X-Git-Url: http://www.git.cypherpunks.ru/?a=blobdiff_plain;f=doc%2Fhandshake.texi;h=75a65085f712082136675d6b34dc54860db1cd54;hb=0e482169576b59168f44e509863e6b6acbca6f6d;hp=0b7f4bd840dea447bbaaab0d5e895c26f59165b9;hpb=7917cab90f07d111c20c754f5085fc86c9ab45a2;p=govpn.git diff --git a/doc/handshake.texi b/doc/handshake.texi index 0b7f4bd..75a6508 100644 --- a/doc/handshake.texi +++ b/doc/handshake.texi @@ -1,29 +1,31 @@ -@node Handshake protocol +@node Handshake @section Handshake protocol @verbatiminclude handshake.utxt -Each handshake message ends with so called @code{IDtag}: it is an XTEA -encrypted first 64 bits of each message with client's @ref{Identity} as -a key. It is used to transmit identity and to mark packet as handshake -message. Server can determine used identity by trying all possible known -to him keys. It consumes resources, but XTEA is rather fast algorithm -and handshake messages checking is seldom enough event. +Each handshake message ends with so called @code{IDtag}: it is +BLAKE2b-MAC of the first 64 bits of the handshake message, with client's +@ref{Identity} used as a key. It is used to transmit identity and to +mark packet as handshake message. + +If @ref{Noise, noise} is enabled, then data is padded to fill up packet +to MTU's size. @strong{Preparation stage}: @enumerate @item Client knows only his identity and passphrase written somewhere in the -human. Server knows his identity and +human readable form. Server knows his identity and @ref{Verifier structure, verifier}: @code{DSAPub}. @item Client computes verifier which produces @code{DSAPriv} and -@code{DSAPub}. @code{H()} is @emph{HSalsa20} hash function. +@code{DSAPub}. @code{H()} is @emph{BLAKE2b-256} hash function. @item Client generates DH keypair: @code{CDHPub} and @code{CDHPriv}. Also it generates random 64-bit @code{R} that is used as a nonce for -symmetric encryption. @code{El()} is Elligator point encoding algorithm. +symmetric encryption. @code{El()} is Elligator point encoding (and vice +versa) algorithm. @end enumerate @strong{Interaction stage}: @@ -33,7 +35,7 @@ symmetric encryption. @code{El()} is Elligator point encoding algorithm. @verb{|R + enc(H(DSAPub), R, El(CDHPub)) + IDtag -> Server|} [48 bytes] @item -@itemize @bullet +@itemize @item Server remembers client address. @item Decrypts @code{El(CDHPub)}. @item Inverts @code{El()} encoding and gets @code{CDHPub}. @@ -47,7 +49,7 @@ symmetric encryption. @code{El()} is Elligator point encoding algorithm. @verb{|enc(H(DSAPub), R+1, El(SDHPub)) + enc(K, R, RS + SS) + IDtag -> Client|} [80 bytes] @item -@itemize @bullet +@itemize @item Client decrypts @code{El(SDHPub)}. @item Inverts @code{El()} encoding and gets @code{SDHPub}. @item Computes @code{K}. @@ -62,7 +64,7 @@ symmetric encryption. @code{El()} is Elligator point encoding algorithm. @verb{|enc(K, R+1, RS + RC + SC + Sign(DSAPriv, K)) + IDtag -> Server|} [120 bytes] @item -@itemize @bullet +@itemize @item Server decrypts @code{RS}, @code{RC}, @code{SC}, @code{Sign(DSAPriv, K)}. @@ -80,7 +82,7 @@ symmetric encryption. @code{El()} is Elligator point encoding algorithm. @verb{|ENC(K, R+2, RC) + IDtag -> Client|} [16 bytes] @item -@itemize @bullet +@itemize @item Client decrypts @code{RC} @item Compares with its own one sent before. @item Computes final session encryption key as server did. @@ -92,3 +94,6 @@ symmetric encryption. @code{El()} is Elligator point encoding algorithm. has 128-bit security margin and that is why are not in use except in handshake process. @code{R*} are required for handshake randomization and two-way authentication. + +In @ref{Encless, encryptionless mode} each @code{enc()} is replaced with +AONT and chaffing function over the noised data.