Reviewability, high 128-bit security margin and
@url{https://en.wikipedia.org/wiki/Deep_packet_inspection, DPI}
-resistance in mind in free software solution are the main goals
-for that daemon.
+censorship resistance in mind in free software solution are the main
+goals for that daemon. Most modern widespread protocols and their
+implementations in software are too complex to be reviewed, analyzed and
+modified.
-State off art cryptography technologies include:
+State off art cryptography technologies includes:
@url{http://cr.yp.to/snuffle.html, Salsa20} stream encryption,
@url{http://143.53.36.235:8080/tea.htm, XTEA} PRP,
@url{http://cr.yp.to/mac.html, Poly1305} message authentication,
-@url{https://en.wikipedia.org/wiki/Encrypted_key_exchange, Diffie-Hellman Encrypted Key Exchange}
-(DH-EKE) powered by @url{http://cr.yp.to/ecdh.html, Curve25519}.
+@url{https://en.wikipedia.org/wiki/PBKDF2} password-based key derivation
+function based on @url{https://en.wikipedia.org/wiki/SHA-2, SHA-512}
+hash function,
+@url{https://en.wikipedia.org/wiki/Encrypted_key_exchange,
+Diffie-Hellman Augmented Encrypted Key Exchange}
+(DH-A-EKE) powered by @url{http://cr.yp.to/ecdh.html, Curve25519},
+@url{http://ed25519.cr.yp.to/, Ed25519} signatures and
+@url{http://elligator.cr.yp.to/, Elligator} curve-point encoding.
Strong
@url{https://en.wikipedia.org/wiki/Zero-knowledge_password_proof, zero-knowledge}
mutual authentication with key exchange stage is invulnerable
@url{https://en.wikipedia.org/wiki/Forward_secrecy, Perfect forward secrecy}
property guarantee that compromising of long-term authentication
pre-shared key can not lead to previously captured traffic decrypting.
-Rehandshaking ensures session keys rotation. MAC authentication with
-one-time keys protects against
+Compromising of peers password file on server side won't allow attacker
+to masquerade as the client, because of asymmetric @strong{verifiers}
+usage, resistant to dictionary attacks. Rehandshaking ensures session
+keys rotation. MAC authentication with one-time keys protects against
@url{https://en.wikipedia.org/wiki/Replay_attack, replay attacks}.
Server can work with several clients simultaneously. Each client is
@strong{identified} by 128-bit key, that does not leak during handshake
-and each client stays @strong{anonymous} for MiTM and DPI.
+and each client stays @strong{anonymous} for MiTM and DPI. All settings
+are applied per-peer separately.
Optional ability to hide payload packets lengths by appending
@strong{noise} to them during transmission. Ability to generate constant
packet rate traffic (@strong{CPR}) that will hide even the fact of
-packets appearance.
+packets appearance, their timestamps.
The only platform specific requirement is TAP network interface support.
API to that kind of device is different, OS dependent and non portable.
@item IPv6 compatible
@item Encrypted and authenticated payload transport
@item Relatively fast handshake
+@item Password-authenticated key exchange
+@item Server-side password verifiers are secure against dictionary attacks
+@item Attacker can not masquerade a client even with password files compromising
@item Replay attack protection
@item Perfect forward secrecy property
@item Mutual two-side authentication
@item Zero knowledge authentication
@item Built-in rehandshake and heartbeat features
@item Several simultaneous clients support
+@item Per-client configuration options
@item Hiding of payload packets length with noise
-@item Hiding of payload packets appearance with constant packet rate traffic
+@item Hiding of payload packets timestamps with constant packet rate traffic
@item Optional built-in HTTP-server for retrieving information about
known connected peers in @url{http://json.org/, JSON} format
@end itemize