xilioscient/rinnegato

GitHub: xilioscient/rinnegato

一款基于 Rust 的抗量子多路径隧道工具,结合 Shamir 秘密共享、混合 KEM 和流量伪装实现高安全性数据传输。

Stars: 0 | Forks: 0

# Labyrinth-Mesh **抗量子多路径隧道** — 混合 KEM (X25519 + Kyber-1024) · BLAKE3 认证 · Shamir 3-of-5 SSS · Dilithium3 身份 · 阈值 KEM · 自适应调度器 · TLS 1.3 + HTTP/2 隐写术 ## 功能说明 Labyrinth-Mesh 接收任何 payload,通过 GF(2⁸) 上的 Shamir 秘密共享将其拆分为 5 个份额,使用 BLAKE3 对每个份额进行身份验证,通过混合 KEM(X25519 + Kyber-1024 组合)协商会话密钥,并通过 N 条独立路径分发这些份额。接收方可以从 5 个份额中的任意 3 个重构出原始数据。 会话密钥结合了经典和后量子原语——可同时抵御破解 RSA 的攻击者和量子攻击者。每个份额都独立计时和路由;没有任何单一路径携带足以重构 payload 的信息。 **`--http` 模式** 使用真实的 TLS 1.3 + HTTP/2 传输替代原始 UDP。接收方在运行时生成自签名证书,通过 Dilithium3 签名的控制通道进行交换,发送方使用自定义的 TLS 1.3 协议栈和 Chrome 124 的 ClientHello 进行连接(JA3/JA4 指纹与 Chrome 124 完全一致)。份额使用 Chrome 的请求头和经过填充的大小进行 POST 传输。 ## 快速开始(3 个终端) ``` # T1 — 接收器 labyrinth recv --ctrl 0.0.0.0:8199 --udp 0.0.0.0:8200 --mgmt 0.0.0.0:9090 # T2 — 实时 TUI labyrinth-tui --mgmt 127.0.0.1:9090 # T3 — 发送器(按 Ctrl+D 关闭) labyrinth send --to 127.0.0.1:8199 ``` HTTP/2 模式(TLS 指纹与 Chrome 124 完全一致 — JA3/JA4): ``` # T1 labyrinth recv --ctrl 0.0.0.0:8199 --udp 0.0.0.0:443 --http --sign # T2 labyrinth send --to 127.0.0.1:8199 --remotes 127.0.0.1:443 --http ``` ## 二进制文件 | Binary | Description | |---|---| | `labyrinth` | CLI: `send` `recv` `status` `setup` | | `labyrinth-tui` | Ratatui TUI 仪表板,500ms 轮询 | | `labyrinth-server` | 独立管理平面 | | `labyrinth_mesh` | 通过环境变量配置的 Mesh 节点 | ## CLI — `labyrinth` ### `labyrinth send` ``` --to Receiver ctrl address (KEM exchange) [default: 127.0.0.1:8199] --file, -f File to send (default: stdin) --remotes Comma-separated UDP/HTTPS destinations [default: 127.0.0.1:8200] --receiver-key Dilithium3 fingerprint of receiver (TOFU if omitted) --tkem-threshold Threshold KEM: min relay shares needed (requires receiver --tkem-relays) --http Use TLS 1.3 + HTTP/2 transport instead of raw UDP --jitter-min Minimum inter-batch jitter [default: 200] --jitter-max Maximum inter-batch jitter [default: 1200] --stagger Max per-share random delay [default: 5] --mgmt Start management plane on this address ``` 示例: ``` labyrinth send --to 192.168.1.10:8199 --file secret.pdf labyrinth send --to 127.0.0.1:8199 --remotes 127.0.0.1:443 --http --file payload.bin labyrinth send --to 127.0.0.1:8199 --tkem-threshold 2 echo "hello" | labyrinth send --to 127.0.0.1:8199 ``` ### `labyrinth recv` ``` --ctrl TCP listen for KEM key exchange [default: 0.0.0.0:8199] --udp UDP / HTTPS listen address [default: 0.0.0.0:8200] --output, -o Output file (default: stdout) --sign Generate Dilithium3 keypair and print fingerprint --tkem-relays Threshold KEM: number of independent relay sub-keypairs [default: 1] --http Use TLS 1.3 + HTTP/2 transport (auto-generates self-signed cert) --mgmt Start management plane on this address ``` 示例: ``` labyrinth recv --output /tmp/received.pdf --mgmt 0.0.0.0:9090 labyrinth recv --sign labyrinth recv --tkem-relays 3 labyrinth recv --ctrl 0.0.0.0:8199 --udp 0.0.0.0:443 --http --sign ``` ### `labyrinth status` ``` labyrinth status labyrinth status --mgmt 10.0.0.5:9090 --format json ``` ### `labyrinth setup` ``` labyrinth setup # interactive wizard ``` ## TUI — `labyrinth-tui` ``` labyrinth-tui --mgmt 127.0.0.1:9090 ``` | Key | Action | |---|---| | `q` / `Ctrl+C` | 退出 | | `p` | 暂停 / 恢复轮询 | | `f` | 故障转移弹窗(显示路径) | | `0`–`9` | 在弹窗中切换路径 | | `Esc` | 关闭弹窗 | | `r` | 重置本地增量计数器 | ## 管理平面 HTTP API | Endpoint | Method | Description | |---|---|---| | `/health` | GET | `{"status":"ok"/"degraded"/"critical", ...}` | | `/metrics` | GET | 会话、分片、ratchet 和重放计数器 | | `/metrics/paths` | GET | 按路径统计的字节/数据包数组 | | `/metrics/stream` | GET | 每 1 秒推送一次的 SSE JSON 流 | | `/metrics/rtt/p95` | GET | RTT 第 95 百分位数 | | `/logs` | GET | 最后 500 条进程日志条目 | | `/path/{idx}/activate` | POST | 重新激活路径 idx | | `/path/{idx}/deactivate` | POST | 停用路径 idx | ``` curl 127.0.0.1:9090/health curl 127.0.0.1:9090/metrics curl -H "Authorization: Bearer TOKEN" 127.0.0.1:9090/metrics/stream curl -X POST 127.0.0.1:9090/path/1/deactivate ``` ## 安全技术栈 ``` Payload │ ▼ GF(2⁸) Shamir SSS n=5 shares, k=3 threshold │ ▼ Hybrid KEM X25519 + Kyber-1024 combined │ key = BLAKE3-derive(kyber_ss ‖ x25519_ss) │ + BLAKE3 auth tag 8 bytes per share, constant-time verify │ + Key ratchet rotation every 10,000 packets via BLAKE3-KDF │ + Replay window 128-bit sliding bitmap │ + Dilithium3 optional receiver identity (post-quantum sig) │ + Threshold KEM K-of-N sub-key ceremony, info-theoretically secure ▼ Transport │ UDP mode: phase3 wire-format framing (TLS1.3 / QUIC / WS / HTTP2) │ + Markov IAT + ChaCha20 padding + CBR cover traffic (XDP) │ │ HTTP mode: real TLS 1.3 + HTTP/2, ALPN negotiated │ self-signed cert + Dilithium3-pinned via ctrl channel │ Chrome headers + bucket padding [512,1024,2048,4096,8192]B │ empirical Chrome IAT distribution ▼ Network paths (multi-path, adaptive scheduler) ``` **威胁模型:** 具备 ML 分类器的链路 DPI 攻击者、破解 RSA/ECDH 的量子攻击者、重放攻击、中继节点沦陷、时序流量分析。 ## 自适应多路径调度器 调度器通过轻量级探测包测量每条路径的 RTT 和丢包率,计算 EWMA 得分,并根据路径质量按比例分配 Shamir 份额。死路径(丢包率 > 85%)将进入指数退避(1s → 60s),并在其恢复后自动重新接入。 ## 阈值 KEM 消除了 KEM 设置中的单点沦陷风险。接收方生成 N 个独立的子密钥对;发送方在其中使用 Shamir 算法拆分主密钥。会话密钥只能从 N 个子密钥中的 ≥ K 个推导得出。即使 K−1 个中继子密钥被泄露(且其中一个被量子破解),会话密钥在信息论意义上仍然是安全的。 ``` labyrinth recv --tkem-relays 3 labyrinth send --to 127.0.0.1:8199 --tkem-threshold 2 ``` ## 构建与测试 ``` cargo build --workspace # debug cargo build --release --workspace # release (LTO + codegen-units=1) cargo build --release -p labyrinth-cli # CLI only cargo test --workspace # all tests cargo test -p labyrinth-core --lib # unit tests cargo test --test integration_http_transport -- --test-threads=1 cargo test --test integration_labyrinth cargo test --test integration_improvements ``` ## 环境变量 — `labyrinth_mesh` | Variable | Default | Description | |---|---|---| | `LABYRINTH_MODE` | `send` | `send` 或 `recv` | | `LABYRINTH_CTRL` | `0.0.0.0:8199` | 用于 KEM 的 TCP 监听端口(接收方) | | `LABYRINTH_RECV_CTRL` | `127.0.0.1:8199` | 用于 KEM 的 TCP 连接端口(发送方) | | `LABYRINTH_UDP_LISTEN` | `0.0.0.0:8200` | UDP / HTTPS 监听端口(接收方) | | `LABYRINTH_REMOTES` | `127.0.0.1:8200` | 目标地址,以逗号分隔 | | `LABYRINTH_HTTP_MODE` | `false` | `1` → TLS 1.3 + HTTP/2 模式 | | `LABYRINTH_JITTER_MIN_MS` | `200` | 批次间最小抖动 (ms) | | `LABYRINTH_JITTER_MAX_MS` | `1200` | 批次间最大抖动 (ms) | | `LABYRINTH_SHARE_STAGGER_MS` | `5` | 每个份额的最大随机延迟 (ms) | | `LABYRINTH_CBR_ENABLED` | `false` | `1` → XDP 掩护流量 (Linux ≥ 5.15) | | `LABYRINTH_CBR_BPS` | `0` (= 2 Mbps) | CBR 速率,单位为 bit/s | | `DMPOT_MGMT_ADDR` | _(off)_ | 启动管理平面 | | `LABYRINTH_BIND` | `0.0.0.0:9090` | `labyrinth-server` 绑定地址 | ## 仓库结构 ``` labyrinth-core/ Core library src/ v2/ Hybrid KEM, Shamir, BLAKE3, ratchet, replay, threshold KEM phase1/ GF(2⁸) arithmetic phase3/ Protocol framing (TLS1.3/QUIC/WS/HTTP2) + Markov IAT phase4/ XDP/eBPF cover traffic + MultiPathController phase5/ Anti-debug, memory integrity chrome_tls/ Custom TLS 1.3 stack — Chrome 124 ClientHello, JA3/JA4 identical http_transport/ TLS bundle, bucket padding, Chrome headers, HTTPS server scheduler/ Adaptive multi-path scheduler (EWMA) management_plane/ Axum HTTP API + SSE metrics/ SharedMetrics file_transfer/ FileSender / FileReceiver + BLAKE3 verify log_capture/ 500-entry ring buffer labyrinth-cli/ `labyrinth` CLI (clap subcommands) labyrinth-tui/ `labyrinth-tui` Ratatui dashboard labyrinth-server/ `labyrinth-server` standalone management plane docker-compose.yml Backend container quickstart.sh One-liner bootstrap ``` ## 核心依赖 ``` pqcrypto-kyber = "0.7" Kyber-768 KEM (hybrid PQ key share, Chrome 124) pqcrypto-kyber = "0.7" Kyber-1024 KEM (session KEM, NIST PQC Level 5) x25519-dalek = "2" X25519 ECDH (hybrid KEM + TLS key share) pqcrypto-dilithium = "0.5" Dilithium3 post-quantum signatures blake3 = "1.5" Auth tags + KDF + ratchet sharks = "0.5" Shamir Secret Sharing over GF(256) aes-gcm = "0.10" AES-128-GCM for custom TLS 1.3 AEAD hmac = "0.12" HMAC-SHA256 for TLS 1.3 Finished messages rcgen = "0.13" Runtime self-signed cert generation tokio-rustls = "0.26" Async TLS 1.3 server (receiver side) hyper = "1" HTTP/2 client + server axum = "0.7" Management plane + share endpoint aya = "0.12" eBPF userspace loader (cover traffic) tokio = "1" Async runtime ```
标签:Radare2, Rust, TLS指纹, 可视化界面, 多路径隧道, 抗量子密码学, 流量伪装, 网络流量审计, 网络通信, 通知系统