X-Git-Url: http://www.git.cypherpunks.ru/?p=govpn.git;a=blobdiff_plain;f=doc%2Ftransport.texi;h=e5f5abba9eba15dec245489f2aa53c807d007b5f;hp=d0cb75642564dbee51a693c1943fd9bbe9657840;hb=0bf04621961589bc735dc8bd8a075d7db24c4178;hpb=1bca6f147bf4f16cbea245e1eaac5dc74526a7b4 diff --git a/doc/transport.texi b/doc/transport.texi index d0cb756..e5f5abb 100644 --- a/doc/transport.texi +++ b/doc/transport.texi @@ -1,41 +1,51 @@ -@node Transport protocol +@node Transport @section Transport protocol @verbatim -ENCn(SERIAL) + ENC(KEY, ENCn(SERIAL), DATA) + - AUTH(ENCn(SERIAL) + ENC(KEY, ENCn(SERIAL), DATA)) + NONCE = 64bit(ZEROS) || 64bit(MAC(MAC_KEY, SERIAL)) + PAYLOAD = DATA || PAD [|| ZEROS] +CIPHERTEXT = ENCRYPT(KEY, NONCE, PAYLOAD) + TAG = AUTH(AUTH_KEY, CIPHERTEXT || NONCE) + MESSAGE = TAG || CIPHERTEXT || NONCE @end verbatim -All transport and handshake messages are indistinguishable from -pseudo random noise. - @code{SERIAL} is message's serial number. Odds are reserved for -client(→server) messages, evens for server(→client) messages. - -@code{ENCn} is XTEA block cipher algorithm used here as PRP (pseudo -random permutation) to randomize, obfuscate @code{SERIAL}. Plaintext -@code{SERIAL} state is kept in peers internal state, but encrypted -before transmission. XTEA is compact and fast enough. Salsa20 is PRF -function and requires much more code to create PRP from it. XTEA's -encryption key is the first 128-bit of Salsa20's output with established +client (to server) messages, evens for server (to client) messages. + +@code{MAC} is BLAKE2b-MAC used to obfuscate @code{SERIAL}. MAC's key +@code{MAC_KEY} is the first 256-bit of ChaCha20's output with established common key and zero nonce (message nonces start from 1). -Encrypted @code{SERIAL} is used as a nonce for @code{DATA} encryption: -encryption key is different during each handshake, so (key, nonce) pair -is always used only once. @code{ENC} is Salsa20 cipher, with established -session @code{KEY} and encrypted @code{SERIAL} used as a nonce. +@verbatim +MAC_KEY = 256bit(ENCRYPT(KEY, 0)) +@end verbatim + +@code{ENCRYPT} is ChaCha20 stream cipher, with established session +@code{KEY} and obfuscated @code{SERIAL} used as a nonce. 512 bit of +ChaCha20's output is ignored and only remaining is XORed with ther data, +encrypting it. + +@code{DATA} is padded using ISO/IEC 7816-4 format (@code{PAD} (0x80 +byte) with optional @code{ZEROS} following), to fill up packet to +conceal payload packet length. @code{AUTH} is Poly1305 authentication function. First 256 bits of -Salsa20 output are used as a one-time key for @code{AUTH}. Next 256 bits -of Salsa20 are ignored. All remaining output is XORed with the data, -encrypting it. +ChaCha20's output are used as a one-time key for @code{AUTH}. + +@verbatim +AUTH_KEY = 256bit(ENCRYPT(KEY, NONCE)) +@end verbatim + +To prevent replay attacks we must remember received @code{SERIAL}s and +drop when receiving duplicate ones. + +In @ref{Encless, encryptionless mode} this scheme is slightly different: + +@verbatim + NONCE = MAC(MAC_KEY, SERIAL) +ENCODED = ENCLESS(DATA || PAD || ZEROS) + PACKET = ENCODED || NONCE +@end verbatim -To prevent replay attacks we remember latest @code{SERIAL} from the -remote peer. If received message's @code{SERIAL} is not greater that the -saved one, then drop it. Optionally, because some UDP packets can be -reordered during transmission, we can allow some window for valid -serials with the @code{-noncediff} option. @code{-noncediff 10} with -current saved serial state equals to 78 allows messages with 68…78 -serials. That time window can be used by attacker to replay packets, so -by default it equals to 1. However it can improve performance because of -rearranged UDP packets. +@code{ENCLESS} is AONT and chaffing function. There is no need in +explicit separate authentication.