Skip to content

Device app for doing X25519 on a TKey USB security device

License

Notifications You must be signed in to change notification settings

quite/tkey-device-x25519

Repository files navigation

This TKey device app implements X25519, the ECDH key agreement protocol for Curve25519. X25519 is implemented using Monocypher.

It is used by age-plugin-tkey which uses the Go package tkeyx25519 to communicate with this device app running on the TKey. But this can of course also be used by other parties wanting to do ECDH.

Note that this is work in progress. The implementation may change, and this will cause a change of identity of a TKey running this device app. This would mean that the public/private key no longer is the same, and decryption of data encrypted for the previous key pair will not be possible.

Based on https://github.com/tillitis/tkey-device-signer

Building

You can build the device app locally by running build.sh, or checking out what it does.

For reproducibility the device app is typically built in a container, locking down the toolchain, and using specific versions of dependencies. Because if one single bit changes in the app.bin that will run on the TKey (for example due to a newer clang/llvm), then the identity (private/public key) of it will change.

You can use build-in-container.sh to do this using our own container image (see Containerfile in the age-plugin-tkey repo). The clone of this repo that you're sitting in will be mounted into the container and built, but dependencies will be freshly cloned as they don't exist inside (it runs build.sh there). podman is used for running the container (packages: podman rootlesskit slirp4netns).

The x25519/app.bin.sha512 contains the expected hash of the device app binary when built using our container image which currently has clang 17.

About

Device app for doing X25519 on a TKey USB security device

Resources

License

Stars

Watchers

Forks

Packages

No packages published