sshcrypt: a proof-of-concept stopgap sshcrypt is a proof-of-concept sketch, written in Go, of a stopgap system to replace PGP. The issue is that PGP is built on finite-field cryptography, i.e. RSA, and there is growing evidence pointing to the weakness of this type of cryptography. Secure modern systems should begin to switch over to elliptic curve cryptography; sshcrypt does just that. It uses SSH keys, something many users already have, and avoids potential downgrade attacks and user confusion over cipher selection by providing just one choice: ECDSA with 521-bit keys. While the pieces of sshcrypt are all solid, it is the user interface that represents the "sketched" portion. It certainly needs more work, starting with the development of a consistent set of flags. Further fleshing out of this idea should see graphical applications to facilitate their use. The tools provided are: sshcrypt: provides message encryption, both signed and unsigned sealed messages. sshsign: provides message signatures without encryption. HISTORY sshcrypt is born of two major Go components stitched together. The first is the sshkey[1] package I wrote. This package parses and serialises SSH keys into standard cryptographic forms that can be used with the Go standard library. The sshkeygen[2] tool is a frontend to this library, allowing for the generation of new keys (that are compatible with OpenSSH) and fingerprinting existing keys. The original prototype to sshcrypt was sshbox[3], which uses both RSA and ECDSA keys. It was another proof-of-concept and test of the sshkey package's ability to successfully use SSH keys as general-purpose cryptographic keys. sshkey provides the key interface to sshcrypt. The second component is Cryptobox[4]. This is a project to build a set of easy-to-use cryptographic modules for use in new projects built on standard ciphers and elliptic curve cryptography. Cryptobox supplies the cryptography for sshcrypt. These two components are mated using the cbecdsa[5] package, which converts SSH keys into Cryptobox keys and vice versa. DESIGN CHOICES There are a few important design choices that were made with sshcrypt: first, only one cipher each for encryption and signatures is permitted. This allays a number of problems, including downgrade attacks (in which the attacker tricks the communicating parties into using weaker ciphers) and general user confusion as to the most appropriate cipher to use. SSH keys were chosen due to their prevelance in the world. Enough users have SSH keys that it makes sense to leverage these keys, instead of requiring a new set of keys with a different format to be generated (which would require users to keep track of the security of another set of keys). 521-bit ECDSA keys are chosen due to their security and the fact that, even on embedded hardware, they still remain performant. (In fact, every systems tested, the stoutbox encryption outperformed RSA encryption with a weaker key.) While the NSA recommends 384-bit elliptic curve keys, the additional security provided by the stronger 521-bit keys comes with a very low cost. Finally, prebuilt and verified systems are used to compose the larger programs; these pieces are independently verified and can be validated within the context of the larger program. CRYPTOGRAPHY The stoutbox module used by the package employs ECDSA over the secp521r1 curve for digital signatures, and ECIES using ephemeral secp521r1 keys for the key exchange, and AES-256 in CTR mode with HMAC-SHA-384 message tags for the underlying symmetric cipher. The Cryptobox specifications[6] have the full specification of the Cryptobox module, including the formats for messages. LICENSE sshcrypt is released under the ISC license. Copyright (c) 2013 Kyle Isom <kyle@tyrfingr.is> Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. [1] https://github.com/gokyle/sshkey/ or http://hg.tyrfingr.is/kyle/sshkey [2] https://github.com/gokyle/sshkeygen or http://hg.tyrfingr.is/kyle/sshkeygen [3] https://github.com/gokyle/sshbox or http://hg.tyrfingr.is/kyle/sshbox [4] http://cryptobox.tyrfingr.is [5] https://github.com/cryptobox/cbecdsa or http://hg.tyrfingr.is/kyle/cbecdsa [6] http://cryptobox.tyrfingr.is/files/cryptobox_spec.pdf