Encryption modules

Balazs Bucsay edited this page May 19, 2018 · 6 revisions

The encryption modules are supposed to take care of encrypting the data streams. At this stage only three different modules are supported, but the framework allows this list to be extended with new modules.

The default modules are based on the cryptography Python package, which supports both Python 2.7 and 3. Assuming that this package was coded in a secure manner, the encryption modules should provide decent security for the users. For the details and disclaimers please see the modules below.

This part of the framework is really delicate and should be transparent to the transport modules. Since the transport protocols and their payloads are usually limited, every byte matters (just think about DNS). Wasting a byte or a couple of bytes could drastically decrease the throughput and usability of the module.

Having said that, all modules should be robust, have a low overhead, be based on a stream cipher, and ideally use Elliptic-curve Diffie-Hellman for key exchange and a symmetric algorithm to encrypt.

At the moment only three encryption modules (two really) are supported:

  • None - provides no encryption
  • Basic - the default - provides reasonable security
  • Advanced - provides the best security
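
As an added illustration of the design sketched above (this is example code, not XFLTReaT's own modules), the following Python uses the cryptography package for an X25519 ECDH handshake and a ChaCha20 stream cipher and shows that a packet costs zero extra bytes on the wire. The HKDF label, the nonce layout and the direction/packet-number scheme are this example's own assumptions, not the project's.

```python
import struct

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

INFO = b"example-tunnel-key"  # constructed HKDF label for this example, not an XFLTReaT value


def public_bytes(private_key):
    """32 raw bytes of the X25519 public key: all that the handshake puts on the wire."""
    return private_key.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)


def derive_key(own_private, peer_public_raw):
    """ECDH shared secret stretched to a 32-byte ChaCha20 key with HKDF-SHA256."""
    shared = own_private.exchange(X25519PublicKey.from_public_bytes(peer_public_raw))
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=INFO,
                backend=default_backend()).derive(shared)


def xor_packet(key, direction, packet_no, data):
    """Encrypt or decrypt one packet (ChaCha20 is symmetric, so one call does both).
    cryptography expects a 16-byte value: 4-byte initial block counter + 12-byte nonce.
    The nonce encodes direction (0 = client->server, 1 = server->client) and the packet
    number, so a key stream is never reused under one key. The output is exactly as
    long as the input: zero per-packet expansion. Plain ChaCha20 gives confidentiality
    only; integrity would need a MAC (e.g. ChaCha20Poly1305) and a tag per packet."""
    nonce = struct.pack("<I", 0) + struct.pack("<I", direction) + struct.pack("<Q", packet_no)
    cipher = Cipher(algorithms.ChaCha20(key, nonce), mode=None, backend=default_backend())
    return cipher.encryptor().update(data)


def handshake_and_roundtrip(payload, packet_no=7):
    """Both ends of a tunnel: handshake, then one client->server packet.
    Returns (bytes on the wire, what the server recovers)."""
    client_priv, server_priv = X25519PrivateKey.generate(), X25519PrivateKey.generate()
    # Each side receives only the other side's 32-byte public key.
    client_key = derive_key(client_priv, public_bytes(server_priv))
    server_key = derive_key(server_priv, public_bytes(client_priv))
    assert client_key == server_key
    wire = xor_packet(client_key, 0, packet_no, payload)
    return wire, xor_packet(server_key, 0, packet_no, wire)


if __name__ == "__main__":
    sent, seen = handshake_and_roundtrip(b"constructed payload")
    print(len(sent), seen)
```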

Performance penalty

Not surprisingly, every extra piece of functionality comes with a performance penalty. Encryption is heavy and quite CPU-intensive, so the throughput decreases as well.

Before the wrong conclusion is drawn from the following example: the measurement was done using the TCP module. Although the advanced encryption module gives better security and its results are better, it unfortunately has an overhead which makes it less desirable for low-bandwidth modules like DNS.

The following measurements cannot be considered accurate values, but they give an idea about the utilization and throughput when using the tool in different ways:

  • Without the tool
    • Downstream bandwidth: 54.63 Mbps
    • Upstream bandwidth: 3.03 Mbps
    • CPU Util: N/A
  • Using the tool without encryption (none module)
    • Downstream bandwidth: 51.55 Mbps
    • Upstream bandwidth: 2.90 Mbps
    • CPU Util: 17%
  • Using the tool with encryption (basic module)
    • Downstream bandwidth: 33.90 Mbps
    • Upstream bandwidth: 2.86 Mbps
    • CPU Util: 35%
  • Using the tool with encryption (advanced module)
    • Downstream bandwidth: 42.19 Mbps
    • Upstream bandwidth: 2.81 Mbps
    • CPU Util: 35%

Errors

In some cases an older version of the cryptography package is already installed for Python. If that version is older than 2.0, it could fail with the following error:
AttributeError: 'module' object has no attribute 'ChaCha20'

If this happens, the package needs to be upgraded. The following command could fix the issue:
# pip install --upgrade cryptography
