X-Git-Url: http://www.git.cypherpunks.ru/?p=govpn.git;a=blobdiff_plain;f=doc%2Ftransport.texi;h=e5f5abba9eba15dec245489f2aa53c807d007b5f;hp=f5ca87e1f0576df4af79d0df51595a16caf4c64f;hb=0bf04621961589bc735dc8bd8a075d7db24c4178;hpb=9addeabf74df4ef01e4a10c9f960b362172524e8

diff --git a/doc/transport.texi b/doc/transport.texi
index f5ca87e..e5f5abb 100644
--- a/doc/transport.texi
+++ b/doc/transport.texi
@@ -2,54 +2,35 @@
 @section Transport protocol
 
 @verbatim
-TAG || ENCRYPTED || NONCE --> PACKET
- ^         ^          ^
- |         |          |
- |         |          +-------------+
- |         |                        |
- |         +-------------+          |
- |                       |          |
- +--< AUTH(AUTH_KEY, ENCRYPTED || NONCE)
-                         ^          ^
-                         |          |
-+------------------------+          |
-|                                   |
-|                   +---------------+
-|                   |
-+--< ENCRYPT(KEY, NONCE, PAYLOAD)
-                    ^       ^
-                    |       |
-                    |       +--< DATA || PAD [|| ZEROS]
-                    |
-                    +--< PRP(PRP_KEY, SERIAL)
+     NONCE = 64bit(ZEROS) || 64bit(MAC(MAC_KEY, SERIAL))
+   PAYLOAD = DATA || PAD [|| ZEROS]
+CIPHERTEXT = ENCRYPT(KEY, NONCE, PAYLOAD)
+       TAG = AUTH(AUTH_KEY, CIPHERTEXT || NONCE)
+   MESSAGE = TAG || CIPHERTEXT || NONCE
 @end verbatim
 
 @code{SERIAL} is message's serial number. Odds are reserved for
-client(->server) messages, evens for server(->client) messages.
+client (to server) messages, evens for server (to client) messages.
 
-@code{PRP} is XTEA block cipher algorithm used here as PRP (pseudo
-random permutation function) to obfuscate @code{SERIAL}. Plaintext
-@code{SERIAL} state is kept in peers internal state, but encrypted
-before transmission.
-
-XTEA's encryption key is the first 128-bit of Salsa20's output with
-established common key and zero nonce (message nonces start from 1).
+@code{MAC} is BLAKE2b-MAC used to obfuscate @code{SERIAL}. MAC's key
+@code{MAC_KEY} is the first 256-bit of ChaCha20's output with established
+common key and zero nonce (message nonces start from 1).
 
 @verbatim
-PRP_KEY = 128bit(ENCRYPT(KEY, 0))
+MAC_KEY = 256bit(ENCRYPT(KEY, 0))
 @end verbatim
 
-@code{ENCRYPT} is Salsa20 stream cipher, with established session
+@code{ENCRYPT} is ChaCha20 stream cipher, with established session
 @code{KEY} and obfuscated @code{SERIAL} used as a nonce. 512 bit of
-Salsa20's output is ignored and only remaining is XORed with ther data,
+ChaCha20's output is ignored and only remaining is XORed with ther data,
 encrypting it.
 
-@code{DATA} is padded with @code{PAD} (0x80 byte). Optional @code{ZEROS}
-may follow, to fillup packet with the junk to conceal pyload packet
-length.
+@code{DATA} is padded using ISO/IEC 7816-4 format (@code{PAD} (0x80
+byte) with optional @code{ZEROS} following), to fill up packet to
+conceal payload packet length.
 
 @code{AUTH} is Poly1305 authentication function. First 256 bits of
-Salsa20's output are used as a one-time key for @code{AUTH}.
+ChaCha20's output are used as a one-time key for @code{AUTH}.
 
 @verbatim
 AUTH_KEY = 256bit(ENCRYPT(KEY, NONCE))
@@ -61,9 +42,9 @@ drop when receiving duplicate ones.
 In @ref{Encless, encryptionless mode} this scheme is slightly different:
 
 @verbatim
- PACKET = ENCODED || NONCE
+  NONCE = MAC(MAC_KEY, SERIAL)
 ENCODED = ENCLESS(DATA || PAD || ZEROS)
-  NONCE = PRP(PRP_KEY, SERIAL)
+ PACKET = ENCODED || NONCE
 @end verbatim
 
 @code{ENCLESS} is AONT and chaffing function. There is no need in