X-Git-Url: http://www.git.cypherpunks.ru/?p=govpn.git;a=blobdiff_plain;f=doc%2Ftransport.texi;h=e5f5abba9eba15dec245489f2aa53c807d007b5f;hp=a15ae90c0e084a800898f4d6379d9adce7aec29b;hb=0bf04621961589bc735dc8bd8a075d7db24c4178;hpb=cac5fb18c373e59885a67592e1c8d08e825e2896 diff --git a/doc/transport.texi b/doc/transport.texi index a15ae90..e5f5abb 100644 --- a/doc/transport.texi +++ b/doc/transport.texi @@ -2,45 +2,50 @@ @section Transport protocol @verbatim -[PktLen] + ENCn(SERIAL) + ENC(KEY, ENCn(SERIAL), DATA_SIZE+DATA+NOISE) + - AUTH(ENCn(SERIAL) + ENC(KEY, ENCn(SERIAL), DATA_SIZE+DATA+NOISE)) + NONCE = 64bit(ZEROS) || 64bit(MAC(MAC_KEY, SERIAL)) + PAYLOAD = DATA || PAD [|| ZEROS] +CIPHERTEXT = ENCRYPT(KEY, NONCE, PAYLOAD) + TAG = AUTH(AUTH_KEY, CIPHERTEXT || NONCE) + MESSAGE = TAG || CIPHERTEXT || NONCE @end verbatim -All transport and handshake messages are indistinguishable from -pseudo random noise, except when using TCP connections. - -@code{PktLen} is used only with TCP connections. It is big-endian -@emph{uint16} length of the whole packet (except @code{PktLen} itself). - @code{SERIAL} is message's serial number. Odds are reserved for -client(->server) messages, evens for server(->client) messages. +client (to server) messages, evens for server (to client) messages. -@code{ENCn} is XTEA block cipher algorithm used here as PRP (pseudo -random permutation function) to obfuscate @code{SERIAL}. Plaintext -@code{SERIAL} state is kept in peers internal state, but encrypted -before transmission. XTEA is compact and fast enough. Salsa20 is PRF -function and requires much more code to create PRP from it. +@code{MAC} is BLAKE2b-MAC used to obfuscate @code{SERIAL}. MAC's key +@code{MAC_KEY} is the first 256-bit of ChaCha20's output with established +common key and zero nonce (message nonces start from 1). -XTEA's encryption key is the first 128-bit of Salsa20's output with -established common key and zero nonce (message nonces start from 1). - -@code{ENC} is Salsa20 stream cipher, with established session @code{KEY} -and obfuscated @code{SERIAL} used as a nonce. First 256 bits of -Salsa20's output is used as Poly1305 authentication key, next 256 bits -are ignored. All remaining output is XORed with the data, encrypting it. +@verbatim +MAC_KEY = 256bit(ENCRYPT(KEY, 0)) +@end verbatim -@code{DATA_SIZE} is big-endian @emph{uint16} storing length of the -@code{DATA}. +@code{ENCRYPT} is ChaCha20 stream cipher, with established session +@code{KEY} and obfuscated @code{SERIAL} used as a nonce. 512 bit of +ChaCha20's output is ignored and only remaining is XORed with ther data, +encrypting it. -@code{NOISE} is optional. It is just some junk data, intended to fill up -packet to MTU size. This is useful for concealing payload packets length. +@code{DATA} is padded using ISO/IEC 7816-4 format (@code{PAD} (0x80 +byte) with optional @code{ZEROS} following), to fill up packet to +conceal payload packet length. @code{AUTH} is Poly1305 authentication function. First 256 bits of -Salsa20 output are used as a one-time key for @code{AUTH}. +ChaCha20's output are used as a one-time key for @code{AUTH}. + +@verbatim +AUTH_KEY = 256bit(ENCRYPT(KEY, NONCE)) +@end verbatim To prevent replay attacks we must remember received @code{SERIAL}s and -if meet one, then drop it. Basically we could just store latest number -and check if received one is greater, but because of UDP packets -reordering this can lead to valid packets dropping and overall -performance degradation. We store up to 256 seen nonces in hash -structure, in two swapping buckets. +drop when receiving duplicate ones. + +In @ref{Encless, encryptionless mode} this scheme is slightly different: + +@verbatim + NONCE = MAC(MAC_KEY, SERIAL) +ENCODED = ENCLESS(DATA || PAD || ZEROS) + PACKET = ENCODED || NONCE +@end verbatim + +@code{ENCLESS} is AONT and chaffing function. There is no need in +explicit separate authentication.