X-Git-Url: http://www.git.cypherpunks.ru/?a=blobdiff_plain;f=doc%2Ftransport.texi;h=1518d6f95fa59d02324409e9818234416827e5c0;hb=4cc7cf27a64355bbe1f64418a55e860baeb63ac0;hp=b76286138f63af78bb9f43bc02ec5d774d1e5716;hpb=e7ba034dd3beb3f8f54c4d2e0f858eb23f58c147;p=govpn.git diff --git a/doc/transport.texi b/doc/transport.texi index b762861..1518d6f 100644 --- a/doc/transport.texi +++ b/doc/transport.texi @@ -1,45 +1,50 @@ -@node Transport protocol +@node Transport @section Transport protocol @verbatim -ENCn(SERIAL) + ENC(KEY, ENCn(SERIAL), DATA_SIZE+DATA+NOISE) + - AUTH(ENCn(SERIAL) + ENC(KEY, ENCn(SERIAL), DATA_SIZE+DATA+NOISE)) + NONCE = 64bit(MAC(MAC_KEY, SERIAL)) + PAYLOAD = DATA || PAD [|| ZEROS] +CIPHERTEXT = ENCRYPT(KEY, NONCE, PAYLOAD) + TAG = AUTH(AUTH_KEY, CIPHERTEXT || NONCE) + MESSAGE = TAG || CIPHERTEXT || NONCE @end verbatim -All transport and handshake messages are indistinguishable from -pseudo random noise. - @code{SERIAL} is message's serial number. Odds are reserved for -client(→server) messages, evens for server(→client) messages. - -@code{ENCn} is XTEA block cipher algorithm used here as PRP (pseudo -random permutation) to randomize, obfuscate @code{SERIAL}. Plaintext -@code{SERIAL} state is kept in peers internal state, but encrypted -before transmission. XTEA is compact and fast enough. Salsa20 is PRF -function and requires much more code to create PRP from it. XTEA's -encryption key is the first 128-bit of Salsa20's output with established +client (to server) messages, evens for server (to client) messages. + +@code{MAC} is BLAKE2b-MAC used to obfuscate @code{SERIAL}. MAC's key +@code{MAC_KEY} is the first 256-bit of Salsa20's output with established common key and zero nonce (message nonces start from 1). -Encrypted @code{SERIAL} is used as a nonce for @code{DATA} encryption: -encryption key is different during each handshake, so (key, nonce) pair -is always used only once. @code{ENC} is Salsa20 cipher, with established -session @code{KEY} and encrypted @code{SERIAL} used as a nonce. -@code{DATA_SIZE} is @emph{uint16} storing length of the @code{DATA}. +@verbatim +MAC_KEY = 256bit(ENCRYPT(KEY, 0)) +@end verbatim + +@code{ENCRYPT} is Salsa20 stream cipher, with established session +@code{KEY} and obfuscated @code{SERIAL} used as a nonce. 512 bit of +Salsa20's output is ignored and only remaining is XORed with ther data, +encrypting it. -@code{NOISE} is optional. It is just some junk data, intended to fill up -packet to MTU size. This is useful for concealing payload packets length. +@code{DATA} is padded with @code{PAD} (0x80 byte). Optional @code{ZEROS} +may follow, to fill up packet to conceal payload packet length. @code{AUTH} is Poly1305 authentication function. First 256 bits of -Salsa20 output are used as a one-time key for @code{AUTH}. Next 256 bits -of Salsa20 are ignored. All remaining output is XORed with the data, -encrypting it. +Salsa20's output are used as a one-time key for @code{AUTH}. + +@verbatim +AUTH_KEY = 256bit(ENCRYPT(KEY, NONCE)) +@end verbatim + +To prevent replay attacks we must remember received @code{SERIAL}s and +drop when receiving duplicate ones. + +In @ref{Encless, encryptionless mode} this scheme is slightly different: + +@verbatim + NONCE = MAC(MAC_KEY, SERIAL) +ENCODED = ENCLESS(DATA || PAD || ZEROS) + PACKET = ENCODED || NONCE +@end verbatim -To prevent replay attacks we remember latest @code{SERIAL} from the -remote peer. If received message's @code{SERIAL} is not greater that the -saved one, then drop it. Optionally, because some UDP packets can be -reordered during transmission, we can allow some window for valid -serials with the @code{-noncediff} option. @code{-noncediff 10} with -current saved serial state equals to 78 allows messages with 68…78 -serials. That time window can be used by attacker to replay packets, so -by default it equals to 1. However it can improve performance because of -rearranged UDP packets. +@code{ENCLESS} is AONT and chaffing function. There is no need in +explicit separate authentication.