🔒 Portable, secure by default cryptography
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
c
go
java
javascript
python
ruby
testdata
.gitignore
.travis.yml
Makefile
README.md

README.md

Confidentiality License: MIT Build Status Go Documentation

Portable, secure by default cryptography.

Important: This library is not a substitution for well seasoned TLS implementations and only exists as a supplementary means of offering cryptographic primitives. Make sure you understand the limitations of each function before you use them.

Project state: Unstable, we're still working on the API and used algorithms.

Supported languages

Language Version Remarks
C c99 Requires mbedTLS >= 2.1.0 or OpenSSL >= 1.0.0
Go >= 1.10
Javascript node.js >= 11 Browsers with WebCrypto support
Python >= 3.4
Ruby >= 2.5

Used algorithms

Algorithm Usage
HMAC-SHA256 Message authentication
AES Block encryption
AES-GCM Message and iv encryption (authenticated)
AES-GCM+AES-CTR Stream encryption
X25519+PBKDF2 Key exchange (KEX)

Backward compatibility

Confidentiality will be released using semantic versioning. Releases on the a new major release may introduce algorithm changes that are not compatible with releases on previous major releases. New major versions may be compatible with older releases, unless there are security concerns for supporting older algorithms.

The 0 major release has no promise of backward compatibility and are used to field test algorithm changes.

Message authentication

Using HMAC-SHA256.

Signing

sign(message, key) -> signed message

Verifying

verify(signed message, key) -> [error]

Key exchange

Using Elliptive Curve Diffie-Helman (ECDH) key exchange.

Shared key

exchange(readable & writable stream) -> key

Message encryption

Using AES-128-GCM.

Encrypting

encrypt(message, key) -> encrypted message

Decrypting

decrypt(encypted message, key) -> message

Stream encryption

Using AES-128-GCM for IV hand over and AES-128-CTR for stream encryption.

Encrypting

encrypter(writable stream, key) -> writable stream

Decrypting

decrypter(readable stream, key) -> readable stream

Secure a stream

Performs a key exchange and switches to encrypted/decrypted streams for writing/reading to/from the stream.

secure(readable & writable stream) -> readable & writable stream