
Commit 2aa5a52

committed
Crypto Middleware updates
Clear Buffers Use prior session keys
1 parent 307c8eb commit 2aa5a52


16 files changed

+90
-41
lines changed


profiles/profile.cert

0 Bytes
Binary file not shown.

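--- a/scripts/certificates.js
+++ b/scripts/certificates.js
@@ -9,9 +9,10 @@ await profile.saveToKeychain('profile.cert', `${dirname}/../profiles`, 'password
 const UWCertificate = await domainCertificate({
 entity: 'universalweb.io',
 // ownerHash: profile.getSignature(),
-signatureAlgorithm: 1,
+signatureAlgorithm: 3,
 cipherSuites: [
 0,
+1,
 // 1,
 // 2,
 // 3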

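--- a/scripts/client/connectRequest.js
+++ b/scripts/client/connectRequest.js
@@ -7,7 +7,7 @@ console.time('Connected');
 // Universal Web Client Socket
 const uwClient = await client({
 destinationCertificate: `${currentPath(import.meta)}/../../udsp/dis/cache/universalWebPublic.cert`,
-cipherSuite: 3,
+cipherSuite: 0,
 });
 const connection = await uwClient.connect();
 console.log(connection);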

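--- a/scripts/crystals-kyber.js
+++ b/scripts/crystals-kyber.js
@@ -5,7 +5,6 @@ import { randomBuffer } from '#crypto';
 import { slh_dsa_sha2_128f as sph } from '@noble/post-quantum/slh-dsa';
 import { x25519 } from '@noble/curves/ed25519';
 import zlib from 'node:zlib';
-// TODO: Implement Kyber1024, Kyber512, Kyber768 into one option for encryption
 const seed = randomBuffer(64);
 async function doKyber() {
 // const aliceSigKeys = sph.keygen();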

serverApp/certs/universalWeb.cert

1.97 KB
Binary file not shown.
609 Bytes
Binary file not shown.

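--- a/todo.md
+++ b/todo.md
@@ -41,3 +41,5 @@ A future feature which can take advantage of JUMBO Frames for intranet situation
 Add universal request type that can handle all data sections params data could be no reason to have method types or are they usefull to help determine what basic server operations
 
 consider hashing all prior generated keys into new ones
+
+Avoid repeated Math limit packet math to cached only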

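--- a/udsp/cryptoMiddleware/cipherSuite/Kyber768_xChaCha.js
+++ b/udsp/cryptoMiddleware/cipherSuite/Kyber768_xChaCha.js
@@ -15,7 +15,8 @@ const {
 toBase64,
 toHex,
 combineKeys,
-clearBuffer
+clearBuffer,
+clearBuffers
 } = defaultCrypto;
 const { id: encryptionKeypairID, } = kyber768;
 const hash = blake3;
@@ -63,8 +64,10 @@ export const kyber768_xChaCha = {
 },
 async clientExtendedHandshake(source, destination) {
 console.log('TRIGGERED client ExtendedHandshake', source.transmitKey, source.sharedSecret);
-source.transmitKey = combineKeys(source.transmitKey, source.sharedSecret);
+const oldTransmitKey = source.transmitKey;
+source.transmitKey = combineKeys(oldTransmitKey, source.sharedSecret);
 source.receiveKey = source.transmitKey;
+clearBuffer(oldTransmitKey);
 clearBuffer(source.sharedSecret);
 clearBuffer(source.cipherData);
 source.sharedSecret = null;
@@ -127,8 +130,12 @@ export const kyber768_xChaCha = {
 async serverSetSession(source, destination) {
 console.log('serverSetSession');
 const sharedSecret = source.sharedSecret;
-source.transmitKey = combineKeys(source.transmitKey, sharedSecret);
+const oldTransmitKey = source.transmitKey;
+source.transmitKey = combineKeys(oldTransmitKey, sharedSecret);
 source.receiveKey = source.transmitKey;
+clearBuffer(oldTransmitKey);
+clearBuffer(source.sharedSecret);
+clearBuffer(source.cipherData);
 clearBuffer(source.sharedSecret);
 source.sharedSecret = null;
 source.nextSession = null;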
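Review bot: The `console.log('TRIGGERED client ExtendedHandshake', source.transmitKey, source.sharedSecret)` line at the top of clientExtendedHandshake still prints the full transmit key and shared secret, so the `clearBuffer(oldTransmitKey)` added below it does not remove the key material from wherever stdout is collected; drop the log or print only `.length`. In serverSetSession the added `clearBuffer(source.sharedSecret);` is followed directly by the pre-existing identical call, so one of the two can go. Both functions also assign `source.receiveKey = source.transmitKey`, so the two directions share one buffer; a comment such as `// receive and transmit intentionally share one key buffer; clearing either wipes both` would make that explicit, assuming it is intended. Both function bodies continue past the end of their hunks.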

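--- a/udsp/cryptoMiddleware/cipherSuite/x25519_Kyber768Half_xChaCha.js
+++ b/udsp/cryptoMiddleware/cipherSuite/x25519_Kyber768Half_xChaCha.js
@@ -1,6 +1,6 @@
 // Closed source not for private and or corporate use.
 import * as defaultCrypto from '#crypto';
-import { assign, clearBuffer, isBuffer } from '@universalweb/acid';
+import { assign, clear, isBuffer } from '@universalweb/acid';
 import {
 clientSetSession,
 encryptionKeypair as encryptionKeypair25519,
@@ -19,7 +19,9 @@ const {
 combineKeys,
 getX25519Key,
 getKyberKey,
-get2519KeyCopy
+get25519KeyCopy,
+clearBuffers,
+clearBuffer
 } = defaultCrypto;
 const {
 generateSeed,
@@ -59,20 +61,28 @@ export const x25519_kyber768Half_xchacha20 = {
 publicKey: getX25519Key(source.publicKey),
 privateKey: getX25519Key(source.privateKey)
 };
-destination.publicKey = get2519KeyCopy(cipherData);
-const x25519SessionKeys = clientSetSession(sourceKeypair25519, destination, source);
+const {
+transmitKey: oldTransmitKey,
+receiveKey: oldReceiveKey
+} = source;
+destination.publicKey = get25519KeyCopy(cipherData);
+const x25519SessionKeys = clientSetSession(sourceKeypair25519, destination, sourceKeypair25519);
 const cipherText = getKyberKey(cipherData);
 const kyberPrivateKey = getKyberKey(source.privateKey);
 console.log(cipherText, kyberPrivateKey);
-const kyberSharedSecret = await decapsulate(cipherText, kyberPrivateKey);
-console.log('clientSetSession kyberSharedSecret', kyberSharedSecret[0], kyberSharedSecret.length);
-source.transmitKey = combineKeys(source.transmitKey, kyberSharedSecret);
-source.receiveKey = combineKeys(source.receiveKey, kyberSharedSecret);
+const sharedSecret = await decapsulate(cipherText, kyberPrivateKey);
+console.log('clientSetSession sharedSecret', sharedSecret[0], sharedSecret.length);
+const newTransmitKey = combineKeys(oldTransmitKey, sourceKeypair25519.transmitKey, sharedSecret);
+const newReceiveKey = combineKeys(oldReceiveKey, sourceKeypair25519.receiveKey, sharedSecret);
+clearBuffers(oldTransmitKey, x25519SessionKeys.transmitKey, sharedSecret);
+clearBuffers(oldReceiveKey, x25519SessionKeys.receiveKey);
+source.transmitKey = newTransmitKey;
+source.receiveKey = newReceiveKey;
 console.log('Keys', source.transmitKey[0], source.receiveKey[0]);
 },
 async serverInitializeSession(source, destination, cipherData) {
 console.log('serverInitializeSession CIPHER', toHex(cipherData));
-destination.publicKey = get2519KeyCopy(cipherData);
+destination.publicKey = get25519KeyCopy(cipherData);
 await serverSetSessionAttach(source, destination);
 source.nextSession = await kyber768Half_x25519.serverEphemeralKeypair(source, destination, cipherData);
 clearBuffer(cipherData);
@@ -83,24 +93,29 @@ export const x25519_kyber768Half_xchacha20 = {
 frame[3] = source.nextSession.publicKey;
 },
 async serverSetSession(source, destination) {
-console.log('serverSetSession');
-if (source.nextSession) {
-assign(source, source.nextSession);
-source.nextSession = null;
-const sourceKeypair25519 = {
-publicKey: getX25519Key(source.publicKey),
-privateKey: getX25519Key(source.privateKey)
-};
-console.log('serverSetSession nextSession', sourceKeypair25519, destination);
-const x25519SessionKeys = serverSetSession(sourceKeypair25519, destination, source);
-const sharedSecret = source.sharedSecret;
-source.transmitKey = combineKeys(source.transmitKey, sharedSecret);
-source.receiveKey = combineKeys(source.receiveKey, sharedSecret);
-console.log('kyberSharedSecret', sharedSecret[0]);
-clearBuffer(sharedSecret);
-source.sharedSecret = null;
-console.log('Keys', source.transmitKey[0], source.receiveKey[0]);
-}
+console.log('server Setting Session');
+const {
+nextSession,
+transmitKey: oldTransmitKey,
+receiveKey: oldReceiveKey
+} = source;
+const nextSessionKeypair25519 = {
+publicKey: getX25519Key(nextSession.publicKey),
+privateKey: getX25519Key(nextSession.privateKey)
+};
+console.log('serverSetSession nextSession', nextSessionKeypair25519, destination);
+const x25519SessionKeys = serverSetSession(nextSessionKeypair25519, destination, nextSessionKeypair25519);
+const sharedSecret = nextSession.sharedSecret;
+const newTransmitKey = combineKeys(oldTransmitKey, x25519SessionKeys.transmitKey, sharedSecret);
+const newReceiveKey = combineKeys(oldReceiveKey, x25519SessionKeys.receiveKey, sharedSecret);
+clearBuffers(oldTransmitKey, x25519SessionKeys.transmitKey, sharedSecret);
+clearBuffers(oldReceiveKey, x25519SessionKeys.receiveKey);
+source.transmitKey = newTransmitKey;
+source.receiveKey = newReceiveKey;
+console.log('sharedSecret', sharedSecret[0]);
+source.sharedSecret = null;
+source.nextSession = null;
+console.log('Keys', source.transmitKey[0], source.receiveKey[0]);
 },
 generateSeed,
 keypair,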
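Review bot: serverSetSession now reads `nextSession.publicKey` and `nextSession.privateKey` unconditionally, where the removed body ran only under `if (source.nextSession)`; because the function ends with `source.nextSession = null`, a repeat call, or one made before serverInitializeSession has staged a session, throws a TypeError part-way through re-keying. Restore the guard right after the destructuring, e.g. `if (!nextSession) { return; }`. The added `console.log('serverSetSession nextSession', nextSessionKeypair25519, destination)` prints an object holding the X25519 private key, and `console.log(cipherText, kyberPrivateKey)` in the client path prints the Kyber private key, which undoes the buffer clearing this commit introduces; log lengths or nothing. In the client path `combineKeys` reads `sourceKeypair25519.transmitKey` and `.receiveKey` while `clearBuffers` wipes `x25519SessionKeys.*`; presumably these are the same object, but using `x25519SessionKeys` in both places, as serverSetSession does, would make that evident. The client function begins above its hunk, so its name and earlier statements are not visible here.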

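--- a/udsp/cryptoMiddleware/cipherSuite/x25519_xChaCha.js
+++ b/udsp/cryptoMiddleware/cipherSuite/x25519_xChaCha.js
@@ -69,6 +69,7 @@ export const x25519_xChaCha = {
 receiveKey
 } = source;
 combineSessionKeys(source, oldTransmitKey, oldReceiveKey);
+clearBuffers(oldTransmitKey, oldReceiveKey);
 },
 async serverEphemeralKeypair(destination) {
 const source = encryptionKeypair();
@@ -99,6 +100,7 @@ export const x25519_xChaCha = {
 }
 await serverSetSessionAttach(source, destination);
 combineSessionKeys(source, oldTransmitKey, oldReceiveKey);
+clearBuffers(oldTransmitKey, oldReceiveKey);
 },
 async ephemeralKeypair(destination) {
 const generatedKeypair = encryptionKeypair();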
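Review bot: `clearBuffers` is called in both hunks, but this file's section consists of only those two added lines, with no import or destructuring change, whereas in the two Kyber suites the same commit adds `clearBuffers` to the `defaultCrypto` destructuring. Unless the name was already in scope in this file, the first re-key throws a ReferenceError; if it is missing, add it alongside the file's other crypto helpers. It is also worth confirming that `combineSessionKeys` copies out of `oldTransmitKey` and `oldReceiveKey` rather than retaining references, since both buffers are cleared on the very next line. Both enclosing functions start above their hunks, so where the old keys are captured is not visible here.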
