| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| gosttk_win32.zip | 2022-12-10 | 2.8 MB | |
| gosttk_win64.zip | 2022-12-10 | 2.9 MB | |
| gosttk_linux-x86.zip | 2022-12-10 | 2.6 MB | |
| gosttk_linux-amd64.zip | 2022-12-10 | 2.8 MB | |
| gosttk_linux-armel.zip | 2022-12-10 | 2.6 MB | |
| README.md | 2022-12-10 | 9.1 kB | |
| Totals: 6 Items | | 13.7 MB | 0 |
GOST Toolkit: GOST Cipher Suite written in Go
Multi-purpose cross-platform cryptography tool for encryption / decryption, hash digest, cipher-based message authentication code (CMAC), hash-based message authentication code (HMAC), digital signature, shared key agreement (VKO) and PBKDF2.
GOST is the GOvernment STandard of the Russian Federation (and the Soviet Union):
- GOST 28147-89 64-bit block cipher (RFC 5830)
- GOST R 34.11-94 hash function 256-bit (RFC 5831)
- GOST R 50739-95 data sanitization method (non-cryptographic)
- GOST R 34.10-2001 public key signature function (RFC 5832)
- VKO GOST R 34.10-2001 key agreement function (RFC 4357)
- GOST R 34.10-2012 public key signature function (RFC 7091)
- VKO GOST R 34.10-2012 key agreement function (RFC 7836)
- GOST R 34.11-2012 Streebog hash function 256/512-bit (RFC 6986)
- GOST R 34.12-2015 128-bit block cipher Kuznechik (RFC 7801)
- GOST R 34.12-2015 64-bit block cipher Magma
Symmetric Ciphers:
- GOST 28147-89 CryptoPro
- GOST R 34.12-2015 Magma (default)
- GOST R 34.12-2015 Kuznechik (Grasshopper)
Asymmetric Ciphers:
- GOST R 34.10-2001 CryptoPro 256-bit
- GOST R 34.10-2012 256/512-bit (default)
Hash Functions:
- GOST R 34.11-94 CryptoPro 256-bit
- GOST R 34.11-2012 Streebog 256/512-bit (default)
Cryptographic Functions:
- Symmetric Encryption/Decryption
- Digital Signature (ECDSA equivalent)
- VKO shared key negotiation (ECDH equivalent)
- Hash Digest
- CMAC (Cipher-based message authentication code)
- HMAC (Hash-based message authentication code)
- HKDF (Hash-based key derivation function)
- PBKDF2 (Password-based key derivation function 2)
- TLS 1.2 (Transport Layer Security)
Non-Cryptographic Functions:
- GOST R 50739-95 data sanitization method
- Bin to Hex/Hex to Bin string conversion
- Random Art Public key Fingerprint (ssh-keygen equivalent)
Supported ParamSets:
- GOST R 34.10-2001 256-bit: A, B, C, XA, XB
- GOST R 34.10-2012 256-bit: A, B, C, D
- GOST R 34.10-2012 512-bit: A, B, C
Usage:
-128
Block size: 64 or 128. (for symmetric encryption only) (default 64)
-512
Bit length: 256 or 512. (default 256)
-check string
Check hashsum file. ('-' for STDIN)
-crypt string
Encrypt/Decrypt with symmetric ciphers.
-digest string
File/Wildcard to generate hashsum list. ('-' for STDIN)
-hex string
Encode binary string to hex format and vice-versa.
-hkdf int
Hash-based key derivation function with a given output bit length.
-info string
Associated data, additional info. (for HKDF and AEAD encryption)
-iter int
Iterations. (for SHRED and PBKDF2 only) (default 1)
-iv string
Initialization vector. (for non-AEAD symmetric encryption)
-key string
Private/Public key, password or HMAC key, depending on operation.
-mac string
Compute hash-based/cipher-based message authentication code.
-mode string
Mode of operation: MGM, CTR or OFB. (default "MGM")
-old
Use old roll of algorithms.
-paramset string
Elliptic curve ParamSet: A, B, C, D, XA, XB. (default "A")
-pbkdf2
Password-based key derivation function 2.
-pkey string
Generate keypair, Derive shared secret, Sign and Verify.
-pub string
Remote's side public key.
-rand int
Generate random cryptographic key with a given output bit length.
-recursive
Process directories recursively. (for DIGEST command only)
-salt string
Salt. (for PBKDF2 and HKDF commands)
-shred string
Files/Path/Wildcard to apply data sanitization method.
-signature string
Input signature. (verification only)
-version
Print version information.
Examples:
Asymmetric GOST R 34.10-2001 256-bit keypair generation (INI format):
./gosttk -pkey gen -old
Asymmetric GOST R 34.10-2012 256/512-bit keypair generation (default):
./gosttk -pkey gen [-512]
Signature (ECDSA equivalent):
./gosttk -pkey sign [-512|-old] -key $prvkey < file.ext > sign.txt
sign=$(cat sign.txt)
./gosttk -pkey verify [-512|-old] -key $pubkey -signature $sign < file.ext
echo $?
VKO: Shared key negotiation (ECDH equivalent):
./gosttk -pkey derive [-512|-old] -key $prvkey -pub $pubkey
Encryption/decryption with Magma (GOST R 34.12-2015) symmetric cipher (default):
./gosttk -crypt enc -key $shared < plaintext.ext > ciphertext.ext
./gosttk -crypt dec -key $shared < ciphertext.ext > plaintext.ext
Encryption/decryption with Kuznyechik (GOST R 34.12-2015) symmetric cipher:
./gosttk -crypt enc -128 -key $shared < plaintext.ext > ciphertext.ext
./gosttk -crypt dec -128 -key $shared < ciphertext.ext > plaintext.ext
Encryption/decryption with GOST 28147-89 CryptoPro symmetric cipher:
./gosttk -crypt enc -old -key $shared < plaintext.ext > ciphertext.ext
./gosttk -crypt dec -old -key $shared < ciphertext.ext > plaintext.ext
CMAC-Kuznechik (cipher-based message authentication code):
./gosttk -mac cmac -128 -key $128bitkey < file.ext
CMAC-Magma (cipher-based message authentication code):
./gosttk -mac cmac [-old] -key $128bitkey < file.ext
GOST94-CryptoPro hashsum (list):
./gosttk -digest "*.*" -old [-recursive]
GOST94-CryptoPro hashsum (single):
./gosttk -digest - -old < file.ext
HMAC-GOST94-CryptoPro (hash-based message authentication code):
./gosttk -mac hmac -old -key $256bitkey < file.ext
Streebog256/512 hashsum:
./gosttk -digest - [-512] < file.ext
HMAC-Streebog256/512:
./gosttk -mac hmac [-512] -key $256bitkey < file.ext
PBKDF2 (password-based key derivation function 2):
./gosttk -pbkdf2 [-512|-old] -key "pass" -iter 10000 -salt "salt"
Note:
The PBKDF2 function can be combined with the CRYPT and HMAC commands:
./gosttk -crypt enc -128 -pbkdf2 -512 -key "pass" < plaintext.ext > ciphertext.ext
./gosttk -mac hmac [-512] -pbkdf2 -key "pass" -iter 10000 -salt "salt" < file.ext
Shred (GOST R 50739-95 data sanitization method, 25 iterations):
./gosttk -shred keypair.ini -iter 25
Bin to Hex/Hex to Bin:
echo somestring|./gosttk -hex enc
echo hexstring|./gosttk -hex dec
Random Art (Public Key Fingerprint):
./gosttk -key $pubkey
GOST TLS
Cross-platform hybrid cryptography tool for shared key agreement (VKO), digital signature and TLS 1.2 for small or embedded systems.
Command-line Security Suite
- GOST R 34.10-2012 public key signature function (RFC 7091)
- VKO GOST R 34.10-2012 key agreement function (RFC 7836)
- GOST R 34.11-2012 Streebog hash function 256/512-bit (RFC 6986)
- GOST R 34.12-2015 128-bit block cipher Kuznechik (RFC 7801)
Supported ParamSets:
- GOST R 34.10-2012 256-bit: A, B, C, D
- GOST R 34.10-2012 512-bit: A, B
Features
Cryptographic Functions:
- Digital Signature (ECDSA-like)
- VKO Shared Key Agreement (ECDH)
- TLS 1.2 (Transport Layer Security)
Non-cryptographic Functions:
- Privacy-Enhanced Mail (PEM format)
- RandomArt (OpenSSH-like)
Usage
-512
Key length: 256 or 512. (default 256)
-cert string
Certificate name. (default "Certificate.pem")
-ipport string
Local Port/remote's side Public IP:Port.
-key string
Private/Public key, depending on operation.
-paramset string
Elliptic curve ParamSet: A, B, C, D. (default "A")
-pkey string
Generate keypair, Generate certificate. [keygen|certgen]
-private string
Private key path. (for keypair generation) (default "Private.pem")
-public string
Public key path. (for keypair generation) (default "Public.pem")
-pwd string
Password. (for Private key PEM encryption)
-signature string
Input signature. (verification only)
-tcp string
Encrypted TCP/IP Transfer Protocol. [server|ip|client]
Examples
Asymmetric GOST2012 keypair generation:
./gostls -pkey keygen [-512] [-paramset B] [-pwd "pass"]
Parse keys info:
./gostls -pkey [text|modulus] [-pwd "pass"] -key private.pem
./gostls -pkey [text|modulus] -key public.pem
./gostls -pkey randomart -key public.pem
Digital signature:
./gostls -pkey sign -key private.pem [-pwd "pass"] < file.ext > sign.txt
sign=$(cat sign.txt|awk '{print $2}')
./gostls -pkey verify -key public.pem -signature $sign < file.ext
echo $?
VKO Shared key agreement:
./gostls -pkey derive -key private.pem -public peerkey.pem
Generate Certificate:
./gostls -pkey certgen -key private.pem [-pwd "pass"] [-cert "output.ext"]
Parse Certificate info:
./gostls -pkey [text|modulus] -cert certificate.pem
TLS Layer (TCP/IP):
./gostls -tcp ip > PubIP.txt
./gostls -tcp server -cert certificate.pem -key private.pem [-ipport "8081"]
./gostls -tcp client -cert certificate.pem -key private.pem [-ipport "127.0.0.1:8081"]