ./client -u joebloggs
|
|
|
|
|