diff options
| author | Gab <24553253+gabrix73@users.noreply.github.com> | 2025-10-14 18:56:01 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-10-14 18:56:01 +0200 |
| commit | 92174734d28e2036b17e301d5150409a403f7a44 (patch) | |
| tree | 906df737e0c313f912f52c1dc7f122552cae8432 | |
| parent | eed868fdfac863a5020e7cb3f5447236b6433f68 (diff) | |
| download | nofuture-go-memguard-92174734d28e2036b17e301d5150409a403f7a44.tar.gz nofuture-go-memguard-92174734d28e2036b17e301d5150409a403f7a44.tar.xz nofuture-go-memguard-92174734d28e2036b17e301d5150409a403f7a44.zip | |
Update README.md
| -rw-r--r-- | README.md | 192 |
1 files changed, 66 insertions, 126 deletions
@@ -1,156 +1,96 @@ -# π‘οΈ nofuture.go β Ephemeral Post-Quantum Text Encryption +# π NoFuture-Memguard-PQ -[](./LICENSE) -[](https://golang.org) -[](#) -[](#) +**Ephemeral Post-Quantum Text Encryption Plugin for Mainstream Chats** -**nofuture.go** is a secure, ephemeral text encryption application designed to facilitate private communication β even across untrusted platforms β using post-quantum cryptography, memory-hard key management, and a local virtual keyboard for anti-keylogger defense. +Version 0.5.0 | Built with love and defiance | Privacy is a human right, not a feature -Its core purpose is simple but powerful: +## π― What is it? -> π¬ **Encrypt sensitive text, exchange it via any mainstream chat, and make the keys disappear forever.** +NoFuture-Memguard-PQ is a **detached external encryption plugin** for any instant messaging platform. Use it in one browser tab while your mainstream chat (WhatsApp Web, Telegram, Signal, etc.) runs in another. ---- +**Key features:** +- π‘οΈ **Memguard-protected memory** - Keys and plaintext secured against root access and memory dumps +- π **Detached architecture** - Completely isolated from mainstream chat platforms (no backdoors possible) +- π₯ **Ephemeral by design** - Total key destruction on session end (no future access) +- β‘ **Post-quantum ready** - Roadmap includes Kyber1024-90s and Dilithium5-AES +- π±οΈ **Anti-keylogger keyboard** - Virtual keyboard with randomized layout -## π¦ Project Structure +## π Quick Start -- `cmd/` β CLI and runtime entry points -- `internal/crypto` β Kyber, Dilithium, Argon2, BLAKE2b, XChaCha -- `internal/memory` β memguard-backed key handling -- `assets/` β frontend static files (keyboard UI, etc.) -- `USAGE.md` β basic usage guide +```bash +# Install +git clone <repository-url> +cd nofuture-memguard-pq +go mod download +go build -o nofuture main.go ---- +# Run +./nofuture +# Open http://localhost:8080 +``` ## π Documentation -- β
[How it works](#session-flow) -- β
[Cryptographic primitives](#cryptographic-primitives) -- β
[Memory protection](#key-generation--memory-protection) -- β
[Virtual keyboard](#virtual-keyboard-anti-keylogger) -- β
[Usage example](USAGE.md) - ---- +For complete documentation, open `README.html` in your browser. -## π Cryptographic Primitives +## β οΈ Production Deployment -- **Kyber1024-90s** (Post-Quantum Key Encapsulation - KEM) - > Used to establish a shared session key between users. +**NEVER expose the Go server directly to the internet without HTTPS.** -- **Dilithium5-AES** (Post-Quantum Digital Signature - PQDS) - > Used for optional mutual authentication and message verification. +Use a reverse proxy (nginx, Caddy) with TLS certificates: -- **BLAKE2b-512** - > Used in session binding and secure hash-based key derivation. +```nginx +server { + listen 443 ssl http2; + server_name safecomms.yourdomain.com; -- **XChaCha20-Poly1305** - > Used for symmetric encryption of the actual message content. + ssl_certificate /path/to/cert.pem; + ssl_certificate_key /path/to/key.pem; -- **argon2id** with OWASP-recommended parameters - > Memory-hard key derivation used for passphrases and session binding. + location / { + proxy_pass http://localhost:8080; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + } +} +``` ---- +## π Security Model -## π§ Key Generation & Memory Protection +1. **Memguard** (PRIMARY) - Protects keys + plaintext in RAM against dumps, swap, debuggers +2. **Detached Architecture** - Mainstream platforms never see keys or plaintext +3. **AEAD Encryption** - XChaCha20-Poly1305 prevents tampering +4. **Total Destruction** - Keys irreversibly wiped on session end -- All cryptographic keys are generated **in volatile memory (RAM)**. -- Sensitive buffers (session keys, private keys, derived secrets) are stored using [`memguard`](https://github.com/awnumar/memguard), a secure memory management library for Go. -- `memguard`: - - Locks memory pages (`mlock`) to prevent swapping. - - Encrypts memory buffers while in RAM. - - Prevents access from other users β including the root user or malware. - - Performs secure erasure when buffers are destroyed or on crash. +## π What's Fixed in v0.5.0 -> β
**No key material ever touches the disk or garbage-collected heap.** +β
Plaintext now protected by memguard (was vulnerable) +β
Real encryption (XChaCha20-Poly1305 AEAD) instead of XOR +β
Real key exchange (NaCl box) instead of XOR +β
HTTPS enforcement (reverse proxy required) +β
CORS restrictions (no wildcard) +β
Rate limiting (60 req/min per IP) +β
Request size limits (1MB max) +β
Session timeouts (24h max) +β
Authenticated encryption (prevents bit-flipping) +β
Session isolation (no cross-contamination) +β
Secure cleanup on exit ---- - -## π±οΈ Virtual Keyboard (Anti-Keylogger) - -To protect local input from keyloggers or spyware, `nofuture.go` integrates an **optional on-screen virtual keyboard** with randomized key layout. - -- Protects against keyloggers reading `/dev/input` or `stdin`. -- No physical keypress events are generated. -- Layout is randomized per session. -- Optional use, recommended for high-security environments. - ---- - -## π Session Flow - -Encrypted communication is based on shared **Session IDs**, which encapsulate the cryptographic context between two users. - -### πΈ Phase 1: Create Session - -- Generate a key pair using Kyber KEM. -- Derive a session key and unique **Session ID**. -- All key material is held in memory and locked by `memguard`. - -### πΈ Phase 2: Share Session ID - -- Copy the Session ID and send it to your contact using **any chat platform**. -- Session IDs **do not contain sensitive data**. -- Transmission over unencrypted channels (chat, email) is acceptable, but encrypted ones are recommended. - -### πΈ Phase 3: Synchronize Session - -- Your contact imports the Session ID into their instance of `nofuture.go`. -- The app performs a key agreement and mutual validation (using Dilithium signatures if enabled). -- Once both sides are synchronized, they can start exchanging encrypted text. - ---- -## π What Is the Session ID? +## πΊοΈ Roadmap -The `Session ID` is not a simple string or UUID β it's a **cryptographic descriptor** of the secure session. -It contains all the necessary public information to allow the other party to **synchronize**, encrypt, and verify the session context. - -### π Composition of a Session ID - -- π The **public key** of the sender (Kyber1024-90s) -- 𧬠A **nonce** β a unique 24-byte random seed -- π§ Optionally, a digital signature (Dilithium5-AES) for verifying the identity -- π A hashed session fingerprint using BLAKE2b - -> Think of it like a βtemporary public keyβ for a one-time encrypted channel. - -### π§© Why it matters - -Sharing this `Session ID` allows another user to: -- Derive a **shared secret** via post-quantum KEM -- Bind their session securely to yours -- Encrypt data you alone can decrypt (and vice versa) - ----- - -## π₯ End Session = Total Key Destruction - -When you end the session: - -- All keys are securely wiped using `memguard.Purge()`. -- Session memory is sanitized according to [NIST SP 800-88](https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final). -- No forensic recovery is possible β not even with root access or RAM snapshots. -- The ciphertext remains in your chat app, but **can never be decrypted again**. - -> π One conversation. One key. One chance to read. No future access. - ---- - -## π Usage Example - -See [USAGE.md](USAGE.md) for a full guide on how to use `nofuture.go` alongside a browser-based chat client. - ---- +- β
v0.5.0: Memguard + XChaCha20-Poly1305 +- π v1.0.0: Kyber1024-90s + Dilithium5-AES (true post-quantum) +- π v1.1.0: Per-message ratcheting (forward secrecy) +- π v2.0.0: Browser extension ## π License -MIT License β see [`LICENSE`](./LICENSE) - ---- - -## β Built with love and defiance -Because **privacy isnβt a feature** β itβs a human right. +MIT License +## π¬ Support +Report security issues privately. For other questions, open an issue. +--- +**One conversation. One key. One chance to read. No future access.** |
