It uses fast strong passphrase authenticated key agreement protocol with
augmented zero-knowledge mutual peers authentication (PAKE DH A-EKE).
Encrypted, authenticated data transport that hides message's length and
-timestamps. Perfect forward secrecy property. Resistance to: offline
-dictionary attacks, replay attacks, client's passphrases compromising
-and dictionary attacks on the server side. Built-in heartbeating,
-rehandshaking, real-time statistics. Ability to work through UDP, TCP
-and HTTP proxies. IPv4/IPv6-compatibility. GNU/Linux and FreeBSD support.
+timestamps. Optional encryptionless mode, that still preserves data
+confidentiality. Perfect forward secrecy property. Resistance to:
+offline dictionary attacks, replay attacks, client's passphrases
+compromising and dictionary attacks on the server side. Built-in
+heartbeating, rehandshaking, real-time statistics. Ability to work
+through UDP, TCP and HTTP proxies. IPv4/IPv6-compatibility.
+GNU/Linux and FreeBSD support.
GoVPN is free software: see the file COPYING for copying conditions.
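Review bot: the new README sentence "Optional encryptionless mode, that still preserves data confidentiality." has a stray comma before "that" and undersells the mode compared with the Russian announcement text in this same patch, which says it preserves confidentiality and authenticity; suggest "Optional encryptionless mode that still preserves data confidentiality and authenticity." and keep the two languages in sync, since Chaffing-and-Winnowing is built from Poly1305 and authenticity is the property it rests on.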
передачи данных с 128-бит @ref{Developer, порогом безопасности} и
современной криптографией.
@item
+Опциональный @ref{Encless, нешифрованный режим}: функции шифрования не
+применяются для исходящего трафика, вместо них кодирование всё-равно
+обеспечивающее конфиденциальность. Юрисдикции и суды не смогут вас
+вынудить выдать ключи шифрования или привлечь за использование
+шифрования.
+@item
Цензуроустойчивые сообщения транспорта и рукопожатия: неотличимые от
шума с опциональным скрытием размеров сообщений.
@item
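Review bot: "всё-равно" in the Russian feature item should be two words, "всё равно" (no hyphen); the same spelling appears in the Russian FAQ and announcement hunks of this patch. Also, this Russian text says courts "не смогут вас вынудить выдать ключи шифрования" (will not be able to force you), while the English item for the same feature below says they "can force you"; the two translations assert opposite things and one of them needs correcting.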
with 128-bit @ref{Developer, security margin} state-of-the-art
cryptography.
@item
+Optional @ref{Encless, encryptionless mode} of operation: no encryption
+functions are applied for outgoing traffic, but still confidentiality
+preserving encoding. Jurisdictions and courts can force you to reveal
+encryption keys or sue for encryption usage.
+@item
Censorship resistant handshake and transport messages: fully
indistinguishable from the noise with optionally hidden packets lengths.
@item
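Review bot: "Jurisdictions and courts can force you to reveal encryption keys or sue for encryption usage." reads as a drawback and contradicts the Russian item ("не смогут"); it should state the benefit, e.g. "Jurisdictions and courts can not force you to reveal encryption keys, nor sue you for encryption usage, because none is used for the transport." Separately, "no encryption functions are applied for outgoing traffic" is too strong as written: the new encless node's @strong{Beware} paragraph says XTEA is still applied to serial numbers by default, and the protocol section still derives PRP_KEY from Salsa20 output; qualify the item to match (e.g. "no encryption is applied to the payload") or it will be quoted against the project.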
@item -cpr
Set @ref{CPR} in KiB/sec.
+@item -encless
+Enable @ref{Encless, encryptionless mode}.
+
@item -up
Optional path to script that will be executed after connection is
established. Interface name will be given to it as a first argument.
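Review bot: the one-line description "Enable @ref{Encless, encryptionless mode}." omits the constraints that matter to someone typing the flag: the FAQ hunk says the mode currently works only over TCP, the encless node says @ref{Noise, noise} is forcibly enabled, and the algorithms table says each packet grows by 4128 bytes; put at least the TCP-only restriction here, and state what the client does when -encless is combined with a non-TCP transport (reject at startup, or fail later at the handshake).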
@table @asis
@item Nonce and identity encryption
-@url{http://143.53.36.235:8080/tea.htm, XTEA}.
+ @url{http://143.53.36.235:8080/tea.htm, XTEA}.
@item Data encryption
-@url{http://cr.yp.to/snuffle.html, Salsa20}.
+ @url{http://cr.yp.to/snuffle.html, Salsa20}.
@item Message authentication
-@url{http://cr.yp.to/mac.html, Poly1305}.
+ @url{http://cr.yp.to/mac.html, Poly1305}.
@item Password authenticated key agreement
-DH-A-EKE powered by @url{http://cr.yp.to/ecdh.html, Curve25519}
-and @url{http://ed25519.cr.yp.to/, Ed25519}.
+ DH-A-EKE powered by @url{http://cr.yp.to/ecdh.html, Curve25519}
+ and @url{http://ed25519.cr.yp.to/, Ed25519}.
@item DH elliptic-curve point encoding for public keys
-@url{http://elligator.cr.yp.to/, Elligator}.
+ @url{http://elligator.cr.yp.to/, Elligator}.
@item Verifier password hashing algorithm
-@url{https://password-hashing.net/#argon2, Argon2d}.
+ @url{https://password-hashing.net/#argon2, Argon2d}.
+@item Encryptionless confidentiality preserving encoding
+ @url{http://people.csail.mit.edu/rivest/chaffing-980701.txt,
+ Chaffing-and-Winnowing} (two Poly1305 MACs for each bit of message)
+ over 128 bits of
+ @url{http://theory.lcs.mit.edu/~cis/pubs/rivest/fusion.ps,
+ All-Or-Nothing-Transformed} (based on
+ @url{http://cseweb.ucsd.edu/~mihir/papers/oaep.html, OAEP} using
+ @url{https://en.wikipedia.org/wiki/Key_derivation_function, HKDF}
+ with @url{https://blake2.net/, BLAKE2b-512} and BLAKE2b-256 based
+ @url{http://crypto.stanford.edu/~dabo/abstracts/saep.html, SAEP+}
+ checksums) data with 128-bits of feeded random.
@item Packet overhead
-25 bytes per packet.
+ 25 bytes per packet. Plus 4128 bytes and noise in encryptionless mode.
@item Handshake overhead
-4 UDP (2 from client, 2 from server) packets (round-trips for TCP),
-264 bytes total payload.
+ 4 UDP (2 from client, 2 from server) packets (round-trips for TCP).
+ 264 bytes total payload, 20680 in encryptionless mode.
@item Entropy required
-832 bits in average on client, 832 bits in average on server side per
-handshake.
+ 832 bits in average on client, 832 bits in average on server side
+ per handshake. 128 bits for each outgoing packet in encryptionless
+ mode.
@end table
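Review bot: the "Encryptionless confidentiality preserving encoding" entry is one sentence with four nested parentheses and the typo "feeded random" (should be "fed"); split it into the two components, the AONT (OAEP-style, HKDF with BLAKE2b-512, SAEP+ checksum with BLAKE2b-256) and the chaffing layer (two Poly1305 MACs per bit). It is also ambiguous whether chaffing covers only a 128-bit slice or the whole AONT output; the 4128-byte figure in "Packet overhead" matches 128 bits x 2 MACs x 16 bytes plus 32 bytes, so if only the 128-bit random block is chaffed, say so and say why the rest of the AONT output can travel unchaffed (the all-or-nothing property). "Entropy required: 128 bits for each outgoing packet" accounts for the AONT random only; state where the 128 chaff MACs come from (fresh random, or derived from a PRF and under which key), because chaff that is distinguishable from a real MAC leaks the bit. Finally, "20680 in encryptionless mode" for the handshake is given without derivation; it should follow from the number of enc() calls and the per-call AONT+chaffing size.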
@menu
--- /dev/null
+@node Encless
+@subsection Encryptionless mode
+
+Some jurisdictions can force user to reveal his encryption keys. However
+they can not ask for authentication (signing) keys. So you are safe to
+use authentication algorithms, but not the encryption ones. Moreover
+some countries forbids usage of encryption (but again not the
+authentication).
+
+GoVPN provides special encryptionless mode of operation. In this mode it
+replaces Salsa20 function used for confidentiality with rather
+well-known @url{http://people.csail.mit.edu/rivest/chaffing-980701.txt,
+Chaffing-and-Winnowing} (CnW) technology. This is rather traffic and
+resource hungry algorithm, so we use it after
+@url{http://theory.lcs.mit.edu/~cis/pubs/rivest/fusion.ps,
+All-Or-Nothing-Transformation} (based on
+@url{http://cseweb.ucsd.edu/~mihir/papers/oaep.html, Optimal Asymmetric
+Encryption Padding}) on the data. It is confidentiality preserving
+encoding.
+
+AONT is just a keyless encoding of the data. CnW uses only
+authentication function. Handshake additionally uses Diffie-Hellman and
+signature algorithms. No encryption and steganography involved.
+
+In this mode each outgoing packet became larger on 4128 bytes and
+@ref{Noise, noise} is forcefully enabled. So this is rather resource
+hungry mode!
+
+@strong{Beware}: by default packet serial numbers are still processed
+through the XTEA encryption. It is not required for confidentiality and
+security, but for randomizing some parts of the traffic to make it
+indistinguishable from the noise, for making it more DPI-proof. It
+safely can be disabled, turned off or maybe its keys even can be
+revealed without security and forward secrecy loss.
+
+See @code{src/govpn/chaffing} and @code{src/govpn/aont} packages for
+details of AONT and chaffing operations.
вид трафика от другого, то при цензуре ваше единственный вариант это
заблокировать все его виды.
+@item Когда я должен использовать @ref{Encless, нешифрованный режим}?
+Если вы работаете под юрисдикциями где суды могут привлечь вас к
+ответственности за использование шифрования или могут вынудить вас
+как-либо выдать ваши ключи шифрования (хотя сессионные ключи шифрования
+генерируются каждую сессию). В большинстве случаев, эти суды не могут
+требовать аутентификационные ключи или ключи для ЭЦП. @strong{Не
+позволяйте} названию режима вас смутить: он всё-равно обеспечивает
+конфиденциальность и аутентичность передаваемых данных! Но имейте в
+виду, что этот режим требователен к ресурсам и трафику и пока работает
+только в TCP режиме.
+
@item Когда я должен использовать @ref{Noise, noise} опцию?
В большинстве случаев она вам не нужна без включённого
@ref{CPR, постоянного по скорости трафика} (CPR). Без CPR и шума, в
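Review bot: "всё-равно" should be "всё равно", and "пока работает только в TCP режиме" is the only place in the Russian documentation where the TCP-only restriction is mentioned; it should also appear in the Encless node and the -encless option description rather than only in a FAQ answer. The parenthetical "(хотя сессионные ключи шифрования генерируются каждую сессию)" starts an argument it does not finish: say what an adversary who obtains a key learns in each mode, because in encryptionless mode the session key is exactly what is needed to winnow the chaff and read the traffic.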
one kind of traffic from another, then your only option is to forbid all
kinds of it.
+@item When should I use @ref{Encless, encryptionless mode}?
+If you are operating under jurisdiction where courts can either sue you
+for encryption usage or can force you to somehow reveal you encryption
+keys (however new session encryption keys are generated each session).
+Those courts can not demand for authentication and signing keys in most
+cases. @strong{Do not} let mode's name to confuse you: it still
+provides confidentiality and authenticity of transmitted data! But pay
+attention that this mode is traffic and resource hungry and currently
+operate only in TCP mode.
+
@item When should I use @ref{Noise, noise} option?
In most cases you won't need it without @ref{CPR, constant packer rate}
turned on. Without CPR and noise options GoVPN traffic (like TLS, IPsec,
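Review bot: the answer oversells the mode in one respect: Chaffing-and-Winnowing is winnowed with the Poly1305 key, so whoever holds the session KEY (or the per-packet MAC key) can discard the chaff and read the plaintext. Confidentiality in this mode therefore rests entirely on the premise that "courts can not demand for authentication and signing keys", and the FAQ should say that plainly instead of leaving "(however new session encryption keys are generated each session)" as an unfinished aside. Grammar: "reveal you encryption keys" (your), "Do not let mode's name to confuse you" (Do not let the mode's name confuse you), "this mode ... currently operate only in TCP mode" (operates), "can not demand for" (cannot demand).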
* Statistics: Stats.
* Noise::
* Constant Packet Rate: CPR.
+* Encryptionless mode: Encless.
* Verifier::
@end menu
@include stats.texi
@include noise.texi
@include cpr.texi
+@include encless.texi
@include verifier.texi
has 128-bit security margin and that is why are not in use except in
handshake process. @code{R*} are required for handshake randomization
and two-way authentication.
+
+In @ref{Encless, encryptionless mode} each @code{enc()} is replaced with
+AONT and chaffing function over the noised data.
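Review bot: "over the noised data" is undefined in this section; say whether handshake messages are padded with @ref{Noise, noise} before the AONT, to what size, and what one AONT+chaffing output costs per enc() call, so that the "20680 in encryptionless mode" handshake overhead in the algorithms table can be checked against the number of enc() calls shown here. If the R* randoms are still passed through enc(), that also needs saying, since the encless node claims the handshake uses only Diffie-Hellman and signatures beyond the encoding.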
(default: false)
"cpr": 64, <-- OPTIONAL constant packet
rate in KiB/sec
+ "encless": false, <-- OPTIONAL Encryptionless mode
"verifier": "$argon2d..." <-- verifier received from client
},
[...]
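Review bot: the new per-peer "encless": false knob should document that it has to agree with the client's -encless flag, and what the failure mode on mismatch is (a handshake that silently times out versus an explicit rejection in the log); an operator debugging a client that connects in one mode against a server configured for the other needs that sentence here, next to the option.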
established common key and zero nonce (message nonces start from 1).
@verbatim
-PRP_KEY = ENCRYPT(KEY, 0, 128-bit)
+PRP_KEY = 128bit(ENCRYPT(KEY, 0))
@end verbatim
@code{ENCRYPT} is Salsa20 stream cipher, with established session
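Review bot: the rewritten form "PRP_KEY = 128bit(ENCRYPT(KEY, 0))" introduces a truncation notation (128bit(...), and 256bit(...) for AUTH_KEY below) that is never defined; add one sentence here stating that NNNbit(x) is the first NNN bits of the keystream x. Note also that this derivation is still performed in encryptionless mode (NONCE = PRP(PRP_KEY, SERIAL) below), which is worth a cross-reference given that the encless node says no encryption functions are involved.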
Salsa20's output are used as a one-time key for @code{AUTH}.
@verbatim
-AUTH_KEY = ENCRYPT(KEY, NONCE, 256 bit)
+AUTH_KEY = 256bit(ENCRYPT(KEY, NONCE))
@end verbatim
To prevent replay attacks we must remember received @code{SERIAL}s and
drop when receiving duplicate ones.
+
+In @ref{Encless, encryptionless mode} this scheme is slightly different:
+
+@verbatim
+ PACKET = ENCODED || NONCE
+ENCODED = ENCLESS(DATA || PAD || ZEROS)
+ NONCE = PRP(PRP_KEY, SERIAL)
+@end verbatim
+
+@code{ENCLESS} is AONT and chaffing function. There is no need in
+explicit separate authentication.
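Review bot: the encryptionless packet scheme leaves the NONCE unauthenticated unless the Poly1305 keys used inside ENCLESS are bound to it: in the normal scheme AUTH_KEY = 256bit(ENCRYPT(KEY, NONCE)), but this section does not say which key the chaffing MACs use. If the MAC key is independent of NONCE, an attacker can re-label a captured ENCODED with another NONCE, which interferes with the SERIAL-based replay bookkeeping described just above; state the key derivation explicitly, and narrow "There is no need in explicit separate authentication" (should be "need for") to the bits inside ENCODED. PAD and ZEROS in "ENCLESS(DATA || PAD || ZEROS)" are also undefined: give their purpose and lengths (AONT block alignment? noise padding?), as PAD alone is what the normal scheme describes.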
It uses fast strong passphrase authenticated key agreement protocol with
augmented zero-knowledge mutual peers authentication (PAKE DH A-EKE).
Encrypted, authenticated data transport that hides message's length and
-timestamps. Perfect forward secrecy property. Resistance to: offline
-dictionary attacks, replay attacks, client's passphrases compromising
-and dictionary attacks on the server side. Built-in heartbeating,
-rehandshaking, real-time statistics. Ability to work through UDP, TCP
-and HTTP proxies. IPv4/IPv6-compatibility. GNU/Linux and FreeBSD support.
+timestamps. Optional encryptionless mode, that still preserves data
+confidentiality. Perfect forward secrecy property. Resistance to:
+offline dictionary attacks, replay attacks, client's passphrases
+compromising and dictionary attacks on the server side. Built-in
+heartbeating, rehandshaking, real-time statistics. Ability to work
+through UDP, TCP and HTTP proxies. IPv4/IPv6-compatibility.
+GNU/Linux and FreeBSD support.
----------------8<-----------------8<-----------------8<----------------
несбалансированный протокол согласования ключей с двусторонней
аутентификацией сторон (PAKE DH A-EKE). Зашифрованный, аутентифицируемый
транспортный протокол передачи данных, скрывающий длины сообщений и их
-временные характеристики. Свойство совершенной прямой секретности.
-Устойчивость к: внесетевым (offline) атакам по словарю, атакам
-повторного воспроизведения (replay), компрометации клиентских парольных
-фраз на стороне сервера. Встроенные функции сердцебиения (heartbeat),
-пересогласования ключей, статистика реального времени. Возможность
-работы поверх UDP, TCP и HTTP прокси. Совместимость с IPv4 и IPv6.
-Поддержка GNU/Linux и FreeBSD.
+временные характеристики. Опциональный нешифрованный режим, который
+всё-равно обеспечивает конфиденциальность и аутентичность данных.
+Свойство совершенной прямой секретности. Устойчивость к: внесетевым
+(offline) атакам по словарю, атакам повторного воспроизведения (replay),
+компрометации клиентских парольных фраз на стороне сервера. Встроенные
+функции сердцебиения (heartbeat), пересогласования ключей, статистика
+реального времени. Возможность работы поверх UDP, TCP и HTTP прокси.
+Совместимость с IPv4 и IPv6. Поддержка GNU/Linux и FreeBSD.
----------------8<-----------------8<-----------------8<----------------
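Review bot: the English announcement text says the mode "still preserves data confidentiality", while the Russian text directly below says "обеспечивает конфиденциальность и аутентичность данных" (confidentiality and authenticity); pick one wording for both languages and for the README copy of the same paragraph, preferably the stronger and accurate one, since the mode authenticates via Poly1305. Same comma issue as in the README ("encryptionless mode, that still") and "всё-равно" should be "всё равно".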