From 92174734d28e2036b17e301d5150409a403f7a44 Mon Sep 17 00:00:00 2001 From: Gab <24553253+gabrix73@users.noreply.github.com> Date: Tue, 14 Oct 2025 18:56:01 +0200 Subject: Update README.md --- README.md | 192 +++++++++++++++++++++----------------------------------------- 1 file changed, 66 insertions(+), 126 deletions(-) diff --git a/README.md b/README.md index fd320e0..0c4e969 100644 --- a/README.md +++ b/README.md @@ -1,156 +1,96 @@ -# πŸ›‘οΈ nofuture.go β€” Ephemeral Post-Quantum Text Encryption +# πŸ” NoFuture-Memguard-PQ -[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](./LICENSE) -[![Go Version](https://img.shields.io/badge/Go-1.21+-00ADD8.svg)](https://golang.org) -[![Security Hardened](https://img.shields.io/badge/security-hardened-brightgreen.svg)](#) -[![Status: Experimental](https://img.shields.io/badge/status-experimental-yellow.svg)](#) +**Ephemeral Post-Quantum Text Encryption Plugin for Mainstream Chats** -**nofuture.go** is a secure, ephemeral text encryption application designed to facilitate private communication β€” even across untrusted platforms β€” using post-quantum cryptography, memory-hard key management, and a local virtual keyboard for anti-keylogger defense. +Version 0.5.0 | Built with love and defiance | Privacy is a human right, not a feature -Its core purpose is simple but powerful: +## 🎯 What is it? -> πŸ’¬ **Encrypt sensitive text, exchange it via any mainstream chat, and make the keys disappear forever.** +NoFuture-Memguard-PQ is a **detached external encryption plugin** for any instant messaging platform. Use it in one browser tab while your mainstream chat (WhatsApp Web, Telegram, Signal, etc.) runs in another. ---- +**Key features:** +- πŸ›‘οΈ **Memguard-protected memory** - Keys and plaintext secured against root access and memory dumps +- πŸ”’ **Detached architecture** - Completely isolated from mainstream chat platforms (no backdoors possible) +- πŸ”₯ **Ephemeral by design** - Total key destruction on session end (no future access) +- ⚑ **Post-quantum ready** - Roadmap includes Kyber1024-90s and Dilithium5-AES +- πŸ–±οΈ **Anti-keylogger keyboard** - Virtual keyboard with randomized layout -## πŸ“¦ Project Structure +## πŸš€ Quick Start -- `cmd/` β€” CLI and runtime entry points -- `internal/crypto` β€” Kyber, Dilithium, Argon2, BLAKE2b, XChaCha -- `internal/memory` β€” memguard-backed key handling -- `assets/` β€” frontend static files (keyboard UI, etc.) -- `USAGE.md` β€” basic usage guide +```bash +# Install +git clone +cd nofuture-memguard-pq +go mod download +go build -o nofuture main.go ---- +# Run +./nofuture +# Open http://localhost:8080 +``` ## πŸ“– Documentation -- βœ… [How it works](#session-flow) -- βœ… [Cryptographic primitives](#cryptographic-primitives) -- βœ… [Memory protection](#key-generation--memory-protection) -- βœ… [Virtual keyboard](#virtual-keyboard-anti-keylogger) -- βœ… [Usage example](USAGE.md) - ---- +For complete documentation, open `README.html` in your browser. -## πŸ” Cryptographic Primitives +## ⚠️ Production Deployment -- **Kyber1024-90s** (Post-Quantum Key Encapsulation - KEM) - > Used to establish a shared session key between users. +**NEVER expose the Go server directly to the internet without HTTPS.** -- **Dilithium5-AES** (Post-Quantum Digital Signature - PQDS) - > Used for optional mutual authentication and message verification. +Use a reverse proxy (nginx, Caddy) with TLS certificates: -- **BLAKE2b-512** - > Used in session binding and secure hash-based key derivation. +```nginx +server { + listen 443 ssl http2; + server_name safecomms.yourdomain.com; -- **XChaCha20-Poly1305** - > Used for symmetric encryption of the actual message content. + ssl_certificate /path/to/cert.pem; + ssl_certificate_key /path/to/key.pem; -- **argon2id** with OWASP-recommended parameters - > Memory-hard key derivation used for passphrases and session binding. + location / { + proxy_pass http://localhost:8080; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + } +} +``` ---- +## πŸ” Security Model -## 🧠 Key Generation & Memory Protection +1. **Memguard** (PRIMARY) - Protects keys + plaintext in RAM against dumps, swap, debuggers +2. **Detached Architecture** - Mainstream platforms never see keys or plaintext +3. **AEAD Encryption** - XChaCha20-Poly1305 prevents tampering +4. **Total Destruction** - Keys irreversibly wiped on session end -- All cryptographic keys are generated **in volatile memory (RAM)**. -- Sensitive buffers (session keys, private keys, derived secrets) are stored using [`memguard`](https://github.com/awnumar/memguard), a secure memory management library for Go. -- `memguard`: - - Locks memory pages (`mlock`) to prevent swapping. - - Encrypts memory buffers while in RAM. - - Prevents access from other users β€” including the root user or malware. - - Performs secure erasure when buffers are destroyed or on crash. +## πŸ“Š What's Fixed in v0.5.0 -> βœ… **No key material ever touches the disk or garbage-collected heap.** +βœ… Plaintext now protected by memguard (was vulnerable) +βœ… Real encryption (XChaCha20-Poly1305 AEAD) instead of XOR +βœ… Real key exchange (NaCl box) instead of XOR +βœ… HTTPS enforcement (reverse proxy required) +βœ… CORS restrictions (no wildcard) +βœ… Rate limiting (60 req/min per IP) +βœ… Request size limits (1MB max) +βœ… Session timeouts (24h max) +βœ… Authenticated encryption (prevents bit-flipping) +βœ… Session isolation (no cross-contamination) +βœ… Secure cleanup on exit ---- - -## πŸ–±οΈ Virtual Keyboard (Anti-Keylogger) - -To protect local input from keyloggers or spyware, `nofuture.go` integrates an **optional on-screen virtual keyboard** with randomized key layout. - -- Protects against keyloggers reading `/dev/input` or `stdin`. -- No physical keypress events are generated. -- Layout is randomized per session. -- Optional use, recommended for high-security environments. - ---- - -## πŸ” Session Flow - -Encrypted communication is based on shared **Session IDs**, which encapsulate the cryptographic context between two users. - -### πŸ”Έ Phase 1: Create Session - -- Generate a key pair using Kyber KEM. -- Derive a session key and unique **Session ID**. -- All key material is held in memory and locked by `memguard`. - -### πŸ”Έ Phase 2: Share Session ID - -- Copy the Session ID and send it to your contact using **any chat platform**. -- Session IDs **do not contain sensitive data**. -- Transmission over unencrypted channels (chat, email) is acceptable, but encrypted ones are recommended. - -### πŸ”Έ Phase 3: Synchronize Session - -- Your contact imports the Session ID into their instance of `nofuture.go`. -- The app performs a key agreement and mutual validation (using Dilithium signatures if enabled). -- Once both sides are synchronized, they can start exchanging encrypted text. - ---- -## πŸ“Œ What Is the Session ID? +## πŸ—ΊοΈ Roadmap -The `Session ID` is not a simple string or UUID β€” it's a **cryptographic descriptor** of the secure session. -It contains all the necessary public information to allow the other party to **synchronize**, encrypt, and verify the session context. - -### πŸ” Composition of a Session ID - -- πŸ”‘ The **public key** of the sender (Kyber1024-90s) -- 🧬 A **nonce** β€” a unique 24-byte random seed -- 🧠 Optionally, a digital signature (Dilithium5-AES) for verifying the identity -- πŸ†” A hashed session fingerprint using BLAKE2b - -> Think of it like a β€œtemporary public key” for a one-time encrypted channel. - -### 🧩 Why it matters - -Sharing this `Session ID` allows another user to: -- Derive a **shared secret** via post-quantum KEM -- Bind their session securely to yours -- Encrypt data you alone can decrypt (and vice versa) - ----- - -## πŸ’₯ End Session = Total Key Destruction - -When you end the session: - -- All keys are securely wiped using `memguard.Purge()`. -- Session memory is sanitized according to [NIST SP 800-88](https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final). -- No forensic recovery is possible β€” not even with root access or RAM snapshots. -- The ciphertext remains in your chat app, but **can never be decrypted again**. - -> πŸ” One conversation. One key. One chance to read. No future access. - ---- - -## πŸ“„ Usage Example - -See [USAGE.md](USAGE.md) for a full guide on how to use `nofuture.go` alongside a browser-based chat client. - ---- +- βœ… v0.5.0: Memguard + XChaCha20-Poly1305 +- πŸ”„ v1.0.0: Kyber1024-90s + Dilithium5-AES (true post-quantum) +- πŸ”„ v1.1.0: Per-message ratcheting (forward secrecy) +- πŸ”„ v2.0.0: Browser extension ## πŸ“œ License -MIT License β€” see [`LICENSE`](./LICENSE) - ---- - -## ✊ Built with love and defiance -Because **privacy isn’t a feature** β€” it’s a human right. +MIT License +## πŸ’¬ Support +Report security issues privately. For other questions, open an issue. +--- +**One conversation. One key. One chance to read. No future access.** -- cgit v1.2.3