2 @unnumbered Packet format
5 @url{https://tools.ietf.org/html/rfc4506, XDR}-encoded structures.
9 * Encrypted packet: Encrypted.
15 Plain packet contains either the whole file, or file request (freq), or
16 transition packet or email message. It is called "plain", because it
17 contains plaintext, but plain packets would never be stored on your hard
22 +-------------------------------+--...---+
23 | MAGIC | TYPE | PATHLEN | PATH | PAYLOAD|
24 +-------------------------------+--...---+
27 @multitable @columnfractions 0.2 0.3 0.5
28 @headitem @tab XDR type @tab Value
29 @item Magic number @tab
30 8-byte, fixed length opaque data @tab
31 @verb{|N N C P P 0x00 0x00 0x01|}
32 @item Payload type @tab
34 0 (file), 1 (freq), 2 (mail), 3 (transition)
35 @item Path length @tab
37 actual length of @emph{path} field's payload
39 255 byte, fixed length opaque data @tab
41 @item UTF-8 encoded destination path for file transfer
42 @item UTF-8 encoded source path for file request
43 @item UTF-8 encoded, space separated, email recipients list
44 @item Node's id the transition packet must be relayed on
48 Path has fixed size because of hiding its actual length -- it is
49 valuable metadata. Payload is appended to the header -- it is not stored
50 as XDR field, because most XDR libraries will store all that data in the
53 Depending on the packet's type, payload could store:
57 @item Destination path for freq
58 @item @url{http://zlib.net/, zlib} compressed email
59 @item Whole encrypted packet we need to relay on
63 @section Encrypted packet
65 Encrypted packets are the only files found in spools, in exchangeable
66 storages and that are synchronized between TCP daemons.
68 Each encrypted packet has the following header:
71 +------------ HEADER -------------+ +-------- ENCRYPTED --------+
73 +-------------------------------------+------------+----...-----------+------+
74 | MAGIC | NICE | SENDER | EPUB | SIGN | SIZE | MAC | CIPHERTEXT | MAC | JUNK |
75 +------------------------------/------\------------+----...-----------+------+
77 +-------------------------------------+
78 | MAGIC | NICE | RCPT | SENDER | EPUB |
79 +-------------------------------------+
82 @multitable @columnfractions 0.2 0.3 0.5
83 @headitem @tab XDR type @tab Value
84 @item Magic number @tab
85 8-byte, fixed length opaque data @tab
86 @verb{|N N C P E 0x00 0x00 0x01|}
89 1-255, packet @ref{Niceness, niceness} level
91 32-byte, fixed length opaque data @tab
93 @item Exchange public key @tab
94 32-byte, fixed length opaque data @tab
95 Ephemeral curve25519 public key
97 64-byte, fixed length opaque data @tab
98 ed25519 signature for that packet's header
101 Signature is calculated over the following structure:
106 @item Recipient (32-byte recipient node's id)
108 @item Exchange public key
111 All following encryption is done using
112 @url{https://www.schneier.com/academic/twofish/, Twofish} algorithm with
114 @url{https://en.wikipedia.org/wiki/Counter_mode#Counter_.28CTR.29, CTR}
115 mode of operation with zero initialization vector (because each
116 encrypted packet has ephemeral exchange key). @url{https://blake2.net/,
117 BLAKE2b-256} MAC is appended to the ciphertext.
119 After the headers comes an encrypted payload size and MAC of that size.
121 @multitable @columnfractions 0.2 0.3 0.5
122 @headitem @tab XDR type @tab Value
124 unsigned hyper integer @tab
128 Next comes the actual encrypted payload with corresponding MAC.
130 Each node has static @strong{exchange} and @strong{signature} keypairs.
131 When node A want to send encrypted packet to node B, it:
134 @item generates ephemeral @url{http://cr.yp.to/ecdh.html, curve25519} keypair
135 @item prepares structure for signing
136 @item signs that structure using private
137 @url{http://ed25519.cr.yp.to/, ed25519} signature key
138 @item takes remote node's exchange public key and performs
139 Diffie-Hellman computation on this remote static public key and
140 private ephemeral one
141 @item derived ephemeral key is used as an input to
142 @url{https://en.wikipedia.org/wiki/HKDF, HKDF}-BLAKE2b-256 KDF
143 @item derives four session keys using
144 @url{https://en.wikipedia.org/wiki/HKDF, HKDF}-BLAKE2b-256 KDF:
146 @item "Size" encryption (for Twofish) key
147 @item "Size" authentication (for BLAKE2b-MAC) key
148 @item Payload encryption key
149 @item Payload authentication key
151 @item encrypts size, appends its ciphertext to the header
152 @item appends MAC tag over that ciphertext
153 @item encrypts and appends payload ciphertext
154 @item appends MAC tag over that payload ciphertext
155 @item possibly appends any kind of "junk" noise data to hide real
156 payload's size from the adversary