secret-handshake
Advanced tools
secure-channel based on a a mutually authenticating key agreement handshake, with forward secure identity metadata.
For a full explaination of the design, read the Design Paper
This protocol derives shared keys and mutually authenticates both ends of the connection. The shared secrets are forward secure, and so is the identity metadata.
by "forward secure identity metadata" I mean:
And also:
note: a wrong number is just an accidental man in the middle.
By "confirm" I mean check a guess at the public key. By "learn" I mean that you can either extract the public key, or confirm the public key.
Also note that if the server decides not to authenticate a client, it will learn their public key. To get to this stage, the client must know the server's key, so now the client and server both know each others key. This is fair.
This protocol cannot hide your ip address. This protocol does not attempt to obscure packet boundries. If a man in the middle or wrong number later compromises the server's key, they will be able to extract the client key from the client's hello packet.
The simplest way to use secret-handshake is to use
require('secret-handshake/net'), a wrapper around net.
This makes it easy to create encrypted tcp connections.
pull-streams are used. learn about how pull-streams from these examples
sodium is required to generate key pairs.
var createNode = require('secret-handshake/net')
var sodium = require('sodium').api
var appKey = ... //32 random bytes
var aliceKey = sodium.crypto_sign_keypair() //client
var bobKey = sodium.crypto_sign_keypair() //server
var alice = createNode({
keys: aliceKey,
appKey: appKey
})
var bob = createNode({
keys: bobKey,
appKey: appKey,
//the authenticate function is required to receive calls.
authenticate: function (pub, cb) {
//decide whether to allow access to pub.
if(yes) cb(null, truthy)
else cb(new Error('reason'))
//The client WILL NOT see the unauthentication reason
}
})
//now, create a server (bob) and connect a client (alice)
bob.createServer(function (stream) {
pull(source, stream, sink)
}).listen(8978, function () {
var stream =
alice.connect({port: 8979, host: 'localhost', keys: bob.publicKey})
pull(source, stream, sink)
})
MIT
FAQs
a simple and highly private secure-channel protocol
The npm package secret-handshake receives a total of 136 weekly downloads. As such, secret-handshake popularity was classified as not popular.
We found that secret-handshake demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.
Security News
PyPI now supports digital attestations, enhancing security and trust by allowing package maintainers to verify the authenticity of Python packages.
Security News
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.