NaCl

From Qontrol.nl Wiki
Jump to navigation Jump to search

"NaCl (pronounced "salt") is a new easy-to-use high-speed software library for network communication, encryption, decryption, signatures, etc. NaCl's goal is to provide all of the core operations needed to build higher-level cryptographic tools. Of course, other libraries already exist for these core operations. NaCl advances the state of the art by improving security, by improving usability, and by improving speed."

Python and C implementations

The NaCl library was originally implemented in Python. It was ported to C afterwards, later also providing C++ language bindings. The C sourcecode is available on http://nacl.cace-project.eu/, and is used in my QuickTun VPN software.

The C code is very straight-forward, and trivial to port to C# and JavaScript.

See NaCl/Windows for information on building NaCl on Windows.

Building a dynamic shared library from the C code

See NaCl/Shared for information about building a shared, dynamically linkable library. A dynamic shared library and an automated way to build one on Debian/Ubuntu systems, are also available in the repository at http://apt.ucis.nl/. Libsodium (http://www.libsodium.org) provides a more maintainable and up-to-date, compatible, alternative.

Building only reference implementations

Sometimes it is desirable to build a generic platform independent library. In this case, it is recommended to only use the reference implementations of the provided primitives. To do so, the patch below can be used on the do script (patch do patchfile):

*** do.org      2011-02-27 17:47:19.997126841 +0100
--- do  2011-02-27 18:05:53.837122146 +0100
***************
*** 168,169 ****
--- 168,173 ----
          implementationdir=`dirname $doth`
+         implementation=`basename "$implementationdir"`
+         if [ "$implementation" != "ref" -a "$implementation" != "ref2" ]; then
+           continue;
+         fi
        opi=`echo "$implementationdir" | tr ./- ___`

C# / .Net implementation

This is a partial port directly from the original C sourcecode to pure ("unsafe") C# code. All code has been put into classes, and array operations had to be changed to use pointers. Only few changes had to be made to the actual logic. The sourcecode is available at https://bitbucket.org/IvoSmits/ucis.core as part of the UCIS.Core project. Note that not all code has been ported yet.

Most of the ported code should be as secure as the original C code. The C# code performs somewhat slower than the original C code, mostly because the original code is highly optimized for specific hardware.

The C# NaCl library is currently used by the VNE library to provide QuickTun VPN tunnel functionality.

JavaScript implementation

This is another partial port based on the above C# sourcecode to pure browser-compliant JavaScript. It tries to resemble the original sourcecode as close as possible. The sourcecode, as well as an usage example, is available at http://oss.ucis.nl/nacl/js/. Note that only the curve25519xsalsa20poly1305 key generation has been implemented so far - but further porting should be trivial.

The key generation procedure may be less secure than the original code, due to the use of a possibly pseudo-random number generator. Also, browsers tend to be prone to all kinds of (cross-site) scripting attacks. The code is a lot slower than the original C code, as it's dynamically interpreted. Obviously, it performs best in Google Chrome, then comes Firefox, and is just terribly slow in MSIE. But hey, it works!

PHP binding

A PHP extension to support some commonly used NaCl functions is available in source form at http://oss.ucis.nl/hg/php_nacl/ and as a debian/ubuntu package at http://apt.ucis.nl/ (php5-nacl).

Other PHP modules providing similar functionality are available, providing their own, incompatible, interfaces. See below.

Other implementations and bindings