summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGab <24553253+gabrix73@users.noreply.github.com>2025-10-14 18:56:01 +0200
committerGitHub <noreply@github.com>2025-10-14 18:56:01 +0200
commit92174734d28e2036b17e301d5150409a403f7a44 (patch)
tree906df737e0c313f912f52c1dc7f122552cae8432
parenteed868fdfac863a5020e7cb3f5447236b6433f68 (diff)
downloadnofuture-go-memguard-92174734d28e2036b17e301d5150409a403f7a44.tar.gz
nofuture-go-memguard-92174734d28e2036b17e301d5150409a403f7a44.tar.xz
nofuture-go-memguard-92174734d28e2036b17e301d5150409a403f7a44.zip
Update README.md
-rw-r--r--README.md192
1 files changed, 66 insertions, 126 deletions
diff --git a/README.md b/README.md
index fd320e0..0c4e969 100644
--- a/README.md
+++ b/README.md
@@ -1,156 +1,96 @@
-# πŸ›‘οΈ nofuture.go β€” Ephemeral Post-Quantum Text Encryption
+# πŸ” NoFuture-Memguard-PQ
-[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](./LICENSE)
-[![Go Version](https://img.shields.io/badge/Go-1.21+-00ADD8.svg)](https://golang.org)
-[![Security Hardened](https://img.shields.io/badge/security-hardened-brightgreen.svg)](#)
-[![Status: Experimental](https://img.shields.io/badge/status-experimental-yellow.svg)](#)
+**Ephemeral Post-Quantum Text Encryption Plugin for Mainstream Chats**
-**nofuture.go** is a secure, ephemeral text encryption application designed to facilitate private communication β€” even across untrusted platforms β€” using post-quantum cryptography, memory-hard key management, and a local virtual keyboard for anti-keylogger defense.
+Version 0.5.0 | Built with love and defiance | Privacy is a human right, not a feature
-Its core purpose is simple but powerful:
+## 🎯 What is it?
-> πŸ’¬ **Encrypt sensitive text, exchange it via any mainstream chat, and make the keys disappear forever.**
+NoFuture-Memguard-PQ is a **detached external encryption plugin** for any instant messaging platform. Use it in one browser tab while your mainstream chat (WhatsApp Web, Telegram, Signal, etc.) runs in another.
----
+**Key features:**
+- πŸ›‘οΈ **Memguard-protected memory** - Keys and plaintext secured against root access and memory dumps
+- πŸ”’ **Detached architecture** - Completely isolated from mainstream chat platforms (no backdoors possible)
+- πŸ”₯ **Ephemeral by design** - Total key destruction on session end (no future access)
+- ⚑ **Post-quantum ready** - Roadmap includes Kyber1024-90s and Dilithium5-AES
+- πŸ–±οΈ **Anti-keylogger keyboard** - Virtual keyboard with randomized layout
-## πŸ“¦ Project Structure
+## πŸš€ Quick Start
-- `cmd/` β€” CLI and runtime entry points
-- `internal/crypto` β€” Kyber, Dilithium, Argon2, BLAKE2b, XChaCha
-- `internal/memory` β€” memguard-backed key handling
-- `assets/` β€” frontend static files (keyboard UI, etc.)
-- `USAGE.md` β€” basic usage guide
+```bash
+# Install
+git clone <repository-url>
+cd nofuture-memguard-pq
+go mod download
+go build -o nofuture main.go
----
+# Run
+./nofuture
+# Open http://localhost:8080
+```
## πŸ“– Documentation
-- βœ… [How it works](#session-flow)
-- βœ… [Cryptographic primitives](#cryptographic-primitives)
-- βœ… [Memory protection](#key-generation--memory-protection)
-- βœ… [Virtual keyboard](#virtual-keyboard-anti-keylogger)
-- βœ… [Usage example](USAGE.md)
-
----
+For complete documentation, open `README.html` in your browser.
-## πŸ” Cryptographic Primitives
+## ⚠️ Production Deployment
-- **Kyber1024-90s** (Post-Quantum Key Encapsulation - KEM)
- > Used to establish a shared session key between users.
+**NEVER expose the Go server directly to the internet without HTTPS.**
-- **Dilithium5-AES** (Post-Quantum Digital Signature - PQDS)
- > Used for optional mutual authentication and message verification.
+Use a reverse proxy (nginx, Caddy) with TLS certificates:
-- **BLAKE2b-512**
- > Used in session binding and secure hash-based key derivation.
+```nginx
+server {
+ listen 443 ssl http2;
+ server_name safecomms.yourdomain.com;
-- **XChaCha20-Poly1305**
- > Used for symmetric encryption of the actual message content.
+ ssl_certificate /path/to/cert.pem;
+ ssl_certificate_key /path/to/key.pem;
-- **argon2id** with OWASP-recommended parameters
- > Memory-hard key derivation used for passphrases and session binding.
+ location / {
+ proxy_pass http://localhost:8080;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ }
+}
+```
----
+## πŸ” Security Model
-## 🧠 Key Generation & Memory Protection
+1. **Memguard** (PRIMARY) - Protects keys + plaintext in RAM against dumps, swap, debuggers
+2. **Detached Architecture** - Mainstream platforms never see keys or plaintext
+3. **AEAD Encryption** - XChaCha20-Poly1305 prevents tampering
+4. **Total Destruction** - Keys irreversibly wiped on session end
-- All cryptographic keys are generated **in volatile memory (RAM)**.
-- Sensitive buffers (session keys, private keys, derived secrets) are stored using [`memguard`](https://github.com/awnumar/memguard), a secure memory management library for Go.
-- `memguard`:
- - Locks memory pages (`mlock`) to prevent swapping.
- - Encrypts memory buffers while in RAM.
- - Prevents access from other users β€” including the root user or malware.
- - Performs secure erasure when buffers are destroyed or on crash.
+## πŸ“Š What's Fixed in v0.5.0
-> βœ… **No key material ever touches the disk or garbage-collected heap.**
+βœ… Plaintext now protected by memguard (was vulnerable)
+βœ… Real encryption (XChaCha20-Poly1305 AEAD) instead of XOR
+βœ… Real key exchange (NaCl box) instead of XOR
+βœ… HTTPS enforcement (reverse proxy required)
+βœ… CORS restrictions (no wildcard)
+βœ… Rate limiting (60 req/min per IP)
+βœ… Request size limits (1MB max)
+βœ… Session timeouts (24h max)
+βœ… Authenticated encryption (prevents bit-flipping)
+βœ… Session isolation (no cross-contamination)
+βœ… Secure cleanup on exit
----
-
-## πŸ–±οΈ Virtual Keyboard (Anti-Keylogger)
-
-To protect local input from keyloggers or spyware, `nofuture.go` integrates an **optional on-screen virtual keyboard** with randomized key layout.
-
-- Protects against keyloggers reading `/dev/input` or `stdin`.
-- No physical keypress events are generated.
-- Layout is randomized per session.
-- Optional use, recommended for high-security environments.
-
----
-
-## πŸ” Session Flow
-
-Encrypted communication is based on shared **Session IDs**, which encapsulate the cryptographic context between two users.
-
-### πŸ”Έ Phase 1: Create Session
-
-- Generate a key pair using Kyber KEM.
-- Derive a session key and unique **Session ID**.
-- All key material is held in memory and locked by `memguard`.
-
-### πŸ”Έ Phase 2: Share Session ID
-
-- Copy the Session ID and send it to your contact using **any chat platform**.
-- Session IDs **do not contain sensitive data**.
-- Transmission over unencrypted channels (chat, email) is acceptable, but encrypted ones are recommended.
-
-### πŸ”Έ Phase 3: Synchronize Session
-
-- Your contact imports the Session ID into their instance of `nofuture.go`.
-- The app performs a key agreement and mutual validation (using Dilithium signatures if enabled).
-- Once both sides are synchronized, they can start exchanging encrypted text.
-
----
-## πŸ“Œ What Is the Session ID?
+## πŸ—ΊοΈ Roadmap
-The `Session ID` is not a simple string or UUID β€” it's a **cryptographic descriptor** of the secure session.
-It contains all the necessary public information to allow the other party to **synchronize**, encrypt, and verify the session context.
-
-### πŸ” Composition of a Session ID
-
-- πŸ”‘ The **public key** of the sender (Kyber1024-90s)
-- 🧬 A **nonce** β€” a unique 24-byte random seed
-- 🧠 Optionally, a digital signature (Dilithium5-AES) for verifying the identity
-- πŸ†” A hashed session fingerprint using BLAKE2b
-
-> Think of it like a β€œtemporary public key” for a one-time encrypted channel.
-
-### 🧩 Why it matters
-
-Sharing this `Session ID` allows another user to:
-- Derive a **shared secret** via post-quantum KEM
-- Bind their session securely to yours
-- Encrypt data you alone can decrypt (and vice versa)
-
-----
-
-## πŸ’₯ End Session = Total Key Destruction
-
-When you end the session:
-
-- All keys are securely wiped using `memguard.Purge()`.
-- Session memory is sanitized according to [NIST SP 800-88](https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final).
-- No forensic recovery is possible β€” not even with root access or RAM snapshots.
-- The ciphertext remains in your chat app, but **can never be decrypted again**.
-
-> πŸ” One conversation. One key. One chance to read. No future access.
-
----
-
-## πŸ“„ Usage Example
-
-See [USAGE.md](USAGE.md) for a full guide on how to use `nofuture.go` alongside a browser-based chat client.
-
----
+- βœ… v0.5.0: Memguard + XChaCha20-Poly1305
+- πŸ”„ v1.0.0: Kyber1024-90s + Dilithium5-AES (true post-quantum)
+- πŸ”„ v1.1.0: Per-message ratcheting (forward secrecy)
+- πŸ”„ v2.0.0: Browser extension
## πŸ“œ License
-MIT License β€” see [`LICENSE`](./LICENSE)
-
----
-
-## ✊ Built with love and defiance
-Because **privacy isn’t a feature** β€” it’s a human right.
+MIT License
+## πŸ’¬ Support
+Report security issues privately. For other questions, open an issue.
+---
+**One conversation. One key. One chance to read. No future access.**