5 releases

0.2.2 Oct 26, 2024
0.2.1 Oct 19, 2024
0.2.0 Oct 19, 2024
0.1.1 Nov 26, 2023
0.1.0 Nov 26, 2023

#406 in Cryptography

Apache-2.0

110KB
2K SLoC

Rust Implementation of the PSP Security Protocol

Google have released the PSP (PSP Security Protocol) specification and a reference implementation. That implementation is in C.

The psp_security crate is a Rust port of the reference implementation. It implements PSP encrypt/decrypt functionality using Rust for memory safety.

The implementation consists of a core psp_security library which implements the PSP packet encapsulation, decapsulation, encryption and decryption and also a command line utility that uses this library. This utility is useful for generating test vectors, and encrypting / decrypting content from the command line.

Building

cargo build

Run the crates unit tests.

cargo test

Install the command line utility. The example below installs it into the current directory.

cargo install --path .

Command Line Utility

A command line utility called psp is provided to illustrate how to use the psp_security library and to provide some simple utilities for encrypting and decrypting packets from a pcap file using PSP.

Usage: psp <COMMAND>

Commands:
  create   Create files that are useful for testing PSP encryption and decryption
  encrypt  Perform PSP encryption on plaintext packets read from a pcap file
  decrypt  Performs PSP decryption on PSP-encrypted packets read from a pcap file
  help     Print this message or the help of the given subcommand(s)

Options:
  -h, --help     Print help
  -V, --version  Print version

Example Usage

# Create a sample input pcap file
psp create pcap -n 10 -v ipv4 -o cleartext.pcap
# Create a sample configuration file
psp create config --spi 98234567 --mode transport --alg aes-gcm128 -c example.cfg
# Encrypt the pcap file using the configuration
psp encrypt -c example.cfg -i cleartext.pcap -o encrypted.pcap
# Decrypt the encrypted packets using the configuration
psp decrypt -c example.cfg -i encrypted.pcap -o decrypted.pcap
# Compare the decrypted packets against the origin sample packets
tcpdump -X -r cleartext.pcap > cleartext.txt
tcpdump -X -r decrypted.pcap > decrypted.txt
diff cleartext.txt decrypted.txt

PSP Example Client / Server

The psp server and psp client utilities implement an example client-server arrangement which establishes a PSP connection, in transport mode, between a client and a server.

psp server -p 10001

psp client -p 10001

Command Details

psp encrypt

Encrypting packets in a pcap file using psp encrypt requires not only a pcap file containing the packets but also a configuration file that specifies the PSP configuration.

$ psp encrypt -h
Perform PSP encryption on plaintext packets read from a pcap file

Usage: psp encrypt [OPTIONS]

Options:
  -v, --verbose          Enable verbose mode
  -e, --error            Forces a single bit error in each output packet which will cause authentication to fail
  -c <CFG_FILE>          PSP encryption configuration file [default: psp_encrypt.cfg]
  -i, --input <INPUT>    Input pcap file containing plaintext packet(s) to encrypt [default: cleartext.pcap]
  -o, --output <OUTPUT>  Output pcap file where the encrypted packet(s) will be written [default: psp_encrypt.pcap]
  -h, --help             Print help (see more with '--help')

psp decrypt

Encrypting packets in a pcap file using psp encrypt requires not only a pcap file containing the packets but also a configuration file that specifies the PSP configuration.

$ psp decrypt -h
Performs PSP decryption on PSP-encrypted packets read from a pcap file

Usage: psp decrypt [OPTIONS]

Options:
  -v, --verbose          Enable verbose mode
  -c <CFG_FILE>          PSP encryption configuration file [default: psp_encrypt.cfg]
  -i, --input <INPUT>    Input pcap file containing encrypted packet(s) to decrypt [default: psp_encrypt.pcap]
  -o, --output <OUTPUT>  Output pcap file where the decrypted packet(s) will be written [default: psp_decrypt.pcap]
  -h, --help             Print help (see more with '--help')

psp create config

The psp create config command can be used to create a sample configuration file in either json or a raw text format. The raw text format is based on the configuration file format that the google PSP C language implementation uses. It is supported here to allow compatibility testing with the C language implementation.

$ psp create config -h
Create a configuration file that can be used with the encrypt and decrypt commands

Usage: psp create config [OPTIONS]

Options:
  -s, --spi <SPI>                      SPI. 32b hex value. Upper bit selects the master key [default: 2587121272]
  -m, --mode <MODE>                    Encap mode: Tunnel or Transport [default: transport] [possible values: transport, tunnel]
  -a, --alg <ALG>                      Crypto Algorithm [default: aes-gcm256] [possible values: aes-gcm128, aes-gcm256]
      --crypto-offset <CRYPTO_OFFSET>  Crypto Offset [default: 0]
  -v, --vc                             Include virtual cookie
  -c, --cfg-file <CFG_FILE>            Name of the output configuration file [default: psp_encrypt.cfg]
  -j, --json                           json file format
  -h, --help                           Print help (see more with '--help')

psp create pcap

The psp create pcap utility can be used to create a sample pcap file which can be used for testing purposes.

$ psp create pcap -h
Create a cleartext pcap file that can be used for testing

Usage: psp create pcap [OPTIONS]

Options:
  -n, --num <NUM>  Number of packets to create [default: 1]
  -v, --ver <VER>  IPv4 or IPv6 packets [default: ipv4] [possible values: ipv4, ipv6]
  -e, --empty      Create empty packets where empty means the size of the L4 payload is 0
  -o <OUTPUT>      Name of the pcap output file [default: cleartext.pcap]
  -h, --help       Print help (see more with '--help')

Dependencies

~60MB
~1.5M SLoC