X-Git-Url: http://www.git.cypherpunks.ru/?a=blobdiff_plain;f=doc%2Fhandshake.texi;h=6f1e37e32a72098cb00abb3b28238fe8ae1cfcf2;hb=cae1bf7a68f5be04942cdb96f91e5eca44232f5c;hp=533fef9cc90d16a068b266dd38a2ecaabefdf1c9;hpb=1f0e56f6a94ab99ef3b46eb1b07f65c802f508c0;p=govpn.git
diff --git a/doc/handshake.texi b/doc/handshake.texi
index 533fef9..6f1e37e 100644
--- a/doc/handshake.texi
+++ b/doc/handshake.texi
@@ -4,45 +4,89 @@
 @verbatiminclude handshake.utxt
 Each handshake message ends with so called @code{IDtag}: it is an XTEA
-encrypted first 64 bits of each message with client's identity as a key.
-It is used to transmit identity and to mark packet as handshake message.
-Server can determine used identity by trying all possible known to him
-keys. It consumes resources, but XTEA is rather fast algorithm and
-handshake messages checking is seldom enough event.
+encrypted first 64 bits of each message with client's @ref{Identity} as
+a key. It is used to transmit identity and to mark packet as handshake
+message. Server can determine used identity by trying all possible known
+to him keys. It consumes resources, but XTEA is rather fast algorithm
+and handshake messages checking is seldom enough event.
+
+@strong{Preparation stage}:
+
 @enumerate
 @item
-client generates @code{CPubKey}, random 64bit @code{R} that is used as a
-nonce for encryption
+Client knows only his identity and passphrase written somewhere in the
+human. Server knows his identity and
+@ref{Verifier structure, verifier}: @code{DSAPub}.
 @item
-@verb{|R + enc(PSK, R, CPubKey) + IDtag -> Server|} [48 bytes]
+Client computes verifier which produces @code{DSAPriv} and
+@code{DSAPub}. @code{H()} is @emph{HSalsa20} hash function.
 @item
-server remembers clients address, decrypt @code{CPubKey}, generates
-@code{SPrivKey}/@code{SPubKey}, computes common shared key @code{K}
-(based on @code{CPubKey} and @code{SPrivKey}), generates 64bit random
-number @code{RS} and 256bit random @code{SS}. PSK-encryption uses
-incremented @code{R} (from previous message) for nonce
+Client generates DH keypair: @code{CDHPub} and @code{CDHPriv}.
+Also it generates random 64-bit @code{R} that is used as a nonce for
+symmetric encryption.
+@end enumerate
+
+@strong{Interaction stage}:
+
+@enumerate
 @item
-@verb{|enc(PSK, R+1, SPubKey) + enc(K, R, RS + SS) + IDtag -> Client|} [80 bytes]
+@verb{|R + enc(H(DSAPub), R, CDHPub) + IDtag -> Server|} [48 bytes]
+
 @item
-client decrypt @code{SPubKey}, computes @code{K}, decrypts @code{RS},
-@code{SS} with key @code{K}, remembers @code{SS}, generates 64bit random
-number @code{RC} and 256bit random @code{SC},
+@itemize @bullet
+@item Server remembers client address.
+@item Decrypts @code{CDHPub}.
+@item Generates DH keypair: @code{SDHPriv}/@code{SDHPub}.
+@item Computes common shared key @code{K = H(DH(SDHPriv, CDHPub))}.
+@item Generates 64-bit random number @code{RS}.
+@item Generates 256-bit pre-master secret @code{SS}.
+@end itemize
+
 @item
-@verb{|enc(K, R+1, RS + RC + SC) + IDtag -> Server|} [56 bytes]
+@verb{|enc(H(DSAPub), R+1, SDHPub) + enc(K, R, RS + SS) + IDtag -> Client|} [80 bytes]
+
 @item
-server decrypt @code{RS}, @code{RC}, @code{SC} with key @code{K},
-compares @code{RS} with it's own one send before, computes final main
-encryption key @code{S = SS XOR SC}
+@itemize @bullet
+@item Client decrypts @code{SDHPub}.
+@item Computes @code{K}.
+@item Decrypts @code{RS} and @code{SS}.
+@item Remembers @code{SS}.
+@item Generates 64-bit random number @code{RC}.
+@item Generates 256-bit pre-master secret @code{SC}.
+@item Signs with @code{DSAPriv} key @code{K}.
+@end itemize
+
 @item
-@verb{|ENC(K, 0, RC) + IDtag -> Client|} [16 bytes]
+@verb{|enc(K, R+1, RS + RC + SC + Sign(DSAPriv, K)) + IDtag -> Server|} [120 bytes]
+
+@item
+@itemize @bullet
+ @item Server decrypts @code{RS}, @code{RC}, @code{SC},
+ @code{Sign(DSAPriv, K)}.
+
+ @item Compares @code{RS} with it's own one sent before. Server
+ decrypts @code{RS}, @code{RC}, @code{SC} with key @code{K}, compares
+ @code{RS} with it's own one sent before.
+
+ @item Verifies @code{K} signature with verifier @code{DSAPub}.
+
+ @item Computes final session encryption key:
+ @code{MasterKey=SS XOR SC}.
+@end itemize
+
 @item
-server switches to the new client
+@verb{|ENC(K, R+2, RC) + IDtag -> Client|} [16 bytes]
+
 @item
-client decrypts @code{RC} and compares with it's own generated one,
-computes final main encryption key @code{S}
+@itemize @bullet
+@item Client decrypts @code{RC}
+@item Compares with it's own one sent before.
+@item Computes final session encryption key as server did.
+@end itemize
+
 @end enumerate
-Where PSK is 256bit pre-shared key. @code{R*} are required for handshake
-randomization and two-way authentication. K key is used only during
-handshake. DH public keys can be trivially derived from private ones.
+@code{MasterKey} is high entropy 256-bit key. @code{K} DH-derived one
+has 128-bit security margin and that is why are not in use except in
+handshake process. @code{R*} are required for handshake randomization
+and two-way authentication.