Replace Twofish/HKDF with ChaCha20/BLAKE2X for speed and simplicity

[nncp.git] / doc / pkt.texi

diff --git a/doc/pkt.texi b/doc/pkt.texi
index 35700c18093f80517fcf8bc7d27c4167879d158d..3f8cd92177a1456eef54f4cf592bf6380af10af2 100644 (file)
--- a/doc/pkt.texi
+++ b/doc/pkt.texi
@@ -2,8 +2,7 @@
 @unnumbered Packet format
 
 All packets are
-@url{https://en.wikipedia.org/wiki/External_Data_Representation,
-XDR}-encoded structures.
+@url{https://tools.ietf.org/html/rfc4506, XDR}-encoded structures.
 
 @menu
 * Plain packet: Plain.
@@ -26,23 +25,23 @@ drive.
 @end verbatim
 
 @multitable @columnfractions 0.2 0.3 0.5
-@headitem  @tab XDR type @tab Value
+@headitem @tab XDR type @tab Value
 @item Magic number @tab
     8-byte, fixed length opaque data @tab
-    @verb{|NNCPP0x00x00x01|}
+    @verb{|N N C P P 0x00 0x00 0x01|}
 @item Payload type @tab
     unsigned integer @tab
     0 (file), 1 (freq), 2 (mail), 3 (transition)
 @item Path length @tab
     unsigned integer @tab
-    actual length of following field's payload
+    actual length of @emph{path} field's payload
 @item Path @tab
     255 byte, fixed length opaque data @tab
     @itemize
     @item UTF-8 encoded destination path for file transfer
     @item UTF-8 encoded source path for file request
     @item UTF-8 encoded, space separated, email recipients list
-    @item Node id the transition packet must be relayed on
+    @item Node's id the transition packet must be relayed on
     @end itemize
 @end multitable
 
@@ -69,28 +68,31 @@ storages and that are synchronized between TCP daemons.
 Each encrypted packet has the following header:
 
 @verbatim
-  +--------------- HEADER ----------+   +-------- ENCRYPTED --------+
+  +------------ HEADER -------------+   +-------- ENCRYPTED --------+
  /                                   \ /                             \
-+-------------------------------------+------------+----...-----------+------+
-| MAGIC | NICE | SENDER | EPUB | SIGN | SIZE | MAC | CIPHERTEXT | MAC | JUNK |
-+------------------------------/------\------------+----...-----------+------+
-                              /        \
-               +-------------------------------------+
-               | MAGIC | NICE | RCPT | SENDER | EPUB |
-               +-------------------------------------+
++--------------------------------------------+------------+----...-----------+------+
+| MAGIC | NICE | SENDER | RCPT | EPUB | SIGN | SIZE | MAC | CIPHERTEXT | MAC | JUNK |
++-------------------------------------/------\------------+----...-----------+------+
+                                     /        \
+                      +-------------------------------------+
+                      | MAGIC | NICE | SENDER | RCPT | EPUB |
+                      +-------------------------------------+
 @end verbatim
 
 @multitable @columnfractions 0.2 0.3 0.5
-@headitem  @tab XDR type @tab Value
+@headitem @tab XDR type @tab Value
 @item Magic number @tab
     8-byte, fixed length opaque data @tab
-    @verb{|NNCPE0x00x00x01|}
+    @verb{|N N C P E 0x00 0x00 0x01|}
 @item Niceness @tab
     unsigned integer @tab
     1-255, packet @ref{Niceness, niceness} level
 @item Sender @tab
     32-byte, fixed length opaque data @tab
     Sender node's id
+@item Recipient @tab
+    32-byte, fixed length opaque data @tab
+    Recipient node's id
 @item Exchange public key @tab
     32-byte, fixed length opaque data @tab
     Ephemeral curve25519 public key
@@ -99,31 +101,19 @@ Each encrypted packet has the following header:
     ed25519 signature for that packet's header
 @end multitable
 
-Signature is calculated over the following structure:
-
-@itemize
-@item Magic number
-@item Niceness
-@item Recipient (32-byte recipient node's id)
-@item Sender
-@item Exchange public key
-@end itemize
+Signature is calculated over all previous fields.
 
-All following encryption is done using
-@url{https://www.schneier.com/academic/twofish/, Twofish} algorithm with
-256-bit key in
-@url{https://en.wikipedia.org/wiki/Counter_mode#Counter_.28CTR.29, CTR}
-mode of operation with zero initialization vector (because each
-encrypted packet has ephemeral exchange key). @url{https://blake2.net/,
+All following encryption is done using @url{https://cr.yp.to/chacha.html,
+ChaCha20} algorithm. Data is splitted on 128 KiB blocks. Each block is
+encrypted with increasing nonce counter. @url{https://blake2.net/,
 BLAKE2b-256} MAC is appended to the ciphertext.
 
 After the headers comes an encrypted payload size and MAC of that size.
 
 @multitable @columnfractions 0.2 0.3 0.5
-@headitem  @tab XDR type @tab Value
+@headitem @tab XDR type @tab Value
 @item Size @tab
     unsigned hyper integer @tab
-    @verb{|NNCPE0x00x00x01|}
     Payload size.
 @end multitable
 
@@ -140,15 +130,15 @@ When node A want to send encrypted packet to node B, it:
 @item takes remote node's exchange public key and performs
     Diffie-Hellman computation on this remote static public key and
     private ephemeral one
-@item derived ephemeral key is used as an input to
-    @url{https://en.wikipedia.org/wiki/HKDF, HKDF}-BLAKE2b-256 KDF
-@item derives four session keys using
-    @url{https://en.wikipedia.org/wiki/HKDF, HKDF}-BLAKE2b-256 KDF:
+@item derived ephemeral key is used as a key input to
+    @url{https://blake2.net/, BLAKE2Xb} XOF
+@item derives five session keys using output from the XOF above:
     @enumerate
-    @item "Size" encryption (for Twofish) key
+    @item "Size" encryption (for ChaCha20) key
     @item "Size" authentication (for BLAKE2b-MAC) key
     @item Payload encryption key
     @item Payload authentication key
+    @item Optional pad generation key (for ChaCha20)
     @end enumerate
 @item encrypts size, appends its ciphertext to the header
 @item appends MAC tag over that ciphertext