README.md 2.72 KB
Newer Older
Jan Včelák's avatar
Jan Včelák committed
1
# NSEC5 Crypto
Jan Včelák's avatar
README  
Jan Včelák committed
2

Jan Včelák's avatar
Jan Včelák committed
3
4
This repository contains **sample implementation** of cryptographic functions required for NSEC5.

5
NSEC5 is a recently proposed mechanism for authenticated denial of existence in DNSSEC, which prevents zone enumeration.
Jan Včelák's avatar
README  
Jan Včelák committed
6

7
8
9
10
11
The sample implementation covers following libraries:

- [OpenSSL](http://openssl.org/)
- [Nettle](http://www.lysator.liu.se/~nisse/nettle/)
- [GnuTLS](http://gnutls.org/) (3.0 or newer)
Jan Včelák's avatar
README  
Jan Včelák committed
12
13
14

## Quick Start

Jan Včelák's avatar
Jan Včelák committed
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
Fetch the source code, compile demo programs, generate an RSA key, and run the demo:

```
$ git clone https://gitlab.labs.nic.cz/knot/nsec5-crypto.git
$ cd nsec5-crypto
$ make
$ openssl genrsa 2048 > key.pem
$ ./demo_openssl sha1 key.pem testinput
```

## Demo

To compile included demo programs (`demo_openssl` and `demo_gnutls`), execute `make` in the root of the repository.
If all libraries and *pkg-config* are available, everything should go smoothly.

```
$ make
cc -std=gnu99 -Wall -g -O2 -Icrypto -lcrypto  -o demo_openssl demo/main.c demo/openssl.c crypto/openssl_fdh.c
cc -std=gnu99 -Wall -g -O2 -Icrypto -lgnutls -lnettle -lhogweed  -lgmp -o demo_gnutls demo/main.c demo/gnutls.c crypto/gnutls_fdh.c crypto/nettle_fdh.c crypto/nettle_mgf.c
```

To compile individual demo programs, run `make demo_<name>` as usual:

```
$ make demo_openssl
cc -std=gnu99 -Wall -g -O2 -Icrypto -lcrypto  -o demo_openssl demo/main.c demo/openssl.c crypto/openssl_fdh.c
```

To override compilation and linking parameters for dependend libraries (also required when *pkg-config* is not available), add `<name>_FLAGS` parameter:

```
$ make demo_openssl openssl_FLAGS="-I/usr/local/include -L/usr/local/lib64 -lcrypto"
cc -std=gnu99 -Wall -g -O2 -Icrypto -I/usr/local/include -L/usr/local/lib64 -lcrypto -o demo_openssl demo/main.c demo/openssl.c crypto/openssl_fdh.c
```

Jan Včelák's avatar
Jan Včelák committed
50
The demo program takes a name of a hash function, a private RSA key in PEM format, and input from the command line. The input is then signed and verified:
Jan Včelák's avatar
Jan Včelák committed
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69

```
$ ./demo_gnutls sha1 key_1024.pem teststring
## GnuTLS
# input
74 65 73 74 73 74 72 69 6e 67 
# signature
51 7b dd a8 b3 ee c2 f5 a7 bf fc f5 d5 67 96 d1
7d a0 b2 a7 a9 db 49 cb 2c 4b c7 50 b6 ab 79 dd
57 49 d3 39 64 c4 9b a4 0f b1 8e 4c 46 33 0b 86
c7 c0 10 0b a6 29 fc 3c 08 b4 18 5b 7d bf 7b e7
f7 31 78 1b a5 4d d1 10 4f 08 47 95 4f 83 7e 7c
2f ab 14 98 05 3a 40 a0 f4 d4 b7 18 f0 49 56 52
f8 d1 df c4 e0 47 8e 95 2b 0f 4d 0c 4c bb 83 91
8b 0a 33 1e 6c 77 45 f7 c5 25 da 01 09 8d 43 c4
# verification
succeeded
```

70
To generate a new RSA key, utilities supplied with OpenSSL or GnuTLS can be used:
Jan Včelák's avatar
Jan Včelák committed
71
72
73
74
75

```
(openssl)$ openssl genrsa 2048 > key.pem
(gnutls)$ certtool --generate-privkey --rsa --bits 2048 > key.pem
```
Jan Včelák's avatar
README  
Jan Včelák committed
76
77
78

## Rerefences

79
- [NSEC5 Project Page](http://www.cs.bu.edu/~goldbe/papers/nsec5.html)
Jan Včelák's avatar
README  
Jan Včelák committed
80
81
82
83

## License

TBD