https://github.com/pedroalbanese/gosttk
🔒 Pure Go GOST Security Suite
- Host: GitHub
- URL: https://github.com/pedroalbanese/gosttk
- Owner: pedroalbanese
- License: isc
- Archived: true
- Created: 2021-01-09T22:45:51.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2022-12-10T19:20:12.000Z (over 2 years ago)
- Last Synced: 2025-03-20T19:36:56.922Z (2 months ago)
- Topics: cmac, digital-signature, encryption, gogost, gost-cipher-suite, gost-toolkit, hash, hash-digest, hmac, kuznechik, kuznyechik, magma, pbkdf2, signature, streebog, streebog-512, symmetric-ciphers, vko-gost
- Language: Go
- Size: 854 KB
- Stars: 12
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE.md
- Security: SECURITY.md
README
## GOST Toolkit: GOST Security Suite written in Go
Multi-purpose cross-platform cryptography tool for symmetric encryption, cipher-based message authentication code (CMAC), recursive hash digest, hash-based message authentication code (HMAC), digital signature, shared key agreement (VKO) and PBKDF2 function for embedded systems.
**GOST refers to a set of technical standards maintained by the Euro-Asian Council for Standardization, Metrology and Certification (EASC), a regional standards organization operating under the auspices of the Commonwealth of Independent States (CIS).**
#### GOST is the GOvernment STandard of the Russian Federation (and Soviet Union):
* GOST 28147-89 64-bit block cipher (RFC 5830)
* GOST R 34.11-94 hash function 256-bit (RFC 5831)
* GOST R 50739-95 data sanitization method (non-cryptographic)
* GOST R 34.10-2001 public key signature function (RFC 5832)
* VKO GOST R 34.10-2001 key agreement function (RFC 4357)
* GOST R 34.10-2012 public key signature function (RFC 7091)
* VKO GOST R 34.10-2012 key agreement function (RFC 7836)
* GOST R 34.11-2012 Стрибог (Streebog) hash function 256/512-bit (RFC 6986)
* GOST R 34.12-2015 128-bit block cipher Кузнечик (Kuznechik) (RFC 7801)
* GOST R 34.12-2015 64-bit block cipher Магма (Magma) (RFC 8891)
* MGM AEAD mode for 64 and 128 bit ciphers (RFC 9058)
## Algorithms
#### Symmetric:
- Block Ciphers:
  - GOST 28147-89 CryptoPro
  - GOST R 34.12-2015 Magma (default)
  - GOST R 34.12-2015 Kuznechik (Grasshopper)
- Supported ParamSets:
  - GOST 28147-89 CryptoPro: A, B, C, D, EAC, Z
- Modes of Operation:
  - MGM: Multilinear Galois Mode (AEAD)
  - CTR: Counter Mode (a.k.a. CNT)
  - OFB: Output Feedback Mode
  - CFB8: Cipher Feedback Mode (8-bit)
- Message Digest Algorithms:
  - GOST R 34.11-94 CryptoPro 256-bit
  - GOST R 34.11-2012 Streebog 256/512-bit (default)
#### Asymmetric:
- Public key Algorithms:
  - GOST R 34.10-2001 CryptoPro 256-bit
  - GOST R 34.10-2012 256/512-bit (default)
- Supported ParamSets:
  - GOST R 34.10-2001 256-bit: A, B, C, XA, XB
  - GOST R 34.10-2012 256-bit: A, B, C, D
  - GOST R 34.10-2012 512-bit: A, B, C
## Features
- Cryptographic Functions:
  - Symmetric Encryption + AEAD Mode
  - Digital Signature (ECDSA equivalent)
  - VKO (выработка ключа общего) shared key negotiation (ECDH equivalent)
  - Recursive Hash Digest + Check
  - CMAC (Cipher-based message authentication code)
  - HMAC (Hash-based message authentication code)
  - HKDF (HMAC-based key derivation function)
  - PBKDF2 (Password-based key derivation function 2)
  - TLS 1.2 (Transport Layer Security)
- Non-Cryptographic Functions:
  - GOST R 50739-95 data sanitization method
  - Bin to Hex/Hex to Bin string conversion
  - Random Art (Public key Fingerprint)
#### TODO:
- [ ] TLS 1.3
- [x] MGM Mode of operation
- [x] OFB Mode of operation
- [x] PBKDF2 Function
- [x] GOST 28147-89 CMAC
- [x] GOST 28147-89 symmetric cipher
- [x] GOST R 34.11-94 HMAC
- [x] GOST R 50739-95 data sanitization method
- [x] GOST R 34.10-2001 public key signature function
- [x] VKO GOST R 34.10-2001 key agreement function
- [x] GOST R 34.12-2015 Magma symmetric cipher
## Usage
```
  -128
        Block size: 64 or 128. (for symmetric encryption only) (default 64)
  -512
        Bit length: 256 or 512. (default 256)
  -check string
        Check hashsum file. ('-' for STDIN)
  -crypt string
        Encrypt/Decrypt with symmetric ciphers.
  -digest string
        File/Wildcard to generate hashsum list. ('-' for STDIN)
  -hex string
        Encode binary string to hex format and vice-versa.
  -hkdf int
        HMAC-based key derivation function with a given output bit length.
  -info string
        Associated data, additional info. (for HKDF and AEAD encryption)
  -iter int
        Iterations. (for SHRED and PBKDF2 only) (default 1)
  -iv string
        Initialization vector. (for non-AEAD symmetric encryption)
  -key string
        Private/Public key, password or HMAC key, depending on operation.
  -mac string
        Compute hash-based/cipher-based message authentication code.
  -mode string
        Mode of operation: MGM, CTR or OFB. (default "MGM")
  -old
        Use old roll of algorithms.
  -paramset string
        Elliptic curve ParamSet: A, B, C, D, XA, XB. (default "A")
  -pbkdf2
        Password-based key derivation function 2.
  -pkey string
        Generate keypair, Derive shared secret, Sign and Verify.
  -pub string
        Remote's side public key.
  -rand int
        Generate random cryptographic key with a given output bit length.
  -recursive
        Process directories recursively. (for DIGEST command only)
  -salt string
        Salt. (for PBKDF2 and HKDF commands)
  -shred string
        Files/Path/Wildcard to apply data sanitization method.
  -signature string
        Input signature. (verification only)
  -version
        Print version information.
```
## Examples
#### Asymmetric GOST R 34.10-2001 256-bit keypair generation (INI format):
```sh
./gosttk -pkey generate -old [-paramset A|B|C|XA|XB]
```
#### Asymmetric GOST R 34.10-2012 256/512-bit keypair generation (default):
```bash
./gosttk -pkey gen [-paramset A|B|C|D] [-512 -paramset A|B|C]
```
#### Signature (ECDSA equivalent):
```sh
./gosttk -pkey sign [-512|-old] -key $prvkey < file.ext > sign.txt
sign=$(cat sign.txt)
./gosttk -pkey verify [-512|-old] -key $pubkey -signature $sign < file.ext
echo $?
```
#### VKO: Shared key negotiation (ECDH equivalent):
```sh
./gosttk -pkey derive [-512|-old] -key $prvkey -pub $pubkey
```
#### Encryption/decryption with Magma (GOST R 34.12-2015) block cipher (default):
```sh
./gosttk -crypt enc -key $shared < plaintext.ext > ciphertext.ext
./gosttk -crypt dec -key $shared < ciphertext.ext > plaintext.ext
```
#### Encryption/decryption with Kuznyechik (GOST R 34.12-2015) block cipher:
```sh
./gosttk -crypt enc -128 -key $shared < plaintext.ext > ciphertext.ext
./gosttk -crypt dec -128 -key $shared < ciphertext.ext > plaintext.ext
```
#### Encryption/decryption with GOST 28147-89 CryptoPro block cipher:
```sh
./gosttk -crypt enc -old -key $shared < plaintext.ext > ciphertext.ext
./gosttk -crypt dec -old -key $shared < ciphertext.ext > plaintext.ext
```
#### CMAC-Kuznechik (cipher-based message authentication code):
```sh
./gosttk -mac cmac -128 -key $128bitkey < file.ext
./gosttk -mac cmac -128 -key $128bitkey -signature $128bitmac < file.ext
```
#### CMAC-Magma (cipher-based message authentication code):
```sh
./gosttk -mac cmac [-old] -key $128bitkey < file.ext
./gosttk -mac cmac [-old] -key $128bitkey -signature $64bitmac < file.ext
```
#### GOST94-CryptoPro hashsum (list):
```sh
./gosttk -digest "*.*" -old [-recursive]
```
#### GOST94-CryptoPro hashsum (single):
```sh
./gosttk -digest - -old < file.ext
```
#### HMAC-GOST94-CryptoPro (hash-based message authentication code):
```sh
./gosttk -mac hmac -old -key $256bitkey < file.ext
./gosttk -mac hmac -old -key $256bitkey -signature $256bitmac < file.ext
```
#### Streebog256/512 hashsum:
```sh
./gosttk -digest - [-512] < file.ext
```
#### HMAC-Streebog256/512:
```sh
./gosttk -mac hmac [-512] -key $256bitkey < file.ext
./gosttk -mac hmac [-512] -key $256bitkey -signature $256bitmac < file.ext
```
#### HKDF (HMAC-based key derivation function 256-bit output):
```sh
./gosttk -hkdf 256 [-512|-old] -key "IKM" -info "AD" -salt "salt"
```
#### PBKDF2 (password-based key derivation function 2):
```sh
./gosttk -pbkdf2 [-512|-old] -key "pass" -iter 10000 -salt "salt"
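```
#### Note:
The PBKDF2 function can be combined with the CRYPT and HMAC commands. When `-iter` is omitted, the iteration count falls back to the default of 1 listed under Usage, so pass `-iter` explicitly when deriving a key from a password: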
```sh
./gosttk -crypt enc -128 -pbkdf2 -512 -key "pass" < plaintext.ext > ciphertext.ext
./gosttk -mac hmac [-512] -pbkdf2 -key "pass" -salt "salt" -iter 10000 < file.ext
```
#### Shred (GOST R 50739-95 data sanitization method, 25 iterations):
```sh
./gosttk -shred "keypair.ini" -iter 25
```
#### Bin to Hex/Hex to Bin:
```sh
./gosttk -hex enc < File.ext > File.hex
./gosttk -hex dec < File.hex > File.ext
./gosttk -hex dump < File.ext
```
#### Random Art (Public Key Fingerprint):
```sh
./gosttk -key $pubkey
./gosttk -key - < Pubkey.txt
```
# GOST TLS
Cross-platform hybrid cryptography tool for shared key agreement (VKO), digital signature and TLS 1.2 for small or embedded systems. It is similar to the main tool, except that keys are handled in PEM format, which allows the private key to be encrypted and the certificates required by the TLS protocol to be generated.
## Algorithms
- GOST R 34.10-2012 public key signature function (RFC 7091)
- VKO GOST R 34.10-2012 key agreement function (RFC 7836)
- GOST R 34.11-2012 Streebog hash function 256/512-bit (RFC 6986)
- GOST R 34.12-2015 128-bit block cipher Kuznechik (RFC 7801)
### Supported ParamSets:
- GOST R 34.10-2012 256-bit: A, B, C, D
- GOST R 34.10-2012 512-bit: A, B
## Features
Cryptographic Functions:
* Digital Signature (ECDSA-like)
* VKO Shared Key Agreement (ECDH)
* TLS 1.2 (Transport Layer Security)

Non-cryptographic Functions:
* Privacy-Enhanced Mail (PEM format)
* RandomArt (OpenSSH-like)
## Usage
```
  -512
        Key length: 256 or 512. (default 256)
  -cert string
        Certificate name. (default "Certificate.pem")
  -ipport string
        Local Port/remote's side Public IP:Port.
  -key string
        Private/Public key, depending on operation.
  -paramset string
        Elliptic curve ParamSet: A, B, C, D. (default "A")
  -pkey string
        Generate keypair, Generate certificate. [keygen|certgen]
  -private string
        Private key path. (for keypair generation) (default "Private.pem")
  -public string
        Public key path. (for keypair generation) (default "Public.pem")
  -pwd string
        Password. (for Private key PEM encryption)
  -signature string
        Input signature. (verification only)
  -tcp string
        Encrypted TCP/IP Transfer Protocol. [server|ip|client]
```
## Examples
#### Asymmetric GOST2012 keypair generation:
```sh
./gostls -pkey keygen [-512] [-paramset B] [-pwd "pass"]
```
#### Parse keys info:
```sh
./gostls -pkey [text|modulus] [-pwd "pass"] -key private.pem
./gostls -pkey [text|modulus] -key public.pem
./gostls -pkey randomart -key public.pem
```
#### Digital signature:
```sh
./gostls -pkey sign -key private.pem [-pwd "pass"] < file.ext > sign.txt
sign=$(cat sign.txt|awk '{print $2}')
./gostls -pkey verify -key public.pem -signature $sign < file.ext
echo $?
```
#### VKO Shared key agreement:
```sh
./gostls -pkey derive -key private.pem -public peerkey.pem
```
#### Generate Certificate:
```sh
./gostls -pkey certgen -key private.pem [-pwd "pass"] [-cert "output.ext"]
```
#### Parse Certificate info:
```sh
./gostls -pkey [text|modulus] -cert certificate.pem
```
#### TLS Layer (TCP/IP):
```sh
./gostls -tcp ip > PubIP.txt
./gostls -tcp server -cert certificate.pem -key private.pem [-ipport "8081"]
./gostls -tcp client -cert certificate.pem -key private.pem [-ipport "127.0.0.1:8081"]
```
## License
This project is licensed under the ISC License.
##### Military-Grade Reliability. Copyright (c) 2020-2022 ALBANESE Research Lab.