CLIQUE-KEYGEN(1)             Clique Reference Manual            CLIQUE-KEYGEN(1)

NAME
       clique-keygen - generate a cryptographic key for Clique endpoints

SYNOPSIS
       clique-keygen [OPTION]...

DESCRIPTION
       The clique-keygen program is part of the reference implementation for
       the clique(7) protocol for encrypted Internet communication, in which
       many types of metadata are protected against eavesdropping.

       This program generates a randomized key for encrypting and decrypting
       communication between two machines within a clique. The key should be
       installed as specified by the KeyDirectory directive of cipher.conf(5).

       The key's filename should have few adornments; it is used at each
       endpoint as a "domain", or encrypted path, from one peer to the other.
       These filenames need not be the same at each endpoint, and typically
       would be given names which locally identify the endpoint to which each
       connects.

OPTIONS
       -h     Print version number and option summary.

       -o FILE
              Write output to FILE instead of clique.key.

       -r     Encrypt messages using 4096-bit Rijndael. This is the default;
              in the future there will be an option to encrypt messages using
              one-time pads.

       -s SOURCE
              Read key material from SOURCE instead of /dev/random.

EXIT STATUS
       Returns 0 if successful, or 1 if unsuccessful.

ENVIRONMENT
       The environment is completely ignored by this command for security
       reasons, except on macOS, which lacks a library function to accomplish
       this.

NOTES
       Like the Advanced Encryption Standard, Clique uses a symmetric cipher
       based on Rijndael. Unlike AES, Clique uses no subkeys, instead directly
       specifying the key for each round. This permits a much greater
       effective key size; whereas AES uses 128-, 192-, or 256-bit keys,
       Clique uses a 4096-bit key.

       As the Clique network protocol is the focus of active graduate
       research, it should be regarded as experimental at this time.

BUGS
       This program is slow in its default and most secure mode, because key
       material is taken from the kernel's random number source device
       /dev/random. Reads from this device block until the kernel has
       accumulated enough entropy to fill the request.

       Whatever source of key material is used by this program, it is used
       unvalidated and unmodified. Any weaknesses or compromises concerning
       that source are propagated directly to the key.

       Clique keys are not themselves encrypted, and as such are not
       associated with any passphrases, etc.

       It is not possible to share a key among more than two machines without
       incurring severe errors, including deadlock and data corruption. These
       errors are limited to the over-shared key(s). Rather than having three
       peers share a single key, a total of three keys is used, one for each
       of the three transmission paths involved.

       No provision is available yet for resetting keys that have been locked
       out by system clock jumps. Manual attempts to reset a key in
       hexadecimal would require the ability to compute HMACs and may not be
       worth the effort.

       A backup copy of your keys is suggested. Of course, in future versions
       of Clique, you should never make a backup of any one-time pads. Make
       backup one-time pads instead.

       The documentation is likely to be incomplete in some respects, and
       difficult to absorb in several respects.

EXAMPLES
       $ clique-keygen
              Create a file named clique.key from /dev/random.

       $ clique-keygen -s /dev/urandom -o mike-susan
              Create a key in file mike-susan from /dev/urandom.

SEE ALSO
       clique-cipherer(1), clique-deliverer(1), clique-scheduler(1),
       cipher.conf(5), sched.conf(5), clique(7)

                                 2016-12-20                     CLIQUE-KEYGEN(1)
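The BUGS section states that whatever SOURCE is given with -s is used unvalidated and unmodified. The following is an added example, not code from the Clique reference implementation, of producing a 4096-bit key file from a chosen source and sanity-checking it before installing it under KeyDirectory. It assumes the key file holds the key as 512 raw bytes; make_key, check_key and MIN_DISTINCT are names chosen here.

```shell
#!/bin/sh
# Added example, not part of the Clique reference implementation.
# Assumption: a Clique key file holds the 4096-bit key as 512 raw bytes.
KEY_BYTES=512

# make_key SOURCE OUT: copy exactly KEY_BYTES from SOURCE into OUT, created
# owner-readable only. bs=1 avoids a short read from a blocking /dev/random.
make_key() {
    ( umask 077 && dd if="$1" of="$2" bs=1 count="$KEY_BYTES" 2>/dev/null ) || return 1
    chmod 600 "$2"
}

# check_key FILE: succeed only if FILE looks like usable key material:
# exact length, owner-only permissions, and more than MIN_DISTINCT distinct
# byte values (a dead or exhausted SOURCE tends to return zeros or repeats;
# 512 independent uniform bytes contain about 221 distinct values).
MIN_DISTINCT=128
check_key() {
    f=$1
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -eq "$KEY_BYTES" ] || { echo "$f: $size bytes, want $KEY_BYTES" >&2; return 1; }
    mode=$(ls -ld "$f" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "$f: group/other permissions set" >&2; return 1; }
    # -v keeps od from collapsing repeated lines into "*", which matters for an all-zero file
    distinct=$(od -An -v -tu1 "$f" | tr -s ' \n' '\n' | sed '/^$/d' | sort -u | wc -l | tr -d ' ')
    [ "$distinct" -gt "$MIN_DISTINCT" ] || { echo "$f: only $distinct distinct byte values" >&2; return 1; }
}

# Usage: make_key /dev/urandom mike-susan && check_key mike-susan
```

The distinct-byte test only catches a grossly broken source; it says nothing about a source that is biased or predictable in subtler ways, which is why the page's advice to trust only a sound SOURCE still stands.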