[DOC] Encryptionless mode

Signed-off-by: Sergey Matveev <stargrave@stargrave.org>

diff --git a/README b/README
index f9274cb5d98a11ba8c46335c68ef5432e7785b01..b95b958ca48acb31fefb3d01a6983968dcc3a1a2 100644 (file)
--- a/README
+++ b/README
@@ -4,11 +4,13 @@ be reviewable, secure, DPI/censorship-resistant, written on Go.
 It uses fast strong passphrase authenticated key agreement protocol with
 augmented zero-knowledge mutual peers authentication (PAKE DH A-EKE).
 Encrypted, authenticated data transport that hides message's length and
 It uses fast strong passphrase authenticated key agreement protocol with
 augmented zero-knowledge mutual peers authentication (PAKE DH A-EKE).
 Encrypted, authenticated data transport that hides message's length and

-timestamps. Perfect forward secrecy property. Resistance to: offline
-dictionary attacks, replay attacks, client's passphrases compromising
-and dictionary attacks on the server side. Built-in heartbeating,
-rehandshaking, real-time statistics. Ability to work through UDP, TCP
-and HTTP proxies. IPv4/IPv6-compatibility. GNU/Linux and FreeBSD support.
+timestamps. Optional encryptionless mode, that still preserves data
+confidentiality. Perfect forward secrecy property. Resistance to:
+offline dictionary attacks, replay attacks, client's passphrases
+compromising and dictionary attacks on the server side. Built-in
+heartbeating, rehandshaking, real-time statistics. Ability to work
+through UDP, TCP and HTTP proxies. IPv4/IPv6-compatibility.
+GNU/Linux and FreeBSD support.

 
 GoVPN is free software: see the file COPYING for copying conditions.
 
 
 GoVPN is free software: see the file COPYING for copying conditions.
 

diff --git a/doc/about.ru.texi b/doc/about.ru.texi
index 31386a5f7d3ae84aace61737289fc20f49922200..e35c97c1861e20748f4d9c190b431b6aca5b4f91 100644 (file)
--- a/doc/about.ru.texi
+++ b/doc/about.ru.texi
@@ -24,6 +24,12 @@ A-EKE (Diffie-Hellman Augmented Encrypted Key Exchange)).
 передачи данных с 128-бит @ref{Developer, порогом безопасности} и
 современной криптографией.
 @item
 передачи данных с 128-бит @ref{Developer, порогом безопасности} и
 современной криптографией.
 @item

+Опциональный @ref{Encless, нешифрованный режим}: функции шифрования не
+применяются для исходящего трафика, вместо них кодирование всё-равно
+обеспечивающее конфиденциальность. Юрисдикции и суды не смогут вас
+вынудить выдать ключи шифрования или привлечь за использование
+шифрования.
+@item

 Цензуроустойчивые сообщения транспорта и рукопожатия: неотличимые от
 шума с опциональным скрытием размеров сообщений.
 @item
 Цензуроустойчивые сообщения транспорта и рукопожатия: неотличимые от
 шума с опциональным скрытием размеров сообщений.
 @item

diff --git a/doc/about.texi b/doc/about.texi
index 6e25072188f06c2bf3ff63f30c5eeeaa500c96ea..10a203a4906a3364b0fdce70f6608312fb250633 100644 (file)
--- a/doc/about.texi
+++ b/doc/about.texi
@@ -21,6 +21,11 @@ Encrypted and authenticated @ref{Transport, payload transport}
 with 128-bit @ref{Developer, security margin} state-of-the-art
 cryptography.
 @item
 with 128-bit @ref{Developer, security margin} state-of-the-art
 cryptography.
 @item

+Optional @ref{Encless, encryptionless mode} of operation: no encryption
+functions are applied for outgoing traffic, but still confidentiality
+preserving encoding. Jurisdictions and courts can force you to reveal
+encryption keys or sue for encryption usage.
+@item

 Censorship resistant handshake and transport messages: fully
 indistinguishable from the noise with optionally hidden packets lengths.
 @item
 Censorship resistant handshake and transport messages: fully
 indistinguishable from the noise with optionally hidden packets lengths.
 @item

diff --git a/doc/client.texi b/doc/client.texi
index 81878d57d2b08ec13a7cdaf0a6fea55000a7397e..88e338e3090de2c05cf0c89241e4294712101e21 100644 (file)
--- a/doc/client.texi
+++ b/doc/client.texi
@@ -43,6 +43,9 @@ Enable @ref{Noise}.
 @item -cpr
 Set @ref{CPR} in KiB/sec.
 
 @item -cpr
 Set @ref{CPR} in KiB/sec.
 

+@item -encless
+Enable @ref{Encless, encryptionless mode}.
+

 @item -up
 Optional path to script that will be executed after connection is
 established. Interface name will be given to it as a first argument.
 @item -up
 Optional path to script that will be executed after connection is
 established. Interface name will be given to it as a first argument.

diff --git a/doc/developer.texi b/doc/developer.texi
index d9136eb11518d2afc4179c35bd555bf06fa36236..936e7977bda9ca02ce02fba908706eb09a85c8ba 100644 (file)
--- a/doc/developer.texi
+++ b/doc/developer.texi
@@ -5,26 +5,38 @@ Pay attention how to get @ref{Sources, development source code}.
 
 @table @asis
 @item Nonce and identity encryption
 
 @table @asis
 @item Nonce and identity encryption

-@url{http://143.53.36.235:8080/tea.htm, XTEA}.
+    @url{http://143.53.36.235:8080/tea.htm, XTEA}.

 @item Data encryption
 @item Data encryption

-@url{http://cr.yp.to/snuffle.html, Salsa20}.
+    @url{http://cr.yp.to/snuffle.html, Salsa20}.

 @item Message authentication
 @item Message authentication

-@url{http://cr.yp.to/mac.html, Poly1305}.
+    @url{http://cr.yp.to/mac.html, Poly1305}.

 @item Password authenticated key agreement
 @item Password authenticated key agreement

-DH-A-EKE powered by @url{http://cr.yp.to/ecdh.html, Curve25519}
-and @url{http://ed25519.cr.yp.to/, Ed25519}.
+    DH-A-EKE powered by @url{http://cr.yp.to/ecdh.html, Curve25519}
+    and @url{http://ed25519.cr.yp.to/, Ed25519}.

 @item DH elliptic-curve point encoding for public keys
 @item DH elliptic-curve point encoding for public keys

-@url{http://elligator.cr.yp.to/, Elligator}.
+    @url{http://elligator.cr.yp.to/, Elligator}.

 @item Verifier password hashing algorithm
 @item Verifier password hashing algorithm

-@url{https://password-hashing.net/#argon2, Argon2d}.
+    @url{https://password-hashing.net/#argon2, Argon2d}.
+@item Encryptionless confidentiality preserving encoding
+    @url{http://people.csail.mit.edu/rivest/chaffing-980701.txt,
+    Chaffing-and-Winnowing} (two Poly1305 MACs for each bit of message)
+    over 128 bits of
+    @url{http://theory.lcs.mit.edu/~cis/pubs/rivest/fusion.ps,
+    All-Or-Nothing-Transformed} (based on
+    @url{http://cseweb.ucsd.edu/~mihir/papers/oaep.html, OAEP} using
+    @url{https://en.wikipedia.org/wiki/Key_derivation_function, HKDF}
+    with @url{https://blake2.net/, BLAKE2b-512} and BLAKE2b-256 based
+    @url{http://crypto.stanford.edu/~dabo/abstracts/saep.html, SAEP+}
+    checksums) data with 128-bits of feeded random.

 @item Packet overhead
 @item Packet overhead

-25 bytes per packet.
+    25 bytes per packet. Plus 4128 bytes and noise in encryptionless mode.

 @item Handshake overhead
 @item Handshake overhead

-4 UDP (2 from client, 2 from server) packets (round-trips for TCP),
-264 bytes total payload.
+    4 UDP (2 from client, 2 from server) packets (round-trips for TCP).
+    264 bytes total payload, 20680 in encryptionless mode.

 @item Entropy required
 @item Entropy required

-832 bits in average on client, 832 bits in average on server side per
-handshake.
+    832 bits in average on client, 832 bits in average on server side
+    per handshake. 128 bits for each outgoing packet in encryptionless
+    mode.

 @end table
 
 @menu
 @end table
 
 @menu

diff --git a/doc/encless.texi b/doc/encless.texi
new file mode 100644 (file)
index 0000000..f6d4281
--- /dev/null
+++ b/doc/encless.texi
@@ -0,0 +1,37 @@
+@node Encless
+@subsection Encryptionless mode
+
+Some jurisdictions can force user to reveal his encryption keys. However
+they can not ask for authentication (signing) keys. So you are safe to
+use authentication algorithms, but not the encryption ones. Moreover
+some countries forbids usage of encryption (but again not the
+authentication).
+
+GoVPN provides special encryptionless mode of operation. In this mode it
+replaces Salsa20 function used for confidentiality with rather
+well-known @url{http://people.csail.mit.edu/rivest/chaffing-980701.txt,
+Chaffing-and-Winnowing} (CnW) technology. This is rather traffic and
+resource hungry algorithm, so we use it after
+@url{http://theory.lcs.mit.edu/~cis/pubs/rivest/fusion.ps,
+All-Or-Nothing-Transformation} (based on
+@url{http://cseweb.ucsd.edu/~mihir/papers/oaep.html, Optimal Asymmetric
+Encryption Padding}) on the data. It is confidentiality preserving
+encoding.
+
+AONT is just a keyless encoding of the data. CnW uses only
+authentication function. Handshake additionally uses Diffie-Hellman and
+signature algorithms. No encryption and steganography involved.
+
+In this mode each outgoing packet became larger on 4128 bytes and
+@ref{Noise, noise} is forcefully enabled. So this is rather resource
+hungry mode!
+
+@strong{Beware}: by default packet serial numbers are still processed
+through the XTEA encryption. It is not required for confidentiality and
+security, but for randomizing some parts of the traffic to make it
+indistinguishable from the noise, for making it more DPI-proof. It
+safely can be disabled, turned off or maybe its keys even can be
+revealed without security and forward secrecy loss.
+
+See @code{src/govpn/chaffing} and @code{src/govpn/aont} packages for
+details of AONT and chaffing operations.

diff --git a/doc/faq.ru.texi b/doc/faq.ru.texi
index 2023b76654c4cc14480f86a575a56bd4563af561..10f7fda6672b2dc0ad4683856d80e4abdb8b556d 100644 (file)
--- a/doc/faq.ru.texi
+++ b/doc/faq.ru.texi
@@ -67,6 +67,17 @@ Go очень легко читается, поддаётся ревью и по
 вид трафика от другого, то при цензуре ваше единственный вариант это
 заблокировать все его виды.
 
 вид трафика от другого, то при цензуре ваше единственный вариант это
 заблокировать все его виды.
 

+@item Когда я должен использовать @ref{Encless, нешифрованный режим}?
+Если вы работаете под юрисдикциями где суды могут привлечь вас к
+ответственности за использование шифрования или могут вынудить вас
+как-либо выдать ваши ключи шифрования (хотя сессионные ключи шифрования
+генерируются каждую сессию). В большинстве случаев, эти суды не могут
+требовать аутентификационные ключи или ключи для ЭЦП. @strong{Не
+позволяйте} названию режима вас смутить: он всё-равно обеспечивает
+конфиденциальность и аутентичность передаваемых данных! Но имейте в
+виду, что этот режим требователен к ресурсам и трафику и пока работает
+только в TCP режиме.
+

 @item Когда я должен использовать @ref{Noise, noise} опцию?
 В большинстве случаев она вам не нужна без включённого
 @ref{CPR, постоянного по скорости трафика} (CPR). Без CPR и шума, в
 @item Когда я должен использовать @ref{Noise, noise} опцию?
 В большинстве случаев она вам не нужна без включённого
 @ref{CPR, постоянного по скорости трафика} (CPR). Без CPR и шума, в

diff --git a/doc/faq.texi b/doc/faq.texi
index a3269f31a00070bec5b02f2c6c77fd1d9ab65eef..79a3aa38f0e77f629a80289cacdab9cfb26eb5ba 100644 (file)
--- a/doc/faq.texi
+++ b/doc/faq.texi
@@ -65,6 +65,16 @@ just @code{cat /dev/urandom | nc somehost}. If you can not differentiate
 one kind of traffic from another, then your only option is to forbid all
 kinds of it.
 
 one kind of traffic from another, then your only option is to forbid all
 kinds of it.
 

+@item When should I use @ref{Encless, encryptionless mode}?
+If you are operating under jurisdiction where courts can either sue you
+for encryption usage or can force you to somehow reveal you encryption
+keys (however new session encryption keys are generated each session).
+Those courts can not demand for authentication and signing keys in most
+cases. @strong{Do not} let mode's name to confuse you: it still
+provides confidentiality and authenticity of transmitted data! But pay
+attention that this mode is traffic and resource hungry and currently
+operate only in TCP mode.
+

 @item When should I use @ref{Noise, noise} option?
 In most cases you won't need it without @ref{CPR, constant packer rate}
 turned on. Without CPR and noise options GoVPN traffic (like TLS, IPsec,
 @item When should I use @ref{Noise, noise} option?
 In most cases you won't need it without @ref{CPR, constant packer rate}
 turned on. Without CPR and noise options GoVPN traffic (like TLS, IPsec,

diff --git a/doc/glossary.texi b/doc/glossary.texi
index 8d1158f28d3eb49a1660ff955d5d6cf2303f3e42..46b8e70b0de2679f4a6c944e53eb32cf2f4846bf 100644 (file)
--- a/doc/glossary.texi
+++ b/doc/glossary.texi
@@ -12,6 +12,7 @@
 * Statistics: Stats.
 * Noise::
 * Constant Packet Rate: CPR.
 * Statistics: Stats.
 * Noise::
 * Constant Packet Rate: CPR.

+* Encryptionless mode: Encless.

 * Verifier::
 @end menu
 
 * Verifier::
 @end menu
 


@@ -25,4 +26,5 @@
 @include stats.texi
 @include noise.texi
 @include cpr.texi
 @include stats.texi
 @include noise.texi
 @include cpr.texi

+@include encless.texi

 @include verifier.texi
 @include verifier.texi

diff --git a/doc/handshake.texi b/doc/handshake.texi
index b71ac489a3f9ce2663dd227eb3ba1905445a63fc..29f59f8b44f989e3c2c23d2bd1a64d3cec32dd58 100644 (file)
--- a/doc/handshake.texi
+++ b/doc/handshake.texi
@@ -93,3 +93,6 @@ symmetric encryption. @code{El()} is Elligator point encoding algorithm.
 has 128-bit security margin and that is why are not in use except in
 handshake process. @code{R*} are required for handshake randomization
 and two-way authentication.
 has 128-bit security margin and that is why are not in use except in
 handshake process. @code{R*} are required for handshake randomization
 and two-way authentication.

+
+In @ref{Encless, encryptionless mode} each @code{enc()} is replaced with
+AONT and chaffing function over the noised data.

diff --git a/doc/server.texi b/doc/server.texi
index b785be21e8c31f38d8c35127329cb63cd32d796c..2668b1da962e543b09dddba3e37a16d0ed233a35 100644 (file)
--- a/doc/server.texi
+++ b/doc/server.texi
@@ -35,6 +35,7 @@ Configuration file is JSON file with following example structure:
                                             (default: false)
     "cpr": 64,                          <-- OPTIONAL constant packet
                                             rate in KiB/sec
                                             (default: false)
     "cpr": 64,                          <-- OPTIONAL constant packet
                                             rate in KiB/sec

+    "encless": false,                   <-- OPTIONAL Encryptionless mode

     "verifier": "$argon2d..."           <-- verifier received from client
   },
   [...]
     "verifier": "$argon2d..."           <-- verifier received from client
   },
   [...]

diff --git a/doc/transport.texi b/doc/transport.texi
index 4e26785b409c9138cba94e8282d469c71fc24ff8..f5ca87e1f0576df4af79d0df51595a16caf4c64f 100644 (file)
--- a/doc/transport.texi
+++ b/doc/transport.texi
@@ -36,7 +36,7 @@ XTEA's encryption key is the first 128-bit of Salsa20's output with
 established common key and zero nonce (message nonces start from 1).
 
 @verbatim
 established common key and zero nonce (message nonces start from 1).
 
 @verbatim

-PRP_KEY = ENCRYPT(KEY, 0, 128-bit)
+PRP_KEY = 128bit(ENCRYPT(KEY, 0))

 @end verbatim
 
 @code{ENCRYPT} is Salsa20 stream cipher, with established session
 @end verbatim
 
 @code{ENCRYPT} is Salsa20 stream cipher, with established session


@@ -52,8 +52,19 @@ length.
 Salsa20's output are used as a one-time key for @code{AUTH}.
 
 @verbatim
 Salsa20's output are used as a one-time key for @code{AUTH}.
 
 @verbatim

-AUTH_KEY = ENCRYPT(KEY, NONCE, 256 bit)
+AUTH_KEY = 256bit(ENCRYPT(KEY, NONCE))

 @end verbatim
 
 To prevent replay attacks we must remember received @code{SERIAL}s and
 drop when receiving duplicate ones.
 @end verbatim
 
 To prevent replay attacks we must remember received @code{SERIAL}s and
 drop when receiving duplicate ones.

+
+In @ref{Encless, encryptionless mode} this scheme is slightly different:
+
+@verbatim
+ PACKET = ENCODED || NONCE
+ENCODED = ENCLESS(DATA || PAD || ZEROS)
+  NONCE = PRP(PRP_KEY, SERIAL)
+@end verbatim
+
+@code{ENCLESS} is AONT and chaffing function. There is no need in
+explicit separate authentication.

diff --git a/utils/makedist.sh b/utils/makedist.sh
index 24235a37a7cafef380825c9c48b0c41a885a4170..27e932472ab01ff32ebf6f01cc55e04b9e1a5c46 100755 (executable)
--- a/utils/makedist.sh
+++ b/utils/makedist.sh
@@ -73,11 +73,13 @@ be reviewable, secure, DPI/censorship-resistant, written on Go.
 It uses fast strong passphrase authenticated key agreement protocol with
 augmented zero-knowledge mutual peers authentication (PAKE DH A-EKE).
 Encrypted, authenticated data transport that hides message's length and
 It uses fast strong passphrase authenticated key agreement protocol with
 augmented zero-knowledge mutual peers authentication (PAKE DH A-EKE).
 Encrypted, authenticated data transport that hides message's length and

-timestamps. Perfect forward secrecy property. Resistance to: offline
-dictionary attacks, replay attacks, client's passphrases compromising
-and dictionary attacks on the server side. Built-in heartbeating,
-rehandshaking, real-time statistics. Ability to work through UDP, TCP
-and HTTP proxies. IPv4/IPv6-compatibility. GNU/Linux and FreeBSD support.
+timestamps. Optional encryptionless mode, that still preserves data
+confidentiality. Perfect forward secrecy property. Resistance to:
+offline dictionary attacks, replay attacks, client's passphrases
+compromising and dictionary attacks on the server side. Built-in
+heartbeating, rehandshaking, real-time statistics. Ability to work
+through UDP, TCP and HTTP proxies. IPv4/IPv6-compatibility.
+GNU/Linux and FreeBSD support.

 
 ----------------8<-----------------8<-----------------8<----------------
 
 
 ----------------8<-----------------8<-----------------8<----------------
 


@@ -116,13 +118,14 @@ GoVPN это простой демон виртуальных частных с
 несбалансированный протокол согласования ключей с двусторонней
 аутентификацией сторон (PAKE DH A-EKE). Зашифрованный, аутентифицируемый
 транспортный протокол передачи данных, скрывающий длины сообщений и их
 несбалансированный протокол согласования ключей с двусторонней
 аутентификацией сторон (PAKE DH A-EKE). Зашифрованный, аутентифицируемый
 транспортный протокол передачи данных, скрывающий длины сообщений и их

-временные характеристики. Свойство совершенной прямой секретности.
-Устойчивость к: внесетевым (offline) атакам по словарю, атакам
-повторного воспроизведения (replay), компрометации клиентских парольных
-фраз на стороне сервера. Встроенные функции сердцебиения (heartbeat),
-пересогласования ключей, статистика реального времени. Возможность
-работы поверх UDP, TCP и HTTP прокси. Совместимость с IPv4 и IPv6.
-Поддержка GNU/Linux и FreeBSD.
+временные характеристики. Опциональный нешифрованный режим, который
+всё-равно обеспечивает конфиденциальность и аутентичность данных.
+Свойство совершенной прямой секретности. Устойчивость к: внесетевым
+(offline) атакам по словарю, атакам повторного воспроизведения (replay),
+компрометации клиентских парольных фраз на стороне сервера. Встроенные
+функции сердцебиения (heartbeat), пересогласования ключей, статистика
+реального времени. Возможность работы поверх UDP, TCP и HTTP прокси.
+Совместимость с IPv4 и IPv6. Поддержка GNU/Linux и FreeBSD.

 
 ----------------8<-----------------8<-----------------8<----------------
 
 
 ----------------8<-----------------8<-----------------8<----------------