summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGab <24553253+gabrix73@users.noreply.github.com>2025-02-13 15:08:10 +0100
committerGitHub <noreply@github.com>2025-02-13 15:08:10 +0100
commitdc1f5a14c58d2b098a35db7b073f48137dd1c13d (patch)
treed7ec42dafd47abccd7277a0c401524c038f30987
parent3069c554969aa0c129b5279192163fa6121a0607 (diff)
downloadnofuture-go-memguard-dc1f5a14c58d2b098a35db7b073f48137dd1c13d.tar.gz
nofuture-go-memguard-dc1f5a14c58d2b098a35db7b073f48137dd1c13d.tar.xz
nofuture-go-memguard-dc1f5a14c58d2b098a35db7b073f48137dd1c13d.zip
Update README.md
-rw-r--r--README.md171
1 files changed, 101 insertions, 70 deletions
diff --git a/README.md b/README.md
index a05cb6f..9a2b9d1 100644
--- a/README.md
+++ b/README.md
@@ -1,78 +1,109 @@
-# Nofuture-Buddy-Go-Memguard
-Web application for ephemeral encryption of texts. Paring the sessions with an interlocutor permets encryption/decryption of conversations via an external realtime communication applications.
+<head>
+ <meta charset="UTF-8">
+ <title>Nofuture.go - Post-Quantum Cryptographic Core Documentation</title>
+ <style>
+ /* Maintain previous styling */
+ </style>
+</head>
+<body>
+ <h1>Nofuture.go - Post-Quantum Cryptographic System</h1>
-Technical Analysis:
+ <div class="section">
+ <h2>MemGuard Initialization & Configuration</h2>
+ <pre><code>memguard.CatchInterrupt()
+memguard.Purge()
+unix.Mlockall(unix.MCL_CURRENT | unix.MCL_FUTURE)</code></pre>
+ <ul>
+ <li><strong>Secure Memory Locking:</strong> Prevents swapping sensitive data to disk</li>
+ <li><strong>Interrupt Handling:</strong> Automatic memory purge on SIGINT/SIGTERM</li>
+ <li><strong>Deep Memory Purge:</strong> Secure wiping of allocated buffers</li>
+ </ul>
+ </div>
-<h4>Nofuture Core Security Features:</h4><br>
-<ul>
-<li>Uses memguard for secure memory management</li>
-<li>Implements curve25519 for public-key cryptography</li>
-<li>Employs NaCl's box encryption for message security</li>
-<li>Utilizes secure session management with random IDs</li>
-<li>Implements CORS protection with proper headers</li>
- </ul>
-<h4>Key Security Components:</h4>
+ <div class="section">
+ <h2>MemGuard in Key Lifecycle Management</h2>
+ <pre><code>passphrase, _ := memguard.NewImmutableRandom(32)
+defer passphrase.Destroy()</code></pre>
+ <ul>
+ <li><strong>Immutable Buffers:</strong> Write-protected memory regions</li>
+ <li><strong>Ephemeral Storage:</strong> Keys exist only in protected memory</li>
+ <li><strong>Automatic Destruction:</strong> Guaranteed wipe with defer</li>
+ </ul>
+ </div>
-a) <b>Memory Protection:</b>
+ <div class="section">
+ <h2>Enclave-Based Cryptography</h2>
+ <pre><code>func deriveEnclaveKey(passphrase *memguard.Enclave) {
+ passBuf, _ := passphrase.Open()
+ defer passBuf.Destroy()
+}</code></pre>
+ <ul>
+ <li><strong>Double-Layer Protection:</strong> Enclave wrapping + locked buffers</li>
+ <li><strong>Controlled Exposure:</strong> Temporary buffer access patterns</li>
+ <li><strong>Zero-Copy Architecture:</strong> Minimize memory exposure</li>
+ </ul>
+ </div>
-<pre>memguard.CatchInterrupt()
-defer memguard.Purge()</pre>
-<p>This ensures sensitive data is wiped from memory when the program terminates or receives an interrupt signal.</p>
+ <div class="section">
+ <h2>Quantum-Safe Key Exchange</h2>
+ <pre><code>pubKey, secKey, _ := quantumKEMKeyPair()
+defer pubKey.Destroy()
+defer secKey.Destroy()</code></pre>
+ <ul>
+ <li><strong>MemGuard-Protected Keys:</strong>
+ <ul>
+ <li>Public Key: Immutable locked buffer</li>
+ <li>Private Key: Enclave-wrapped storage</li>
+ </ul>
+ </li>
+ <li><strong>Zeroization on Completion:</strong> Guaranteed key destruction</li>
+ </ul>
+ </div>
-b) <b>Session Management:</b>
-<ul>
-<li>Private keys are stored in memguard.LockedBuffer</li>
-<li>Public keys are stored as regular bytes</li>
-<li>Sessions are managed in a thread-safe sync.Map</li>
-<li>Session IDs use cryptographically secure random generation</li></ul>
+ <div class="section">
+ <h2>Secure Session Management</h2>
+ <pre><code>type QuantumSession struct {
+ sessionKey *memguard.Enclave
+ remotePubKey *memguard.Enclave
+}</code></pre>
+ <ul>
+ <li><strong>Enclave-Wrapped Session Keys:</strong> Encrypted memory storage</li>
+ <li><strong>Forward Secrecy:</strong> Ephemeral session keys</li>
+ <li><strong>Compartmentalization:</strong> Isolated memory regions per session</li>
+ </ul>
+ </div>
-c) <b>Encryption Process:</b>
-<ul>
-<li>Uses X25519 for key exchange</li>
-<li>mplements box.Seal for authenticated encryption</li>
-<li>Uses random nonces for each encryption</li>
-<li>Zero-copy buffer handling for sensitive data</li>
- </ul>
-
-<h4>Virtual Keyboard Security Features:</h4>
-<ul>
-<li>Randomized key layout on each activation</li>
-<li>Right-click secondary character access</li>
-<li>Drag-and-drop positioning</li>
-<li>Memory-safe input handling</li>
-<li>Protection against keyloggers</li>
- </ul>
-<b>Security Assessment:</b>
+ <div class="section">
+ <h2>Memory-Hardened Cryptography</h2>
+ <pre><code>lockedKey, _ := memguard.NewImmutableFromBytes(key)
+defer lockedKey.Destroy()</code></pre>
+ <ul>
+ <li><strong>Argon2 in Protected Memory:</strong>
+ <ul>
+ <li>Memory-hard derivation in locked buffers</li>
+ <li>Secure salt handling</li>
+ </ul>
+ </li>
+ <li><strong>Multi-Layer Protection:</strong>
+ <ul>
+ <li>mlock() system calls</li>
+ <li>MADV_DONTDUMP flags</li>
+ <li>Guard pages</li>
+ </ul>
+ </li>
+ </ul>
+ </div>
+
+ <div class="section">
+ <h2>MemGuard Best Practices</h2>
+ <ul>
+ <li>๐Ÿ”’ Always use <code>defer .Destroy()</code> with LockedBuffers</li>
+ <li>๐Ÿ›ก๏ธ Prefer <code>NewImmutable</code> for long-lived secrets</li>
+ <li>โš ๏ธ Never expose Enclave contents to logging</li>
+ <li>๐Ÿ”„ Use rolling buffers for repeated operations</li>
+ <li>๐Ÿงน Explicit <code>Purge()</code> after critical operations</li>
+ </ul>
+ </div>
+</body>
-<p>The application provides strong protection against:</p>
-<h4>RAM-based attacks:</h4>
-<ul>
-<li>Protected by memguard's secure memory allocation</li>
-<li>Keys are automatically wiped from memory</li>
-<li>No sensitive data in regular heap memory</li>
-<li>Protected against cold boot attacks</li>
- </ul>
-<h4>Network-based threats:</h4>
-<ul>
-<li>All API endpoints use HTTPS</li>
-<li>Proper CORS implementation</li>
-<li>Input validation on all endpoints</li>
-<li>Session-based authentication</li>
- </ul>
-<h4>Keylogging protection:</h4>
-<ul>
-<li>Virtual keyboard bypasses system keyboard</li>
-<li>Randomized layout prevents pattern analysis</li>
-<li>No physical key events to intercept</li>
-<li>Protection against both software and hardware keyloggers</li>
- </ul>
-
-<h4>Malware resistance:</h4>
-<p>The combination of memguard protection and the virtual keyboard makes it extremely difficult for malware to capture sensitive data because:</p>
-Encryption keys are never exposed in regular memory.<br>
-Virtual keyboard prevents keylogging.<br>
-Memory is actively protected against dumping attempts.<br>
-<h4>Overall Security Assessment:</h4>
-<p>The application provides robust protection against both memory-based attacks and network-based threats.</p>
-<p>The use of memguard for memory protection, combined with the virtual keyboard's anti-keylogging features, creates multiple layers of security that make it extremely difficult for malware or spyware to capture sensitive data.</p>