X-Git-Url: http://www.git.cypherpunks.ru/?a=blobdiff_plain;f=doc%2Fhandshake.texi;h=75a65085f712082136675d6b34dc54860db1cd54;hb=672458a3b692635616c23f92659a4254f188b75d;hp=6f1e37e32a72098cb00abb3b28238fe8ae1cfcf2;hpb=cae1bf7a68f5be04942cdb96f91e5eca44232f5c;p=govpn.git diff --git a/doc/handshake.texi b/doc/handshake.texi index 6f1e37e..75a6508 100644 --- a/doc/handshake.texi +++ b/doc/handshake.texi @@ -1,41 +1,44 @@ -@node Handshake protocol +@node Handshake @section Handshake protocol @verbatiminclude handshake.utxt -Each handshake message ends with so called @code{IDtag}: it is an XTEA -encrypted first 64 bits of each message with client's @ref{Identity} as -a key. It is used to transmit identity and to mark packet as handshake -message. Server can determine used identity by trying all possible known -to him keys. It consumes resources, but XTEA is rather fast algorithm -and handshake messages checking is seldom enough event. +Each handshake message ends with so called @code{IDtag}: it is +BLAKE2b-MAC of the first 64 bits of the handshake message, with client's +@ref{Identity} used as a key. It is used to transmit identity and to +mark packet as handshake message. + +If @ref{Noise, noise} is enabled, then data is padded to fill up packet +to MTU's size. @strong{Preparation stage}: @enumerate @item Client knows only his identity and passphrase written somewhere in the -human. Server knows his identity and +human readable form. Server knows his identity and @ref{Verifier structure, verifier}: @code{DSAPub}. @item Client computes verifier which produces @code{DSAPriv} and -@code{DSAPub}. @code{H()} is @emph{HSalsa20} hash function. +@code{DSAPub}. @code{H()} is @emph{BLAKE2b-256} hash function. @item Client generates DH keypair: @code{CDHPub} and @code{CDHPriv}. Also it generates random 64-bit @code{R} that is used as a nonce for -symmetric encryption. +symmetric encryption. @code{El()} is Elligator point encoding (and vice +versa) algorithm. @end enumerate @strong{Interaction stage}: @enumerate @item -@verb{|R + enc(H(DSAPub), R, CDHPub) + IDtag -> Server|} [48 bytes] +@verb{|R + enc(H(DSAPub), R, El(CDHPub)) + IDtag -> Server|} [48 bytes] @item -@itemize @bullet +@itemize @item Server remembers client address. -@item Decrypts @code{CDHPub}. +@item Decrypts @code{El(CDHPub)}. +@item Inverts @code{El()} encoding and gets @code{CDHPub}. @item Generates DH keypair: @code{SDHPriv}/@code{SDHPub}. @item Computes common shared key @code{K = H(DH(SDHPriv, CDHPub))}. @item Generates 64-bit random number @code{RS}. @@ -43,11 +46,12 @@ symmetric encryption. @end itemize @item -@verb{|enc(H(DSAPub), R+1, SDHPub) + enc(K, R, RS + SS) + IDtag -> Client|} [80 bytes] +@verb{|enc(H(DSAPub), R+1, El(SDHPub)) + enc(K, R, RS + SS) + IDtag -> Client|} [80 bytes] @item -@itemize @bullet -@item Client decrypts @code{SDHPub}. +@itemize +@item Client decrypts @code{El(SDHPub)}. +@item Inverts @code{El()} encoding and gets @code{SDHPub}. @item Computes @code{K}. @item Decrypts @code{RS} and @code{SS}. @item Remembers @code{SS}. @@ -60,13 +64,13 @@ symmetric encryption. @verb{|enc(K, R+1, RS + RC + SC + Sign(DSAPriv, K)) + IDtag -> Server|} [120 bytes] @item -@itemize @bullet +@itemize @item Server decrypts @code{RS}, @code{RC}, @code{SC}, @code{Sign(DSAPriv, K)}. - @item Compares @code{RS} with it's own one sent before. Server + @item Compares @code{RS} with its own one sent before. Server decrypts @code{RS}, @code{RC}, @code{SC} with key @code{K}, compares - @code{RS} with it's own one sent before. + @code{RS} with its own one sent before. @item Verifies @code{K} signature with verifier @code{DSAPub}. @@ -78,9 +82,9 @@ symmetric encryption. @verb{|ENC(K, R+2, RC) + IDtag -> Client|} [16 bytes] @item -@itemize @bullet +@itemize @item Client decrypts @code{RC} -@item Compares with it's own one sent before. +@item Compares with its own one sent before. @item Computes final session encryption key as server did. @end itemize @@ -90,3 +94,6 @@ symmetric encryption. has 128-bit security margin and that is why are not in use except in handshake process. @code{R*} are required for handshake randomization and two-way authentication. + +In @ref{Encless, encryptionless mode} each @code{enc()} is replaced with +AONT and chaffing function over the noised data.