Pages

Sunday, 5 May 2024

密钥是时候更换到curve25519

 

有关 Curve25519/Ed25519/X25519 介绍的文章已经很多,分别指的椭圆曲线加密/签名/密钥交换算法。由于 NIST 系列的不透明以及来历不明参数,被广泛怀疑。棱镜门后,25519 系列开始逐渐被大众接受。直至当下的部署情况: Things that use Curve25519

具体介绍就不多说了,以下简单说一下常用场景使用 25519 算法的过程。

TLS 自签证书

以下 tls 自签证书,可以被 curl/links 等客户端支持,可以在私有场合使用。

Firefox/Chrome 等浏览器还未支持,因为浏览器供应商联合公共信任中心组成的行业联盟规定了 X.509/WebPKI 中的可用 ECC 大部分被限于 NIST 系列。如果是架设公共服务,那么请谨慎使用。

ED25519 需要 OpenSSL 1.1.1 以及之后的版本。

ED25519 key
$ openssl genpkey -algorithm ED25519 -out server.key
PKCS#10
$ openssl req -new -out server.csr -key server.key -subj '/C=US/ST=CA/L=San Francisco/O=Internet Widgits Pty Ltd/OU=IT/CN=Self-signed ECC/emailAddress=admin@domain.com'
Sign csr
$ openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
查看
$ openssl req -in server.csr -text -noout
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = US, ST = CA, L = San Francisco, O = Internet Widgits Pty Ltd, OU = IT, CN = Self-signed ECC, emailAddress = admin@domain.com
        Subject Public Key Info:
            Public Key Algorithm: ED25519
                ED25519 Public-Key:
                pub:
                    43:b5:f2:51:f0:33:df:7b:47:74:d4:b2:75:ef:77:
                    3a:cd:f0:c9:2c:ad:25:64:de:93:85:f5:bd:ad:5b:
                    2d:5f
        Attributes:
            a0:00
    Signature Algorithm: ED25519
         9a:53:53:fa:b6:d2:ca:a7:e3:db:86:5c:dc:04:78:c1:5c:ba:
         de:50:54:48:20:86:36:c3:76:64:0a:01:3e:59:49:8d:51:4c:
         46:ca:52:e9:0e:fa:18:4b:12:4d:63:b2:3d:de:f3:40:30:85:
         ec:75:2d:7e:03:b5:02:34:cd:0c

OpenSSH 密钥对

$ ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -C "yourname@domain.com"
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/name/.ssh/id_ed25519.
Your public key has been saved in /Users/name/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:/IzQ36S2fWk549u16/8CmZEAJ+0Niv3C5QfhB+Tg/us yourname@domain.com
The key's randomart image is:
+--[ED25519 256]--+
|        ++o      |
|       . =*      |
|       o.+.* .   |
|      .+o = =    |
|      ..S+ o.+   |
|       .o*o+=    |
|        ..B... o.|
|         . +  O.o|
|         .E .++OB|
+----[SHA256]-----+

你也可以添加 -a 100 参数增加求导函数的次数,注意:该数字越高 = 越慢的密码验证 = 更高的抗暴力密码破解。针对的是密码而非密钥本身。

GnuPG 密钥对

$ gpg --expert --full-gen-key
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (13) Existing key
  (14) Existing key from card
Your selection? 9
Please select which elliptic curve you want:
   (1) Curve 25519
   (3) NIST P-256
   (4) NIST P-384
   (5) NIST P-521
   (6) Brainpool P-256
   (7) Brainpool P-384
   (8) Brainpool P-512
   (9) secp256k1
Your selection? 1
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Tue Jun 22 12:59:57 2023 CST
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Your Name
Email address: yourname@domain.com
Comment: Your Comment
You selected this USER-ID:
    "Your Name (Your Comment) <yourname@domain.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 0x8F75F10ABACF9D18 marked as ultimately trusted
gpg: revocation certificate stored as '/Users/name/.gnupg/openpgp-revocs.d/0C2DDA1BA5738976147F17F18F75F10ABACF9D18.rev'
public and secret key created and signed.

pub   ed25519/0x8F75F10ABACF9D18 2021-06-22 [SC] [expires: 2023-06-22]
      Key fingerprint = 0C2D DA1B A573 8976 147F  17F1 8F75 F10A BACF 9D18
      Keygrip = CA2F58C28CC8A23E8A87000482236C9DCB0EB7E7
uid                              Your Name (Your Comment) <yourname@domain.com>
sub   cv25519/0xC63205BDCC95F10A 2021-06-22 [E] [expires: 2023-06-22]
      Keygrip = 08852924712C889AA1148A35F258CACCE511E908

事实上,gpg 也可以创建用于 ssh 的认证密钥对

$ gpg --expert --edit-key 0x8F75F10ABACF9D18
Secret key is available.

sec  ed25519/0x8F75F10ABACF9D18
     created: 2021-06-22  expires: 2023-06-22  usage: SC
     trust: ultimate      validity: ultimate
ssb  cv25519/0xC63205BDCC95F10A
     created: 2021-06-22  expires: 2023-06-22  usage: E
[ultimate] (1). Your Name (Your Comment) <yourname@domain.com>

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
  (14) Existing key from card
Your selection? 11

Possible actions for a ECDSA/EdDSA key: Sign Authenticate
Current allowed actions: Sign

   (S) Toggle the sign capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? A

Possible actions for a ECDSA/EdDSA key: Sign Authenticate
Current allowed actions: Sign Authenticate

   (S) Toggle the sign capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? Q
Please select which elliptic curve you want:
   (1) Curve 25519
   (3) NIST P-256
   (4) NIST P-384
   (5) NIST P-521
   (6) Brainpool P-256
   (7) Brainpool P-384
   (8) Brainpool P-512
   (9) secp256k1
Your selection? 1
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Tue Jun 22 13:14:54 2023 CST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  ed25519/0x8F75F10ABACF9D18
     created: 2021-06-22  expires: 2023-06-22  usage: SC
     trust: ultimate      validity: ultimate
ssb  cv25519/0xC63205BDCC95F10A
     created: 2021-06-22  expires: 2023-06-22  usage: E
ssb  ed25519/0x6C1FDAA711647985
     created: 2021-06-22  expires: 2023-06-22  usage: SA
[ultimate] (1). Your Name (Your Comment) <yourname@domain.com>

gpg> quit
Save changes? (y/N) y

最后按照'GnuPG 介绍' 中 作为 ssh 公钥 部分内容,配置下即可完成。

----------------------------------------------------------------------------

Things that use Curve25519

Updated: April 18, 2024

Here's a list of protocols and software that use or support the superfast, super secure Curve25519 ECDH function from Dan Bernstein. Note that Curve25519 ECDH should be referred to as X25519.

This page is organized by Protocols, Networks, Operating Systems, Hardware, Software, SSH Software, WireGuard Software, TLS Libraries, NaCl Crypto Libraries, lib25519, LibHydrogen, Libraries, Miscellaneous, Timeline notes, and Support coming soon.

You may also be interested in this list of Ed25519 deployment.

Protocols

  • DNS
    • DNSCurve — encrypted DNS between a resolver and authoritative server
    • DNSCrypt — encrypted DNS between a client and a resolver
  • Transport (loosely defined)
    • TLS — TLS
    • CurveCP — a secure transport protocol
    • QUIC — a secure transport protocol
    • Noise — a framework for crypto protocols based on Diffie-Hellman key agreement
    • CurveZMQ — Security for ZeroMQ
    • Nitro — a very fast, flexible, high-level network communication library
    • Dust — A Polymorphic Engine for Filtering-Resistant Transport Protocols
    • RAET — Reliable Asynchronous Event Transport Protocol
    • Evernym — a high-speed, privacy-enhancing, distributed public ledger engineered for self-sovereign identity
    • SSH, thanks to the curve25519-sha256@libssh.org key exchange from the libssh team, adopted by OpenSSH and TinySSH
  • Other
    • WireGuard — fast, modern, secure VPN tunnel
    • saltpack — a modern crypto messaging format
    • obfs4 — a look-like nothing obfuscation protocol
    • Riffle — an efficient communication system with strong anonymity
    • S/MIME 4.0 — Secure/Multipurpose Internet Mail Extensions
    • Chain Key Derivation — a deterministic key derivation scheme
    • OMEMO — an XMPP Extension Protocol (XEP) for secure multi-client end-to-end encryption
    • (n+1)sec — a free, end-to-end secure, synchronous protocol for group chat
  • IPsec
    • OpenIKED — IKEv2 daemon which supports non-standard Curve25519
  • ZRTP
  • Other
    • Signal Protocol — encrypted messaging protocol derivative of OTR Messaging
    • Pond — forward secure, asynchronous messaging for the discerning project in stasis
    • ZeroTier — Create flat virtual Ethernet networks of almost unlimited size
    • telehash — encrypted mesh protocol
    • Olm — A Cryptographic Ratchet
    • Apple AirPlay — stream content to HDTV/speakers

Networks

  • Tor — The Onion Router anonymity network
  • GNUnet — a framework for secure peer-to-peer networking that does not use any centralized or otherwise trusted services
  • URC — an IRC style, private, security aware, open source project
  • Serval — Mesh telecommunications
  • Nebula — open source global overlay network from Slack
  • Yggdrasil — a fully end-to-end encrypted network
  • Peergos — An end-to-end encrypted, peer-to-peer file storage, sharing and communication network
  • SAFE — A new Secure way to access a world of existing apps where the security of your data is put above all else
  • Stellar (Payment Network) — low-cost, real-time transactions on a distributed ledger
  • cjdns — encrypted ipv6 mesh networking

Operating Systems

  • OpenBSD — used in OpenSSH, LibreSSL, OpenIKED, CVS over SSH, and WireGuard
  • Apple iOS — used in the iPhone, iPad, and iPod Touch
  • Android — ships with Chrome, which supports X25519 for TLS and QUIC
  • macOS — used in multiple places
  • Linux — kernel 5.6 (or later) supports WireGuard
  • FreeBSD 13.2 supports WireGuard
  • Windows — used in OpenSSH, Microsoft Edge, and maybe others
  • OPNsense — an open source, easy-to-use and easy-to-build HardenedBSD based firewall and routing platform
  • All operating systems that ship with OpenSSL 1.1.0+
  • All operating systems that ship with LibreSSL from the OpenBSD Project
  • All operating systems that ship with OpenSSH from the OpenBSD Project

Hardware

  • Nitrokey Start — encrypts your emails, files, and server access
  • SC4 HSM — a fully-open USB2 HSM (hardware-secure module)
  • CEC1702 — ARM Cortex M4-based microcontroller with a complete hardware cryptography-enabled solution in a single package
  • Librem 5 — the first Matrix-powered smartphone, in the dialer and messaging app
  • Hardware-Accelerated-SigmaVPN — a VPN device design project using a Zybo Board and ZYNQ fpga

Software

  • DNS
  • Web browsers, crawlers and other clients
  • Web Servers
    • Caddy — supports X25519 in TLS and QUIC
    • Microsoft IIS 10+
    • All webservers built with LibreSSL (OpenBSD and others)
    • All webservers built with OpenSSL 1.1.0+ (Debian 9, FreeBSD 12+, etc.)
  • Password managers
    • keepassxc-browser — Chrome extension for KeePassXC with Native Messaging
    • passgo — Simple golang password manager
    • kbs2 — A secret manager backed by age
    • gopass — the team password manager
  • CurveCP related
    • CurveProtect — securing major protocols with CurveCP. Also supports DNSCurve.
    • qremote — an experimental drop-in replacement for qmail's qmail-remote with CurveCP support
    • curvevpn — based on CurveCP
    • spiral-swarm — easy local file transfer with curvecp [ author recommends another project ]
    • QuickTun — "probably the simplest VPN tunnel software ever"
    • frereth-cp — CurveCP implemented in clojure
    • jeremywohl-curvecp — "A Go CurveCP implementation I was sandboxing; non-functional."
    • curvecp — CurveCP programs, linked with TweetNaCl and built statically with Musl libc
    • curvecp.go — Go implementation of the CurveCP protocol
    • curvecp — Automatically exported from code.google.com/p/curvecp
    • urcd — the most private, secure, open source, "Internet Relay Chat" style chat network
  • MinimaLT related (all Pre-Alpha, not production ready, please contribute!)
    • The MinimaLT authors will soon release beta code. But some people are so excited about the protocol that they've written approximations based on published descriptions of it. Since I'm excited about MinimaLT as well, and since it shows serious public interest, I'm listing the following here.
    • MinimaLT-experimental — an approximation of the MinimaLT protocol, in javascript
    • safeweb — Proposition of a faster and more secure Web (MinimaLT + DNSNMC)
  • Messaging Software
    • Signal — secure text messaging (previously known as TextSecure)
    • WhatsApp — mobile messaging app for iPhone, BlackBerry, Android, Windows Phone and Nokia
    • Riot/Matrix — end-to-end encrypted messaging
    • Vuvuzela — a private chat application that hides metadata, including who you chat with and when you are chatting
    • signal-cli — a commandline and dbus interface for WhisperSystems/libsignal-service-java
    • Wire — encrypted private messaging
    • xocolatl — Trevor's & Moxie's Axolotl Ratchet + AGL's xmpp-client
    • SafeSwiss — private messaging from Switzerland
    • Facebook Messenger — although security is disabled by default
    • MicroMinion platform — a secure messaging layer with end-to-end connectivity using a variety of underlying transport mechanisms
    • SignalServiceKit — a boilerplate for Mac & iOS apps
    • textsecure-go — TextSecure client package for Go
    • Rival Messenger — Secure Decentralized Communication Built on Telehash
    • CrossClave — zero-knowledge messaging and file transfer
    • Signal-Windows — an unofficial Signal client for the Universal Windows Platform
    • mute — secure messaging
    • zkc — Zero Knowledge Communications
    • Silence — A fork of Signal with only SMS/MMS encryption
    • NanoChat — A P2P, E2E encrypted and discoverable chat application on top of nanomsg library
    • shadowfax — a simple, lightweight confidential messaging system
    • Threema — encrypted messaging app (closed source)
    • scomms — Secure Communications - One size, fits all crypto messaging tool
    • chatterbox — A chat thingy
    • Cyph — a secure communication tool designed to be extremely friendly for users of any technical skill level
    • TarsierMessenger — Tarsier Messenger is a messaging application using WiFi direct
    • Sid — secure messaging and file transfer
    • Viber — Free calls, text and picture sharing with anyone, anywhere
    • cha-cha-chat — Example of ChaCha20 encrypted chat with ECDH key exchange
    • zkm — Zero Knowledge Messaging
    • axolotl-sample-client — example of how to NuGet reference libaxolotl and curve25519 for crypto use
    • opake — Messaging with in-browser encryption using curve25519
  • Tox Software
    • Tox — Free, secure, Skype alternative
    • toxcore — an easy to use, all-in-one communication platform
    • uTox — Lightweight Tox client
    • qTox — Powerful Tox client that follows the Tox design guidelines
    • Toxy — Metro-style tox client for Windows
    • tox4go — just a collection of tools for Tox written in Go
    • WinTox — Tox port to Visual Studio
    • OneTox — Tox client for the Universal Windows Platform
    • tox-irc-sync — A bot that sync messages between Freenode IRC #tox-dev and Tox group chat
    • toxcore-vs — All necessary libs to build static toxcore using Visual Studio 2013
    • toxic — An ncurses-based Tox client
  • Other VPN and tunneling software
    • OpenIKED — IKEv2 daemon for IPsec, from the OpenBSD project
    • Libreswan — an IPsec implementation for Linux
    • curvetun — a lightweight curve25519-based IP tunnel
    • titun — Simple, fast, and cross-platform IP tunnel written in Rust. WireGuard compatible
    • strongSwan — open source IPsec-based VPN
    • sigmavpn — Light-weight, secure and modular VPN solution
    • fastd — Fast and Secure Tunneling Daemon
    • GoVPN — DPI/censorship-resistant, written on Go

SSH Software

  • SSH software with full modern crypto support (sntrup761x25519-sha512@openssh.com, X25519, Ed25519 and ChaCha20-Poly1305)
    • OpenSSH — Secure Shell from the OpenBSD project
    • TinySSH — a small SSH server with state-of-the-art cryptography
  • SSH software with full classic crypto support, lacking post-quantum security
    • Win32-OpenSSH — Win32 port of OpenSSH
    • PuTTY — a free implementation of SSH and Telnet for Windows and Unix platforms
    • KiTTY — a fork from version 0.70 of PuTTY with extra features
    • Dropbear — an SSH server and client
    • WinSCP — a popular SFTP client for Microsoft Windows
    • SecureCRT — SSH client for Windows, Mac, and Linux
    • asyncssh — an asynchronous SSH2 client and server atop asyncio
    • Termius — an SSH client that works on Desktop and Mobile
    • rlogin — Japanese rlogin, telnet, and ssh client
    • pssht — SSH server written in PHP
  • SSH software with partial modern crypto support (at least x25519)

WireGuard Software

Note: please see this WireGuard software list for more tools and things in the WireGuard ecosystem.

  • WireGuard — an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography
  • Android: WireGuard/Android
  • FreeBSD: included in release 13.2 and later
  • Go: wireguard-go
  • iOS: WireGuard/iOS
  • Linux: included in kernel 5.6 and later; backport modules available
  • macOS: WireGuard/macOS
  • NetBSD: included in release 10.0 and later; please note that Jason Donenfeld in 2020 stated that this code " simply is not a WireGuard implementation" and I don't know what has changed since then. NetBSD users may consider using the Golang userspace implementation.
  • OpenBSD: included in release 6.8 and later
  • Rust: wireguard-rs
  • Windows: WireGuard/Windows
  • Apple developers: WireGuardKit — Swift PM package for easily building macOS/iOS apps that use WireGuard tunnels
  • 3rd party: TunSafe — Experimental WireGuard Client for OSX (3rd party)
  • 3rd party: WireSep — userspace WireGuard for OpenBSD with privsep and tight pledge(2) (3rd party)
  • 3rd party: BoringTun — a userspace WireGuard implementation in Rust (3rd party)

Other Software

  • Tor — The Onion Router
  • age — an encryption tool with small keys, no config options, and UNIX-style composability
  • rage — Rust implementation of age
  • GlobaLeaks — The Open-Source Whistleblowing Software
  • reop — reasonable expectation of privacy
  • tweetnacl-tools — Tools for using TweetNaCl
  • arti — an implementation of Tor, in Rust
  • haskell-tor — A Haskell implementation of the Tor protocol
  • torch — Probably not the Tor client you are looking for
  • FalconGate — A smart gateway to stop hackers and Malware attacks (includes DNSCrypt support)
  • rdedup — Data deduplication with compression and public key encryption
  • SaltStack — automation for CloudOps, ITOps and DevOps at scale (uses ZeroMQ for transport)
  • pbp — salty privacy (provides basic functionality resembling PGP)
  • Qabel — a free, published-source cryptography platform
  • salty — A practical, compact CLI crypto system based on TweetNaCl, featuring public key sharing and zero-password peer stream encryption
  • vcrypt — Toolkit for multi-factor, multi-role encryption
  • TREES — a plugin that adds individually encrypted mail storage to the Dovecot IMAP server
  • CoCSharp — Clash of Clans library, proxy and server written in .NET
  • quic-go — A QUIC server implementation in pure go
  • urcd — URC Server
  • oppy — A Tor client (onion proxy) implementation in Python
  • DoorKeeper — An attempt to enable secure communication, authentication & authorization for my ESP8266 project
  • KinomaJS — A JavaScript runtime optimized for the applications that power IoT devices
  • tbak — Encrypted, compressed, distributed backups
  • detox-crypto — High-level utilities that combine under simple interfaces complexity of the cryptographic layer used in Detox project
  • zax — NaCl-based Cryptographic Relay
  • virgil-cli — tool to encrypt, decrypt, sign and verify any input, and key management using Virgil Keys
  • rdedup — Data deduplication engine, supporting optional compression and public key encryption
  • srlog2 — Secure Remote Log Transmission System
  • Secrete — ECIES implementation with Curve25519
  • wireproxy — Wireguard client that exposes itself as a socks5 proxy
  • Scuttlebot — a peer-to-peer log store used as a database, identity provider, and messaging system
  • OpenSSL-x25519-key_exchange — Example of key generation and shared secrets using OpenSSL and x25519
  • srndv2 — some random news daemon (version 2)
  • encryptify — encryptify encrypts files
  • clmm — An exercise in cryptographic minimlism
  • mini-tor — proof-of-concept implementation of tor protocol using Microsoft CNG/CryptoAPI
  • session-keys-rb — deterministic generation of unique UIDs and NaCl crypto keys from a username and high entropy passphrase
  • pearl — Tor relay implementation in Golang
  • fritz — a Gui to de-/encrypt messages or files using nacl-crypto
  • sodium11 — A command line toolkit for encryption and signing of files based on libsodium
  • Steganography — a file crypto which uses steganography to hide data in PNG files
  • vindicat — Mesh networking based on maintaining a graph of link objects signed by peers (WIP)
  • cordova-plugin-minisodium — A minimal cordova plugin that provides a binding to libsodium
  • locker — easy secure locker
  • lockbox — Simplified Asymmetric Encryption with NaCl
  • steady — A simple end-to-end secure logging system
  • zvault — Deduplicating backup solution
  • tlsfuzzer — SSL and TLS protocol test suite and fuzzer
  • pgsodium — Postgres extension wrapper around libsodium
  • FrankerFaceZ — The Twitch Enhancement Suite
  • pipesocks — A pipe-like SOCKS5 tunnel system
  • freedom-portacrypt — Passphrase based asymmetric crypto using scrypt and NaCl
  • gajim-omemo — Gajim plugin for OMEMO Multi-End Message and Object Encryption
  • SC4 — Strong Crypto for Mere Mortals
  • gobox — Trivial CLI wrapper around go.crypto/nacl/box
  • SodiumUE4 — An easy to use cryptography plugin for Unreal Engine 4 based on libsodium
  • quantum — A lightweight, encrypted, WAN oriented, software defined network device
  • EDHOC-C — Ephemeral Diffie-Hellman Over COSE (EDHOC)
  • Android-Sqrl2 — Android implementation of a full featured SQRL client
  • mysql-sodium — Mysql UDF bindings for LibSodium
  • qabel-core — Implementation of Qabel-Core in Java
  • Rubinius Language Platform — a modern language platform that supports a number of programming languages
  • servertail — quickly and easily see real time output of log files on your servers
  • cryptomirror — explores ways to make crypto user-friendly in non-crypto friendly environments
  • couch-box — Asymmetric encrypted CouchDB documents, powered by NaCl's curve25519-xsalsa20-poly1305
  • cubed_old — A proper open-source minecraft clone in C++
  • SQRL — Secure Quick Reliable Login
  • dOTP — Decentralized One Time Passwords
  • box — Simple file authenticated encryption/decryption
  • usermgr — a tool to turn access to production systems from a pain in the butt into ponies and rainbows
  • nacl-selective-keygen — Generate a NaCl keypair where the public key matches a certain pattern
  • cryptapult — Encrypt things off your Key ASIC dongle
  • secfileshare — Securely share files with others
  • curve-keygen — a utility to generate Curve25519 keypairs
  • confidential-publishing — Code for "A decentralized approach to publish confidential data"
  • cryptutils — Various crypto utilties based on a common NaCl/Ed25519 core
  • acceptable-security-otr — experiments in OTR stuff, PURELY for educational purposes
  • RChain Cooperative — a consesus algorithm using a proof-of-stake protocol
  • cacophony — Pipes for Noise-secured network connections
  • scrambl.is — a small web page allowing the easy composition and reading of encrypted messages
  • gr-nacl — GNU Radio module for data encryption using NaCl library
  • up — sending a file from one computer to another using the nacl library
  • cloak — A simple passphrase based file encryption tool
  • quicbench — HTTP/QUIC load test and benchmark tool
  • session25519 — Derive curve25519 key pair from email/password via scrypt
  • pcp — Pretty Curved Privacy
  • wot-crypto — Crypto utils for node-wot using libsodium
  • CurvedSalsa — encrypt/decrypt files with Salsa20 & Curve25519
  • Vanadium — create mobile and distributed applications that work even without an Internet connection
  • Enchive — encrypted personal archives
  • session-keys-js — A cryptographic tool for the deterministic generation of unique user IDs, and NaCl cryptographic keys
  • RNP — a set of OpenPGP (RFC4880) tools that works on Linux, *BSD and macOS as a replacement for GnuPG
  • Curve25519-AES — A simple program to test an idea I had, probably terrible
  • asignify — Yet another signify tool
  • nymphemeral — an ephemeral nymserver GUI client
  • hs-noise — encrypted networking in Haskell
  • cordova-plugin-curve25519 — Curve25519 plugin for Cordova/Phonegap - for iOS and Android
  • aenker — authenticated encryption on the commandline using a chunked construction similar to intermaclib
  • Key 2.0 — a Bluetooth IoT Door Lock
  • CPGB — Curve Privacy Guard B, a secure replacement for GPG using ECC
  • Simply Good Privacy — PGP-like system without web of trust
  • PoSH-Sodium — Powershell module to wrap libsodium-net methods
  • Kryptor — open source file encryption software for Windows, Linux, and macOS
  • tweetsodium — implements libsodium's sealed boxes using the tweetnacl-js and blakejs libraries
  • midgetpack — a multiplatform secure ELF packer
  • Mesh — A tool for building distributed applications
  • Osteria — secure point-to-point messenger
  • mcrypt — Message Crypto - Encrypt and sign individual messages
  • chdkripto — CHDK firmware - crypto modules (work in progress)
  • vtun-jedisct1 — A mirror of VTUN, with some changes
  • srndv2 — some random news daemon (version 2)
  • pyaxo — A python implementation of the Axolotl ratchet protocol
  • crypto-bench — Benchmarks for crypto libraries (in Rust, or with Rust bindings)
  • SUPERCOP — a cryptographic benchmarking suite

Signal Protocol Libraries

TLS Libraries

  • LibreSSL
  • Go crypto/tls
  • BoringSSL
  • GnuTLS
  • rustls
  • OpenSSL 1.1.0+
  • wolfSSL — a lightweight SSL/TLS library in ANSI C for embedded, RTOS, and resource-constrained environments
  • TabbySSL — an OpenSSL compatibility layer for the Rust SSL/TLS stack
  • Botan
  • tlslite-ng — an open source python library that implements SSL and TLS cryptographic protocols
  • BearSSL
  • mbed TLS — open source library formerly known as PolarSSL
  • NSS
  • Leto — A managed TLS library without all the baggage
  • tlspin — TLS without PKI
  • Inside Secure TLS Toolkit (formerly known as MatrixSSL) — TLS in C with minimalistic system dependencies
  • miTLS — A verified reference implementation of TLS
  • fizz — C++14 implementation of the TLS-1.3 standard, by Facebook
  • TLSe — Single C file TLS 1.3, 1.2, 1.1 and 1.0 implementation, using libtomcrypt as crypto library
  • Picotls — a TLS 1.3 implementation written in C
  • VbAsyncSocket — Sockets with pure VB6 impl of TLS encryption
  • Java 11+ — programming language
  • BoarSSL
  • Others coming soon, which is next?!

NaCl Crypto Libraries

For cryptographic libraries in the NaCl family, including NaCl itself, TweetNaCl, uNaCl, and libsodium, as well as wrappers, bindings, and ports.

lib25519

lib25519 "is a microlibrary for the X25519 encryption system and the Ed25519 signature system" that can be used directly in C or called by libraries in other languages using FFI. See the website for more information.

LibHydrogen

The Hydrogen library is designed for constrained environments like embedded devices, IoT (Internet of Things), and tiny computers.

Crypto Libraries

Other Libraries

  • Go Crypto Library — from the Go programming language
  • PHP 7.2.0+ — a popular general-purpose scripting language that is especially suited to web development
  • Java 11+ — includes x25519 support
  • Zig supports x25519 in the standard library
  • ring — Safe, fast, small crypto using Rust & BoringSSL's cryptography primitives
  • HACL* — a formally verified cryptographic library written in F*
  • titun-hacl — Rust bindings for hacl* ChaCha20Poly1305 and Curve25519
  • Orion — a cryptography library written in pure Rust
  • Nettle — a low-level cryptographic library
    • Bindings available in Haskell, Perl, Pike, PostgreSQL, R6RS Scheme, and TCL
  • libzmq — ZeroMQ core engine in C++, implements ZMTP/3.0
  • Rust-Crypto — A (mostly) pure-Rust implementation of various common cryptographic algorithms
  • ninn — An experimental implementation of nQUIC in Rust
  • LiteSpeed QUIC (LSQUIC) — implementation of QUIC and HTTP/3 functionality for servers and clients
  • Libgcrypt — a general purpose cryptographic library originally based on code from GnuPG
  • Monocypher — a small, secure, auditable, easy to use crypto library
  • phpseclib — PHP Secure Communications Library
  • o3 — Open-source implementation of the Threema protocol in Go
  • libsuola — An ENGINE gluing together OpenSSL and NaCl-derived crypto
  • tink — a small crypto library that provides a safe, simple, agile and fast way to accomplish some common crypto tasks
  • CIRCL — Cloudflare Interoperable Reusable Cryptographic Library
  • keybase-client — Keybase Go Library, Client, Service, OS X, iOS, Android, Electron
  • NewHope_X25519_XSalsa20_Poly1305 — Post Quantum Cryptography with NewHope and NaCl
  • libgodium — Pure Go implementation of cryptographic APIs found in libsodium
  • libaxolotl-crypto-node — Node.js implementation of cryptography interface for libaxolotl-javascript
  • libaxolotl-uwp — An independent implementation of the axolotl protocol, loosely based on libaxolotl-java
  • rust-ed25519-compact — Small, wasm-friendly, zero-dependencies Ed25519 and X25519 implementation for Rust
  • libaxolotl-crypto-web — WebCrypto implementation of cryptography interface for libaxolotl-javascript
  • ratchet.lisp — A Common Lisp implementation of the Signal double-ratchet using TweetNaCl as the crypto primitives
  • hc — HomeControl is an implementation of the HomeKit Accessory Protocol (HAP) in Go
  • Olm — Implementation of the olm and megolm cryptographic ratchets
  • dnscrypt — A very simple DNSCrypt client library written in Go
  • libssh — multiplatform SSH library in C
  • tweetnacl-sealed-box — libsodium's sealed box implementation for TweetNaCl
  • hs-nacl — Modern Haskell Cryptography
  • luazen — a small library with various compression, encoding and cryptographic functions for Lua
  • OpenPGP.js — an Open Source OpenPGP library in JavaScript
  • kcl — NaCl substitute of sorts in Elixir
  • librnp — C library approach to OpenPGP
  • Salt — NaCl cryptography library for PHP (not by the NaCl authors)
  • Sapient — Secure API toolkit
  • rust-crypto-decoupled — Experiment on dividing rust-crypto into several small crates
  • chloride — a Cryptography Library (Cl) for javascript enviroments
  • OpenBazaar-libsignal — Custom implementation of the signal messaging protocol in Go
  • Neuro:pil — a small messaging library which by default adds two layers of encryption
  • GopenPGP — A high-level OpenPGP library
  • libsaxolotl — axolotl based on libsodium
  • salt-channel-c — C implementation of Salt Channel
  • asn — asn implements the Apptimist Social Network Protocol
  • eddy — a steady little Ed25519 library for Elixir
  • easy-ecc — A usability wrapper for PHP ECC
  • bc-java — Bouncy Castle Java Distribution
  • x3dh — an implementation of the x3dh key agreement protocol
  • go-sphinxmixcrypto — golang sphinx mix net cryptography
  • sphinxmixcrypto — python sphinx mix net cryptography
  • aiootp — Asynchronous pseudo-one-time-pad based crypto and anonymity library
  • mipher — Mobile Cipher library written in clean TypeScript
  • amber — Cryptography library. X25519, Ed25519, ChaCha20, Blake2, Poly1305, Scrypt
  • mbedcrypto — a portable, small, easy to use and fast c++14 library for cryptography
  • nitro-python — Python bindings for nitro
  • cryptopeer-crypto — Crypto module for CryptoPeer
  • mruby-httpsclient — An http(s) web client using mruby and LibreSSL's libtls
  • dnscrypt — Very basic DNSCrypt library for Go
  • arduinolibs-Crypto — Arduino libraries and examples
  • ed25519-to-x25519.wasm — Library for Ed25519 signing key pair into X25519/Curve25519 key pair suitable for Diffie-Hellman key exchange
  • nsec — A modern and easy-to-use crypto library for .NET Core based on libsodium
  • Sequoia-PGP — a modern modular OpenPGP implementation in Rust
  • ezcrypt — Ezcrypt is intended to make it easy to work with nacl/box in a safe and secure way
  • TweetPepper — Formats, PKI using TweetNaCl as the Crypto
  • boxconn — adds encryption and authentication to a network connection
  • yowsup — The python WhatsApp library
  • Lazysodium — a complete Android implementation of the Libsodium library
  • cryptostack — cryptographic library based on Curve25519, Ed25519, blake2b, Poly1305, XSalsa20 primitives
  • eccsnacks — a simple reference implementation of Curve25519 and Curve448
  • CrunchyCrypt — Safe and Simple Cryptography
  • Glow — a reference client library for interacting with Zax
  • curve25519-go — Curve25519 signatures (and also key agreement) like in the early Axolotl, ported to Go
  • curve25519-kotlin — Curve25519 signatures (and also key agreement) like in the early Axolotl, ported to Kotlin
  • curve25519-swift — Curve25519 signatures (and also key agreement) like in the early Axolotl, ported to swift
  • nnshake — Simple ECDH handshake protocol in Rust, based on X25519 and ChaCha20-Poly1305
  • nuntius — iOS Framework for end-to-end encrypted messages
  • salt-channel — A Java implementation of Salt Channel - a simple, light-weight secure channel protocol
  • proto-quic — intended as a standalone library for QUIC
  • Neqo — an Implementation of QUIC written in Rust
  • goquic — QUIC support for Go
  • bencrypt — Encryption Abstraction Layer and Utilities for ratnet
  • asymmetric-crypto — Encryption and signing using public-key cryptography (via TweetNaCl)
  • mino — Experimental password manager core
  • cryptonite — a haskell repository of cryptographic primitives
  • NaclTest — curve25519 encryption using libsodium.js (in the browser) and decryption using kalium (java, server side)
  • cryptofamily — a heap of primitives, algorithms, etc.
  • secure_serialisation — To be used only with transient nacl key pairs Public Key authenticated encryption (box)
  • rawr-x3dh — TypeScript implementation of X3DH
  • Virgil Crypto Library — modern cryptography libraries (ECIES and RSA with Cryptographic Agility) and all the necessary infrastructure
  • ecc25519 — combine golang ed25519 and curve25519 libray in one
  • ecc-playground — Playground project for ECC with Curve25519 and AES-GCM on the JVM
  • libsignal_protocol_dart — a pure Dart/Flutter implementation of the Signal Protocol
  • saxolotl — salty axolotl ratchet
  • curve25519-js — Curve25519 Javascript Implementation
  • krb5-spake25519 — Sandbox for Curve25519 SPAKE testing for krb5
  • crypto — some additional cryptographic packages for Go
  • ara-crypto — Cryptographic functions used in various Ara modules
  • yii2-api — A Yii2 API Skeleton Framework
  • go-ecdh — Golang implementation of the elliptical curve diffie-hellman
  • rfc7748_precomputed — optimized implementations of X25519 and X448 (RFC-7748) for 64-bit architectures
  • opt-cryptobox — Optimized cryptobox self-contained library
  • raaz — Cryptographic network library for Haskell
  • curvetls — A robust framing and encryption layer for your Go network programs, based on CurveZMQ
  • prototok — RbNaCl + json/msgpack/protobuf key generation/parsing gem
  • cryptoengine — This Golang package simplifies even further the usage of NaCl crypto primitives
  • libsodium-laravel — Laravel integration for libsodium
  • shick_crypto — Crypto library showing how to use NaCl and libsodium to encrypt and decrypt message securely
  • cifra — A collection of cryptographic primitives targeted at embedded use
  • lockbox — File encryption for Ruby and Rails
  • SodiumBox — LibSodium crypto_box_seal in Go
  • sshlib — ConnectBot's SSH library
  • dat-wot — [WIP] A decentralized public key network with encryption utilities for data collaboration
  • boxtransport — encrypted communication over TCP using NaCl boxes
  • Personal-HomeKit-HAP — build HomeKit support accessories
  • fld-ecc-vec — an optimized library for computing EdDSA and the Diffie-Hellman functions X25519 and X448
  • sshj — ssh, scp and sftp for java
  • forward-secrecy — Javascript implementation of the Axolotl key-ratcheting protocol using the NaCl crypto library
  • haskell-crypto-box — An interface for authenticated public-key encryption a la NaCl
  • AeroGear — Libraries to simplify and unify mobile development across different platforms
  • threema-msgapi-sdk-php — Gateway MsgApi SDK - PHP
  • ecurvecp — based on CurveCP but has more in common with CurveZMQ
  • private-box — private message between two parties (with no `to` field)
  • plc — Pure Lua Crypto
  • ruby-jose — JSON Object Signing and Encryption (JOSE) for Ruby
  • erlang-jose — JSON Object Signing and Encryption (JOSE) for Erlang and Elixir
  • HeavyThing — x86_64 assembler library
  • ECC-25519 — using ECC with Curve25519; combines multiple libraries
  • ESP8266-Arduino-cryptolibs — Collection of strong crypto libs that can be included in Arduino-core for ESP8266
  • curve25519-java — Pure Java and JNI backed Curve25519 implementation
    • scrypto — Cryptographic primitives for Scala (includes Curve25519-Java wrapper)
  • dnscrypt-python — DNSCrypt Python Library
  • c25519 — Curve25519 and Ed25519 for low-memory systems
  • python-axolotl-curve25519 — curve25519 with ed25519 signatures, used by libaxolotl
  • proteus — Axolotl Protocol Implementation
  • python-axolotl — Python port of libaxolotl
  • python-axolotl-curve25519 — python wrapper for curve25519 library with ed25519 signatures
  • libaxolotl-php — Axolotl Library For PHP
  • libaxolotl-javascript — A JavaScript implementation of axolotl
  • libaxolotl-crypto-curve25519 — emscripten compiled version of curve25519 and ed25519
  • python-omemo — Python OMEMO Library
  • libsqrl — a library implementing the SQRL Specification
  • ecdh — A generic ECDH implementation
  • molch — An implementation of the axolotl ratchet based on libsodium
  • erlang-libdecaf — ed448goldilocks (libdecaf) NIF with timeslice reductions for Erlang and Elixir (also supports X25519)
  • SharpTox — Wrapper library for Tox core, av and dns functions
  • minicrypt — Library of crypto primitives for embedded systems
  • jnacl — Pure Java implementation of curve25519xsalsa20poly1305
  • asio_sodium_socket — Custom transport encryption using libsodium and Asio
  • libeddsa — cryptographic library for ed25519 and curve25519
  • tox4j — New and improved java wrapper for Tox
  • curve-protocol — Javascript implementation of the CurveCP protocol inspired by the ZeroMQ implementation
  • microstar-crypto — JavaScript cryptography library for Microstar, wrapping TweetNaCl
  • SharedEcc25519 — ANSI-C based cross-platform elliptic curve cryptography provider with objc api
  • secret-handshake — Javascript-based authentication
  • libquic — QUIC, a multiplexed stream transport over UDP
  • SQRL-Protocol — A helper library to handle SQRL requests and responses
  • gocusp — Go bindings (using SWIG) for the Channel-based Unidirectional Stream Protocol
  • hs-curve25519-arithmetic — Arithmetic on Curve25519 in Haskell
  • nacl.js — JavaScript implementation of curve25519xsalsa20poly1305
  • potassium — Randomized forward-secure Curve25519-AES256-CTR-HMAC-SHA512 for Pythonista
  • Ordo — Symmetric Cryptography Library, which also includes Curve25519 support
  • seconn — A simple secure socket library for Go
  • elliptic — Fast elliptic-curve cryptography in plain javascript
  • librdns — Asynchronous DNS resolver with DNSCurve support

Miscellaneous

  • Dan Bernstein: "An attacker who spends a billion dollars on special-purpose chips to attack Curve25519, using the best attacks available today, has about 1 chance in 1000000000000000000000000000 of breaking Curve25519 after a year of computation."
  • Dmitry Chestnykh: "You can write a program to generate Curve25519 private key faster than PGP generates its private key."
  • Adam Langley: "Of the concrete implementations of Diffie-Hellman, curve25519 is the fastest, common one. There are some faster primitives in eBACS, but the ones that are significantly faster are also significantly weaker."
  • Matthew Green: "Any potential 'up my sleeve' number should be looked at with derision and thoroughly examined (Schneier thinks that the suggested NIST ECC curves are probably compromised by NSA using 'up my sleeve' constants). This is why I think we all should embrace DJB's curve25519."
  • Frederic Jacobs: "It's incredible to realize that the TextSecure protocol enabled the largest end-to-end encrypted messaging deployement in history."
  • GnuPG: "For many people the NIST and also the Brainpool curves have an doubtful origin and thus the plan for GnuPG is to use Bernstein's Curve 25519 as default. GnuPG 2.1.0 already comes with support for signing keys using the Ed25519 variant of this curve. This has not yet been standardized by the IETF (i.e. there is no RFC) but we won't wait any longer and go ahead using the proposed format for this signing algorithm."
  • Ian Grigg: "In the past, things like TLS, PGP, IPSec and others encouraged you to slice and dice the various algorithms as a sort of alphabet soup mix. Disaster. What we got for that favour was code bloat, insecurity at the edges, continual arguments as to what is good & bad, focus on numbers & acronyms, distraction from user security, entire projects that rate your skills in cryptoscrabble, committeeitus, upgrade nightmares, pontification ... Cryptoplumbing shouldn't be like eating spagetti soup with a toothpick. There should be One Cipher Suite and that should do for everyone, everytime. There should be no way for users to stuff things up by tweaking a dial they read about in some slashdot tweakabit article while on the train to work... Picking curve25519xsalsa20poly1305 is good enough for that One True CipherSuite motive alone... It's an innovation! Adopt it."
  • wolfSSL: "Curve25519 so far is destroying the key agreement and generation benchmarks of previous curves, putting up numbers for both key agreement and generation that are on average 86 percent faster than those of NIST curves."
  • Adam Langley: "Current ECDSA deployments involve an ECDSA key in an X.509 certificate and ephemeral, ECDHE keys being generated by the server as needed. These ephemeral keys are signed by the ECDSA key. A similar design would have an Ed25519 key in the X.509 certificate and curve25519 used for ECDHE. I don't believe there's anything needed to get that working save for switching out the algorithms."

Timeline notes

X25519 support coming soon!

  • shibari intends to support DNSCurve
  • kage — WIP Kotlin implementation of the age file encryption format
  • identity encryption in 3GPP 5G — for protection against IMSI catchers
  • Skype is beta testing a "Private Conversations" feature, powered by Signal Protocol
  • Mastodon — "Add end-to-end encryption API"
  • WireGuard in kernel for NetBSD
  • MinimaLT — A super fast, super secure transport protocol
  • Ethos — An operating system to make it far easier to write applications that withstand attack
  • Microsoft TLS
  • Zcash — a decentralized and open source cryptocurrency using groundbreaking cryptography (details)
  • Monero — is moving to ZMTP for p2p transport, enforcing CurveZMQ only between peers
  • Upspin — "TODO(ehg) add "25519": x/crypto/curve25519, github.com/agl/ed25519"
  • dotp-crypt — dOTP library
  • Tendermint — Simple, Secure, Scalable Blockchain Platform
  • antinet-before-yedino — safe decentralized network for data and contracts
  • nnathan-noiseprotocol — Noise Protocol in Python
  • messagesodium — Patches ActiveSupport's MessageEncryptor to use libsodium
  • x25519-workshop — Pure JS ES2015 Implementaion of the Curve25519 Diffie-Hellman function
  • petmail — secure messaging, file-transfer, and directory synchronization
  • End-To-End — a Chrome extension that helps you encrypt, decrypt, digital sign, and verify signed messages within the browser using OpenPGP
  • curve_tun — TCP tunnels secured by Curve25519
  • pouch-box — Asymmetric encrypted PouchDB, powered by NaCl's curve25519-xsalsa20-poly1305
  • Blight — a Tox client written in Racket that utilizes libtoxcore-racket
  • GnuPG — end-to-end encrypted email. Note: Alternatives like age support Curve25519 now!

"Powered by Curve25519"

from https://ianix.com/pub/curve25519-deployment.html 

 

No comments:

Post a Comment