timkuijsten
commented
9 years ago After some research it shows that NaCl might be the right choice [1,2,3,4]. This allows for direct encryption and authentication of both sides, using some simple, modern and fast ciphers.
By not choosing TLS we can avoid using OpenSSL, X.509 and ASN.1 code (which is a lot of code)[5] and require users to only generate one long standing Ed25519 key. These keys are faster and because of the limited size more portable than RSA keys. Furthermore this design choice shortcuts the whole CA system and all trouble and trust that comes with it.
Protocol synopsis:
- Client connects with server over TCP port 2344
- Server sends a cryptographically secure random nonce
- Client generates a reply and signs this using the long term private key. The message contains:
- the nonce received by the server
- a newly generated public key
- Server validates signature and uses new public key as a session key
- further nonces for this session are simple incremental numbers, the client uses monotonically increasing odd numbers, the server uses monotonically increasing even numbers.
This simple protocol is forward secure [6] and protects against replay attacks
[1] https://github.com/jedisct1/libsodium.js/issues/21 [2] http://cr.yp.to/highspeed/coolnacl-20120725.pdf [3] http://tweetnacl.cr.yp.to/tweetnacl-20140917.pdf [4] https://www.imperialviolet.org/2015/05/16/aeads.html [5] http://www.daemonology.net/blog/2009-09-28-securing-https.html [6] http://crypto.stackexchange.com/questions/16276/perfect-forward-secrecy-with-nacl
read: https://cryptojedi.org/peter/data/span-20091204.pdf http://lwn.net/Articles/579044/ http://engineering.bittorrent.com/2014/12/11/authentication-and-forward-secrecy-in-bleep/ http://blog.weave.works/author/awharrison/ http://rdist.root.org/2009/07/14/nacl-djbs-new-crypto-library/ http://blog.cryptographyengineering.com/2013/07/tweetnacl.html http://www.bsdcan.org/2010/schedule/attachments/135_crypto1hr.pdf
to read: https://threema.ch/press-files/cryptography_whitepaper.pdf https://tools.ietf.org/html/rfc4253 The Secure Shell (SSH) Transport Layer Protocol http://cr.yp.to/highspeed/naclcrypto-20090310.pdf http://nacl.cr.yp.to/securing-communication.pdf https://whispersystems.org/blog/advanced-ratcheting/ https://tlswg.github.io/tls13-spec/ https://pond.imperialviolet.org/tech.html https://codesinchaos.wordpress.com/tag/curvecp/ https://download.libsodium.org/doc/public-key_cryptography/authenticated_encryption.html https://paragonie.com/blog/2015/05/using-encryption-and-authentication-correctly http://www.daemonology.net/blog/2009-09-04-complexity-is-insecurity.html
Unfortunately LibreSSL isn't going to be included anytime soon (see https://github.com/iojs/io.js/issues/428). But maybe an integrated ssh client (i.e. using https://www.npmjs.com/package/ssh2) is an easier to setup and more secure alternative then a nodejs SSL server.