@unnumbered Packet format
All packets are
-@url{https://en.wikipedia.org/wiki/External_Data_Representation,
-XDR}-encoded structures.
+@url{https://tools.ietf.org/html/rfc4506, XDR}-encoded structures.
@menu
* Plain packet: Plain.
@end verbatim
@multitable @columnfractions 0.2 0.3 0.5
-@headitem @tab XDR type @tab Value
+@headitem @tab XDR type @tab Value
@item Magic number @tab
8-byte, fixed length opaque data @tab
- @verb{|NNCPP0x00x00x01|}
+ @verb{|N N C P P 0x00 0x00 0x01|}
@item Payload type @tab
unsigned integer @tab
0 (file), 1 (freq), 2 (mail), 3 (transition)
@item Path length @tab
unsigned integer @tab
- actual length of following field's payload
+ actual length of @emph{path} field's payload
@item Path @tab
255 byte, fixed length opaque data @tab
@itemize
@item UTF-8 encoded destination path for file transfer
@item UTF-8 encoded source path for file request
@item UTF-8 encoded, space separated, email recipients list
- @item Node id the transition packet must be relayed on
+ @item Node's id the transition packet must be relayed on
@end itemize
@end multitable
Each encrypted packet has the following header:
@verbatim
- +--------------- HEADER ----------+ +-------- ENCRYPTED --------+
+ +------------ HEADER -------------+ +-------- ENCRYPTED --------+
/ \ / \
-+-------------------------------------+------------+----...-----------+------+
-| MAGIC | NICE | SENDER | EPUB | SIGN | SIZE | MAC | CIPHERTEXT | MAC | JUNK |
-+------------------------------/------\------------+----...-----------+------+
- / \
- +-------------------------------------+
- | MAGIC | NICE | RCPT | SENDER | EPUB |
- +-------------------------------------+
++--------------------------------------------+------------+----...-----------+------+
+| MAGIC | NICE | SENDER | RCPT | EPUB | SIGN | SIZE | MAC | CIPHERTEXT | MAC | JUNK |
++-------------------------------------/------\------------+----...-----------+------+
+ / \
+ +-------------------------------------+
+ | MAGIC | NICE | SENDER | RCPT | EPUB |
+ +-------------------------------------+
@end verbatim
@multitable @columnfractions 0.2 0.3 0.5
-@headitem @tab XDR type @tab Value
+@headitem @tab XDR type @tab Value
@item Magic number @tab
8-byte, fixed length opaque data @tab
- @verb{|NNCPE0x00x00x01|}
+ @verb{|N N C P E 0x00 0x00 0x01|}
@item Niceness @tab
unsigned integer @tab
1-255, packet @ref{Niceness, niceness} level
@item Sender @tab
32-byte, fixed length opaque data @tab
Sender node's id
+@item Recipient @tab
+ 32-byte, fixed length opaque data @tab
+ Recipient node's id
@item Exchange public key @tab
32-byte, fixed length opaque data @tab
Ephemeral curve25519 public key
ed25519 signature for that packet's header
@end multitable
-Signature is calculated over the following structure:
-
-@itemize
-@item Magic number
-@item Niceness
-@item Recipient (32-byte recipient node's id)
-@item Sender
-@item Exchange public key
-@end itemize
+Signature is calculated over all previous fields.
-All following encryption is done using
-@url{https://www.schneier.com/academic/twofish/, Twofish} algorithm with
-256-bit key in
-@url{https://en.wikipedia.org/wiki/Counter_mode#Counter_.28CTR.29, CTR}
-mode of operation with zero initialization vector (because each
-encrypted packet has ephemeral exchange key). @url{https://blake2.net/,
+All following encryption is done using @url{https://cr.yp.to/chacha.html,
+ChaCha20} algorithm. Data is splitted on 128 KiB blocks. Each block is
+encrypted with increasing nonce counter. @url{https://blake2.net/,
BLAKE2b-256} MAC is appended to the ciphertext.
After the headers comes an encrypted payload size and MAC of that size.
@multitable @columnfractions 0.2 0.3 0.5
-@headitem @tab XDR type @tab Value
+@headitem @tab XDR type @tab Value
@item Size @tab
unsigned hyper integer @tab
- @verb{|NNCPE0x00x00x01|}
Payload size.
@end multitable
@item takes remote node's exchange public key and performs
Diffie-Hellman computation on this remote static public key and
private ephemeral one
-@item derived ephemeral key is used as an input to
- @url{https://en.wikipedia.org/wiki/HKDF, HKDF}-BLAKE2b-256 KDF
-@item derives four session keys using
- @url{https://en.wikipedia.org/wiki/HKDF, HKDF}-BLAKE2b-256 KDF:
+@item derived ephemeral key is used as a key input to
+ @url{https://blake2.net/, BLAKE2Xb} XOF
+@item derives five session keys using output from the XOF above:
@enumerate
- @item "Size" encryption (for Twofish) key
+ @item "Size" encryption (for ChaCha20) key
@item "Size" authentication (for BLAKE2b-MAC) key
@item Payload encryption key
@item Payload authentication key
+ @item Optional pad generation key (for ChaCha20)
@end enumerate
@item encrypts size, appends its ciphertext to the header
@item appends MAC tag over that ciphertext