X-Git-Url: http://www.git.cypherpunks.ru/?p=govpn.git;a=blobdiff_plain;f=doc%2Ftransport.texi;h=e5f5abba9eba15dec245489f2aa53c807d007b5f;hp=97fdce8ba04e397dca7542d38a3d9214196166cb;hb=0bf04621961589bc735dc8bd8a075d7db24c4178;hpb=87f01e08c6135b3e2b092903d56d7c49b3f126a5 diff --git a/doc/transport.texi b/doc/transport.texi index 97fdce8..e5f5abb 100644 --- a/doc/transport.texi +++ b/doc/transport.texi @@ -2,60 +2,50 @@ @section Transport protocol @verbatim -TAG || ENCRYPTED || NONCE <-- PACKET - ^ ^ ^ - | | | - | | +------------+ - | | | - | +------------+ | - | | | - +-->AUTH(AUTH_KEY, ENCRYPTED || NONCE) - ^ ^ - | | -+-----------------------+ | -| | -| +--------------+ -| | -+--> ENCRYPT(KEY, NONCE, PAYLOAD) - ^ ^ - | | - | +--> SIZE || DATA [|| NOISE] - | - +--> PRP(PRP_KEY, SERIAL) + NONCE = 64bit(ZEROS) || 64bit(MAC(MAC_KEY, SERIAL)) + PAYLOAD = DATA || PAD [|| ZEROS] +CIPHERTEXT = ENCRYPT(KEY, NONCE, PAYLOAD) + TAG = AUTH(AUTH_KEY, CIPHERTEXT || NONCE) + MESSAGE = TAG || CIPHERTEXT || NONCE @end verbatim @code{SERIAL} is message's serial number. Odds are reserved for -client(->server) messages, evens for server(->client) messages. +client (to server) messages, evens for server (to client) messages. -@code{PRP} is XTEA block cipher algorithm used here as PRP (pseudo -random permutation function) to obfuscate @code{SERIAL}. Plaintext -@code{SERIAL} state is kept in peers internal state, but encrypted -before transmission. - -XTEA's encryption key is the first 128-bit of Salsa20's output with -established common key and zero nonce (message nonces start from 1). +@code{MAC} is BLAKE2b-MAC used to obfuscate @code{SERIAL}. MAC's key +@code{MAC_KEY} is the first 256-bit of ChaCha20's output with established +common key and zero nonce (message nonces start from 1). @verbatim -PRP_KEY = ENCRYPT(KEY, 0, 128-bit) +MAC_KEY = 256bit(ENCRYPT(KEY, 0)) @end verbatim -@code{ENCRYPT} is Salsa20 stream cipher, with established session +@code{ENCRYPT} is ChaCha20 stream cipher, with established session @code{KEY} and obfuscated @code{SERIAL} used as a nonce. 512 bit of -Salsa20's output is ignored and only remaining is XORed with ther data, +ChaCha20's output is ignored and only remaining is XORed with ther data, encrypting it. -@code{SIZE} is big-endian @emph{uint16} storing length of the -@code{DATA}. - -@code{NOISE} is optional. It is just some junk data, intended to fill up -packet to MTU size. This is useful for concealing payload packets length. +@code{DATA} is padded using ISO/IEC 7816-4 format (@code{PAD} (0x80 +byte) with optional @code{ZEROS} following), to fill up packet to +conceal payload packet length. @code{AUTH} is Poly1305 authentication function. First 256 bits of -Salsa20's output are used as a one-time key for @code{AUTH}. +ChaCha20's output are used as a one-time key for @code{AUTH}. @verbatim -AUTH_KEY = ENCRYPT(KEY, NONCE, 256 bit) +AUTH_KEY = 256bit(ENCRYPT(KEY, NONCE)) @end verbatim To prevent replay attacks we must remember received @code{SERIAL}s and drop when receiving duplicate ones. + +In @ref{Encless, encryptionless mode} this scheme is slightly different: + +@verbatim + NONCE = MAC(MAC_KEY, SERIAL) +ENCODED = ENCLESS(DATA || PAD || ZEROS) + PACKET = ENCODED || NONCE +@end verbatim + +@code{ENCLESS} is AONT and chaffing function. There is no need in +explicit separate authentication.