<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: NKN</title>
    <description>The latest articles on Forem by NKN (@nknorg).</description>
    <link>https://forem.com/nknorg</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Forganization%2Fprofile_image%2F2046%2F748f2fee-d427-48da-b5e8-5f95352b6270.png</url>
      <title>Forem: NKN</title>
      <link>https://forem.com/nknorg</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/nknorg"/>
    <language>en</language>
    <item>
      <title>Encrypted Stream for net.Conn or io.ReadWriter</title>
      <dc:creator>Zheng "Bruce" Li</dc:creator>
      <pubDate>Wed, 03 Jun 2020 20:41:10 +0000</pubDate>
      <link>https://forem.com/nknorg/encrypted-stream-for-net-conn-or-io-readwriter-3d44</link>
      <guid>https://forem.com/nknorg/encrypted-stream-for-net-conn-or-io-readwriter-3d44</guid>
      <description>&lt;p&gt;It's surprising to find that no Golang library can easily transform a &lt;code&gt;net.Conn&lt;/code&gt; into an encrypted and/or authenticated &lt;code&gt;net.Conn&lt;/code&gt;. So I wrote one that works in one line. Feel free to give it a try!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://github.com/nknorg/encrypted-stream"&gt;https://github.com/nknorg/encrypted-stream&lt;/a&gt; &lt;/p&gt;

&lt;h2&gt;
  
  
  Overview
&lt;/h2&gt;

&lt;p&gt;Encrypted-stream is a Golang library that transforms any &lt;code&gt;net.Conn&lt;/code&gt; or &lt;code&gt;io.ReadWriter&lt;/code&gt; stream to an encrypted and/or authenticated stream.&lt;/p&gt;

&lt;p&gt;The encrypted stream implements &lt;code&gt;net.Conn&lt;/code&gt; and &lt;code&gt;io.ReadWriter&lt;/code&gt; and can be used as a drop-in replacement.&lt;/p&gt;

&lt;p&gt;It works with any encryption, authentication, or authenticated encryption algorithm, or even an arbitrary transformation. Only a cipher that implements encrypt/decrypt needs to be provided. XSalsa20-Poly1305 and AES-GCM are provided as reference ciphers.&lt;/p&gt;

&lt;p&gt;The encrypted stream only adds a small constant memory overhead compared to the original stream.&lt;/p&gt;

&lt;h2&gt;
  
  
  Usage
&lt;/h2&gt;

&lt;p&gt;Assume you have a net.Conn and you want to transform it into an encrypted net.Conn:&lt;br&gt;
&lt;/p&gt;

&lt;p&gt;&lt;code&gt;conn, err := net.Dial("tcp", "host:port")&lt;/code&gt;&lt;br&gt;
&lt;/p&gt;

&lt;p&gt;You first need a shared key on both sides of the connection (e.g. derived from a key exchange algorithm, or pre-determined). Then all you need to do is choose or implement a cipher:&lt;br&gt;
&lt;/p&gt;

&lt;p&gt;&lt;code&gt;encryptedConn, err := stream.NewEncryptedStream(conn, &amp;amp;stream.Config{&lt;br&gt;
  Cipher: stream.NewXSalsa20Poly1305Cipher(&amp;amp;key),&lt;br&gt;
})&lt;/code&gt;&lt;br&gt;
&lt;/p&gt;

&lt;p&gt;Now you can use encryptedConn just like conn, but everything is encrypted and authenticated.&lt;/p&gt;

&lt;p&gt;See stream_test.go for a complete example and benchmark with a TCP connection.&lt;/p&gt;

&lt;h2&gt;
  
  
  Benchmark
&lt;/h2&gt;



&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ go test -v -bench=. -run=^$
goos: darwin
goarch: amd64
pkg: github.com/nknorg/encrypted-stream
BenchmarkPipeXSalsa20Poly1305-12            4712        254008 ns/op     516.01 MB/s           1 B/op          0 allocs/op
BenchmarkPipeAESGCM128-12                  18675         65688 ns/op    1995.38 MB/s           0 B/op          0 allocs/op
BenchmarkPipeAESGCM256-12                  16060         74029 ns/op    1770.55 MB/s           0 B/op          0 allocs/op
BenchmarkTCPXSalsa20Poly1305-12             6760        263446 ns/op     497.53 MB/s           0 B/op          0 allocs/op
BenchmarkTCPAESGCM128-12                   14780         82979 ns/op    1579.57 MB/s           0 B/op          0 allocs/op
BenchmarkTCPAESGCM256-12                   13321         92393 ns/op    1418.64 MB/s           0 B/op          0 allocs/op
PASS
ok      github.com/nknorg/encrypted-stream  9.471s
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



</description>
      <category>go</category>
      <category>github</category>
      <category>encryption</category>
      <category>security</category>
    </item>
    <item>
      <title>NKN SDK: powering client side communication without servers</title>
      <dc:creator>Zheng "Bruce" Li</dc:creator>
      <pubDate>Wed, 25 Mar 2020 17:31:01 +0000</pubDate>
      <link>https://forem.com/nknorg/nkn-sdk-powering-client-side-communication-without-servers-4c7l</link>
      <guid>https://forem.com/nknorg/nkn-sdk-powering-client-side-communication-without-servers-4c7l</guid>
      <description>&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--CGnLcS4m--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://blog.nkn.org/wp-content/uploads/2020/03/NKN-Github-scaled.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--CGnLcS4m--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://blog.nkn.org/wp-content/uploads/2020/03/NKN-Github-scaled.jpg" alt="NKN GitHub SDK"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;What can developers do with NKN’s latest SDK, a decentralized communication stack that enables true peer to peer messaging, streaming, and file transfer? We would like to sort them into two main categories:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;Things you can do &lt;strong&gt;&lt;span&gt;&lt;span&gt;ONLY&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt; with NKN SDK.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Send and receive data for free between any NKN powered apps regardless of their network condition without setting up a server or relying on any third party services.&lt;/li&gt;
&lt;li&gt;Network agnostic: Neither sender nor receiver needs to have a public IP address or port forwarding. NKN powered apps only establish outbound (websocket) connections, so Internet access is all they need. This is ideal for client side peer to peer communication.&lt;/li&gt;
&lt;/ol&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Things you can do &lt;strong&gt;&lt;span&gt;&lt;span&gt;BETTER&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt; with NKN SDK&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Top level security: All data are end to end authenticated and encrypted. No one else in the world except sender and receiver can see or modify the content of the data. The same public key is used for both routing and encryption, eliminating the possibility of man in the middle attack.&lt;/li&gt;
&lt;li&gt;Decent performance: By aggregating multiple overlay paths concurrently, NKN powered apps can get ~100ms end to end latency and 10+mbps end to end session throughput between most international locations. This might sound modest, but it is actually faster than most file transfer services (e.g. instant messenger, gmail/google-drive, wetransfer.com, or dropbox).&lt;/li&gt;
&lt;li&gt;Everything is free, open source and decentralized.&lt;/li&gt;
&lt;/ol&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;NKN recently combined three Javascript SDKs (client, multi-client and wallet) into a single one, and added several important new features that developers will love. &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;a href="https://github.com/nknorg/nkn-sdk-js#client"&gt;NKN Client&lt;/a&gt;: Send and receive data for free between any NKN clients regardless their network condition without setting up a server or relying on any third party services. Data are end to end encrypted by default. Typically you might want to use &lt;a href="https://github.com/nknorg/nkn-sdk-js#multiclient"&gt;multiclient&lt;/a&gt; instead of using client directly.&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://github.com/nknorg/nkn-sdk-js#multiclient"&gt;NKN MultiClient&lt;/a&gt;: Send and receive data using multiple NKN clients concurrently to improve reliability and latency. In addition, it supports session mode, a reliable streaming protocol similar to TCP based on &lt;a href="https://github.com/nknorg/ncp-js"&gt;ncp&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://github.com/nknorg/nkn-sdk-js#wallet"&gt;NKN Wallet&lt;/a&gt;: Wallet SDK for &lt;a href="https://github.com/nknorg/nkn"&gt;NKN blockchain&lt;/a&gt;. It can be used to create wallet, transfer token to NKN wallet address, register name, subscribe to topic, etc.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Several example applications that are built on NKN SDK are:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  nMobile: a secure mobile wallet and chat application.

&lt;ul&gt;
&lt;li&gt;  &lt;a href="https://nmobile.nkn.org"&gt;More information&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://play.google.com/store/apps/details?id=org.nkn.mobile.app"&gt;Google Play Store download&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;


&lt;/li&gt;
&lt;li&gt;  D-Chat: a decentralized chat as Chrome/Firefox browser extension.

&lt;ul&gt;
&lt;li&gt;  &lt;a href="https://forum.nkn.org/t/d-chat/1036"&gt;More information&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://gitlab.com/losnappas/d-chat"&gt;Gitlab&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;


&lt;/li&gt;
&lt;li&gt;  nFTP: a high throughput and direct file transfer between any clients

&lt;ul&gt;
&lt;li&gt;  &lt;a href="https://forum.nkn.org/t/nkn-d-ftp-high-throughput-file-transfer-using-nkn-client/1711"&gt;More information&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://nftp.nkn.org"&gt;Experience web app&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://github.com/nknorg/nkn-file-transfer"&gt;GitHub&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;


&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;So if your application needs these unique communication capabilities of NKN, would like to simplify and get rid of the servers, or simply to reduce server costs, you can head to NKN’s Developer Portal as well as our github repository to get started:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.nkn.org/developer/"&gt;https://www.nkn.org/developer/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://github.com/nknorg/nkn-sdk-js"&gt;https://github.com/nknorg/nkn-sdk-js&lt;/a&gt;&lt;/p&gt;

</description>
      <category>javascript</category>
      <category>security</category>
      <category>webdev</category>
      <category>blockchain</category>
    </item>
    <item>
      <title>Secure Remote File Access for Network Attached Storage (NAS)</title>
      <dc:creator>Allen Dixon</dc:creator>
      <pubDate>Tue, 10 Mar 2020 22:20:50 +0000</pubDate>
      <link>https://forem.com/nknorg/secure-remote-file-access-for-network-attached-storage-nas-5fnd</link>
      <guid>https://forem.com/nknorg/secure-remote-file-access-for-network-attached-storage-nas-5fnd</guid>
      <description>&lt;p&gt;Network Attached Storage (NAS) devices have enjoyed wide adoption both at home and in enterprises, offering more secure and lower cost local storage as an alternative or complement to cloud based storage. With NKN’s secure remote file access service, users can access their NAS files from anywhere without the need to host a central server, saving development and maintenance effort, as well as time and money. Users can also enjoy even higher levels of security and privacy when accessing their NAS remotely.&lt;/p&gt;

&lt;h3&gt;
  
  
  Key Benefits
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Secure Access from Anywhere - Access your files securely from anywhere even if your NAS is behind a router/firewall with no public IP address or open ports, by using NKN’s unique NKN addressing and network architecture&lt;/li&gt;
&lt;li&gt;Reliable - NKN’s network of up to 20,000 servers in more than 40 countries ensures there is always a relay node available.&lt;/li&gt;
&lt;li&gt;One Connection - Access all the files and services on your NAS from one connection.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Solution Overview
&lt;/h3&gt;

&lt;p&gt;NKN secure remote file access service creates an end-to-end encrypted tunnel between the NAS device and the remote application. To accomplish this, both the NAS device and the remote application establish internet connections to a series of relay nodes within NKN’s public server network. Multiple nodes are used both for reliability and to enable faster transfer speed via multi-path data routing and aggregation. These relay nodes provide the interconnect to establish a single virtual tunnel between the NAS device and the remote application. Relay nodes also provide a publicly available connection point for the NAS device, which is often connected behind a firewall or NAT gateway and does not have a public IP address or open ports. Please see figure 1 below.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--zjt6Ji7T--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/9gamt88xn4qklx0pbnm5.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--zjt6Ji7T--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/9gamt88xn4qklx0pbnm5.png" alt="Fig1: NKN Tunnel via multiple relay node&amp;lt;br&amp;gt;
"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Once a connection between the NAS device and relay node is established it will begin listening on a unique NKN Address (For example: 20d72feef55…) as shown in Figure 2.  This is a routable address within the NKN network and will be used by the remote application to establish a connection to the same relay nodes as the NAS.  In addition, this NKN Address also includes a public key which will help establish E2E encryption without the need to consult a 3rd party Certificate Authority (CA). &lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--XL_Jnzb5--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/y5zy2vk5ev83ka3hlxo5.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--XL_Jnzb5--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/y5zy2vk5ev83ka3hlxo5.png" alt="Figure 2: NKN Address used to establish E2E encryption&amp;lt;br&amp;gt;
"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Once the tunnel is established, the remote application will have access to any of the local services available on the NAS, including access to the user's content such as photos, movies, and other files.&lt;/p&gt;

&lt;p&gt;There are additional security measures that the NAS device can set up for even more protection:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Create a whitelist of allowed user applications, as identified by user app’s NKN address&lt;/li&gt;
&lt;li&gt;Enforce user IAM (Identity and Access Management) roles and privileges to better manage file access rights in a finer grain&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;
  
  
  Setup
&lt;/h3&gt;

&lt;p&gt;Typically, for the best user experience, NAS vendors work with the NKN technical team to integrate the NKN tunnel service with their NAS firmware and their mobile app. However, if you just want to try out the NKN secure remote file access solution without committing to integration, you can use the following steps to test it out.&lt;/p&gt;
&lt;h2&gt;
  
  
  Download the nkn-tunnel SDK
&lt;/h2&gt;

&lt;p&gt;In order to implement NKN’s secure remote file access solution, you must run nkn-tunnel as a standalone program or SDK on both the NAS device and remote application.&lt;/p&gt;

&lt;p&gt;Download the latest Mac, Windows, and Linux releases at:&lt;br&gt;
&lt;a href="https://github.com/nknorg/nkn-tunnel/releases"&gt;https://github.com/nknorg/nkn-tunnel/releases&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;NOTE: nkn-tunnel is written in Go and can be compiled to work in your preferred environment such as &lt;a href="https://github.com/golang/go/wiki/Mobile"&gt;Android, iOS,&lt;/a&gt; and more.&lt;/p&gt;
&lt;h2&gt;
  
  
  Start nkn-tunnel service
&lt;/h2&gt;
&lt;h2&gt;
  
  
  NAS Setup
&lt;/h2&gt;

&lt;p&gt;To start nkn-tunnel on NAS (server side), you can run the following command:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;./nkn-tunnel -from nkn -to 127.0.0.1:8080 -s &amp;lt;seed&amp;gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;The use of -s is optional, for example if you wish to recover a pre-existing encryption key (or seed, 64 digit HEX). Otherwise a new key will be generated if this option is not set.&lt;/p&gt;

&lt;p&gt;The nkn-tunnel application will connect to the NKN network and will begin listening for secure connections on port 8080. The output will show an NKN-specific listening-address (see example below), which will be used by the remote application to connect.&lt;/p&gt;

&lt;p&gt;Example Output:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;2020/03/02 13:33:53 Listening at
5177bc471bed64cc98b8d39c1b465b5d316cb756c1eeeb99d6b13700d86809f9
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;h2&gt;
  
  
  Remote Application Setup
&lt;/h2&gt;

&lt;p&gt;To start nkn-tunnel on the remote application (client side), you can run the following command:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;./nkn-tunnel -from 127.0.0.1:8081 -to &amp;lt;listening-address&amp;gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;The listening-address is the unique NKN address that was displayed when launching nkn-tunnel on the NAS device.&lt;/p&gt;

&lt;p&gt;For more information on nkn-tunnel and its usage, please visit our &lt;a href="https://github.com/nknorg/nkn-tunnel"&gt;github&lt;/a&gt; for the latest release notes.&lt;/p&gt;

&lt;h3&gt;
  
  
  Success Stories
&lt;/h3&gt;

&lt;p&gt;NKN’s Secure Remote File Access service has been successfully integrated into, and is available on, our customer’s consumer product, deployed to more than 15,000 customers worldwide.&lt;/p&gt;

&lt;h3&gt;
  
  
  Summary
&lt;/h3&gt;

&lt;p&gt;NKN’s Secure Remote File Access service for Network Attached Storage turns your local storage into a universally accessible global storage. You can remotely connect to your NAS, even if your device is behind a firewall or gateway, with no public IP address or open ports, and all of your data is accessed via an end-to-end encrypted tunnel for security. The service also offers accelerated performance for downloading data from your NAS, with a several times faster download experience compared to a cloud based solution. It only takes a few steps to set up and configure, and we offer a free open source SDK to get you started.&lt;/p&gt;

&lt;p&gt;You can also find more product information and web-based test drive at:&lt;br&gt;
&lt;a href="https://dataride.nkn.org/filetransfer/"&gt;https://dataride.nkn.org/filetransfer/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Universally accessible NAS, accelerated data transfer, and low cost to deploy…  Enhance your NAS product today with NKN!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--0O0yZHGc--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/lzblgtpla1kbhopk19qg.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--0O0yZHGc--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/lzblgtpla1kbhopk19qg.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Home: &lt;a href="https://nkn.org/"&gt;https://nkn.org/&lt;/a&gt; &lt;br&gt;
Email: &lt;a href="mailto:contact@nkn.org"&gt;contact@nkn.org&lt;/a&gt; &lt;br&gt;
Telegram: &lt;a href="https://t.me/nknorg"&gt;https://t.me/nknorg&lt;/a&gt;&lt;br&gt;
Twitter: &lt;a href="https://twitter.com/NKN_ORG"&gt;https://twitter.com/NKN_ORG&lt;/a&gt; &lt;br&gt;
Forum: &lt;a href="https://forum.nkn.org"&gt;https://forum.nkn.org&lt;/a&gt; &lt;br&gt;
Medium: &lt;a href="https://medium.com/nknetwork"&gt;https://medium.com/nknetwork&lt;/a&gt; &lt;br&gt;
Linkedin: &lt;a href="https://www.linkedin.com/company/nknetwork/"&gt;https://www.linkedin.com/company/nknetwork/&lt;/a&gt; &lt;br&gt;
Github: &lt;a href="https://github.com/nknorg"&gt;https://github.com/nknorg&lt;/a&gt; &lt;br&gt;
Discord: &lt;a href="https://discord.gg/yVCWmkC"&gt;https://discord.gg/yVCWmkC&lt;/a&gt;&lt;br&gt;
YouTube: &lt;a href="http://www.youtube.com/c/NKNORG"&gt;http://www.youtube.com/c/NKNORG&lt;/a&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>serverless</category>
      <category>linux</category>
      <category>blockchain</category>
    </item>
    <item>
      <title>Use nsh to Run Secure Remote Commands</title>
      <dc:creator>Yilun Zhang</dc:creator>
      <pubDate>Mon, 09 Mar 2020 23:18:07 +0000</pubDate>
      <link>https://forem.com/nknorg/use-nsh-to-run-secure-remote-commands-13j8</link>
      <guid>https://forem.com/nknorg/use-nsh-to-run-secure-remote-commands-13j8</guid>
      <description>&lt;h3&gt;
  
  
  Introduction
&lt;/h3&gt;

&lt;p&gt;It can often be difficult to manage multiple machines on a daily basis.  While Secure Shell (SSH) is a good choice for remote access, the protocol itself has some drawbacks in both convenience and security.&lt;/p&gt;

&lt;p&gt;For instance, remote machines need to have a public IP address and a forwarded port in order to access them, which exposes them to the internet, or at least a larger network. This is especially concerning if you use a password for authentication instead of a public and private key pair. Furthermore, if you don’t know the remote machine’s public key in advance, you might be vulnerable to a "&lt;a href="https://en.wikipedia.org/wiki/Man-in-the-middle_attack"&gt;man-in-the-middle&lt;/a&gt;" attack. And many remote machines you want to access either don’t have a public IP address, or they have a dynamic IP address you might not know.&lt;/p&gt;

&lt;p&gt;In addition, SSH requires one connection per remote session.  If a user needs to run a single command across hundreds or even thousands of machines, they must first establish a connection to each machine with a TCP handshake, which is less efficient. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://forum.nkn.org/t/nkn-shell-nsh-a-new-kind-of-remote-shell-that-is-more-secure-and-convenient-than-ssh/1719"&gt;NKN Shell&lt;/a&gt;, or nsh, is an alternative to SSH that provides a convenient and secure way to run remote commands. nsh takes advantage of &lt;a href="https://thedailychain.com/nkn-the-primer/"&gt;NKN’s global public network&lt;/a&gt;  which provides secure and decentralized data transmission.  The architecture uses unique addresses that contain a public key used for both routing and end-to-end encryption without any public key infrastructure (PKI). The network also does not require the remote server to have a public IP address. The remote server only needs to have Internet access and be able to establish outbound HTTP and websocket connections. As a result, your remote machines are not exposed to the open Internet.&lt;/p&gt;

&lt;p&gt;In this tutorial you will use the &lt;a href="https://github.com/nknorg/nkn-shell-daemon"&gt;NKN shell daemon&lt;/a&gt; and the &lt;a href="https://github.com/nknorg/nkn-shell-client-xterm"&gt;NKN Shell Client Xterm&lt;/a&gt; applications to execute commands on a remote machine.  To do so, you will install and configure the NKN Shell daemon on a remote machine with internet access, generate a key pair, and make your connection from a client.&lt;/p&gt;

&lt;h2&gt;
  
  
  Prerequisites
&lt;/h2&gt;

&lt;p&gt;To follow this tutorial you will need the following:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;One Ubuntu 18.04 server set up by following &lt;a href="https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-18-04"&gt;the Ubuntu 18.04 initial server setup guide&lt;/a&gt;, including a non-root &lt;code&gt;sudo&lt;/code&gt;-enabled user and a firewall.&lt;/li&gt;
&lt;li&gt;A Web browser installed on your local machine.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Step 1 — Installing NKN Shell Daemon on a Remote Server
&lt;/h2&gt;

&lt;p&gt;First, install the NKN shell daemon (&lt;code&gt;nshd&lt;/code&gt;) on your server. This application will invoke &lt;a href="https://github.com/nknorg/nkn-multiclient-js"&gt;nkn-multiclient&lt;/a&gt;, which will connect to NKN's public network and obtain an address for routing. The daemon will then listen for incoming shell commands from authenticated and whitelisted clients, execute those commands, and then send back results.&lt;/p&gt;

&lt;p&gt;Start by downloading the latest &lt;a href="https://github.com/nknorg/nkn-shell-daemon/releases"&gt;pre-built nshd binary from GitHub&lt;/a&gt;:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;wget https://github.com/nknorg/nkn-shell-daemon/releases/latest/download/linux-amd64.tar.gz
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;Decompress the file:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;tar -zxvf linux-amd64.tar.gz
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;Then move the files into the &lt;code&gt;/usr/local/bin&lt;/code&gt; directory so they are available system wide:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;sudo mv ./linux-amd64/* /usr/local/bin/
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;Next, you'll configure this to run as a daemon process using Systemd so that it will restart if the server is reset.&lt;/p&gt;

&lt;p&gt;Create a file called &lt;code&gt;nshd.service&lt;/code&gt; in &lt;code&gt;/etc/systemd/system&lt;/code&gt;:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;sudo nano /etc/systemd/system/nshd.service
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;Add the following service definition to the file to configure the service:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;[Unit]
Description=NKN Shell Daemon
After=network.target

[Service]
Type=simple
User=root
Group=root
Restart=always
ExecStart=/usr/local/bin/nshd

[Install]
WantedBy=multi-user.target
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;Learn more about Systemd unit files in &lt;a href="https://www.digitalocean.com/community/tutorials/understanding-systemd-units-and-unit-files"&gt;Understanding Systemd Units and Unit Files&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Save the file and exit the editor. Then enable and start the &lt;code&gt;nshd&lt;/code&gt; service with the following commands:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;sudo systemctl enable nshd.service
sudo systemctl start nshd.service
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;Run the following command to ensure the service is active and started:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;sudo systemctl status nshd.service
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;You'll see that the status is active:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;● nshd.service - NKN Shell Daemon
   Loaded: loaded (/etc/systemd/system/nshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2020-02-19 19:16:02 UTC; 7s ago
 Main PID: 3457 (nshd)
    Tasks: 10 (limit: 1152)
   CGroup: /system.slice/nshd.service
           └─3457 /usr/local/bin/nshd

Feb 19 19:16:02 your_hostname systemd[1]: Started NKN Shell Daemon.
Feb 19 19:16:03 your_hostname nshd[3457]: Create directory /etc/nshd/
Feb 19 19:16:03 your_hostname nshd[3457]: Create password and save to file /etc/nshd/wallet.pswd
Feb 19 19:16:03 your_hostname nshd[3457]: Create wallet and save to file /etc/nshd/wallet.json
Feb 19 19:16:03 your_hostname nshd[3457]: Create authorized pubkeys file /etc/nshd/authorized_pubkeys
Feb 19 19:16:03 your_hostname nshd[3457]: Listening at d46567b883a3070ee3fe879d9fa2d5dc55a95f79ff2797c42df36c6979e5c4Aba
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;In order to connect to your server, you'll need to get its NKN address, which you can find in the output of the previous command. You can also run the following command to obtain the address:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;nshd addr
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;You'll see your address appear:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;e70ca28ede84fc0659f2869255e8a393aef35b4fa5a7e036f29127c7dba75383
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;Take note of this address as you will need it to connect to your server.&lt;/p&gt;

&lt;p&gt;Now that the daemon is running and listening, you can configure the web-based client to talk to the server.&lt;/p&gt;

&lt;h2&gt;
  
  
  Step 2 — Configuring Permissions for NKN Shell Client
&lt;/h2&gt;

&lt;p&gt;You'll need a compatible client that can connect to the remote machine. In this tutorial you'll use NKN Shell Client Xterm, a web-based NKN shell client. There are a few different ways to run it:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Use the hosted version at &lt;a href="https://nsh.nkn.org/"&gt;https://nsh.nkn.org/&lt;/a&gt;. Note that while this web page is hosted on a server, it’s actually a pure local web app that runs in your browser.&lt;/li&gt;
&lt;li&gt;Get the &lt;a href="https://github.com/nknorg/nkn-shell-client-xterm"&gt;source code&lt;/a&gt; and host it yourself.&lt;/li&gt;
&lt;li&gt;Use the &lt;a href="https://chrome.google.com/webstore/detail/nshell/jeiiodgaanmdeechnildbmhgpikbfokd?hl=en-US"&gt;nShell Chrome extension&lt;/a&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;In this tutorial you'll use the hosted version. On your local machine, open your web browser and navigate to &lt;a href="https://nsh.nkn.org"&gt;https://nsh.nkn.org&lt;/a&gt;. You'll see a welcome screen:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--y4mFpL3K--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://i.imgur.com/Rapdxlc.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--y4mFpL3K--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://i.imgur.com/Rapdxlc.png" alt="The Shell Client"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Click &lt;strong&gt;Generate New Key Pair&lt;/strong&gt;. Your keys will be generated and displayed as shown in the following image:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--mH-dd6FF--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://i.imgur.com/REmjvUz.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--mH-dd6FF--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://i.imgur.com/REmjvUz.png" alt="The generated key pair"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Note&lt;/strong&gt;: When you generate a new key pair, you will see a &lt;strong&gt;Secret Seed&lt;/strong&gt;. Keep this secret seed secure and safe, just like you would with your SSH private key. Anyone who has this secret seed can use it to regenerate your public key and then run commands on your remote machines. Your browser will remember this seed, but you should copy it somewhere safe so you can use it again on a new machine.&lt;/p&gt;

&lt;p&gt;Save the &lt;strong&gt;Secret Seed&lt;/strong&gt; somewhere safe. You can use it later to regenerate your public key so you can connect from a different client machine.&lt;/p&gt;

&lt;p&gt;Since this is a new key pair, you must add the &lt;strong&gt;Public Key&lt;/strong&gt; to the file &lt;code&gt;/etc/nshd/authorized_pubkeys&lt;/code&gt; on your server. &lt;/p&gt;

&lt;p&gt;&lt;code&gt;/etc/nshd/authorized_pubkeys&lt;/code&gt; plays a role similar to the &lt;code&gt;~/.ssh/authorized_keys&lt;/code&gt; file, which controls which SSH public keys can log in. The &lt;code&gt;authorized_pubkeys&lt;/code&gt; file can specify which user is associated with a key. For security purposes, you'll want to log in using a non-root user in this tutorial, so you'll associate the generated public key with the &lt;strong&gt;sammy&lt;/strong&gt; user you created in the Initial Server Setup guide in this article's prerequisites.&lt;/p&gt;

&lt;p&gt;To associate a user with the public key, you'll need to get the user id (UID) and group id (GID) of this user. Execute the following command on your server while logged in as the &lt;strong&gt;sammy&lt;/strong&gt; user:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;id
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;You'll see the UID and GID of the user:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;uid=1000(sammy) gid=1000(sammy) groups=1000(sammy),27(sudo)
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;Now open the &lt;code&gt;authorized_pubkeys&lt;/code&gt; file in your editor:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;sudo nano /etc/nshd/authorized_pubkeys
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;Add a single line containing the public key, uid, and gid, separated by spaces:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;5d5367a5730427c205904a4457392051d2045dbce0186518fb6eb24dd9e41ba6 1000 1000
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;Save the file.&lt;/p&gt;

&lt;p&gt;Verify that the file contains the correct content:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;cat /etc/nshd/authorized_pubkeys
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;You'll see your key printed on the screen:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;5d5367a5730427c205904a4457392051d2045dbce0186518fb6eb24dd9e41ba6 1000 1000
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;Then restart the &lt;code&gt;nshd&lt;/code&gt; daemon to apply the changes:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;sudo systemctl restart nshd.service
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;Now let's test it out by connecting to the server and running a command.&lt;/p&gt;

&lt;h2&gt;
  
  
  Step 3 — Sending a Command to the Remote Machine and Receiving a Response
&lt;/h2&gt;

&lt;p&gt;In the NKN Shell Client, enter your remote &lt;code&gt;nshd&lt;/code&gt; address from Step 1, as well as an optional client identifier:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--HxSLTOuP--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://i.imgur.com/NqwWTBa.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--HxSLTOuP--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://i.imgur.com/NqwWTBa.png" alt="The nsh website with remote address filled in"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Click &lt;strong&gt;Connect&lt;/strong&gt; to initiate the connection.&lt;/p&gt;

&lt;p&gt;You'll be connected to your remote machine and shown a terminal prompt within the browser.  From here you can use it just like SSH. For example, execute the following command to switch to the &lt;code&gt;/etc/nshd&lt;/code&gt; directory:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;cd /etc/nshd
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;Then list its contents:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;ls
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;You'll see the contents of the directory:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;authorized_pubkeys  wallet.json  wallet.pswd
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;You can disconnect by typing &lt;code&gt;exit&lt;/code&gt;. When you need to reconnect, revisit the web interface and enter your connection details. If you generate a new key pair, you'll need to add the new public key to your server.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;In this tutorial, you installed and configured nsh to securely and conveniently send commands to a remote machine.  nsh is a great way to access your remote machines when you need to quickly run a command to get the latest status of a service or peek at some configuration settings.  The application is based on NKN’s global public network, and it’s free to use so you can incorporate it into your own application or workflow today.&lt;/p&gt;

&lt;p&gt;You can also explore &lt;a href="https://github.com/nknorg/nkn-tunnel"&gt;nkn-tunnel&lt;/a&gt;, which supports the original SSH or any other TCP-based application.&lt;/p&gt;

&lt;p&gt;This post was originally published on DigitalOcean's blog: &lt;a href="https://www.digitalocean.com/community/tutorials/how-to-use-nsh-to-run-secure-remote-commands-on-ubuntu-18-04"&gt;How To Use nsh to Run Secure Remote Commands On Ubuntu 18.04&lt;/a&gt;&lt;/p&gt;

</description>
      <category>productivity</category>
      <category>devops</category>
      <category>security</category>
      <category>blockchain</category>
    </item>
  </channel>
</rss>
