Secure transfer of stuff from one side of the internet to the other.
This is more or less (but mostly less) a Golang port of @warner's magic-wormhole which allows you to directly transfer files and folders between computers. I decided to make this because I wanted to send my friend Jessie a file using magic-wormhole and when I told Jessie how to install the dependencies she made this face:
Don't we have enough open-source peer-to-peer file-transfer utilities?
These two gifs should run in sync if you force-reload (Ctl+F5)
$ croc -send croc.exe Sending 4.4 MB file named 'croc.exe' Code is: 4-cement-galaxy-alpha Sending (->63982).. 89% |███████████████████████████████████ | [12s:1s] File sent (2.6 MB/s)
$ croc Enter receive code: 4-cement-galaxy-alpha Receiving file (4.4 MB) into: croc.exe ok? (y/n): y Receiving (<-63975).. 97% |██████████████████████████████████████ | [13s:0s] Received file written to croc.exe (2.6 MB/s)
Note, by default, you don't need any arguments for receiving! This makes it possible for you to just double click the executable to run (nice for those of us that aren't computer wizards).
Or, you can install Go and build from source with
go get github.com/schollz/croc.
How does it work?
croc is similar to magic-wormhole in spirit and design. Like magic-wormhole, croc generates a code phrase for you to share with your friend which allows secure end-to-end transfering of files and folders through a intermediary relay that connects the TCP ports between the two computers.
In croc, code phrase is 16 random bits that are menemonic encoded plus a prepended integer to specify number of threads. This code phrase is hashed using sha256 and sent to a relay which maps that key to that connection. When the relay finds a matching key for both the receiver and the sender (i.e. they both have the same code phrase), then the sender transmits the encrypted metadata to the receiver through the relay. Then the receiver decrypts and reviews the metadata (file name, size), and chooses whether to consent to the transfer.
After the receiver consents to the transfer, the sender transmits encrypted data through the relay. The relay setups up Go channels for each connection which pipes all the data incoming from that sender's connection out to the receiver's connection. After the transmission the channels are destroyed and all the connection and meta data information is wiped from the relay server. The encrypted file data never is stored on the relay.
Encryption uses PBKDF2 (see RFC2898) where the code phrase shared between the sender and receiver is used as the passphrase. For each of the two encrypted data blocks (metadata stored on relay server, and file data transmitted), a random 8-byte salt is used and a IV is generated according to NIST Recommendation for Block ciphers, Section 8.2.
On the receiver's computer, each piece of received encrypted data is written to a separate file. These files are concatenated and then decrypted. The hash of the decrypted file is then checked against the hash transmitted from the sender (part of the meta data block).
Run your own relay
croc relies on a TCP relay to staple the parallel incoming and outgoing connections. The relay temporarily stores connection information and the encrypted meta information. The default uses a public relay at,
cowyo.com, which has no guarantees except that I guarantee to turn if off as soon as it gets abused (click here to check the current status of the public relay).
I recommend you run your own relay, it is very easy. On your server,
your-server.com, just run
$ croc -relay
Now, when you use croc to send and receive you should add
-server your-server.com to use your relay server.
Note: If you are behind a firewall, make sure to open up TCP ports 27001-27009.
- ...@warner for the idea.
- ...@tscholl2 for the encryption gists.
- ...@skorokithakis for code on proxying two connections.
- ...for making pull requests @Girbons, @techtide, @heymatthew, @Lunsford94, @lummie, @jesuiscamille, @threefjord, @marcossegovia, @csleong98, @afotescu, @callmefever, @El-JojA, @anatolyyyyyy, @goggle, @smileboywtu!