@node Handshake protocol
@section Handshake protocol

@verbatiminclude handshake.utxt
Each handshake message ends with the so-called @code{IDtag}: the first 64
bits of the message encrypted with XTEA, using the client's @ref{Identity}
as the key. It serves to transmit the identity and to mark the packet as a
handshake message. The server determines which identity was used by trying
every key known to it. This consumes resources, but XTEA is a rather fast
algorithm and checking handshake messages is a seldom enough event.
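The @code{IDtag} tagging and the server's identity search described above, as an added example in Go that is not part of the project's own code: the XTEA helper, its big-endian word order, the byte-slice layout and the constructed identities and message body are assumptions of this example.

```go
package main
import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// Standard XTEA (32 cycles), one 64-bit block, 128-bit key; big-endian word order assumed.
func xteaEncryptBlock(key, block []byte) []byte {
	k := [4]uint32{binary.BigEndian.Uint32(key), binary.BigEndian.Uint32(key[4:]),
		binary.BigEndian.Uint32(key[8:]), binary.BigEndian.Uint32(key[12:])}
	v0, v1 := binary.BigEndian.Uint32(block[:4]), binary.BigEndian.Uint32(block[4:8])
	for i, sum := 0, uint32(0); i < 32; i++ {
		v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum&3])
		sum += 0x9E3779B9
		v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum>>11)&3])
	}
	out := make([]byte, 8)
	binary.BigEndian.PutUint32(out[:4], v0)
	binary.BigEndian.PutUint32(out[4:], v1)
	return out
}

// idTag: the first 64 bits of the message, XTEA-encrypted with the identity as the key.
func idTag(identity, msg []byte) []byte { return xteaEncryptBlock(identity, msg[:8]) }

// tagMessage (client side) appends the IDtag to the message body.
func tagMessage(identity, body []byte) []byte {
	return append(append([]byte{}, body...), idTag(identity, body)...)
}

// lookupIdentity (server side) recomputes the tag under each known identity; one XTEA block each.
func lookupIdentity(known [][]byte, packet []byte) int {
	if len(packet) < 16 { return -1 } // must hold 8 tagged bytes plus the 8-byte tag itself
	body, tag := packet[:len(packet)-8], packet[len(packet)-8:]
	for i, id := range known {
		if subtle.ConstantTimeCompare(idTag(id, body), tag) == 1 {
			return i // index of the matching identity
		}
	}
	return -1 // no known identity produced this tag
}

func main() {
	id, body := make([]byte, 16), make([]byte, 40) // constructed identity; body stands in for R + enc(...)
	rand.Read(id); rand.Read(body)
	known := [][]byte{make([]byte, 16), id} // constructed server table: a stranger, then this client
	fmt.Println("identity index:", lookupIdentity(known, tagMessage(id, body))) // prints 1
}
```

The 40-byte body plus the 8-byte tag gives the 48-byte first message; a tag that matches no known identity is simply dropped, which is the cost-bounded check the text describes.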
@strong{Preparation stage}:

The client knows only its identity and a passphrase kept somewhere in the
human. The server knows the client's identity and
@ref{Verifier structure, verifier}: @code{DSAPub}.

The client computes the verifier, which produces @code{DSAPriv} and
@code{DSAPub}. @code{H()} is the @emph{HSalsa20} hash function.

The client generates a DH keypair, @code{CDHPub} and @code{CDHPriv}. It
also generates a random 64-bit @code{R} that is used as the nonce for
symmetric encryption. @code{El()} is the Elligator point encoding algorithm.
@strong{Interaction stage}:

@verb{|R + enc(H(DSAPub), R, El(CDHPub)) + IDtag -> Server|} [48 bytes]
@enumerate
@item Server remembers the client's address.
@item Decrypts @code{El(CDHPub)}.
@item Inverts the @code{El()} encoding and gets @code{CDHPub}.
@item Generates a DH keypair: @code{SDHPriv}/@code{SDHPub}.
@item Computes the common shared key @code{K = H(DH(SDHPriv, CDHPub))}.
@item Generates a 64-bit random number @code{RS}.
@item Generates a 256-bit pre-master secret @code{SS}.
@end enumerate

@verb{|enc(H(DSAPub), R+1, El(SDHPub)) + enc(K, R, RS + SS) + IDtag -> Client|} [80 bytes]
@enumerate
@item Client decrypts @code{El(SDHPub)}.
@item Inverts the @code{El()} encoding and gets @code{SDHPub}.
@item Computes @code{K}.
@item Decrypts @code{RS} and @code{SS}.
@item Remembers @code{SS}.
@item Generates a 64-bit random number @code{RC}.
@item Generates a 256-bit pre-master secret @code{SC}.
@item Signs @code{K} with the @code{DSAPriv} key.
@end enumerate

@verb{|enc(K, R+1, RS + RC + SC + Sign(DSAPriv, K)) + IDtag -> Server|} [120 bytes]
@enumerate
@item Server decrypts @code{RS}, @code{RC}, @code{SC} and
@code{Sign(DSAPriv, K)} with key @code{K}.
@item Compares @code{RS} with the one it sent before.
@item Verifies the signature of @code{K} with the verifier @code{DSAPub}.
@item Computes the final session encryption key:
@code{MasterKey = SS XOR SC}.
@end enumerate

@verb{|enc(K, R+2, RC) + IDtag -> Client|} [16 bytes]
@enumerate
@item Client decrypts @code{RC}.
@item Compares it with the one it sent before.
@item Computes the final session encryption key as the server did.
@end enumerate
@code{MasterKey} is a high-entropy 256-bit key. The DH-derived @code{K} has
only a 128-bit security margin, which is why it is not used outside the
handshake process. The @code{R*} values are required for handshake
randomization and two-way authentication.