README
Rejewski
A TLS/SSL client/server communication tool named after Marian Rejewski who along with others helped defeat Nazi Germany by breaking the Enigma Cipher Machine.
Version
Currently alpha (v0.0.9), almost ready for beta. The current roadmap should give you a clear indicator as to the development progress.
Why?
This project aims to serve as a stop gap for mission critical data transports from machine to machine over insecure channels.
Its primary function is to provide a secondary RSA key exchange
following the initial SSL/TLS handshake,
coupled with a Diffie-Hellman secret key exchange
along with message digests
to create a stream
to emit digitally signed payloads through.
This provides greater protections in the event of the following MITM scenarios:
Features
- Implements both a
server
& aclient
mode for package simplicity. - Utilizes strong TLS/SSL mode ciphers.
- Diffie-Hellman key exchange in the event of cipher downgrades & other MITM scenarios.
- Uses both RSA signatures combined with HMAC message digests to assist in message tampering.
- Volitile memory protections in the presence of memory scraping malware. Please note that race conditions exist when volitile memory is accessed
- Event binding can be used to customize payloads for both client & server payloads.
- Process separation (separation of duties) by using separate keys per connection to isolate data streams in the event of a singular private key compromise.
- Customized storage available. By default the RSA, DH keyring data is stored in memory during runtime. This does not scale well but you can extend this quite easily following the custom store guide from the wiki.
Registration
For a better overview of how this project performs a registration process over insecure channels for new peers please review the current diagram.
Options
The option list for both methods
is the same, here is the current public
configuration options.
host
- TLS/SSL, express or connect server instancekey
- TLS/SSL private key if not using express or connectcert
- TLS/SSL certificate if not using express or connectca
- TLS/SSL CA if not using express or connectstrict
- Force CA certificate signing between client/server (recommended)store
- Key store for communications (not yet implemented)passphrase
- TLS/SSL private key passphraseclockskew
- Time (ms) before invaliation of payloadslog
- Enable or disable event loggingrequestCert
- Use client certificates (authentication)honorCipherOrder
- Force cipher negotitian requirementsrejectUnauthorized
- Force client certificate authciphers
- List of TLS/SSL ciphers (Change at your own risk)
Example
A simple example of customizing the configuration options:
var opts = {
host: 'server.example',
port: 1337,
cert: 'path/to/cert.pem',
key: 'path/to/key.pem',
ca: 'path/to/ca.pem',
passphrase: '123, easy as abc. abc, easy as 123'
}
Methods
Currently Rejewski supports two methods or modes. Both methods support listening & emitting events allowing for easy customizations.
Server
As server instance we can listen for & emit events to any connected clients.
Example
An example initialization of Rejewski
as a server:
var Marian = require('Rejewski')
, Server = Marian.Rejewski('server', opts);
Client
As a client instance we can listen & emit events to any connected servers.
Example
An example initialization of Rejewski
as a client:
var Marian = require('Rejewski')
, Client = Marian.Rejewski('client', opts);
Events
For more information regarding events
for both read-only
& writable
streams please see the wiki.