@node Handshake protocol
@section Handshake protocol

@verbatiminclude handshake.utxt

Each handshake message ends with a so-called @code{IDtag}: the first 64
bits of the message, encrypted with XTEA using the client's identity as
the key. It is used to transmit the identity and to mark the packet as a
handshake message. The server can determine which identity was used by
trying all the keys known to it. This consumes resources, but XTEA is a
rather fast algorithm and checking handshake messages is a rare enough
event.

@enumerate
@item
client generates @code{CPubKey}, random 64bit @code{R} that is used as a
@item
@verb{|R + enc(PSK, R, CPubKey) + IDtag -> Server|} [48 bytes]
@item
server remembers the client's address, decrypts @code{CPubKey}, generates
@code{SPrivKey}/@code{SPubKey}, computes the common shared key @code{K}
(based on @code{CPubKey} and @code{SPrivKey}), generates a 64bit random
number @code{RS} and a 256bit random @code{SS}. PSK encryption uses the
incremented @code{R} (from the previous message) as the nonce
@item
@verb{|enc(PSK, R+1, SPubKey) + enc(K, R, RS + SS) + IDtag -> Client|} [80 bytes]
@item
client decrypts @code{SPubKey}, computes @code{K}, decrypts @code{RS} and
@code{SS} with key @code{K}, remembers @code{SS}, generates a 64bit random
number @code{RC} and a 256bit random @code{SC}
@item
@verb{|enc(K, R+1, RS + RC + SC) + IDtag -> Server|} [56 bytes]
@item
server decrypts @code{RS}, @code{RC}, @code{SC} with key @code{K},
compares @code{RS} with its own one sent before, computes the final main
encryption key @code{S = SS XOR SC}
@item
@verb{|ENC(K, 0, RC) + IDtag -> Client|} [16 bytes]
@item
server switches to the new client
@item
client decrypts @code{RC} and compares it with its own generated one,
computes the final main encryption key @code{S}
@end enumerate

Where PSK is a 256bit pre-shared key. @code{R*} are required for handshake
randomization and two-way authentication. The K key is used only during
the handshake. DH public keys can be trivially derived from private ones.
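
The IDtag construction and the server's try-every-key identity search described at the top of this section, as an added example in Go (not GoVPN's own code). It assumes a 16-byte identity (XTEA takes a 128-bit key), big-endian word order and the standard 32 cycles; the function names are hypothetical and the constant-time tag comparison is this example's choice.

```go
package main

import (
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// xteaEncrypt: one 64-bit block, 128-bit key, 32 cycles; big-endian words are an assumption.
func xteaEncrypt(key [16]byte, block []byte) (out [8]byte) {
	v0, v1 := binary.BigEndian.Uint32(block[0:4]), binary.BigEndian.Uint32(block[4:8])
	var k [4]uint32
	for i := range k {
		k[i] = binary.BigEndian.Uint32(key[i*4:])
	}
	for i, sum := 0, uint32(0); i < 32; i++ {
		v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum&3])
		sum += 0x9E3779B9
		v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum>>11)&3])
	}
	binary.BigEndian.PutUint64(out[:], uint64(v0)<<32|uint64(v1))
	return out
}

// AppendIDTag (hypothetical name) appends XTEA(identity, first 8 bytes of msg); 16-byte identity assumed.
func AppendIDTag(id [16]byte, msg []byte) []byte {
	tag := xteaEncrypt(id, msg[:8])
	return append(append([]byte{}, msg...), tag[:]...)
}

// FindIdentity (hypothetical name) tries each known identity as key; -1 means not a handshake message.
func FindIdentity(known [][16]byte, pkt []byte) int {
	if len(pkt) < 16 {
		return -1
	}
	for i, id := range known {
		want := xteaEncrypt(id, pkt[:8])
		if subtle.ConstantTimeCompare(want[:], pkt[len(pkt)-8:]) == 1 {
			return i
		}
	}
	return -1
}

func main() {
	ids := [][16]byte{{0x01}, {0x02}, {0x03}}    // constructed identities
	pkt := AppendIDTag(ids[2], make([]byte, 40)) // 40 constructed bytes + IDtag = 48
	fmt.Println(len(pkt), FindIdentity(ids, pkt))
}
```

The lookup costs one XTEA block encryption per known identity for every packet that has to be checked, which is the resource cost the section mentions.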