From 2d7f9b64e8af5da9bb4469a01f22fd5171446710 Mon Sep 17 00:00:00 2001 From: Sergey Matveev Date: Tue, 5 Jan 2016 22:35:16 +0300 Subject: [PATCH] [DOC] Encryptionless mode Signed-off-by: Sergey Matveev --- README | 12 +++++++----- doc/about.ru.texi | 6 ++++++ doc/about.texi | 5 +++++ doc/client.texi | 3 +++ doc/developer.texi | 36 ++++++++++++++++++++++++------------ doc/encless.texi | 37 +++++++++++++++++++++++++++++++++++++ doc/faq.ru.texi | 11 +++++++++++ doc/faq.texi | 10 ++++++++++ doc/glossary.texi | 2 ++ doc/handshake.texi | 3 +++ doc/server.texi | 1 + doc/transport.texi | 15 +++++++++++++-- utils/makedist.sh | 27 +++++++++++++++------------ 13 files changed, 137 insertions(+), 31 deletions(-) create mode 100644 doc/encless.texi diff --git a/README b/README index f9274cb..b95b958 100644 --- a/README +++ b/README @@ -4,11 +4,13 @@ be reviewable, secure, DPI/censorship-resistant, written on Go. It uses fast strong passphrase authenticated key agreement protocol with augmented zero-knowledge mutual peers authentication (PAKE DH A-EKE). Encrypted, authenticated data transport that hides message's length and -timestamps. Perfect forward secrecy property. Resistance to: offline -dictionary attacks, replay attacks, client's passphrases compromising -and dictionary attacks on the server side. Built-in heartbeating, -rehandshaking, real-time statistics. Ability to work through UDP, TCP -and HTTP proxies. IPv4/IPv6-compatibility. GNU/Linux and FreeBSD support. +timestamps. Optional encryptionless mode, that still preserves data +confidentiality. Perfect forward secrecy property. Resistance to: +offline dictionary attacks, replay attacks, client's passphrases +compromising and dictionary attacks on the server side. Built-in +heartbeating, rehandshaking, real-time statistics. Ability to work +through UDP, TCP and HTTP proxies. IPv4/IPv6-compatibility. +GNU/Linux and FreeBSD support. GoVPN is free software: see the file COPYING for copying conditions. 
diff --git a/doc/about.ru.texi b/doc/about.ru.texi index 31386a5..e35c97c 100644 --- a/doc/about.ru.texi +++ b/doc/about.ru.texi @@ -24,6 +24,12 @@ A-EKE (Diffie-Hellman Augmented Encrypted Key Exchange)). передачи данных с 128-бит @ref{Developer, порогом безопасности} и современной криптографией. @item +Опциональный @ref{Encless, нешифрованный режим}: функции шифрования не +применяются для исходящего трафика, вместо них кодирование всё-равно +обеспечивающее конфиденциальность. Юрисдикции и суды не смогут вас +вынудить выдать ключи шифрования или привлечь за использование +шифрования. +@item Цензуроустойчивые сообщения транспорта и рукопожатия: неотличимые от шума с опциональным скрытием размеров сообщений. @item diff --git a/doc/about.texi b/doc/about.texi index 6e25072..10a203a 100644 --- a/doc/about.texi +++ b/doc/about.texi @@ -21,6 +21,11 @@ Encrypted and authenticated @ref{Transport, payload transport} with 128-bit @ref{Developer, security margin} state-of-the-art cryptography. @item +Optional @ref{Encless, encryptionless mode} of operation: no encryption +functions are applied for outgoing traffic, but still confidentiality +preserving encoding. Jurisdictions and courts can force you to reveal +encryption keys or sue for encryption usage. +@item Censorship resistant handshake and transport messages: fully indistinguishable from the noise with optionally hidden packets lengths. @item diff --git a/doc/client.texi b/doc/client.texi index 81878d5..88e338e 100644 --- a/doc/client.texi +++ b/doc/client.texi @@ -43,6 +43,9 @@ Enable @ref{Noise}. @item -cpr Set @ref{CPR} in KiB/sec. +@item -encless +Enable @ref{Encless, encryptionless mode}. + @item -up Optional path to script that will be executed after connection is established. Interface name will be given to it as a first argument. diff --git a/doc/developer.texi b/doc/developer.texi index d9136eb..936e797 100644 --- a/doc/developer.texi +++ b/doc/developer.texi 
@@ -5,26 +5,38 @@ Pay attention how to get @ref{Sources, development source code}. @table @asis @item Nonce and identity encryption -@url{http://143.53.36.235:8080/tea.htm, XTEA}. + @url{http://143.53.36.235:8080/tea.htm, XTEA}. @item Data encryption -@url{http://cr.yp.to/snuffle.html, Salsa20}. + @url{http://cr.yp.to/snuffle.html, Salsa20}. @item Message authentication -@url{http://cr.yp.to/mac.html, Poly1305}. + @url{http://cr.yp.to/mac.html, Poly1305}. @item Password authenticated key agreement -DH-A-EKE powered by @url{http://cr.yp.to/ecdh.html, Curve25519} -and @url{http://ed25519.cr.yp.to/, Ed25519}. + DH-A-EKE powered by @url{http://cr.yp.to/ecdh.html, Curve25519} + and @url{http://ed25519.cr.yp.to/, Ed25519}. @item DH elliptic-curve point encoding for public keys -@url{http://elligator.cr.yp.to/, Elligator}. + @url{http://elligator.cr.yp.to/, Elligator}. @item Verifier password hashing algorithm -@url{https://password-hashing.net/#argon2, Argon2d}. + @url{https://password-hashing.net/#argon2, Argon2d}. +@item Encryptionless confidentiality preserving encoding + @url{http://people.csail.mit.edu/rivest/chaffing-980701.txt, + Chaffing-and-Winnowing} (two Poly1305 MACs for each bit of message) + over 128 bits of + @url{http://theory.lcs.mit.edu/~cis/pubs/rivest/fusion.ps, + All-Or-Nothing-Transformed} (based on + @url{http://cseweb.ucsd.edu/~mihir/papers/oaep.html, OAEP} using + @url{https://en.wikipedia.org/wiki/Key_derivation_function, HKDF} + with @url{https://blake2.net/, BLAKE2b-512} and BLAKE2b-256 based + @url{http://crypto.stanford.edu/~dabo/abstracts/saep.html, SAEP+} + checksums) data with 128-bits of feeded random. @item Packet overhead -25 bytes per packet. + 25 bytes per packet. Plus 4128 bytes and noise in encryptionless mode. @item Handshake overhead -4 UDP (2 from client, 2 from server) packets (round-trips for TCP), -264 bytes total payload. + 4 UDP (2 from client, 2 from server) packets (round-trips for TCP). 
+ 264 bytes total payload, 20680 in encryptionless mode. @item Entropy required -832 bits in average on client, 832 bits in average on server side per -handshake. + 832 bits in average on client, 832 bits in average on server side + per handshake. 128 bits for each outgoing packet in encryptionless + mode. @end table @menu diff --git a/doc/encless.texi b/doc/encless.texi new file mode 100644 index 0000000..f6d4281 --- /dev/null +++ b/doc/encless.texi 
@@ -0,0 +1,37 @@ +@node Encless +@subsection Encryptionless mode + +Some jurisdictions can force user to reveal his encryption keys. However +they can not ask for authentication (signing) keys. So you are safe to +use authentication algorithms, but not the encryption ones. Moreover +some countries forbids usage of encryption (but again not the +authentication). + +GoVPN provides special encryptionless mode of operation. In this mode it +replaces Salsa20 function used for confidentiality with rather +well-known @url{http://people.csail.mit.edu/rivest/chaffing-980701.txt, +Chaffing-and-Winnowing} (CnW) technology. This is rather traffic and +resource hungry algorithm, so we use it after +@url{http://theory.lcs.mit.edu/~cis/pubs/rivest/fusion.ps, +All-Or-Nothing-Transformation} (based on +@url{http://cseweb.ucsd.edu/~mihir/papers/oaep.html, Optimal Asymmetric +Encryption Padding}) on the data. It is confidentiality preserving +encoding. + +AONT is just a keyless encoding of the data. CnW uses only +authentication function. Handshake additionally uses Diffie-Hellman and +signature algorithms. No encryption and steganography involved. + +In this mode each outgoing packet became larger on 4128 bytes and +@ref{Noise, noise} is forcefully enabled. So this is rather resource +hungry mode! + +@strong{Beware}: by default packet serial numbers are still processed +through the XTEA encryption. It is not required for confidentiality and +security, but for randomizing some parts of the traffic to make it +indistinguishable from the noise, for making it more DPI-proof. It +safely can be disabled, turned off or maybe its keys even can be +revealed without security and forward secrecy loss. + +See @code{src/govpn/chaffing} and @code{src/govpn/aont} packages for +details of AONT and chaffing operations. diff --git a/doc/faq.ru.texi b/doc/faq.ru.texi index 2023b76..10f7fda 100644 --- a/doc/faq.ru.texi +++ b/doc/faq.ru.texi 
@@ -67,6 +67,17 @@ Go очень легко читается, поддаётся ревью и по вид трафика от другого, то при цензуре ваше единственный вариант это заблокировать все его виды. +@item Когда я должен использовать @ref{Encless, нешифрованный режим}? +Если вы работаете под юрисдикциями где суды могут привлечь вас к +ответственности за использование шифрования или могут вынудить вас +как-либо выдать ваши ключи шифрования (хотя сессионные ключи шифрования +генерируются каждую сессию). В большинстве случаев, эти суды не могут +требовать аутентификационные ключи или ключи для ЭЦП. @strong{Не +позволяйте} названию режима вас смутить: он всё-равно обеспечивает +конфиденциальность и аутентичность передаваемых данных! Но имейте в +виду, что этот режим требователен к ресурсам и трафику и пока работает +только в TCP режиме. + @item Когда я должен использовать @ref{Noise, noise} опцию? В большинстве случаев она вам не нужна без включённого @ref{CPR, постоянного по скорости трафика} (CPR). Без CPR и шума, в diff --git a/doc/faq.texi b/doc/faq.texi index a3269f3..79a3aa3 100644 --- a/doc/faq.texi +++ b/doc/faq.texi 
@@ -65,6 +65,16 @@ just @code{cat /dev/urandom | nc somehost}. If you can not differentiate one kind of traffic from another, then your only option is to forbid all kinds of it. +@item When should I use @ref{Encless, encryptionless mode}? +If you are operating under jurisdiction where courts can either sue you +for encryption usage or can force you to somehow reveal you encryption +keys (however new session encryption keys are generated each session). +Those courts can not demand for authentication and signing keys in most +cases. @strong{Do not} let mode's name to confuse you: it still +provides confidentiality and authenticity of transmitted data! But pay +attention that this mode is traffic and resource hungry and currently +operate only in TCP mode. + @item When should I use @ref{Noise, noise} option? In most cases you won't need it without @ref{CPR, constant packer rate} turned on. Without CPR and noise options GoVPN traffic (like TLS, IPsec, diff --git a/doc/glossary.texi b/doc/glossary.texi index 8d1158f..46b8e70 100644 --- a/doc/glossary.texi +++ b/doc/glossary.texi @@ -12,6 +12,7 @@ * Statistics: Stats. * Noise:: * Constant Packet Rate: CPR. +* Encryptionless mode: Encless. * Verifier:: @end menu @@ -25,4 +26,5 @@ @include stats.texi @include noise.texi @include cpr.texi +@include encless.texi @include verifier.texi diff --git a/doc/handshake.texi b/doc/handshake.texi index b71ac48..29f59f8 100644 --- a/doc/handshake.texi +++ b/doc/handshake.texi @@ -93,3 +93,6 @@ symmetric encryption. @code{El()} is Elligator point encoding algorithm. has 128-bit security margin and that is why are not in use except in handshake process. @code{R*} are required for handshake randomization and two-way authentication. + +In @ref{Encless, encryptionless mode} each @code{enc()} is replaced with +AONT and chaffing function over the noised data. diff --git a/doc/server.texi b/doc/server.texi index b785be2..2668b1d 100644 --- a/doc/server.texi +++ b/doc/server.texi 
@@ -35,6 +35,7 @@ Configuration file is JSON file with following example structure: (default: false) "cpr": 64, <-- OPTIONAL constant packet rate in KiB/sec + "encless": false, <-- OPTIONAL Encryptionless mode "verifier": "$argon2d..." <-- verifier received from client }, [...] diff --git a/doc/transport.texi b/doc/transport.texi index 4e26785..f5ca87e 100644 --- a/doc/transport.texi +++ b/doc/transport.texi @@ -36,7 +36,7 @@ XTEA's encryption key is the first 128-bit of Salsa20's output with established common key and zero nonce (message nonces start from 1). @verbatim -PRP_KEY = ENCRYPT(KEY, 0, 128-bit) +PRP_KEY = 128bit(ENCRYPT(KEY, 0)) @end verbatim @code{ENCRYPT} is Salsa20 stream cipher, with established session @@ -52,8 +52,19 @@ length. Salsa20's output are used as a one-time key for @code{AUTH}. @verbatim -AUTH_KEY = ENCRYPT(KEY, NONCE, 256 bit) +AUTH_KEY = 256bit(ENCRYPT(KEY, NONCE)) @end verbatim To prevent replay attacks we must remember received @code{SERIAL}s and drop when receiving duplicate ones. + +In @ref{Encless, encryptionless mode} this scheme is slightly different: + +@verbatim + PACKET = ENCODED || NONCE +ENCODED = ENCLESS(DATA || PAD || ZEROS) + NONCE = PRP(PRP_KEY, SERIAL) +@end verbatim + +@code{ENCLESS} is AONT and chaffing function. There is no need in +explicit separate authentication. diff --git a/utils/makedist.sh b/utils/makedist.sh index 24235a3..27e9324 100755 --- a/utils/makedist.sh +++ b/utils/makedist.sh 
@@ -73,11 +73,13 @@ be reviewable, secure, DPI/censorship-resistant, written on Go. It uses fast strong passphrase authenticated key agreement protocol with augmented zero-knowledge mutual peers authentication (PAKE DH A-EKE). Encrypted, authenticated data transport that hides message's length and -timestamps. Perfect forward secrecy property. Resistance to: offline -dictionary attacks, replay attacks, client's passphrases compromising -and dictionary attacks on the server side. Built-in heartbeating, -rehandshaking, real-time statistics. Ability to work through UDP, TCP -and HTTP proxies. IPv4/IPv6-compatibility. GNU/Linux and FreeBSD support. +timestamps. Optional encryptionless mode, that still preserves data +confidentiality. Perfect forward secrecy property. Resistance to: +offline dictionary attacks, replay attacks, client's passphrases +compromising and dictionary attacks on the server side. Built-in +heartbeating, rehandshaking, real-time statistics. Ability to work +through UDP, TCP and HTTP proxies. IPv4/IPv6-compatibility. +GNU/Linux and FreeBSD support. ----------------8<-----------------8<-----------------8<---------------- 
@@ -116,13 +118,14 @@ GoVPN это простой демон виртуальных частных с несбалансированный протокол согласования ключей с двусторонней аутентификацией сторон (PAKE DH A-EKE). Зашифрованный, аутентифицируемый транспортный протокол передачи данных, скрывающий длины сообщений и их -временные характеристики. Свойство совершенной прямой секретности. -Устойчивость к: внесетевым (offline) атакам по словарю, атакам -повторного воспроизведения (replay), компрометации клиентских парольных -фраз на стороне сервера. Встроенные функции сердцебиения (heartbeat), -пересогласования ключей, статистика реального времени. Возможность -работы поверх UDP, TCP и HTTP прокси. Совместимость с IPv4 и IPv6. -Поддержка GNU/Linux и FreeBSD. +временные характеристики. Опциональный нешифрованный режим, который +всё-равно обеспечивает конфиденциальность и аутентичность данных. +Свойство совершенной прямой секретности. Устойчивость к: внесетевым +(offline) атакам по словарю, атакам повторного воспроизведения (replay), +компрометации клиентских парольных фраз на стороне сервера. Встроенные +функции сердцебиения (heartbeat), пересогласования ключей, статистика +реального времени. Возможность работы поверх UDP, TCP и HTTP прокси. +Совместимость с IPv4 и IPv6. Поддержка GNU/Linux и FreeBSD. ----------------8<-----------------8<-----------------8<---------------- -- 2.44.0
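Review bot: in the README hunk, "Optional encryptionless mode, that still preserves data confidentiality" needs either the comma dropped or "that" changed to "which"; the Russian summary added to makedist.sh promises "confidentiality and authenticity", so the English sentence should make the same claim, since the mode is documented as authenticating via chaffing MACs.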
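Review bot: the about.texi item says "Jurisdictions and courts can force you to reveal encryption keys or sue for encryption usage", which is the opposite of the Russian about.ru.texi text ("не смогут", i.e. cannot) and of the mode's stated purpose; it should read "can not force you to reveal encryption keys or prosecute you for using encryption". In the same item, "no encryption functions are applied for outgoing traffic" is contradicted by the Beware paragraph in encless.texi (serial numbers still pass through XTEA); limit the claim to the payload, or qualify it until the XTEA step is actually optional. Spelling nit in about.ru.texi: "всё-равно" is written "всё равно".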
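Review bot: the client.texi entry for -encless says only "Enable encryptionless mode"; encless.texi states that the mode forcibly enables noise and faq.texi says it currently works only over TCP, and both consequences belong here where the flag is introduced. The client should also reject the flag with a clear error when the transport is not TCP rather than fail silently later at handshake.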
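Review bot: in developer.texi the "Encryptionless confidentiality preserving encoding" item is one nested sentence that is hard to parse; split it into the chaffing layer (two Poly1305 MACs per bit over the 128-bit AONT key block) and the AONT layer (OAEP-style, HKDF with BLAKE2b-512, SAEP+ checksum with BLAKE2b-256), and change "feeded random" to "fed-in randomness". The handshake figure "20680 in encryptionless mode" does not follow from the stated per-packet overhead (264 + 4 × 4128 = 16776), so either the handshake messages are encoded differently or the number is wrong; a short per-message breakdown would let a reader verify it. Separately, re-indenting every existing @item body is unrelated churn that obscures the real change in this hunk; keep formatting-only edits in their own commit.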
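Review bot: encless.texi says "No encryption and steganography involved" and two paragraphs later "packet serial numbers are still processed through the XTEA encryption"; the Beware paragraph then says the step "safely can be disabled, turned off or maybe its keys even can be revealed" without naming any option that disables it. Either document the knob or state plainly that XTEA nonce encryption is always applied in this mode, and drop "maybe": the document must commit to whether revealing PRP_KEY is safe, since a user in the situation this mode targets will act on that sentence. The opening legal claims ("they can not ask for authentication (signing) keys") should be hedged the way faq.texi hedges them ("in most cases"); that is a statement about law, not about the protocol. Grammar: "some countries forbids" → "forbid", "each outgoing packet became larger on 4128 bytes" → "grows by 4128 bytes".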
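Review bot: in faq.texi, "currently operate only in TCP mode" is the only place the TCP-only restriction appears; client.texi and server.texi, where the option is actually introduced, say nothing about it, so users will enable it over UDP. Also "reveal you encryption keys" → "your", "operate" → "operates", "sue you for encryption usage" → "prosecute you for using encryption", and "Do not let mode's name to confuse you" → "Do not let the mode's name confuse you".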
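Review bot: the handshake.texi sentence "each enc() is replaced with AONT and chaffing function over the noised data" leaves two things undefined: what "noised data" is (padding to a fixed size, or the same noise as the @ref{Noise} option?) and which key the chaffing MACs use at each handshake step, given that the existing enc() there is keyed from password-derived and DH material, not from a session key. Without an explicit MAC key per message the security argument for the PAKE in this mode cannot be checked.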
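Review bot: the transport.texi encryptionless layout gives ENCODED = ENCLESS(DATA || PAD || ZEROS) but never says what ZEROS is for or how the receiver checks it, and "There is no need in explicit separate authentication" is asserted without justification. Spell out the argument: only the 128-bit AONT key block is MACed by chaffing, so integrity of the remaining blocks rests on the SAEP+ checksum inside the AONT and on the trailing zeros surviving the inverse transform. Also state the key used for the Poly1305 chaffing MACs; AUTH_KEY just above is still derived as 256bit(ENCRYPT(KEY, NONCE)), and keeping that derivation would mean an encryption function is still in use in "encryptionless" mode. Nit: "no need in" → "no need for".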
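Review bot: the server.texi "encless" entry should say that it must match the client's -encless choice, since the two modes use different packet formats and a mismatch will fail at handshake with no hint as to why; documenting that, and whether the server logs a distinguishable error, saves a debugging session. The same TCP-only and noise-forced caveats as for the client flag apply here.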
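Review bot: the makedist.sh hunks are a second and third copy of the README summary edited in the first hunk; three copies will drift, and the Russian text here already phrases the mode differently from about.ru.texi. Have makedist.sh read the summary paragraph from README (a sed range over the file) instead of carrying its own copy.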