From e0e122675963a32defd27da10d22130ccf7d16ec Mon Sep 17 00:00:00 2001 From: Sergey Matveev Date: Sun, 24 May 2015 11:38:04 +0300 Subject: [PATCH] [DOC] Various fixes Signed-off-by: Sergey Matveev --- doc/developer.texi | 3 +- doc/egd.texi | 5 ++-- doc/overview.texi | 65 ++++++++++++++++++----------------------- doc/precautions.texi | 6 ++-- doc/transport.texi | 4 +-- doc/verifierstruct.texi | 8 ++--- 6 files changed, 41 insertions(+), 50 deletions(-) diff --git a/doc/developer.texi b/doc/developer.texi index 0ced286..5f85e00 100644 --- a/doc/developer.texi +++ b/doc/developer.texi @@ -21,7 +21,8 @@ and @url{http://ed25519.cr.yp.to/, Ed25519}. @item Handshake overhead 4 UDP (2 from client, 2 from server) packets, 264 bytes total payload. @item Entropy required -832 bits on client side, 832 bits on server side per handshake. +832 bits in average on client, 832 bits in average on server side per +handshake. @end table @menu diff --git a/doc/egd.texi b/doc/egd.texi index 6b6780e..77d34bf 100644 --- a/doc/egd.texi +++ b/doc/egd.texi @@ -7,11 +7,12 @@ number generator. Some operating systems do not have good enough quality PRNG, bad @code{/dev/urandom}. You should use separate PRNG with them. GoVPN -communicates with them using Entropy Gathering Daemon protocol. +communicates with them using +@url{http://egd.sourceforge.net/, Entropy Gathering Daemon} protocol. To switch using EGD-compatible daemons instead of @code{crypto/rand} library you provide @code{-egd PATH} command line option, where -@code{PATH} is either host:port or path to the domain socket. +@code{PATH} is the domain socket. @example % ./govpn-server [...] -egd /var/run/egd.sock diff --git a/doc/overview.texi b/doc/overview.texi index dc68994..23ba75d 100644 --- a/doc/overview.texi +++ b/doc/overview.texi 
@@ -11,29 +11,16 @@ goals for that daemon. Most modern widespread protocols and their implementations in software are too complex to be reviewed, analyzed and modified. -State off art cryptography technologies includes: -@url{http://cr.yp.to/snuffle.html, Salsa20} stream encryption, -@url{http://143.53.36.235:8080/tea.htm, XTEA} PRP, -@url{http://cr.yp.to/mac.html, Poly1305} message authentication, -@url{https://en.wikipedia.org/wiki/PBKDF2} password-based key derivation -function based on @url{https://en.wikipedia.org/wiki/SHA-2, SHA-512} -hash function, -@url{https://en.wikipedia.org/wiki/Encrypted_key_exchange, -Diffie-Hellman Augmented Encrypted Key Exchange} -(DH-A-EKE) powered by @url{http://cr.yp.to/ecdh.html, Curve25519}, -@url{http://ed25519.cr.yp.to/, Ed25519} signatures and -@url{http://elligator.cr.yp.to/, Elligator} curve-point encoding. -Strong -@url{https://en.wikipedia.org/wiki/Zero-knowledge_password_proof, zero-knowledge} -mutual authentication with key exchange stage is invulnerable -to man-in-the-middle attacks. +@ref{Developer manual, State off art cryptography technologies}. Strong +mutual authenticated key exchange is invulnerable to man-in-the middle +attachs. @url{https://en.wikipedia.org/wiki/Forward_secrecy, Perfect forward secrecy} -property guarantee that compromising of long-term authentication -pre-shared key can not lead to previously captured traffic decrypting. -Compromising of peers password file on server side won't allow attacker +property guarantees that compromising of long-term authentication keys +does not lead to previously captured traffic decrypting. +Compromising of peers password files on server side won't allow attacker to masquerade as the client, because of asymmetric @strong{verifiers} usage, resistant to dictionary attacks. Rehandshaking ensures session -keys rotation. MAC authentication with one-time keys protects against +keys rotation. 
One-time keys MAC authentication protects against @url{https://en.wikipedia.org/wiki/Replay_attack, replay attacks}. Server can work with several clients simultaneously. Each client is 
@@ -61,22 +48,26 @@ Works with @url{https://en.wikipedia.org/wiki/TAP_(network_driver), TAP} network interfaces on top of UDP entirely @item @url{https://www.gnu.org/, GNU}/Linux and -@url{http://www.freebsd.org/, FreeBSD} support -@item IPv6 compatible -@item Encrypted and authenticated payload transport -@item Relatively fast handshake -@item Password-authenticated key exchange -@item Server-side password verifiers are secure against dictionary attacks -@item Attacker can not masquerade a client even with password files compromising -@item Replay attack protection -@item Perfect forward secrecy property -@item Mutual two-side authentication -@item Zero knowledge authentication -@item Built-in rehandshake and heartbeat features -@item Several simultaneous clients support -@item Per-client configuration options -@item Hiding of payload packets length with noise -@item Hiding of payload packets timestamps with constant packet rate traffic +@url{http://www.freebsd.org/, FreeBSD} support. +@item IPv6 compatible. +@item Encrypted and authenticated payload transport. +@item Relatively fast handshake. +@item Password-authenticated key exchange. +@item Server-side password verifiers are secure against dictionary +attacks. +@item Attacker can not masquerade a client even with password files +compromising. +@item Replay attack protection. +@item Perfect forward secrecy property. +@item Mutual two-side authentication. +@item Zero knowledge authentication. +@item Built-in rehandshake and heartbeat features. +@item Several simultaneous clients support. +@item Per-client configuration options. +@item Hiding of payload packets length with noise. +@item Hiding of payload packets timestamps with constant packet rate +traffic. @item Optional built-in HTTP-server for retrieving information about -known connected peers in @url{http://json.org/, JSON} format +known connected peers in @url{http://json.org/, JSON} format. 
+@item Compatibility with @url{http://egd.sourceforge.net/, EGD} PRNGs. @end itemize diff --git a/doc/precautions.texi b/doc/precautions.texi index f69d534..0539822 100644 --- a/doc/precautions.texi +++ b/doc/precautions.texi @@ -4,14 +4,12 @@ @enumerate @item We use password (passphrase) authentication, so overall security fully -depends on its strength. So you should use long, high-entropy -passphrases. Also remember to keep passphrase on temporary file and read +depends on its strength. You @strong{should} use long, high-entropy +passphrases. Also remember to keep passphrase in temporary file and read it securely as described in @ref{Verifier}. @item You must @strong{never} use one key for multiple clients. -If so, then all security is ruined and transmitted data can -be decrypted. @item You must use @strong{cryptographically good} pseudo random number diff --git a/doc/transport.texi b/doc/transport.texi index c1e0d7f..cdbe7ae 100644 --- a/doc/transport.texi +++ b/doc/transport.texi @@ -38,5 +38,5 @@ To prevent replay attacks we must remember received @code{SERIAL}s and if meet one, then drop it. Basically we could just store latest number and check if received one is greater, but because of UDP packets reordering this can lead to valid packets dropping and overall -performance degradation. We store 256 seen nonces in hash structure, in -two swapping buckets. +performance degradation. We store up to 256 seen nonces in hash +structure, in two swapping buckets. diff --git a/doc/verifierstruct.texi b/doc/verifierstruct.texi index b508b48..65a4e08 100644 --- a/doc/verifierstruct.texi +++ b/doc/verifierstruct.texi 
@@ -10,7 +10,7 @@ SOURCE = PBKDF2(SALT=PeerId, PASSWORD, 1<<16, SHA512) PUB, PRIV = Ed25519.Generate(SOURCE) @end verbatim -Verifier is public key of Ed25519 generated from the PBKDF2 of the -passphrase in hexadecimal encoding. @code{PeerId} is used as a 128-bit -salt. Server stores and knows only verifier. Client can compute the -whole keypair every time he makes handshake. +Verifier is @code{PUB} public key of Ed25519 generated from the PBKDF2 +of the passphrase in hexadecimal encoding. @code{PeerId} is used as a +128-bit salt. Server stores and knows only verifier. Client can compute +the whole keypair every time he makes handshake. -- 2.44.0
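Review bot: in the developer.texi entropy hunk, "in average" should be "on average" (both occurrences), and the new line break leaves "per handshake" dangling; suggest `832 bits on average on the client side, 832 bits on average on the server side per handshake.` Since the figure is now explicitly an average, the text should also say in one clause why the amount varies between handshakes, otherwise a reader cannot tell what the worst case is.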
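Review bot: in the egd.texi hunk, "where @code{PATH} is the domain socket" is missing a word; it should read "where @code{PATH} is the path to the Unix domain socket", matching the `-egd /var/run/egd.sock` example that follows. Dropping the host:port alternative is also a statement about what the `-egd` option accepts, not just wording: if the daemon no longer accepts host:port, that deserves a line in the commit message for users who configured it that way; if it still does, the documentation should not remove it.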
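Review bot: the first overview.texi hunk introduces typos in the replacement text: "State off art" should be "State of the art", and "man-in-the middle attachs" should be "man-in-the-middle attacks". Also "can not lead to previously captured traffic decrypting" reads better as "does not allow decryption of previously captured traffic", and "peers password files" needs the possessive ("peers' password files"). Beyond wording, the deleted paragraph was the only place the overview explained that authentication is a zero-knowledge password proof over an augmented EKE; the @ref to the developer manual replaces the list of primitives, but the property itself now survives only as a bare feature-list bullet, so consider keeping one sentence about it here.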
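Review bot: adding trailing periods to the @item lines in the second overview.texi hunk is fine for consistency, but several items that were touched remain ungrammatical and could be fixed in the same pass: "Attacker can not masquerade a client even with password files compromising" should be "An attacker cannot masquerade as a client even if the server-side password files are compromised"; "Hiding of payload packets length with noise" should be "Hiding of payload packet length with noise"; "Several simultaneous clients support" should be "Support for several simultaneous clients". The new item "Compatibility with @url{http://egd.sourceforge.net/, EGD} PRNGs" is also slightly off, since EGD is the daemon protocol rather than a PRNG; egd.texi's own phrasing, "EGD-compatible daemons", is more accurate.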
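Review bot: the precautions.texi hunk deletes the only stated consequence of reusing a key across clients ("all security is ruined and transmitted data can be decrypted"), leaving a bare @strong{never} with no rationale; a precautions section should say why a rule exists, so keep a short form such as "If one key is shared, traffic of every client using it can be decrypted." In the first item, "keep passphrase in temporary file" still needs articles: "keep the passphrase in a temporary file".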
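Review bot: in the transport.texi hunk, "in hash structure" needs an article ("in a hash structure"). Changing "256" to "up to 256" is more accurate, but the paragraph now leaves open what happens at the boundary: when a bucket fills and the two buckets swap, is a packet whose @code{SERIAL} is older than the oldest retained nonce accepted or dropped? That is exactly the replay-protection window, so one sentence stating the rule would make this section complete.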
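Review bot: the verifierstruct.texi rewrite is still ambiguous about what "in hexadecimal encoding" applies to, the verifier as stored on the server or the passphrase fed to PBKDF2; suggest "The verifier is @code{PUB}, the Ed25519 public key generated from the PBKDF2 output of the passphrase, stored in hexadecimal encoding." Also "every time he makes handshake" should be "every time it performs a handshake". Since the @verbatim block shows `PBKDF2(SALT=PeerId, PASSWORD, 1<<16, SHA512)` without an output length, the prose should state how many bytes of @code{SOURCE} feed @code{Ed25519.Generate}, otherwise the derivation is not fully specified for an independent implementation.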