kpriv/freebsd-ports
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
freebsd-ports/net/rosenpass/pkg-descr
Robert Clausecker 55bf3daa4a net/rosenpass: Wireguard-based post-quantum VPN 
Rosenpass implements a post-quantum-secure key exchange in the spirit of
a Noise protocol. The motivating use case is integrating with the
WireGuard VPN: In this mode, the key generated by Rosenpass is supplied
to WireGuard as its pre-shared symmetric key (PSK). This results in a
WireGuard VPN connection with hybrid post-quantum security.

While Rosenpass is designed with WireGuard in mind, it can be used as a
stand-alone tool to exchange keys. Using this mode, it can be used to
secure other protocols against attacks from quantum computers, given
that they offer using a PSK, and that a secure PSK is sufficient for
security of the protocol. To use this mode, the rosenpass binary must be
used together with the outfile <FILE> parameter. Then, Rosenpass will
write a key to the given file every two minutes, and print a message on
standard out to notify the user or the calling script that the key has
changed.

The implementation is written in Rust but uses libsodium and liboqs --
both of which are C libraries. This does not result in pretty code
everywhere, but enables some advanced security features such as using
libsodium's sodium_malloc. We use a couple of techniques to make sure
the code is secure: We use variable colouring (gating use of a secret
value through a .secret() method), and the code zeroizes all key
material.

WWW: https://rosenpass.eu
2023-09-10 12:13:03 -04:00

23 lines
1.3 KiB
Text
Raw Blame History

Rosenpass implements a post-quantum-secure key exchange in the spirit of
a Noise protocol. The motivating use case is integrating with the
WireGuard VPN: In this mode, the key generated by Rosenpass is supplied
to WireGuard as its pre-shared symmetric key (PSK). This results in a
WireGuard VPN connection with hybrid post-quantum security.
While Rosenpass is designed with WireGuard in mind, it can be used as a
stand-alone tool to exchange keys. Using this mode, it can be used to
secure other protocols against attacks from quantum computers, given
that they offer using a PSK, and that a secure PSK is sufficient for
security of the protocol. To use this mode, the rosenpass binary must be
used together with the outfile <FILE> parameter. Then, Rosenpass will
write a key to the given file every two minutes, and print a message on
standard out to notify the user or the calling script that the key has
changed.
The implementation is written in Rust but uses libsodium and liboqs --
both of which are C libraries. This does not result in pretty code
everywhere, but enables some advanced security features such as using
libsodium's sodium_malloc. We use a couple of techniques to make sure
the code is secure: We use variable colouring (gating use of a secret
value through a .secret() method), and the code zeroizes all key
material.
Reference in a new issue View git blame Copy permalink