# cutehip

**Repository Path**: junwuming/cutehip

## Basic Information

- **Project Name**: cutehip
- **Description**: RFC7401主机标识协议
- **Primary Language**: Python
- **License**: Apache-2.0
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 0
- **Created**: 2021-03-11
- **Last Updated**: 2022-07-18

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

# Notes

1. 使用HIT的时候注意补全前面的0，例如 `2001:2001:36c1:28d3:e52e:9fcf:ad7e:cd7` 应该修改为 `2001:2001:36c1:28d3:e52e:9fcf:ad7e:0cd7`

2. 此版本只针对与 处在同一网段的2个主机之间实现的HIP通信，跨网段通信会导致 失败，但是具体的原因还未诊断出来

3. 贴出一些常用的命令：

   ```
   bash tools/genkey.sh gen RSA 1024
   git fetch --all && git reset --hard origin/master && git pull  --> 强制同步远程仓库
   ```
   
   

# About

This is the replacement for the Java-based implementation of Host Indentity Protocol (HIP) version 2.

The solution was tested on Ubuntu 18.04, but in general, all Ubuntu like platforms should work fine.
We have also tested the implmentation on Raspberry PI.

# Introduction

Host Identity Protocol, or HIP, is layer 3.5 solution,
which was initially designed to split the dual role of the IP address: 
locator and identifier. Using HIP protocol one can solve not
only mobility problems, but also establish authenticated secure
channel. This repository contains the implementation of HIP and 
IPSec protocols using Python.

At the moment the development is ongoing. Linux was selected as a target system and all the 
development currently done for this operating system.

Cryptographic library was missing Diffie-Hellman and Elliptic Curve Diffie-Hellman so we 
have implemented these protocols in Python. We have also made some measurements just to
understand how well Python copes with these computation intensive tasks.

# Usage

Currently RSA and ECDSA (HI) algorithms for Host Identity are supported. To test the implementation one
need to first install the needed libraries.

```
$ sudo pip3 install pycryptodome
$ sudo pip3 install netifaces
```

Make sure also net-tools are installed (needed for ifconfig):

```
$ sudo apt-get install net-tools
```

```
$ git clone https://github.com/dmitriykuptsov/cutehip.git
$ cd cutehip
```

Then generate the keys on both initiator and responder as follows (only small keys are supported
at the moment, because fragmentation does not work)

```
$ bash tools/genkey.sh gen RSA 1024
```

or (to create ECDSA key pair)
```
$ bash tools/genkey.sh gen ECDSA secp384r1
```

ECDSALow is not supported due to used cryptographic library limitations.

The next step is to change the configuration. If RSA is used, set sig_alg to 0x5, and hash 
algorithm (hash_alg) to 0x1. If ECDSA is used for signatures, set sig_alg 0x7, and hash
algorithm (hash_alg) to 0x2. Also make sure you set the correct order of the cipher algorithm
and Diffie-Hellman algorithm (the first one in the list will be used during the BEX). Also 
the first cipher will be used for encrypting/decrypting ESP payload.

Once the keys are generated and configuration file is modified, run the responder:

```
$ sudo python3 cutehipd
```

Check the HIT of the responder (first you need to SSH on the responder and only then execute the below command):

```
$ ifconfig hip0
```

Then repeat the operation on intiator.

Update the hosts file (on initiator)
```
$ echo "<RHIT> <IP>" >> config/hosts
```

Remember to pad HIT with zeros if needed (ifconfig tool strips off unneeded zeros).

Run the initiator
```
$ sudo python3 cutehipd
```

Test the connection
```
$ ssh pi@<RHIT>
```

You should get security association installed once HIP BEX completes.