X-Git-Url: http://www.git.cypherpunks.ru/?a=blobdiff_plain;f=doc%2Fhandshake.texi;h=75a65085f712082136675d6b34dc54860db1cd54;hb=672458a3b692635616c23f92659a4254f188b75d;hp=c15e45643857004d2ae4f07b3fe97339fcff7ef8;hpb=4a58ee4c1365408452e03535ca68146aa9cf3540;p=govpn.git diff --git a/doc/handshake.texi b/doc/handshake.texi index c15e456..75a6508 100644 --- a/doc/handshake.texi +++ b/doc/handshake.texi @@ -3,28 +3,29 @@ @verbatiminclude handshake.utxt -Each handshake message ends with so called @code{IDtag}: it is an XTEA -encrypted first 64 bits of each message with client's @ref{Identity} as -a key. It is used to transmit identity and to mark packet as handshake -message. +Each handshake message ends with so called @code{IDtag}: it is +BLAKE2b-MAC of the first 64 bits of the handshake message, with client's +@ref{Identity} used as a key. It is used to transmit identity and to +mark packet as handshake message. -If @ref{Noise} is enabled, then junk data is inserted before -@code{IDtag} to full up packet to MTU's size. +If @ref{Noise, noise} is enabled, then data is padded to fill up packet +to MTU's size. @strong{Preparation stage}: @enumerate @item Client knows only his identity and passphrase written somewhere in the -human. Server knows his identity and +human readable form. Server knows his identity and @ref{Verifier structure, verifier}: @code{DSAPub}. @item Client computes verifier which produces @code{DSAPriv} and -@code{DSAPub}. @code{H()} is @emph{HSalsa20} hash function. +@code{DSAPub}. @code{H()} is @emph{BLAKE2b-256} hash function. @item Client generates DH keypair: @code{CDHPub} and @code{CDHPriv}. Also it generates random 64-bit @code{R} that is used as a nonce for -symmetric encryption. @code{El()} is Elligator point encoding algorithm. +symmetric encryption. @code{El()} is Elligator point encoding (and vice +versa) algorithm. @end enumerate @strong{Interaction stage}: @@ -34,7 +35,7 @@ symmetric encryption. @code{El()} is Elligator point encoding algorithm. @verb{|R + enc(H(DSAPub), R, El(CDHPub)) + IDtag -> Server|} [48 bytes] @item -@itemize @bullet +@itemize @item Server remembers client address. @item Decrypts @code{El(CDHPub)}. @item Inverts @code{El()} encoding and gets @code{CDHPub}. @@ -48,7 +49,7 @@ symmetric encryption. @code{El()} is Elligator point encoding algorithm. @verb{|enc(H(DSAPub), R+1, El(SDHPub)) + enc(K, R, RS + SS) + IDtag -> Client|} [80 bytes] @item -@itemize @bullet +@itemize @item Client decrypts @code{El(SDHPub)}. @item Inverts @code{El()} encoding and gets @code{SDHPub}. @item Computes @code{K}. @@ -63,7 +64,7 @@ symmetric encryption. @code{El()} is Elligator point encoding algorithm. @verb{|enc(K, R+1, RS + RC + SC + Sign(DSAPriv, K)) + IDtag -> Server|} [120 bytes] @item -@itemize @bullet +@itemize @item Server decrypts @code{RS}, @code{RC}, @code{SC}, @code{Sign(DSAPriv, K)}. @@ -81,7 +82,7 @@ symmetric encryption. @code{El()} is Elligator point encoding algorithm. @verb{|ENC(K, R+2, RC) + IDtag -> Client|} [16 bytes] @item -@itemize @bullet +@itemize @item Client decrypts @code{RC} @item Compares with its own one sent before. @item Computes final session encryption key as server did. @@ -93,3 +94,6 @@ symmetric encryption. @code{El()} is Elligator point encoding algorithm. has 128-bit security margin and that is why are not in use except in handshake process. @code{R*} are required for handshake randomization and two-way authentication. + +In @ref{Encless, encryptionless mode} each @code{enc()} is replaced with +AONT and chaffing function over the noised data.