3 @cindex Transport protocol
10 @section Transport protocol
13 TAG || ENCRYPTED || NONCE --> PACKET
20 +--< AUTH(AUTH_KEY, ENCRYPTED || NONCE)
23 +------------------------+ |
27 +--< ENCRYPT(KEY, NONCE, PAYLOAD)
30 | +--< DATA || PAD [|| ZEROS]
32 +--< PRP(PRP_KEY, SERIAL)
35 @code{SERIAL} is message's serial number. Odds are reserved for
36 client (to server) messages, evens for server (to client) messages.
38 @code{PRP} is XTEA block cipher algorithm used here as PRP (pseudo
39 random permutation function) to obfuscate @code{SERIAL}. Plaintext
40 @code{SERIAL} state is kept in peers internal state, but encrypted
43 XTEA's encryption key @code{PRP_KEY} is the first 128-bit of Salsa20's
44 output with established common key and zero nonce (message nonces start
48 PRP_KEY = 128bit(ENCRYPT(KEY, 0))
51 @code{ENCRYPT} is Salsa20 stream cipher, with established session
52 @code{KEY} and obfuscated @code{SERIAL} used as a nonce. 512 bit of
53 Salsa20's output is ignored and only remaining is XORed with ther data,
56 @code{DATA} is padded with @code{PAD} (0x80 byte). Optional @code{ZEROS}
57 may follow, to fill up packet to conceal payload packet length.
59 @code{AUTH} is Poly1305 authentication function. First 256 bits of
60 Salsa20's output are used as a one-time key for @code{AUTH}.
63 AUTH_KEY = 256bit(ENCRYPT(KEY, NONCE))
66 To prevent replay attacks we must remember received @code{SERIAL}s and
67 drop when receiving duplicate ones.
69 In @ref{Encless, encryptionless mode} this scheme is slightly different:
72 PACKET = ENCODED || NONCE
73 ENCODED = ENCLESS(DATA || PAD || ZEROS)
74 NONCE = PRP(PRP_KEY, SERIAL)
77 @code{ENCLESS} is AONT and chaffing function. There is no need in
78 explicit separate authentication.