@cindex Handshake protocol
@cindex Perfect Forward Secrecy
@section Handshake protocol

@verbatiminclude handshake.utxt
Each handshake message ends with a so-called @code{IDtag}: it is the XTEA
encryption of the first 64 bits of the message, using the client's @ref{Identity} as
the key. It is used to transmit the identity and to mark the packet as handshake
If @ref{Noise, noise} is enabled, then data is padded to fill up the packet
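The @code{IDtag} mechanism described above, written out as an added example (not GoVPN's own code): the sender XTEA-encrypts the first 64 bits of the message under the 128-bit identity and appends the result; the receiver, which knows a set of identities but gets none of them in the clear, recomputes the tag under each one and accepts the packet as a handshake message for the first peer whose tag matches. XTEA is hand-written below so nothing outside the Go standard library is needed; the function names (@code{IDtag}, @code{IdentifyHandshake}, @code{BuildHandshakePacket}) and the assumption that the identity is used directly as the XTEA key with no further derivation are mine.

```go
package main

import (
	"crypto/subtle"
	"encoding/binary"
	"errors"
)

// xteaEncrypt is the standard 32-round XTEA block cipher, written out here so the
// example needs nothing outside the standard library. Key and block are taken as
// big-endian 32-bit words.
func xteaEncrypt(key [4]uint32, v0, v1 uint32) (uint32, uint32) {
	const delta uint32 = 0x9E3779B9
	var sum uint32
	for i := 0; i < 32; i++ {
		v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum&3])
		sum += delta
		v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum>>11)&3])
	}
	return v0, v1
}

// keyWords turns a 128-bit identity into the four XTEA key words.
func keyWords(identity []byte) [4]uint32 {
	var k [4]uint32
	for i := range k {
		k[i] = binary.BigEndian.Uint32(identity[4*i:])
	}
	return k
}

// IDtag computes the tag appended to a handshake message: XTEA of the message's
// first 64 bits under the peer's 128-bit identity (assumption: the identity is
// the key as-is, with no padding, chaining or derivation step).
func IDtag(identity, msg []byte) ([]byte, error) {
	if len(identity) != 16 || len(msg) < 8 {
		return nil, errors.New("identity must be 16 bytes and message at least 8")
	}
	a, b := xteaEncrypt(keyWords(identity),
		binary.BigEndian.Uint32(msg[:4]), binary.BigEndian.Uint32(msg[4:8]))
	tag := make([]byte, 8)
	binary.BigEndian.PutUint32(tag, a)
	binary.BigEndian.PutUint32(tag[4:], b)
	return tag, nil
}

// BuildHandshakePacket appends the IDtag to a message body, as every handshake
// message in the protocol does.
func BuildHandshakePacket(identity, body []byte) ([]byte, error) {
	tag, err := IDtag(identity, body)
	if err != nil {
		return nil, err
	}
	return append(append([]byte{}, body...), tag...), nil
}

// IdentifyHandshake is the receiving side: the packet carries no identity in the
// clear, so the server recomputes the tag under every identity it knows and returns
// the index of the one that matches, or -1 when the packet is not a handshake
// message for any known peer (for example an ordinary data packet or a corrupted
// tag). Only the encrypt direction of XTEA is needed for this check.
func IdentifyHandshake(identities [][]byte, pkt []byte) int {
	if len(pkt) < 16 {
		return -1
	}
	body, tag := pkt[:len(pkt)-8], pkt[len(pkt)-8:]
	for i, id := range identities {
		want, err := IDtag(id, body)
		if err == nil && subtle.ConstantTimeCompare(want, tag) == 1 {
			return i
		}
	}
	return -1
}
```

Since the first 64 bits of the client's opening message are the random @code{R}, the tag changes with every handshake even though the key (the identity) is fixed; a packet whose tag matches no known identity is simply not a handshake for this server and can be dropped without further processing.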
@strong{Preparation stage}:

The client knows only its identity and the passphrase, written somewhere in
human-readable form. The server knows the client's identity and its
@ref{Verifier structure, verifier}: @code{DSAPub}.

The client computes the verifier, which yields @code{DSAPriv} and
@code{DSAPub}. @code{H()} is the @emph{BLAKE2b-256} hash function.

The client generates a DH keypair: @code{CDHPub} and @code{CDHPriv}.
It also generates a random 64-bit @code{R} that is used as the nonce for
symmetric encryption. @code{El()} is Elligator point encoding (and vice
@strong{Interaction stage}:

@verb{|R + enc(H(DSAPub), R, El(CDHPub)) + IDtag -> Server|} [48 bytes]
@item Server remembers the client's address.
@item Decrypts @code{El(CDHPub)}.
@item Inverts the @code{El()} encoding and gets @code{CDHPub}.
@item Generates DH keypair: @code{SDHPriv}/@code{SDHPub}.
@item Computes the common shared key @code{K = H(DH(SDHPriv, CDHPub))}.
@item Generates 64-bit random number @code{RS}.
@item Generates 256-bit pre-master secret @code{SS}.
@verb{|enc(H(DSAPub), R+1, El(SDHPub)) + enc(K, R, RS + SS) + IDtag -> Client|} [80 bytes]
@item Client decrypts @code{El(SDHPub)}.
@item Inverts the @code{El()} encoding and gets @code{SDHPub}.
@item Computes @code{K}.
@item Decrypts @code{RS} and @code{SS}.
@item Remembers @code{SS}.
@item Generates 64-bit random number @code{RC}.
@item Generates 256-bit pre-master secret @code{SC}.
@item Signs @code{K} with the @code{DSAPriv} key.
@verb{|enc(K, R+1, RS + RC + SC + Sign(DSAPriv, K)) + IDtag -> Server|} [120 bytes]
@item Server decrypts @code{RS}, @code{RC}, @code{SC} and
@code{Sign(DSAPriv, K)} with key @code{K}.
@item Compares @code{RS} with the one it sent before.
@item Verifies the signature over @code{K} with verifier @code{DSAPub}.
@item Computes the final session encryption key:
@code{MasterKey=SS XOR SC}.
@verb{|ENC(K, R+2, RC) + IDtag -> Client|} [16 bytes]
@item Client decrypts @code{RC}.
@item Compares it with the one it sent before.
@item Computes the final session encryption key as the server did.
@code{MasterKey} is a high-entropy 256-bit key. The DH-derived @code{K}
has only a 128-bit security margin, which is why it is not used outside
the handshake. The @code{R*} values are required for handshake randomization
and two-way authentication.
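The four-message exchange above, run end to end as an added example that is not GoVPN's own code. It uses only the Go standard library, so several pieces are stand-ins and are labelled as such in the code: SHA-256 in place of @emph{BLAKE2b-256} for @code{H()}, AES-256-CTR with @code{R} in the IV for @code{enc()} (the page does not name the cipher), X25519 for DH and Ed25519 for @code{DSAPriv}/@code{DSAPub}; Elligator encoding and the @code{IDtag} are left out. The function name @code{Handshake} and its @code{forge} switch (the client signs with a key the server has no verifier for) are mine. It returns both sides' @code{MasterKey} plus each message's length without its 8-byte @code{IDtag}; adding 8 to each gives the 48, 80, 120 and 16 bytes quoted above.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// H stands in for BLAKE2b-256 (assumption: SHA-256, same 256-bit output, stdlib only).
func H(b []byte) []byte { s := sha256.Sum256(b); return s[:] }

// enc models enc(key, nonce, data) with a 256-bit key and the 64-bit nonce R. The page
// does not name the cipher; AES-256-CTR with R in the IV is an assumption. CTR also decrypts.
func enc(key []byte, nonce uint64, data []byte) []byte {
	blk, _ := aes.NewCipher(key) // key is always 32 bytes here
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv, nonce)
	out := make([]byte, len(data))
	cipher.NewCTR(blk, iv).XORKeyStream(out, data)
	return out
}

func rnd(n int) []byte { b := make([]byte, n); rand.Read(b); return b } // crypto/rand.Read never errors (Go 1.24+)

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// Handshake runs all four messages in-process and returns the MasterKey each side derived
// plus each message's length without its 8-byte IDtag. With forge set, the client signs
// with a key the server holds no verifier for, and the server must reject message 3.
// Elligator and IDtag are left out; DSAPriv/DSAPub are modelled with Ed25519 (assumption).
func Handshake(forge bool) (clientMK, serverMK []byte, lens []int, err error) {
	dsaPub, dsaPriv, _ := ed25519.GenerateKey(rand.Reader)
	if forge {
		_, dsaPriv, _ = ed25519.GenerateKey(rand.Reader)
	}
	hPub := H(dsaPub) // H(DSAPub): the only key both sides share before DH completes
	curve := ecdh.X25519()
	// Client -> Server: R + enc(H(DSAPub), R, CDHPub)
	cdhPriv, _ := curve.GenerateKey(rand.Reader)
	R := binary.BigEndian.Uint64(rnd(8))
	msg1 := enc(hPub, R, cdhPriv.PublicKey().Bytes())
	lens = append(lens, 8+len(msg1))
	// Server: recover CDHPub, derive K = H(DH(SDHPriv, CDHPub)), pick RS and SS
	cdhPub, err := curve.NewPublicKey(enc(hPub, R, msg1))
	if err != nil {
		return nil, nil, nil, err
	}
	sdhPriv, _ := curve.GenerateKey(rand.Reader)
	sharedS, _ := sdhPriv.ECDH(cdhPub)
	Ks := H(sharedS)
	RS, SS := rnd(8), rnd(32)
	// Server -> Client: enc(H(DSAPub), R+1, SDHPub) + enc(K, R, RS + SS)
	msg2a := enc(hPub, R+1, sdhPriv.PublicKey().Bytes())
	msg2b := enc(Ks, R, bytes.Join([][]byte{RS, SS}, nil))
	lens = append(lens, len(msg2a)+len(msg2b))
	// Client: recover SDHPub, derive the same K, read RS and SS
	sdhPub, err := curve.NewPublicKey(enc(hPub, R+1, msg2a))
	if err != nil {
		return nil, nil, nil, err
	}
	sharedC, _ := cdhPriv.ECDH(sdhPub)
	Kc := H(sharedC)
	p := enc(Kc, R, msg2b)
	gotRS, gotSS := p[:8], p[8:]
	RC, SC := rnd(8), rnd(32)
	// Client -> Server: enc(K, R+1, RS + RC + SC + Sign(DSAPriv, K))
	msg3 := enc(Kc, R+1, bytes.Join([][]byte{gotRS, RC, SC, ed25519.Sign(dsaPriv, Kc)}, nil))
	lens = append(lens, len(msg3))
	// Server: RS must echo back and the signature over K must verify, then MasterKey
	q := enc(Ks, R+1, msg3)
	if !bytes.Equal(q[:8], RS) {
		return nil, nil, nil, errors.New("server: RS mismatch")
	}
	rc, sc, sig := q[8:16], q[16:48], q[48:]
	if !ed25519.Verify(dsaPub, Ks, sig) {
		return nil, nil, nil, errors.New("server: signature over K does not verify")
	}
	serverMK = xor(SS, sc)
	msg4 := enc(Ks, R+2, rc) // Server -> Client: enc(K, R+2, RC)
	lens = append(lens, len(msg4))
	// Client: RC must echo back, then MasterKey = SS XOR SC as the server did
	if !bytes.Equal(enc(Kc, R+2, msg4), RC) {
		return nil, nil, nil, errors.New("client: RC mismatch")
	}
	return xor(gotSS, SC), serverMK, lens, nil
}
```

Two properties of the design are visible in the code: @code{K} is used only to protect handshake payloads and to be signed, while the session key is @code{SS XOR SC}, so a party that merely sends a valid-looking message 2 or 3 without knowing the other side's pre-master secret cannot reach the same @code{MasterKey}; and the client is accepted only after its signature over @code{K} verifies against the verifier the server already holds, so a forged signer is rejected at message 3 before any session key is derived.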
In @ref{Encless, encryptionless mode} each @code{enc()} is replaced with
an AONT and chaffing function over the noised data.