rejewski

A TLS/SSL client/server communication tool named after Marian Rejewski who along with others helped defeat Nazi Germany by breaking the Enigma Cipher Machine.

Rejewski

A TLS/SSL client/server communication tool named after Marian Rejewski who along with others helped defeat Nazi Germany by breaking the Enigma Cipher Machine.

Version

Currently alpha (v0.0.9), almost ready for beta. The current roadmap should give you a clear indicator as to the development progress.

Why?

This project aims to serve as a stop gap for mission critical data transports from machine to machine over insecure channels.

Its primary function is to provide a secondary RSA key exchange following the initial SSL/TLS handshake, coupled with a Diffie-Hellman secret key exchange along with message digests to create a stream to emit digitally signed payloads through.

This provides greater protections in the event of the following MITM scenarios:

Features

  • Implements both a server & a client mode for package simplicity.
  • Utilizes strong TLS/SSL mode ciphers.
  • Diffie-Hellman key exchange in the event of cipher downgrades & other MITM scenarios.
  • Uses both RSA signatures combined with HMAC message digests to assist in message tampering.
  • Volitile memory protections in the presence of memory scraping malware. Please note that race conditions exist when volitile memory is accessed
  • Event binding can be used to customize payloads for both client & server payloads.
  • Process separation (separation of duties) by using separate keys per connection to isolate data streams in the event of a singular private key compromise.
  • Customized storage available. By default the RSA, DH keyring data is stored in memory during runtime. This does not scale well but you can extend this quite easily following the custom store guide from the wiki.

Registration

For a better overview of how this project performs a registration process over insecure channels for new peers please review the current diagram.

Options

The option list for both methods is the same, here is the current public configuration options.

  • host - TLS/SSL, express or connect server instance
  • key - TLS/SSL private key if not using express or connect
  • cert - TLS/SSL certificate if not using express or connect
  • ca - TLS/SSL CA if not using express or connect
  • strict - Force CA certificate signing between client/server (recommended)
  • store - Key store for communications (not yet implemented)
  • passphrase - TLS/SSL private key passphrase
  • clockskew - Time (ms) before invaliation of payloads
  • log - Enable or disable event logging
  • requestCert - Use client certificates (authentication)
  • honorCipherOrder - Force cipher negotitian requirements
  • rejectUnauthorized - Force client certificate auth
  • ciphers - List of TLS/SSL ciphers (Change at your own risk)

A simple example of customizing the configuration options:

var opts = {
  host: 'server.example',
  port: 1337,
  cert: 'path/to/cert.pem',
  key: 'path/to/key.pem',
  ca: 'path/to/ca.pem',
  passphrase: '123, easy as abc. abc, easy as 123'
}

Methods

Currently Rejewski supports two methods or modes. Both methods support listening & emitting events allowing for easy customizations.

As server instance we can listen for & emit events to any connected clients.

An example initialization of Rejewski as a server:

var Marian = require('Rejewski')
  , Server = Marian.Rejewski('server', opts);

As a client instance we can listen & emit events to any connected servers.

An example initialization of Rejewski as a client:

var Marian = require('Rejewski')
  , Client = Marian.Rejewski('client', opts);

For more information regarding events for both read-only & writable streams please see the wiki.