cryptography api
Sponsored Links
Sponsored Links
Secleted [ 0 ] software to compare
Results 1 - 15 of about 1743
Flux 0.10.0
Flux is an easy-to-use crypto, compression, I/O, and memory management library. more>>
Flux is an easy-to-use crypto, compression, I/O, and memory management library.
Flux consists of utility APIs that apply compression and strong cryptography to I/O channels (file or network), do strong hashing, and exchange C structs in an architecture-independent fashion.
It also provides n-ary trees whose contents can be serialized to human-readable files or network streams, along with some related utilities. It is written in C and integrates with the GLib main loop.
<<lessFlux consists of utility APIs that apply compression and strong cryptography to I/O channels (file or network), do strong hashing, and exchange C structs in an architecture-independent fashion.
It also provides n-ary trees whose contents can be serialized to human-readable files or network streams, along with some related utilities. It is written in C and integrates with the GLib main loop.
Download (0.13MB)
Added: 2006-03-21 License: GPL (GNU General Public License) Price:
1863 downloads
Ajisai 0.4.0
Ajisai is a C++ SSL/TLS library. more>>
Ajisai is a SSL/TLS implementation written entirely from scratch in C++. It uses Botan for performing the cryptography and X.509 handling.
This is an alpha release, it is virtually certain that incompatible API changes will be made in the future. Suggestions on weak points in the API are most welcome. As of now, Ajisai is somewhat fragile, and does not make available many of the features TLS offers.
Currently only SSLv3 and TLS 1.0 are supported; TLS 1.1 and DLTS will be supported in future releases. At this point is can be built only on Unix and Unix-like systems, but that will change eventually.
TODO:
Bugs:
- We assume one recordone handshake message, this is not true for IIS/IE, probably lots of other stuff.
- No support for client authentication on either end (currently some code for it, but disabled as its completely broken).
Protocol:
- TLS 1.1
- TLS extensions
- DTLS
- Reading a SSLv2 client hello
- Session caching
- Compression support
- Anonymous Diffie-Hellman, maybe. Its useful in some contexts.
- OpenPGP key support
Server:
- We want to be able to multiplex multiple Server objects at once (multiple clients). This will probably be based on a Socket* select(2) wrapper, but I might end up leaving it to the application.
Sockets:
- IPv6 support
- IPv4 + IPv6 UDP sockets (for DTLS)
- Write a select() wrapper
- Support Win32 sockets (IPv4/IPv6)
<<lessThis is an alpha release, it is virtually certain that incompatible API changes will be made in the future. Suggestions on weak points in the API are most welcome. As of now, Ajisai is somewhat fragile, and does not make available many of the features TLS offers.
Currently only SSLv3 and TLS 1.0 are supported; TLS 1.1 and DLTS will be supported in future releases. At this point is can be built only on Unix and Unix-like systems, but that will change eventually.
TODO:
Bugs:
- We assume one recordone handshake message, this is not true for IIS/IE, probably lots of other stuff.
- No support for client authentication on either end (currently some code for it, but disabled as its completely broken).
Protocol:
- TLS 1.1
- TLS extensions
- DTLS
- Reading a SSLv2 client hello
- Session caching
- Compression support
- Anonymous Diffie-Hellman, maybe. Its useful in some contexts.
- OpenPGP key support
Server:
- We want to be able to multiplex multiple Server objects at once (multiple clients). This will probably be based on a Socket* select(2) wrapper, but I might end up leaving it to the application.
Sockets:
- IPv6 support
- IPv4 + IPv6 UDP sockets (for DTLS)
- Write a select() wrapper
- Support Win32 sockets (IPv4/IPv6)
Download (0.14MB)
Added: 2005-10-06 License: GPL (GNU General Public License) Price:
1478 downloads
Cyfer 0.6.0
Cyfer is a portable modular low-level cryptographic library. more>>
Cyfer is a portable low-level cryptographic library with support for several programming languages. Cyfer provides implementations of many message digest (hash), block and stream cipher, and public-key algorithms.
The library is extremely modular, providing easy way to add or modify algorithm implementations, or even separating the particular algorithm from the library physically (suitable for embedded environments).
The generic API provides a consistent way to use the library algorithms, and allows for algorithm selection at either the compile time or at runtime, so the application which uses Cyfer can be completely unaware of the algorithm specifics.
Cyfer is a low-level library. It deals only with various algorithms, and completely avoids the problems of data representation.
This is most evident in public-key sections; cyfer completely avoids the existing Public Key Infrastructure (PKI) standards. If you need this functionality, use the excellent and free OpenSSL, or some similar library.
The library design concept emphasises on simplicity and elegance (of both the algorithm implementations (if possible:) and the support library code), not maximizing performance or minimizing memory footprint.
The algorithm implementations are straightforward, so they can be used for educational purposes.
Cyfer is portable to any platform with sane C development environment, the only requirement being the availability of the GMP (GNU Multiple Precision arithmetic) library.
As the GMP is used only for public-key cryptography, hash or symmetric cipher components should work everywhere.
Enhancements:
- moved wrappers to separate packages
- unbundled win32 support gmp library
- polished the documentation
- polished the build process and package creation
<<lessThe library is extremely modular, providing easy way to add or modify algorithm implementations, or even separating the particular algorithm from the library physically (suitable for embedded environments).
The generic API provides a consistent way to use the library algorithms, and allows for algorithm selection at either the compile time or at runtime, so the application which uses Cyfer can be completely unaware of the algorithm specifics.
Cyfer is a low-level library. It deals only with various algorithms, and completely avoids the problems of data representation.
This is most evident in public-key sections; cyfer completely avoids the existing Public Key Infrastructure (PKI) standards. If you need this functionality, use the excellent and free OpenSSL, or some similar library.
The library design concept emphasises on simplicity and elegance (of both the algorithm implementations (if possible:) and the support library code), not maximizing performance or minimizing memory footprint.
The algorithm implementations are straightforward, so they can be used for educational purposes.
Cyfer is portable to any platform with sane C development environment, the only requirement being the availability of the GMP (GNU Multiple Precision arithmetic) library.
As the GMP is used only for public-key cryptography, hash or symmetric cipher components should work everywhere.
Enhancements:
- moved wrappers to separate packages
- unbundled win32 support gmp library
- polished the documentation
- polished the build process and package creation
Download (0.33MB)
Added: 2005-10-08 License: BSD License Price:
1476 downloads
CryptoServer 1.0
Community CryptoServer is server-side cryptography tool that runs as a daemon. more>>
CryptoServer is OpenSource Server-side cryptography tool and run as daemon.
It is already tested in very busy environment and can support over one million transaction an hour.
CryptoServer accept the GPL License and can use it for any purpose as is.
<<lessIt is already tested in very busy environment and can support over one million transaction an hour.
CryptoServer accept the GPL License and can use it for any purpose as is.
Download (0.063MB)
Added: 2005-10-31 License: GPL (GNU General Public License) Price:
1453 downloads
Linvpn 3.0
Linvpn is a secure socket layer for pppd. more>>
Linvpn is a secure socket layer for pppd. Linvpn project allows creation of virtual private networks by using an IP routing system between PPP network interfaces.
Cryptography is done by libgcrypts 3DES or blowfish, and Initialization Vector (IV) is changed in each packet transmission.
As linvpn works as client and server, and communication is a single TCP connection, it allows creation of secure tunnels even in complex network layouts, when one or both endpoints are behind a firewall or NAT, with or without dynamic IP addresses.
Linvpn has been tested under Linux, FreeBSD, NetBSD and OpenBSD.
<<lessCryptography is done by libgcrypts 3DES or blowfish, and Initialization Vector (IV) is changed in each packet transmission.
As linvpn works as client and server, and communication is a single TCP connection, it allows creation of secure tunnels even in complex network layouts, when one or both endpoints are behind a firewall or NAT, with or without dynamic IP addresses.
Linvpn has been tested under Linux, FreeBSD, NetBSD and OpenBSD.
Download (0.13MB)
Added: 2006-01-09 License: GPL (GNU General Public License) Price:
1383 downloads
borZoi 1.0.2
borZoi is a C++ Elliptic Curve Cryptography Library. more>>
borZoi is a C++ Elliptic Curve Cryptography Library. borZoi implements the following algorithms using elliptic curves defined over finite fields of characteristic 2 (GF2m):
ECDSA (Elliptic Curve Digital Signature Algorithm)
As specified in ANSI X9.62, FIPS 186-2 and IEEE P1363.
ECIES (Elliptic Curve Integrated Encryption Scheme)
As specified in ANSI X9.63 and the IEEE P1363a Draft.
Elliptic Curve Diffie-Hellman Key Agreement Scheme
As specified in ANSI X9.63 and IEEE P1363.
The AES symmetric encryption scheme (NIST AES draft) and SHA-1 hash algorithm (FIPS 180-1) are also included.
Installation:
borZoi can be built using either an internal math library or Victor Shoups NTL number theory library which provides better performance. If NTL is used, it must be first downloaded from http://www.shoup.net and installed.
GNU Development Tools:
1) (If NTL is not installed) ./configure
(If NTL is installed) ./configure --enable-ntl
2) make
3) make install
Enhancements:
- Fixed a bug in the KDF2 function which caused the effective key length to be limited to a maximum of 160 bits.
- This problem did not affect the security of ECKAS_DH1 because the key length is set to 128 bits, however the security of the 256 bit symmetric key used in ECIES was reduced to an effective key length of 160 bits.
- Corrected the section on KDF2 in the manual so that the oLen parameter refers to the length of the key in bytes not bits.
<<lessECDSA (Elliptic Curve Digital Signature Algorithm)
As specified in ANSI X9.62, FIPS 186-2 and IEEE P1363.
ECIES (Elliptic Curve Integrated Encryption Scheme)
As specified in ANSI X9.63 and the IEEE P1363a Draft.
Elliptic Curve Diffie-Hellman Key Agreement Scheme
As specified in ANSI X9.63 and IEEE P1363.
The AES symmetric encryption scheme (NIST AES draft) and SHA-1 hash algorithm (FIPS 180-1) are also included.
Installation:
borZoi can be built using either an internal math library or Victor Shoups NTL number theory library which provides better performance. If NTL is used, it must be first downloaded from http://www.shoup.net and installed.
GNU Development Tools:
1) (If NTL is not installed) ./configure
(If NTL is installed) ./configure --enable-ntl
2) make
3) make install
Enhancements:
- Fixed a bug in the KDF2 function which caused the effective key length to be limited to a maximum of 160 bits.
- This problem did not affect the security of ECKAS_DH1 because the key length is set to 128 bits, however the security of the 256 bit symmetric key used in ECIES was reduced to an effective key length of 160 bits.
- Corrected the section on KDF2 in the manual so that the oLen parameter refers to the length of the key in bytes not bits.
Download (0.59MB)
Added: 2006-03-15 License: GPL (GNU General Public License) Price:
1374 downloads
jBorZoi 0.90
jBorZoi is a Java Elliptic Curve Cryptography Library. more>>
jBorZoi is a Java Elliptic Curve Cryptography Library. jBorZoi implements the following algorithms using elliptic curves defined over finite fields of characteristic 2 (GF2m):
- ECDSA (Elliptic Curve Digital Signature Algorithm)
As specified in ANSI X9.62, FIPS 186-2 and IEEE P1363.
- ECIES (Elliptic Curve Integrated Encryption Scheme)
As specified in ANSI X9.63 and the IEEE P1363a Draft.
- Elliptic Curve Diffie-Hellman Key Agreement Scheme
As specified in ANSI X9.63 and IEEE P1363.
The AES symmetric encryption scheme is also included.
Quick Start
javac jBorZoi_Examples.java
java jBorZoi_Examples
Future Development
Only bug fixes and changes required for compatibility with cryptographic standards will be added between now and the 1.0.0 release.
Comments and Bug Reports
We welcome any comments or bug reports which you may have, however please note that we cannot accept any patches for legal reasons, because the borZoi code is also used in our commercial products.
Enhancements:
- Changed Fq.compareTo(Fq) and Fq.isZero() to public methods.
- Implemented ECDomainParameters.isValid()
- Changed the ECIES.decrypt() RuntimeException to an Exception
- Changed the ECDSA.initSignature(ECPrivKey) Exception to NoSuchAlgorithmException
- Changed the ECDSA.initVerify(ECPubKey) Exception to NoSuchAlgorithmException
<<less- ECDSA (Elliptic Curve Digital Signature Algorithm)
As specified in ANSI X9.62, FIPS 186-2 and IEEE P1363.
- ECIES (Elliptic Curve Integrated Encryption Scheme)
As specified in ANSI X9.63 and the IEEE P1363a Draft.
- Elliptic Curve Diffie-Hellman Key Agreement Scheme
As specified in ANSI X9.63 and IEEE P1363.
The AES symmetric encryption scheme is also included.
Quick Start
javac jBorZoi_Examples.java
java jBorZoi_Examples
Future Development
Only bug fixes and changes required for compatibility with cryptographic standards will be added between now and the 1.0.0 release.
Comments and Bug Reports
We welcome any comments or bug reports which you may have, however please note that we cannot accept any patches for legal reasons, because the borZoi code is also used in our commercial products.
Enhancements:
- Changed Fq.compareTo(Fq) and Fq.isZero() to public methods.
- Implemented ECDomainParameters.isValid()
- Changed the ECIES.decrypt() RuntimeException to an Exception
- Changed the ECDSA.initSignature(ECPrivKey) Exception to NoSuchAlgorithmException
- Changed the ECDSA.initVerify(ECPubKey) Exception to NoSuchAlgorithmException
Download (0.37MB)
Added: 2006-03-15 License: GPL (GNU General Public License) Price:
1373 downloads
Amazon API Search 1.0.0
Amazon API Search is a script to search Amazon. more>>
Amazon API Search is the beginnings of a perl script to search Amazon.
It interfaces with Amazons API interface and performs whatever search the user desires, it then parses the data returned and inserts it in to an MySQL table.
Currently the script only deals with basic returned data, and does not have a user interface. In future releases I hope to correct this.
The script is certainly worth a look for anyone interested in using Amazons API interface.
<<lessIt interfaces with Amazons API interface and performs whatever search the user desires, it then parses the data returned and inserts it in to an MySQL table.
Currently the script only deals with basic returned data, and does not have a user interface. In future releases I hope to correct this.
The script is certainly worth a look for anyone interested in using Amazons API interface.
Download (0.002MB)
Added: 2006-02-27 License: GPL (GNU General Public License) Price:
1341 downloads
jSaluki 0.82
jSaluki is a small easy to use Java Hyperelliptic Curve Cryptography Library. more>>
jSaluki is a small easy to use Java Hyperelliptic Curve Cryptography Library.
Hyperelliptic Curve Cryptography is still an experimental area so this library is only recommended for research and educational purposes.
Real life cryptosystems should use a more proven method such as Elliptic Curve Cryptography.
Quick Start:
javac jSaluki_Example.java
java jSaluki_Example
<<lessHyperelliptic Curve Cryptography is still an experimental area so this library is only recommended for research and educational purposes.
Real life cryptosystems should use a more proven method such as Elliptic Curve Cryptography.
Quick Start:
javac jSaluki_Example.java
java jSaluki_Example
Download (0.12MB)
Added: 2006-03-13 License: GPL (GNU General Public License) Price:
1323 downloads
JBooleanExpression 1.2
JBooleanExpression is a simple Java API to evaluate a Boolean String Expression. more>>
JBooleanExpression is a simple Java API to evaluate a Boolean String Expression like "!true&&false||true" (parse a Boolean String Expression to a boolean primitive type).
Enhancements:
- Bugs were fixed.
- A demo class was added.
<<lessEnhancements:
- Bugs were fixed.
- A demo class was added.
Download (0.014MB)
Added: 2006-03-14 License: Other/Proprietary License with Source Price:
1322 downloads
GROU.PS Web 2.0 API 0.1
GROU.PS Web is a general purpose PHP API, created for use in Web 2.0 sites. more>>
GROU.PS Web is a general purpose PHP API, created for use in Web 2.0 sites. It includes frequently used design patterns of well known web 2.0 sites. For a correct definiton of Web 2.0, you may want to check http://en.wikipedia.org/wiki/Web_2.0
Our API currently has 2 classes:
1) TagCloud?.class.php
Feed the class with your own data, and create Web 2.0 style tag clouds
2) Utility.class.php
General purpose functions. For instance getStyledDateDiff gives nicely formatted date differences that are in use in digg.com and grou.ps
The APIs are not complete yet. We are open to any ideas, wished coming from you.
Usage:
Tag Cloud Example
< ?php
require_once(/path/to/TagCloud.class.php);
$tc = new TagCloud();
$tc->setMinFontSize(8);
$tc->setMaxFontSize(20);
$tc->setDistributionType(TC_RANDOM_DISTRIBUTION);
$tc->setDataClass(tags);
$tc->addData(love,10);
$tc->addData(sex,20);
$tc->addData(food,5);
$tc->addData(business,1);
$tc->addData(PHP,2);
$res = $tc->generate();
echo $res;
? >
Utility Example:
< ?php
require_once(/path/to/Utility.class.php);
$start_date = "September 21, 1999";
$end_date = "yesterday";
$u = new Utility();
$datediff = $u->getStyledDateDiff($start_date,$end_date);
$birthday = "11 January 1978";
$zodiacsign = $u->getZodiacSign($birthday);
echo $datediff;
echo "
";
echo $zodiacsign;
? >
<<lessOur API currently has 2 classes:
1) TagCloud?.class.php
Feed the class with your own data, and create Web 2.0 style tag clouds
2) Utility.class.php
General purpose functions. For instance getStyledDateDiff gives nicely formatted date differences that are in use in digg.com and grou.ps
The APIs are not complete yet. We are open to any ideas, wished coming from you.
Usage:
Tag Cloud Example
< ?php
require_once(/path/to/TagCloud.class.php);
$tc = new TagCloud();
$tc->setMinFontSize(8);
$tc->setMaxFontSize(20);
$tc->setDistributionType(TC_RANDOM_DISTRIBUTION);
$tc->setDataClass(tags);
$tc->addData(love,10);
$tc->addData(sex,20);
$tc->addData(food,5);
$tc->addData(business,1);
$tc->addData(PHP,2);
$res = $tc->generate();
echo $res;
? >
Utility Example:
< ?php
require_once(/path/to/Utility.class.php);
$start_date = "September 21, 1999";
$end_date = "yesterday";
$u = new Utility();
$datediff = $u->getStyledDateDiff($start_date,$end_date);
$birthday = "11 January 1978";
$zodiacsign = $u->getZodiacSign($birthday);
echo $datediff;
echo "
";
echo $zodiacsign;
? >
Download (0.007MB)
Added: 2006-04-13 License: MIT/X Consortium License Price:
1292 downloads
DBD-InterBase 0.44
DBD-InterBase is a Perl-DBI driver for the Firebird and InterBase Databases, written using the InterBase C API. more>>
DBD-InterBase is a Perl-DBI driver for the InterBase Databases and Firebird, written using the InterBase C API.
<<less Download (0.082MB)
Added: 2006-04-28 License: GPL (GNU General Public License) Price:
1278 downloads
WaMCom 1.3.1
WaMCom is an open source software project, providing modified versions of Mozilla client software. more>>
WaMCom is an open source software project, providing modified versions of Mozilla client software. WaMCom comes from Web and Mail Communicator.
End users are looking for stable software. But the Mozilla organization makes it clear to say: "We make binary versions of Mozilla available for testing purposes only!"
The intention of WaMCom.org is to produce web browser and mail client software that is more stable and more correct than the test releases produced by the Mozilla.org organization, in the hope it is suitable for end users. In order to achieve that, stable Mozilla releases are extended with correctness fixes.
In addition it contains some security and cryptography enhancements.
WaMCom releases consist of:
95% official Mozilla milestone release
4% carefully selected fixes, official Mozilla code from ongoing development
1% other modifications the WaMCom maintainer(s) want to include
<<lessEnd users are looking for stable software. But the Mozilla organization makes it clear to say: "We make binary versions of Mozilla available for testing purposes only!"
The intention of WaMCom.org is to produce web browser and mail client software that is more stable and more correct than the test releases produced by the Mozilla.org organization, in the hope it is suitable for end users. In order to achieve that, stable Mozilla releases are extended with correctness fixes.
In addition it contains some security and cryptography enhancements.
WaMCom releases consist of:
95% official Mozilla milestone release
4% carefully selected fixes, official Mozilla code from ongoing development
1% other modifications the WaMCom maintainer(s) want to include
Download (27.2MB)
Added: 2006-05-16 License: GPL (GNU General Public License) Price:
1265 downloads
seppl 0.4
seppl is both a protocol definition and a software implementation of a new encryption layer for IPv4. more>>
seppl is both a protocol definition and a software implementation of a new encryption layer for IPv4. seppl project makes use of symmetric cryptography for encrypting the whole traffic on a network. Its implementation is designed around Linux netfilter/iptables.
seppl introduces two new netfilter targets: CRYPT and DECRYPT. A firewall rule may thus be used for encrypting/decrypting the incoming and outgoing network traffic. This makes seppl extraordinarily easy to use, since no daemons need to run for secure communication.
seppl uses the encryption engine of the Linux Cryptographic API which is available in kernel 2.4.22 and newer.
seppl is primarily intended for encrypting wireless LANs (as secure replacement of the broken WEP encryption) and local ethernet networks but may be used for large scale VPN solutions as well.
The protocol seppl relies on is not compatible with any other software. The protocol is open and well defined but there is no implementation other than this reference software.
Why SEPPL, there are already IPSEC, CIPE,...?
CIPE may be used for point-to-point connections only. It has tunnel structure and thus introduces new IP addresses. This is not always desirable. It requires a user space daemon.
IPSEC/FreeSwan is extremely complicated to use. Due to its strange routing scheme it is nearly impossible to use together with routing daemons. IPSEC is heavyweight.
seppl is truely peer-to-peer. It encrypts seamlessly all outgoing traffic and it thus compatible with routing daemons. It is extremely easy to use as well, as it makes no change to the normal routing behaviour. seppl is extremely lightweight.
The Implementation
The implementation consists of three Linux kernel modules: seppl.o, ipt_CRYPT.o and ipt_DECRYPT.o. The former is the in-kernel key manager, the latter are the two new netfilter targets. Both depend on seppl.o.
seppl.o must be inserted into kernel in first place. The key manager may be accessed with the file /proc/net/seppl_keyring. It contains binary key data, and is initially empty. You may add a new key by writing it to that file.
The two Python scripts seppl-ls and seppl-gen-key me be used for key management. seppl-ls may be used for converting seppl keys between the binary format used by /proc/net/seppl_keyring and a human readable XML based format. Simply call seppl-ls for a list of all currently active keys. seppl-gen-key generates a new key from /dev/urandom. By default it will use the XML format. The parameter -x forces binary mode. You may generate and activate two keys "linus" and "alan" by issuing the following command lines:
seppl-gen-key -n linus -x > /proc/net/seppl_keyring
seppl-gen-key -n alan -x > /proc/net/seppl_keyring
seppl-ls without argument lists the new keys saved in the kernel keyring. You may remove all (currently unused) keys by issuing:
echo clear > /proc/net/seppl_keyring
Since seppl is based on symmetric cryptography using shared keys you have to copy newly generated keys to every host you want to connect to your seppl infrastructure. (preferably via SSH or any other secure file transfer) You get a binary copy of your current keyring by issuing:
cat /proc/net/seppl_keyring > keyring.save
Now copy that file keyring.save to all other hosts and issue the following command there:
cat keyring.save > /proc/net/seppl_keyring
That is simple, isnt it?
After doing so you may configure your firewall settings on each host:
iptables -t mangle -A POSTROUTING -o eth0 -j CRYPT --key linus
iptables -t mangle -A PREROUTING -i eth0 -j DECRYPT
This will encrypt all outgoing traffic on eth0 with the key "linus". All incoming traffic is decrypted with either "linus" or "alan", depending on the key name specified in the specific network packet. Unencrypted incoming packets are silently dropped. Use
iptables -t mangle -A PREROUTING -p 177 -i eth0 -j DECRYPT
for allowing both crypted and unencrypted incoming traffic.
Thats it. Youre done. All your traffic on the local subnet is now crypted with seppl.
The default cipher is AES-128. If you dont specify the name of the used key it defaults to "def".
An SysV init script /etc/init.d/seppl is provided. It will load seppls kernel modules and write all keys from the directory /etc/seppl to the kernel keyring. It will not add any firewall rules, however.
Performance issues
The network packets are increased in size when they are crypted, since two new headers and the IV are added. (36 bytes in average) This conflicts on some way with the MTU management of the Linux kernel and results in having all large packets (that is: package size near MTU) fragmented in one large and another very small package. This will hurt network performance. A work-around of this limitation is using the TCPMSS target of netfilter to adjust the MSS value in the TCP header to smaller values. This will increase TCP perfomance, since TCP packets of the size of the MTU are no longer generated. Thus no fragmentation is needed. However, TCPMSS is TCP specific, it wont help on UDP or other IP protocols.
Add the following line before encryption to your firewall setup:
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o eth0 -j TCPMSS --set-mss $((1500-40-8-16-6-15))
The Protocol
For encryption every single unencrypted packet is taken and converted to a crypted one. Not a single further packet is ever sent.
Original SEPPL counterpart
+------------+ +-----------------------+
| IP-Header | | Modified IP-Header | |
+------------+ +-----------------------+ |
| Payload | | SEPPL-Header | > Unencrypted
+------------+ +-----------------------+ |
| Initialization Vector | |
+-----------------------+ /
| SEPPL-Header |
+-----------------------+ | Crypted
| Payload | |
+-----------------------+ /
The original IP header is kept as far as possible. Only three fields are replaced with new values. The protocol number is set to 177, the fragment offset is set to 0 and the total length is corrected to the new length. All other fields are kept as is, including IP options.
The unencrypted seppl header consists of a one-byte cipher number and a key name. Currently only 0 and 1 are defined as cipher numbers for AES with 128bit key, resp. AES with 192bit key. The key name (7 bytes) may be used to select a specific key in a larger keyring.
The IV is used for CBC coding of the cipher used. It differs from packet to packet, but is not randomly generated. Due to perfomance reasons, only the initial IV on system startup is randomized, all following IVs are generated by incrementing the previous ones.
The crypted seppl header consists of three saved fields of the original IP header (protocol number, fragment offset, total length) and a byte which is always 0 for detecting unmatching keys.
The payload is the original IP-playload, from the TCP/UDP/other header to the end.
Version restrictions:
- seppl interferes with netfilters connection tracking in some way. Thus you will not be able to use NAT in conjunction with seppl. If you use connection tracking in some other way together with seppl your mileage may vary.
- seppl is tested with Linux 2.6.1. Use version 0.3 for Linux 2.4.
<<lessseppl introduces two new netfilter targets: CRYPT and DECRYPT. A firewall rule may thus be used for encrypting/decrypting the incoming and outgoing network traffic. This makes seppl extraordinarily easy to use, since no daemons need to run for secure communication.
seppl uses the encryption engine of the Linux Cryptographic API which is available in kernel 2.4.22 and newer.
seppl is primarily intended for encrypting wireless LANs (as secure replacement of the broken WEP encryption) and local ethernet networks but may be used for large scale VPN solutions as well.
The protocol seppl relies on is not compatible with any other software. The protocol is open and well defined but there is no implementation other than this reference software.
Why SEPPL, there are already IPSEC, CIPE,...?
CIPE may be used for point-to-point connections only. It has tunnel structure and thus introduces new IP addresses. This is not always desirable. It requires a user space daemon.
IPSEC/FreeSwan is extremely complicated to use. Due to its strange routing scheme it is nearly impossible to use together with routing daemons. IPSEC is heavyweight.
seppl is truely peer-to-peer. It encrypts seamlessly all outgoing traffic and it thus compatible with routing daemons. It is extremely easy to use as well, as it makes no change to the normal routing behaviour. seppl is extremely lightweight.
The Implementation
The implementation consists of three Linux kernel modules: seppl.o, ipt_CRYPT.o and ipt_DECRYPT.o. The former is the in-kernel key manager, the latter are the two new netfilter targets. Both depend on seppl.o.
seppl.o must be inserted into kernel in first place. The key manager may be accessed with the file /proc/net/seppl_keyring. It contains binary key data, and is initially empty. You may add a new key by writing it to that file.
The two Python scripts seppl-ls and seppl-gen-key me be used for key management. seppl-ls may be used for converting seppl keys between the binary format used by /proc/net/seppl_keyring and a human readable XML based format. Simply call seppl-ls for a list of all currently active keys. seppl-gen-key generates a new key from /dev/urandom. By default it will use the XML format. The parameter -x forces binary mode. You may generate and activate two keys "linus" and "alan" by issuing the following command lines:
seppl-gen-key -n linus -x > /proc/net/seppl_keyring
seppl-gen-key -n alan -x > /proc/net/seppl_keyring
seppl-ls without argument lists the new keys saved in the kernel keyring. You may remove all (currently unused) keys by issuing:
echo clear > /proc/net/seppl_keyring
Since seppl is based on symmetric cryptography using shared keys you have to copy newly generated keys to every host you want to connect to your seppl infrastructure. (preferably via SSH or any other secure file transfer) You get a binary copy of your current keyring by issuing:
cat /proc/net/seppl_keyring > keyring.save
Now copy that file keyring.save to all other hosts and issue the following command there:
cat keyring.save > /proc/net/seppl_keyring
That is simple, isnt it?
After doing so you may configure your firewall settings on each host:
iptables -t mangle -A POSTROUTING -o eth0 -j CRYPT --key linus
iptables -t mangle -A PREROUTING -i eth0 -j DECRYPT
This will encrypt all outgoing traffic on eth0 with the key "linus". All incoming traffic is decrypted with either "linus" or "alan", depending on the key name specified in the specific network packet. Unencrypted incoming packets are silently dropped. Use
iptables -t mangle -A PREROUTING -p 177 -i eth0 -j DECRYPT
for allowing both crypted and unencrypted incoming traffic.
Thats it. Youre done. All your traffic on the local subnet is now crypted with seppl.
The default cipher is AES-128. If you dont specify the name of the used key it defaults to "def".
An SysV init script /etc/init.d/seppl is provided. It will load seppls kernel modules and write all keys from the directory /etc/seppl to the kernel keyring. It will not add any firewall rules, however.
Performance issues
The network packets are increased in size when they are crypted, since two new headers and the IV are added. (36 bytes in average) This conflicts on some way with the MTU management of the Linux kernel and results in having all large packets (that is: package size near MTU) fragmented in one large and another very small package. This will hurt network performance. A work-around of this limitation is using the TCPMSS target of netfilter to adjust the MSS value in the TCP header to smaller values. This will increase TCP perfomance, since TCP packets of the size of the MTU are no longer generated. Thus no fragmentation is needed. However, TCPMSS is TCP specific, it wont help on UDP or other IP protocols.
Add the following line before encryption to your firewall setup:
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o eth0 -j TCPMSS --set-mss $((1500-40-8-16-6-15))
The Protocol
For encryption every single unencrypted packet is taken and converted to a crypted one. Not a single further packet is ever sent.
Original SEPPL counterpart
+------------+ +-----------------------+
| IP-Header | | Modified IP-Header | |
+------------+ +-----------------------+ |
| Payload | | SEPPL-Header | > Unencrypted
+------------+ +-----------------------+ |
| Initialization Vector | |
+-----------------------+ /
| SEPPL-Header |
+-----------------------+ | Crypted
| Payload | |
+-----------------------+ /
The original IP header is kept as far as possible. Only three fields are replaced with new values. The protocol number is set to 177, the fragment offset is set to 0 and the total length is corrected to the new length. All other fields are kept as is, including IP options.
The unencrypted seppl header consists of a one-byte cipher number and a key name. Currently only 0 and 1 are defined as cipher numbers for AES with 128bit key, resp. AES with 192bit key. The key name (7 bytes) may be used to select a specific key in a larger keyring.
The IV is used for CBC coding of the cipher used. It differs from packet to packet, but is not randomly generated. Due to perfomance reasons, only the initial IV on system startup is randomized, all following IVs are generated by incrementing the previous ones.
The crypted seppl header consists of three saved fields of the original IP header (protocol number, fragment offset, total length) and a byte which is always 0 for detecting unmatching keys.
The payload is the original IP-playload, from the TCP/UDP/other header to the end.
Version restrictions:
- seppl interferes with netfilters connection tracking in some way. Thus you will not be able to use NAT in conjunction with seppl. If you use connection tracking in some other way together with seppl your mileage may vary.
- seppl is tested with Linux 2.6.1. Use version 0.3 for Linux 2.4.
Download (0.32MB)
Added: 2006-05-17 License: GPL (GNU General Public License) Price:
1255 downloads
Cryptonit 0.9.7
Cryptonit is a client side cryptographic tool which allows you to encrypt/decrypt and sign/verify files with PKI certificates. more>>
Cryptonit project is a client side cryptographic tool which allows you to encrypt/decrypt and sign/verify files with PKI (Public Key Infrastructure) certificates.
Main features:
- Encryption/decryption based on highly reliable algorithms
- Signature/verification procedures ensuring tamper-proof documents
- Use of passwords, certificates & smart (chip) cards for file encryption
- Address book for saving and organizing contacts
- Ability to import contacts and their certificates from the corporate directory (LDAP import)
- Multiple user account management
- Interfaces in both English and French
- CRL download
- RSA cryptography (public key cryptography standard)
<<lessMain features:
- Encryption/decryption based on highly reliable algorithms
- Signature/verification procedures ensuring tamper-proof documents
- Use of passwords, certificates & smart (chip) cards for file encryption
- Address book for saving and organizing contacts
- Ability to import contacts and their certificates from the corporate directory (LDAP import)
- Multiple user account management
- Interfaces in both English and French
- CRL download
- RSA cryptography (public key cryptography standard)
Download (2.4MB)
Added: 2006-05-23 License: GPL (GNU General Public License) Price:
1252 downloads
Secleted [ 0 ] software to compare
Copyright Notice:
Software piracy is theft, Using crack, password, serial numbers, registration codes, key generators is illegal and prevent future software development. The above cryptography api search only lists software in full, demo and trial versions for free download. Download links are directly from our mirror sites or publisher sites, torrent files or links from rapidshare.com, yousendit.com or megaupload.com are not allowed
