1 @node Transport protocol
2 @section Transport protocol
5 ENCn(SERIAL) + ENC(KEY, ENCn(SERIAL), DATA_SIZE+DATA+NOISE) +
6 AUTH(ENCn(SERIAL) + ENC(KEY, ENCn(SERIAL), DATA_SIZE+DATA+NOISE))
9 All transport and handshake messages are indistinguishable from
12 @code{SERIAL} is message's serial number. Odds are reserved for
13 client(→server) messages, evens for server(→client) messages.
15 @code{ENCn} is XTEA block cipher algorithm used here as PRP (pseudo
16 random permutation) to randomize, obfuscate @code{SERIAL}. Plaintext
17 @code{SERIAL} state is kept in peers internal state, but encrypted
18 before transmission. XTEA is compact and fast enough. Salsa20 is PRF
19 function and requires much more code to create PRP from it. XTEA's
20 encryption key is the first 128-bit of Salsa20's output with established
21 common key and zero nonce (message nonces start from 1).
23 Encrypted @code{SERIAL} is used as a nonce for @code{DATA} encryption:
24 encryption key is different during each handshake, so (key, nonce) pair
25 is always used only once. @code{ENC} is Salsa20 cipher, with established
26 session @code{KEY} and encrypted @code{SERIAL} used as a nonce.
27 @code{DATA_SIZE} is @emph{uint16} storing length of the @code{DATA}.
29 @code{NOISE} is optional. It is just some junk data, intended to fill up
30 packet to MTU size. This is useful for concealing payload packets length.
32 @code{AUTH} is Poly1305 authentication function. First 256 bits of
33 Salsa20 output are used as a one-time key for @code{AUTH}. Next 256 bits
34 of Salsa20 are ignored. All remaining output is XORed with the data,
37 To prevent replay attacks we must remember received @code{SERIAL}s and
38 if meet one, then drop it. Basically we could just store latest number
39 and check if received one is greater, but because of UDP packets
40 reordering this can lead to valid packets dropping and overall
41 performance degradation. We store up to 256 seen nonces in hash
42 structure, in two swapping buckets.