X-Git-Url: http://www.git.cypherpunks.ru/?p=govpn.git;a=blobdiff_plain;f=doc%2Ftransport.texi;h=e5f5abba9eba15dec245489f2aa53c807d007b5f;hp=cdbe7aecfa47365502a5ffdd0dc811d1c262d90b;hb=0bf04621961589bc735dc8bd8a075d7db24c4178;hpb=f9b0c70547abc7275dadb649f35ab3d0964bb575 diff --git a/doc/transport.texi b/doc/transport.texi index cdbe7ae..e5f5abb 100644 --- a/doc/transport.texi +++ b/doc/transport.texi @@ -1,42 +1,51 @@ -@node Transport protocol +@node Transport @section Transport protocol @verbatim -ENCn(SERIAL) + ENC(KEY, ENCn(SERIAL), DATA_SIZE+DATA+NOISE) + - AUTH(ENCn(SERIAL) + ENC(KEY, ENCn(SERIAL), DATA_SIZE+DATA+NOISE)) + NONCE = 64bit(ZEROS) || 64bit(MAC(MAC_KEY, SERIAL)) + PAYLOAD = DATA || PAD [|| ZEROS] +CIPHERTEXT = ENCRYPT(KEY, NONCE, PAYLOAD) + TAG = AUTH(AUTH_KEY, CIPHERTEXT || NONCE) + MESSAGE = TAG || CIPHERTEXT || NONCE @end verbatim -All transport and handshake messages are indistinguishable from -pseudo random noise. - @code{SERIAL} is message's serial number. Odds are reserved for -client(→server) messages, evens for server(→client) messages. - -@code{ENCn} is XTEA block cipher algorithm used here as PRP (pseudo -random permutation) to randomize, obfuscate @code{SERIAL}. Plaintext -@code{SERIAL} state is kept in peers internal state, but encrypted -before transmission. XTEA is compact and fast enough. Salsa20 is PRF -function and requires much more code to create PRP from it. XTEA's -encryption key is the first 128-bit of Salsa20's output with established +client (to server) messages, evens for server (to client) messages. + +@code{MAC} is BLAKE2b-MAC used to obfuscate @code{SERIAL}. MAC's key +@code{MAC_KEY} is the first 256-bit of ChaCha20's output with established common key and zero nonce (message nonces start from 1). -Encrypted @code{SERIAL} is used as a nonce for @code{DATA} encryption: -encryption key is different during each handshake, so (key, nonce) pair -is always used only once. @code{ENC} is Salsa20 cipher, with established -session @code{KEY} and encrypted @code{SERIAL} used as a nonce. -@code{DATA_SIZE} is @emph{uint16} storing length of the @code{DATA}. +@verbatim +MAC_KEY = 256bit(ENCRYPT(KEY, 0)) +@end verbatim + +@code{ENCRYPT} is ChaCha20 stream cipher, with established session +@code{KEY} and obfuscated @code{SERIAL} used as a nonce. 512 bit of +ChaCha20's output is ignored and only remaining is XORed with ther data, +encrypting it. -@code{NOISE} is optional. It is just some junk data, intended to fill up -packet to MTU size. This is useful for concealing payload packets length. +@code{DATA} is padded using ISO/IEC 7816-4 format (@code{PAD} (0x80 +byte) with optional @code{ZEROS} following), to fill up packet to +conceal payload packet length. @code{AUTH} is Poly1305 authentication function. First 256 bits of -Salsa20 output are used as a one-time key for @code{AUTH}. Next 256 bits -of Salsa20 are ignored. All remaining output is XORed with the data, -encrypting it. +ChaCha20's output are used as a one-time key for @code{AUTH}. + +@verbatim +AUTH_KEY = 256bit(ENCRYPT(KEY, NONCE)) +@end verbatim To prevent replay attacks we must remember received @code{SERIAL}s and -if meet one, then drop it. Basically we could just store latest number -and check if received one is greater, but because of UDP packets -reordering this can lead to valid packets dropping and overall -performance degradation. We store up to 256 seen nonces in hash -structure, in two swapping buckets. +drop when receiving duplicate ones. + +In @ref{Encless, encryptionless mode} this scheme is slightly different: + +@verbatim + NONCE = MAC(MAC_KEY, SERIAL) +ENCODED = ENCLESS(DATA || PAD || ZEROS) + PACKET = ENCODED || NONCE +@end verbatim + +@code{ENCLESS} is AONT and chaffing function. There is no need in +explicit separate authentication.