@node Noise
@section Noise
-You may turn on @code{-noise} option, that forces to fill up all
-outgoing packets to their maximum (MTU) size. Without that option GoVPN
-provides confidentiality and authenticity of payload, but it's size
-leaks to the observer.
+So-called noise is used to hide underlying payload packets lengths.
+Without it GoVPN provides confidentiality and authenticity of messages,
+but not their timestamps of appearance and sizes.
-As it can be applied only to outgoing traffic, you should enable it on
-both sides in most cases.
+You may turn on @code{-noise} option, that forces to fill up all
+outgoing packets to their maximum (MTU) size. As it can be applied only
+to outgoing traffic, you should enable it on both sides in most cases.
-Pay attention that this can dramatically increase your traffic!
+Pay attention that this can dramatically increase your traffic! It is
+turned off by default.
@node Overview
@unnumbered Overview
-GoVPN is simple secure virtual private network daemon. It uses
+GoVPN is simple secure virtual private network daemon, written entirely
+on @url{http://golang.org/, Go programming language}.
+
+Reviewability, high 128-bit security margin and
+@url{https://en.wikipedia.org/wiki/Deep_packet_inspection, DPI}
+resistance in mind in free software solution are the main goals
+for that daemon.
+
+State off art cryptography technologies include:
+@url{http://cr.yp.to/snuffle.html, Salsa20} stream encryption,
+@url{http://143.53.36.235:8080/tea.htm, XTEA} block encryption,
+@url{http://cr.yp.to/mac.html, Poly1305} message authentication,
@url{https://en.wikipedia.org/wiki/Encrypted_key_exchange, Diffie-Hellman Encrypted Key Exchange}
-(DH-EKE) for mutual zero-knowledge peers authentication and
-authenticated encrypted data transport. It is written entirely on
-@url{http://golang.org/, Go programming language}.
-
-All packets captured on network interface are encrypted, authenticated
-and sent to remote server, that writes them to his interface, and vice
-versa. Client and server use pre-shared authentication key (PSK) and
-128-bit identification key. There are heartbeat packets used to prevent
-session termination because of peers inactivity.
-
-Handshake is used to mutually authenticate peers, exchange common secret
-per-session encryption key and check UDP transport availability.
-
-Because of UDP and authentication overhead: each packet grows in size
-during transmission, so you have to lower you maximum transmission unit
-(MTU) on virtual network interface.
+(DH-EKE) powered by @url{http://cr.yp.to/ecdh.html, Curve25519}.
+Strong
+@url{https://en.wikipedia.org/wiki/Zero-knowledge_password_proof, zero-knowledge}
+mutual authentication with key exchange stage is invulnerable
+to man-in-the-middle attacks.
+@url{https://en.wikipedia.org/wiki/Forward_secrecy, Perfect forward secrecy}
+property guarantee that compromising of long-term authentication
+pre-shared key can not lead to previously captured traffic decrypting.
+Rehandshaking ensures session keys rotation. MAC authentication with
+one-time keys protects against
+@url{https://en.wikipedia.org/wiki/Replay_attack, replay attacks}.
-High security is the goal for that daemon. It uses fast cryptography
-algorithms with 128bit security margin, strong mutual zero-knowledge
-authentication and perfect-forward secrecy property. An attacker can not
-know anything about payload (except it's size and time) from captured
-traffic, even if pre-shared key is compromised. Rehandshake is performed
-by client every 4 GiB of transfered data.
+Server can work with several clients simultaneously. Each client is
+@strong{identified} by 128-bit key, that does not leak during handshake
+and each client stays @strong{anonymous} for MiTM and DPI.
-Each client also has it's own identification key and server works with
-all of them independently. Identification key is not secret, but it is
-encrypted (obfuscated) during transmission.
The only platform specific requirement is TAP network interface support.
API to that kind of device is different, OS dependent and non portable.
@item IPv6 compatible
@item Encrypted and authenticated payload transport
@item Relatively fast handshake
-@item
-@url{https://en.wikipedia.org/wiki/Replay_attack, Replay attack} protection
-@item
-@url{https://en.wikipedia.org/wiki/Forward_secrecy, Perfect forward secrecy}
-(if long-term pre-shared keys are compromised, no captured traffic can
-be decrypted anyway)
-@item
-Mutual two-side authentication (noone will send real network interface
-data unless the other side is authenticated)
-@item
-@url{https://en.wikipedia.org/wiki/Zero-knowledge_password_proof, Zero knowledge}
-authentication (pre-shared key is not transmitted in any form between
-the peers, not even it's hash value)
+@item Replay attack protection
+@item Perfect forward secrecy property
+@item Mutual two-side authentication
+@item Zero knowledge authentication
@item Built-in rehandshake and heartbeat features
@item Several simultaneous clients support
-@item Optional noise-appending for concealing underlying packet's length
+@item Hiding of payload packets length by noise appending
@item Optional built-in HTTP-server for retrieving information about
known connected peers in @url{http://json.org/, JSON} format
@end itemize