Currently alpha (v0.0.9), almost ready for beta. The current roadmap should give you a clear indicator as to the development progress.
This project aims to serve as a stopgap for mission-critical data transports from machine to machine over insecure channels.
Its primary function is to provide a secondary RSA key exchange following the initial SSL/TLS handshake, coupled with a Diffie-Hellman secret key exchange along with message digests, to create a stream to emit digitally signed payloads through.
This provides greater protections in the event of the following MITM scenarios:
- Implements both a server & client mode for package simplicity.
- Utilizes strong TLS/SSL mode ciphers.
- Diffie-Hellman key exchange in the event of cipher downgrades & other MITM scenarios.
- Uses RSA signatures combined with HMAC message digests to help detect message tampering.
- Volatile memory protections in the presence of memory scraping malware. Please note that race conditions exist when volatile memory is accessed.
- Event binding can be used to customize payloads for both client & server.
- Process separation (separation of duties) by using separate keys per connection to isolate data streams in the event of a singular private key compromise.
- Customized storage available. By default the RSA and DH keyring data is stored in memory during runtime. This does not scale well, but you can extend this quite easily following the custom store guide from the wiki.
For a better overview of how this project performs a registration process over insecure channels for new peers, please review the current diagram.
The option list for both methods is the same, here is the current public
- host - TLS/SSL, express or connect server instance
- key - TLS/SSL private key if not using express or connect
- cert - TLS/SSL certificate if not using express or connect
- ca - TLS/SSL CA if not using express or connect
- strict - Force CA certificate signing between client/server (recommended)
- store - Key store for communications (not yet implemented)
- passphrase - TLS/SSL private key passphrase
- clockskew - Time (ms) before invalidation of payloads
- log - Enable or disable event logging
- requestCert - Use client certificates (authentication)
- honorCipherOrder - Force cipher negotiation requirements
- rejectUnauthorized - Force client certificate auth
- ciphers - List of TLS/SSL ciphers (Change at your own risk)
A simple example of customizing the configuration options:
```javascript
var opts = {
  host: 'server.example',
  port: 1337,
  cert: 'path/to/cert.pem',
  key: 'path/to/key.pem',
  ca: 'path/to/ca.pem',
  passphrase: '123, easy as abc. abc, easy as 123'
};
```
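The feature list pairs RSA signatures with HMAC digests on top of a Diffie-Hellman exchange, and the clockskew option bounds how long a payload stays valid. The following Node.js example is added here and is not Rejewski's own code: it shows one way those three checks can combine on a single payload. The envelope layout, the function names, the modp14 group and SHA-256 are all assumptions.

```javascript
// Added illustration, not Rejewski's code: all function and field names are hypothetical.
const crypto = require('crypto');

// Each peer owns an RSA signing key pair and a Diffie-Hellman key pair.
function newPeer() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const dh = crypto.getDiffieHellman('modp14'); // 2048-bit group from RFC 3526
  dh.generateKeys();
  return { publicKey, privateKey, dh };
}

// Hash the raw DH secret down to a fixed-length HMAC key.
function sharedKey(peer, otherDhPublicKey) {
  const secret = peer.dh.computeSecret(otherDhPublicKey);
  return crypto.createHash('sha256').update(secret).digest();
}

// Envelope: timestamped message, HMAC under the DH key, RSA signature over both.
function seal(body, sender, key, now = Date.now()) {
  const msg = JSON.stringify({ body, ts: now });
  const mac = crypto.createHmac('sha256', key).update(msg).digest('hex');
  const sig = crypto.sign('sha256', Buffer.from(msg + mac), sender.privateKey);
  return { msg, mac, sig: sig.toString('base64') };
}

// Returns the body, or throws on a bad HMAC, bad signature or stale timestamp.
function unseal(env, senderPublicKey, key, clockskew, now = Date.now()) {
  const want = crypto.createHmac('sha256', key).update(env.msg).digest();
  const got = Buffer.from(String(env.mac), 'hex');
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    throw new Error('bad hmac');
  }
  const signed = Buffer.from(env.msg + env.mac);
  const sig = Buffer.from(String(env.sig), 'base64');
  if (!crypto.verify('sha256', signed, senderPublicKey, sig)) {
    throw new Error('bad signature');
  }
  const { body, ts } = JSON.parse(env.msg); // parse only after both checks pass
  if (Math.abs(now - ts) > clockskew) throw new Error('stale payload');
  return body;
}
```

The HMAC binds the payload to the per-connection DH secret while the RSA signature binds it to the sender's long-term key, so a party holding only one of the two cannot forge an accepted payload.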
Currently Rejewski supports two methods or modes. Both methods support listening & emitting events allowing for easy customizations.
As a server instance we can listen for & emit events to any connected clients.
An example initialization of Rejewski as a server:
```javascript
var Marian = require('Rejewski'),
    Server = Marian.Rejewski('server', opts);
```
As a client instance we can listen for & emit events to any connected servers.
An example initialization of Rejewski as a client:
```javascript
var Marian = require('Rejewski'),
    Client = Marian.Rejewski('client', opts);
```
For more information regarding events for both streams please see the wiki.