{"id":51460757,"url":"https://github.com/alvarofdezr/cript","last_synced_at":"2026-07-06T05:01:21.163Z","repository":{"id":358836523,"uuid":"1243277357","full_name":"alvarofdezr/cript","owner":"alvarofdezr","description":"Cryptographic Ratcheting Implementation Protocol - Secure group messaging with forward secrecy","archived":false,"fork":false,"pushed_at":"2026-05-19T10:43:33.000Z","size":112,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-19T10:51:10.640Z","etag":null,"topics":["cryptography","ecdsa","forward-secrecy","group-messaging","hkdf","protocol-implementation","python","security","sender-keys-protocol","signature-ratcheting"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/alvarofdezr.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-19T07:41:39.000Z","updated_at":"2026-05-19T10:43:37.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/alvarofdezr/cript","commit_stats":null,"previous_names":["alvarofdezr/cript"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/alvarofdezr/cript","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alvarofdezr%2Fcript","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alvarofdezr%2Fcript/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alvarofdezr%2Fcript/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alvarofdezr%2Fcript/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/alvarofdezr","download_url":"https://codeload.github.com/alvarofdezr/cript/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alvarofdezr%2Fcript/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35178403,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-06T02:00:07.184Z","response_time":106,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cryptography","ecdsa","forward-secrecy","group-messaging","hkdf","protocol-implementation","python","security","sender-keys-protocol","signature-ratcheting"],"created_at":"2026-07-06T05:01:18.909Z","updated_at":"2026-07-06T05:01:21.157Z","avatar_url":"https://github.com/alvarofdezr.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# CRIPT - Cryptographic Ratcheting Implementation Protocol\n\n[![Python 3.10+](https://img.shields.io/badge/python-3.10+-blue.svg)](https://www.python.org/downloads/)\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)\n[![Security: Cryptography](https://img.shields.io/badge/Security-Cryptography-red.svg)](https://cryptography.io/)\n\nA professional implementation of the **Sender Keys Protocol with Signature Ratcheting** for secure group messaging, based on the academic research:\n\n\u003e **Balbás, D., Collins, D., \u0026 Gajland, P. (2022).** *Analysis and Improvements of the Sender Keys Protocol for Group Messaging.* XVII RECSI 2022, Santander, 25-30.\n\n---\n\n## 🔐 Overview\n\nCRIPT provides a practical, production-ready implementation of the Sender Keys Protocol that enables:\n\n- **Forward Secrecy**: Compromising one ephemeral key doesn't expose previous messages\n- **Post-Compromise Security**: Even if the current key is compromised, past messages remain secure\n- **Scalable Group Messaging**: Efficient protocol for multiple recipients\n- **Signature Ratcheting**: Each message uses a derived ephemeral key for authentication\n\n### Key Features\n\n| Feature | Description |\n|---------|-------------|\n| **ECDSA Signatures** | Uses SECP256R1 (P-256) elliptic curve for signing |\n| **HKDF Key Derivation** | HMAC-based Key Derivation Function (SHA256) for forward secrecy |\n| **Blind Relay Server** | Server cannot read message contents, only routes packets |\n| **Tailscale Integration** | Secure networking over VPN tunnel for private deployment |\n| **Comprehensive Testing** | Unit and integration tests with security validation |\n| **Production-Ready** | Proper error handling, logging, and security practices |\n\n---\n\n## 📦 Installation\n\n### Prerequisites\n- Python 3.10 or higher\n- [uv](https://docs.astral.sh/uv/) package manager (recommended)\n\n### From Source\n\n```bash\n# Install uv (if not already installed)\ncurl -LsSf https://astral.sh/uv/install.sh | sh\n\n# Clone and setup\ngit clone https://github.com/alvarofdezr/cript.git\ncd cript\n\n# Install with uv (creates virtual environment automatically)\nuv sync\n\n# With development tools\nuv sync --group dev\n```\n\n### Using pip (Legacy)\n```bash\npip install cript\n```\n\n---\n\n## 🚀 Quick Start\n\n### 1. **Sender: Create and Sign Messages**\n\n```python\nfrom cript.core.protocol import SenderKeysProtocol\nfrom cript.crypto.ratchet import SignatureRatchet\n\n# Initialize sender\nsender = SenderKeysProtocol.Sender(name=\"Alicia\")\n\n# Create and sign message\nmessage = sender.create_message(\"Hello, secure group!\")\nprint(message.to_json())\n```\n\n### 2. **Receiver: Verify Messages**\n\n```python\nfrom cript.core.protocol import SenderKeysProtocol\nfrom cryptography.exceptions import InvalidSignature\n\n# Initialize receiver\nreceiver = SenderKeysProtocol.Receiver(name=\"Roberto\")\n\n# Register sender's initial public key (exchange happens out-of-band)\n# In production, this comes from a key directory or manual verification\n\n# Verify incoming message\ntry:\n    is_valid = receiver.verify_message(message)\n    if is_valid:\n        content = receiver.get_decrypted_content(message)\n        print(f\"Authenticated content: {content}\")\nexcept InvalidSignature:\n    print(\"⚠️ ALERT: Message signature invalid - possible forgery or tampering!\")\n```\n\n### 3. **Run the Server**\n\n```bash\npython -m cript.network.server\n# Output: CRIPT Server listening on 0.0.0.0:5000\n```\n\n---\n\n## 🏗️ Architecture\n\n```\nCRIPT\n├── src/cript/\n│   ├── crypto/           # Cryptographic primitives\n│   │   ├── keygen.py     # ECDSA key generation\n│   │   ├── hkdf.py       # HKDF-SHA256 key derivation\n│   │   └── ratchet.py    # Signature ratcheting mechanism\n│   ├── core/             # Protocol logic\n│   │   ├── protocol.py   # Sender Keys Protocol implementation\n│   │   └── message.py    # Message serialization\n│   └── network/          # Network layer\n│       ├── server.py     # Blind relay server\n│       └── client.py     # Protocol client\n├── tests/                # Comprehensive test suite\n├── examples/             # Usage examples\n├── docs/                 # Technical documentation\n└── pyproject.toml        # Project configuration\n```\n\n---\n\n## 🔐 Security Properties\n\n### Forward Secrecy (FS)\nEach message uses an ephemeral signature key derived from a chain key. Compromising the current key does not expose past keys.\n\n**Chain Key Derivation:**\n```\nCK_n = HKDF-SHA256(CK_{n-1}, info=\"ChainKey\")\nMK_n = HKDF-SHA256(CK_{n-1}, info=\"MessageKey\")\n```\n\n### Post-Compromise Security (PCS)\nAfter ratcheting, old ephemeral keys are destroyed. The protocol automatically advances to new keys with each message.\n\n### Signature Authentication\n- **Algorithm**: ECDSA with SHA256\n- **Curve**: SECP256R1 (P-256) - NIST standardized\n- **Key Recovery**: Impossible to derive private key from public key\n\n---\n\n## 📊 Protocol Flow\n\n### Message Transmission\n\n```\nSender (Alicia)                    Relay Server                   Receiver (Roberto)\n        │                                 │                                │\n        ├─ Generate ephemeral key       │                                │\n        ├─ Sign message                 │                                │\n        ├─ Package in CriptMessage      │                                │\n        └──────── JSON over TCP ───────\u003e│                                │\n                                        │─────── Forward to all ────────\u003e│\n                                        │                          ├─ Verify signature\n                                        │                          ├─ Update public key\n                                        │                          └─ Extract content\n                                        │                                │\n                                        │                          [Ratchet advanced]\n```\n\n### Key Derivation Timeline\n\n```\nInitial Chain Key (CK_0)\n        │\n        ├─ Derive → Message Key 1, Chain Key 1\n        │   └─ Sign Message 1 with SSK\n        │   └─ Broadcast new ephemeral key\n        │\n        ├─ Derive → Message Key 2, Chain Key 2\n        │   └─ Sign Message 2 with new SSK\n        │   └─ Broadcast new ephemeral key\n        │\n        └─ Continue ratcheting for each message...\n```\n\n---\n\n## 🧪 Testing\n\nRun the comprehensive test suite with uv:\n\n```bash\n# First sync dependencies\nuv sync --group dev\n\n# Run all tests\nuv run pytest tests/ -v\n\n# With coverage\nuv run pytest tests/ --cov=src/cript --cov-report=html\n\n# Specific test file\nuv run pytest tests/test_protocol.py -v\n\n# Run examples\nuv run python examples/01_basic.py\nuv run python examples/02_attacks.py\n```\n\n### Test Coverage\n- Unit tests for cryptographic primitives\n- Protocol state machine tests\n- Attack simulation (tampering detection)\n- Network layer tests\n\n---\n\n## 📖 Examples\n\n### Basic Example\n\n```python\n# examples/basic_messaging.py\nfrom cript.core.protocol import SenderKeysProtocol\n\nsender = SenderKeysProtocol.Sender(\"Alice\")\nreceiver = SenderKeysProtocol.Receiver(\"Bob\")\n\n# Send message\nmsg = sender.create_message(\"Hello, Bob!\")\nprint(f\"Sent: {msg.to_json()}\")\n\n# Receive and verify\nif receiver.verify_message(msg):\n    content = receiver.get_decrypted_content(msg)\n    print(f\"Received: {content}\")\n```\n\n### Network Example\n\n```python\n# examples/network_demo.py\nfrom cript.network.server import CriptServer\nfrom cript.network.client import CriptClient\n\n# Start server\nserver = CriptServer(port=5000)\n# server.start()  # In production thread\n\n# Connect clients\nalice = CriptClient(\"Alicia\", \"localhost\", 5000)\nbob = CriptClient(\"Roberto\", \"localhost\", 5000)\n\nalice.connect()\nbob.connect()\n\n# Exchange messages\nmessage = {...}  # CriptMessage as dict\nalice.send(message)\nreceived = bob.receive()\n```\n\n---\n\n## 🛡️ Security Considerations\n\n### ✅ What This Implementation Protects Against\n\n- **Message Forgery**: Invalid signatures are rejected\n- **Message Tampering**: Signature verification detects any modification\n- **Replay Attacks**: Sequence numbers should be checked by application\n- **Future Compromise**: Old messages remain secure after compromise\n\n### ⚠️ Limitations \u0026 Future Work\n\n- **Symmetric Encryption**: Currently uses placeholder; implement AES-GCM for production\n- **Key Exchange**: Initial key distribution must use secure out-of-band channel\n- **Metadata**: Server can see connection patterns (timing, volume)\n- **Perfect Forward Secrecy for Groups**: Requires additional layer for multi-recipient scenarios\n\n---\n\n## 🔧 Deployment\n\n### On Ubuntu Server with Tailscale\n\n```bash\n# 1. Install Tailscale\ncurl -fsSL https://tailscale.com/install.sh | sh\n\n# 2. Authenticate\nsudo tailscale up\n\n# 3. Clone and setup CRIPT\ngit clone https://github.com/alvarofdezr/cript.git\ncd cript\npip install .\n\n# 4. Start server\npython -m cript.network.server \u0026\n\n# 5. Verify listening on Tailscale IP\nnetstat -tuln | grep 5000\n```\n\n### Docker Deployment\n\n```dockerfile\nFROM python:3.11-slim\nWORKDIR /app\nCOPY . .\nRUN pip install .\nCMD [\"python\", \"-m\", \"cript.network.server\"]\n```\n\n---\n\n## 📚 References\n\n1. **Balbás, D., Collins, D., \u0026 Gajland, P. (2022).** Analysis and Improvements of the Sender Keys Protocol for Group Messaging. XVII RECSI 2022, Santander, 25-30.\n\n2. **Signal Protocol**: https://signal.org/docs/\n   - Reference implementation of Double Ratchet for 1-to-1 messaging\n\n3. **NIST Cryptography Standards**: https://csrc.nist.gov/\n   - ECDSA specification (FIPS 186-4)\n   - SHA256 specification (FIPS 180-4)\n\n4. **RFC 5869**: HMAC-based Extract-and-Expand Key Derivation Function (HKDF)\n   - https://tools.ietf.org/html/rfc5869\n\n---\n\n## 📝 License\n\nThis project is licensed under the **MIT License** - see [LICENSE](LICENSE) file for details.\n\n```\nMIT License\n\nCopyright (c) 2026 CRIPT Contributors\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software...\n```\n\n---\n\n## 🤝 Contributing\n\nContributions are welcome! Please:\n\n1. Fork the repository\n2. Create a feature branch: `git checkout -b feature/amazing-feature`\n3. Commit changes: `git commit -m 'Add amazing feature'`\n4. Push to branch: `git push origin feature/amazing-feature`\n5. Open a Pull Request\n\n### Development Setup\n\n```bash\npip install -e \".[dev]\"\npre-commit install\n```\n\n---\n\n## 📧 Contact \u0026 Support\n\n- **Issues**: [GitHub Issues](https://github.com/alvarofdezr/cript/issues)\n- **Email**: alvarofdezr@outlook.es\n\n---\n\n## 🎯 Roadmap\n\n- [ ] AES-GCM symmetric encryption layer\n- [ ] Extended Key Exchange Protocol (EKEP) implementation\n- [ ] Multi-recipient group messaging\n- [ ] Key directory service\n- [ ] Detailed security audit documentation\n- [ ] Formal verification of protocol properties\n- [ ] Kubernetes deployment guide\n- [ ] Web dashboard for monitoring\n\n---\n\n**CRIPT** - Making group messaging cryptography accessible and secure. 🔐\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falvarofdezr%2Fcript","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Falvarofdezr%2Fcript","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falvarofdezr%2Fcript/lists"}