NaCl

From Qontrol.nl Wiki

"NaCl (pronounced "salt") is a new easy-to-use high-speed software library for network communication, encryption, decryption, signatures, etc. NaCl's goal is to provide all of the core operations needed to build higher-level cryptographic tools. Of course, other libraries already exist for these core operations. NaCl advances the state of the art by improving security, by improving usability, and by improving speed."

Python and C implementations

The NaCl library was originally implemented in Python. It was ported to C afterwards, later also providing C++ language bindings. The C source code is available at http://nacl.cace-project.eu/ and is used in my QuickTun VPN software.

The C code is very straightforward, and trivial to port to C# and JavaScript.

See NaCl/Windows for information on building NaCl on Windows.

Building a dynamic shared library from the C code

See NaCl/Shared for information about building a shared, dynamically linkable library. A dynamic shared library, and an automated way to build one on Debian/Ubuntu systems, are also available in the repository at http://apt.ucis.nl/.

Building only reference implementations

Sometimes it is desirable to build a generic, platform-independent library. In that case, it is recommended to use only the reference implementations of the provided primitives. To do so, apply the patch below to the do script (patch do patchfile):

*** do.org      2011-02-27 17:47:19.997126841 +0100
--- do  2011-02-27 18:05:53.837122146 +0100
***************
*** 168,169 ****
--- 168,173 ----
          implementationdir=`dirname $doth`
+         implementation=`basename "$implementationdir"`
+         if [ "$implementation" != "ref" -a "$implementation" != "ref2" ]; then
+           continue;
+         fi
        opi=`echo "$implementationdir" | tr ./- ___`
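
Review bot: the added `if` line combines two comparisons with `-a` inside a single `[ ]`, which POSIX marks as obsolescent and which is easy to misparse; prefer `[ "$implementation" != "ref" ] && [ "$implementation" != "ref2" ]`, or a `case "$implementation" in ref|ref2) ;; *) continue ;; esac`. The filter is also unconditional and carries no comment, so anyone who later wants the optimized implementations back has to rediscover why everything except the ref and ref2 directories is skipped; a one-line comment above the `basename` line, and ideally an opt-in switch, would make that explicit. The semicolon after `continue` is unnecessary.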

C# / .Net implementation

This is a partial port directly from the original C source code to pure ("unsafe") C# code. All code has been put into classes, and array operations had to be changed to use pointers. Only a few changes had to be made to the actual logic. The source code, as well as a precompiled library, is available at http://oss.ucis.nl/nacl/. Note that not all code has been ported yet. More specifically, everything needed to provide curve25519xsalsa20poly1305 crypto-box functionality has been ported.

Most of the ported code should be as secure as the original C code. The key generation procedure may be less secure, because the random number generator it uses may be only pseudo-random rather than cryptographically secure (depending on the .NET framework implementation). The C# code performs somewhat slower than the original C code.

The C# NaCl library is currently used by the VNE library to provide QuickTun VPN tunnel functionality.

Another partial C# port is available as part of GbDns.

JavaScript implementation

This is another partial port, based on the above C# source code, to pure browser-compliant JavaScript. It tries to resemble the original source code as closely as possible. The source code, as well as a usage example, is available at http://oss.ucis.nl/nacl/js/. Note that only the curve25519xsalsa20poly1305 key generation has been implemented so far, but further porting should be trivial.

The key generation procedure may be less secure than the original code, because the random number generator it uses may be only pseudo-random rather than cryptographically secure. Also, browsers tend to be prone to all kinds of (cross-site) scripting attacks. The code is a lot slower than the original C code, as it's dynamically interpreted. Obviously, it performs best in Google Chrome, then comes Firefox, and is just terribly slow in MSIE. But hey, it works!
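
The key generation caveat in the C# and JavaScript sections comes down to where the 32 secret-key bytes come from. The following is an added example, not code from either port: it contrasts a seeded general-purpose generator (the hypothetical weakSecretKey, fed a constructed seed) with a fail-closed CSPRNG call (generateSecretKey, also a name introduced here), assuming a Web Crypto getRandomValues is available.

```javascript
// Added example; not code from the JavaScript or C# port described on this page.
// Assumption: a crypto_box secret key is 32 uniformly random bytes, as in NaCl.
const SECRET_KEY_BYTES = 32;

// Web Crypto is global in browsers and current Node.js; older Node.js
// only exposes it as require('crypto').webcrypto.
const platformCrypto = globalThis.crypto ||
  (typeof require === 'function' ? require('crypto').webcrypto : undefined);

// Hardened form: take key bytes from the platform CSPRNG, and fail closed
// instead of silently falling back to a weaker generator.
function generateSecretKey(rng = platformCrypto) {
  if (!rng || typeof rng.getRandomValues !== 'function') {
    throw new Error('no CSPRNG available, refusing to generate a key');
  }
  return rng.getRandomValues(new Uint8Array(SECRET_KEY_BYTES));
}

// Weak form (hypothetical, for contrast): a seeded linear congruential
// generator standing in for any general-purpose PRNG. The whole key is a
// function of the 32-bit seed, so it carries at most 32 bits of entropy.
function weakSecretKey(seed) {
  let state = seed >>> 0;
  const key = new Uint8Array(SECRET_KEY_BYTES);
  for (let i = 0; i < key.length; i++) {
    state = (Math.imul(state, 1664525) + 1013904223) >>> 0;
    key[i] = state >>> 24; // keep the high byte of each step
  }
  return key;
}

function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Constructed sample seed: a clock-like value such as a page-load timestamp.
const SAMPLE_SEED = 1298826353;

function demo() {
  return {
    weakA: toHex(weakSecretKey(SAMPLE_SEED)),
    weakB: toHex(weakSecretKey(SAMPLE_SEED)), // same seed, same "secret"
    strongA: toHex(generateSecretKey()),
    strongB: toHex(generateSecretKey()),
  };
}
```
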

PHP binding

An incomplete PHP extension to support NaCl is available in source form at http://oss.ucis.nl/hg/php_nacl/ and as a Debian/Ubuntu package at http://apt.ucis.nl/ (php5-nacl).