noise
esp-web-tools
noise | esp-web-tools | |
---|---|---|
7 | 7 | |
502 | 362 | |
1.6% | 7.2% | |
3.9 | 8.0 | |
2 months ago | 8 days ago | |
Go | TypeScript | |
GNU General Public License v3.0 or later | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
noise
-
A simple, (as-of-yet unidentified) asymmetric Authenticated Key Exchange
This is Noise IK (possibly with minor differences in the hashing):
https://noiseprotocol.org/
Wireguard uses NoiseIK, plus a static public key for the initiator which is encrypted to the agreed-upon-session-key without adding additional round trips. Your protocol simply omits the parts related to the initiator's static public key, because it has none.
-
Show HN: Willow – Open-Source Privacy-Focused Voice Assistant Hardware
With regard to this:
> - On the wire/protocol stuff. We're doing pretty rudimentary "open new connection, stream voice, POST somewhere". This adds extra latency and CPU usage because of repeated TLS handshakes, etc. We have plans to use Websockets and what-not to cut down on this.
I've recently used the Noise protocol[1] to do some encrypted communication between two services I control but separated by the internet.
It was surprisingly easy!
[1]: https://noiseprotocol.org/
-
How much secure is my UDP based network protocol?
Rolling your own initial handshake is hard. Right now I strongly encourage you take a look at the Noise protocol framework. Specifically the XK and IK patterns for identified clients, and the NK pattern for anonymous clients. The best security will be achieved by the XK pattern, but if you need to reduce the number of messages to a minimum IK might be a bit more attractive. (Also, if I recall correctly IK is used by Wireguard, so there's an example to follow).
- Noise Protocol Framework
-
Rosenpass – formally verified post-quantum WireGuard
Rosenpass author here;
There is a confusion about terminology here I think. Mathematical proofs including cryptography proofs use models simplifying reality; i.e. the real practical system might still be susceptible to attacks despite a proof of security.
For crypto primitives (classic mc eliece, curve25519, ed25519, RSA, etc etc) the standard for proofs is currently showing that they are as hard as some well studied mathematical problem. This is done by showing that an attack on the primitive leads to an attack on the underlying mathematical primitive. The proof for Diffie-Hellman shows that attacking DH leads to an efficient solution for the discrete log problem. I.e. the proof is a reduction to the underlying primitive.
No primitive is perfectly secure (at least a brute force – i.e. guessing each possibility is possible); there is some probability that the adversary can guess the right key. We call this probability the adversary's advantage. One task in cryptoanalysis is to find better attacks against primitives with a higher advantage; if an attack with a polynomial time average runtime is found, the primitive is broken. Finding a higher non-polynomial attack is still an interesting result.
The standard for protocols is proving that the protocol is secure assuming the primitives are secure; since multiple primitives are used you basically get a formula deriving an advantage for breaking the entire protocol. The proof is a reduction to a set of primitives.
We did not build a proof in that gold standard, although we are working on it. We built a proof in the symbolic model – known as a symbolic analysis. This uses the perfect cryptography assumption; i.e. we assumed that the advantages for each primitive are zero. Google "Dolev-Yao-Model".
This makes the proof much easier; a proof assistant such as ProVerif can basically find a proof automatically using logic programming methods (horn clauses).
The definitions of security are fairly well understood; unfortunately there is a lot to go into so I can't expand on that here. Looking up "IND-CPA" and "IND-CCA" might be a good start; these are the security games/models of security for asymmetric encryption; you could move on to the models for key exchange algorithms there. Reading the [noise protocol spec](https://noiseprotocol.org/) is also a good start.
-
Whisper: Wraps any Go io.ReadWriter in a secure tunnel using Ed25519/X25519
There is no description of the protocol or of its security goals, so I am making some guesses based on a cursory look at the source and what I imagine this might be for.
A single symmetric key is derived for both directions, and there is no checking of nonces, so as far as I can tell any message can be dropped, reordered, or replayed in both directions. (Including replaying message from A to B as if they were from B to A.)
This is a bit like using ECB and likely to lead to fun application-specific attacks like [0].
This is very much rolling your own crypto, in a dangerous way. I am on the record as being "against" the "don't roll your own crypto" refrain [1], but mostly because it doesn't work: it should discourage people from publishing hand-rolled protocols such as this, but instead people think it means "don't roll your own primitives" and accept the use of "Ed25519/X25519" as probably secure.
Please read about the Noise framework [2] to get an idea of how much nuance there is to this, and consider using a Go implementation of it [3] instead.
P.S. This kind of issue is also why I maintain that NaCl is not a high-level scheme [4]: this could have used NaCl and have the exact same issues. libsodium has a couple slightly higher-level APIs that could have helped, secretstream [5] and kx [6], but again please use Noise.
[0] https://cryptopals.com/sets/2/challenges/13
[1] https://securitycryptographywhatever.buzzsprout.com/1822302/...
[2] https://noiseprotocol.org/noise.html
[3] https://github.com/flynn/noise
[4] https://words.filippo.io/dispatches/nacl-api/
[5] https://libsodium.gitbook.io/doc/secret-key_cryptography/sec...
[6] https://libsodium.gitbook.io/doc/key_exchange
esp-web-tools
-
Show HN: Willow – Open-Source Privacy-Focused Voice Assistant Hardware
Some feedback to make your project easier to install and integrate better with Home Assistant (I'm the founder):
Home Assistant is building a voice assistant as part of our Year of the Voice theme. https://www.home-assistant.io/blog/2023/04/27/year-of-the-vo...
As part of our recent chapter 2 milestone, we introduced new Assist Pipelines. This allows users to configure multiple voice assistants. Your project is using the old "conversation" API. Instead it should use our new assist pipelines API. Docs: https://developers.home-assistant.io/docs/voice/pipelines/
You can even off-load the STT and TTS fully to Home Assistant and only focus on wake words.
You will see a lot higher adoption rate if users can just buy the ESP BOX and install the software on it without installing/compiling stuff. That's exactly why we created ESP Web Tools. It offers projects to offer browser-based installation directly from their website. https://esphome.github.io/esp-web-tools/
If you're going the ESP Web Tools route (and you should!), we've also created Improv Wi-Fi, a small protocol to configure Wi-Fi on the ESP device. This will allow ESP Web Tools to offer an onboarding wizard in the browser once the software has been installed. More info at https://www.improv-wifi.com/
Good luck!
-
esp32-audio-kit
Note: if anyone else wants to make an installer website like this, it’s called ESP Web Tools and open source: https://esphome.github.io/esp-web-tools/
- ESP Web Tools: install ESP-firmware via your browser!
-
Ask HN: Can you share websites that are pushing the utility of browsers forward?
ESP Web Tools uses WebSerial to allow users to install, update and manage firmware running on ESP microcontrollers: https://esphome.github.io/esp-web-tools/
-
I created a beginner-friendly library for the ESP8266 that allows you to control multiple FastLED animations using custom sliders and color pickers.
If you want to make the project even more accessible, consider setting up a GitHub pages with ESP Web Tools: https://esphome.github.io/esp-web-tools/
-
BIPES: Web based IDE for micropython devices [GNUv3.0 license]
Instead of esptool suggestions, use ESP web tools and your whole flow can be web based. https://esphome.github.io/esp-web-tools/
- Show HN: Flash your ESP32 from the browser using JavaScript
What are some alternatives?
willow - Open source, local, and self-hosted Amazon Echo/Google Home competitive Voice Assistant alternative
Adafruit_WebSerial_ESPTool - A Web Serial tool for updating your ESP bootloader.
rosenpass - Rosenpass is a post-quantum-secure VPN that uses WireGuard to transport the actual data.
squeezelite-esp32 - ESP32 Music streaming based on Squeezelite, with support for multi-room sync, AirPlay, Bluetooth, Hardware buttons, display and more
FastNoise - Fast Portable Noise Library - C# C++ C Java HLSL GLSL JavaScript Rust Go
sandspiel - Creative cellular automata browser game
imagemagick - haskell imagemagick bindings
WLED - Control WS2812B and many more types of digital RGB LEDs with an ESP8266 or ESP32 over WiFi!
whisper - Wraps an io.ReadWriter in a secure tunnel using modern elliptic-curve cryptography.
telegram-tt - Telegram Web A, GPL v3
matplotlib - Haskell bindings for Python's Matplotlib
standards-positions