|
|
|
|
@ -15,7 +15,7 @@ the first 32 bytes are message authentication bytes, h
|
|
|
|
|
the next 32 bytes are nounce for shared secret, n
|
|
|
|
|
the remaining bytes are interpreted as ciphertext, x
|
|
|
|
|
|
|
|
|
|
a shared secret s is generated via TKE(us, them, n)
|
|
|
|
|
a shared secret s is generated via TKE(initiater, recipiant, n)
|
|
|
|
|
next the integrity of the ciphertext is done by checking MDS(n + x, s) == h
|
|
|
|
|
if the ciphertext is valid then the frame is decrypted via SD(s, n, x)
|
|
|
|
|
|
|
|
|
|
@ -37,15 +37,20 @@ handshake:
|
|
|
|
|
|
|
|
|
|
0) intro
|
|
|
|
|
|
|
|
|
|
32 bytes random padding, r (for future handshake use)
|
|
|
|
|
32 bytes hmac, h
|
|
|
|
|
32 bytes nounce, n
|
|
|
|
|
64 bytes elligator sqaured encoded alice's transport public encryption key, a.k
|
|
|
|
|
32 bytes alice's transport public encryption key, a.k
|
|
|
|
|
variadic bytes padding, w0
|
|
|
|
|
|
|
|
|
|
Alice transmits ( h + n + a.k + w0 ) to Bob from the transport address matching
|
|
|
|
|
his public transport encryption key.
|
|
|
|
|
Alice transmits ( r + h + n + a.k + w0 ) to Bob from the transport address matching
|
|
|
|
|
his public transport encryption key (b.k).
|
|
|
|
|
|
|
|
|
|
Bob recieves ( h + n + a.k + w0 )
|
|
|
|
|
w0 = "[insert variable length random padding here]"
|
|
|
|
|
s = TKE(a.k, b.k, n)
|
|
|
|
|
h = MDS(n + a.k, s)
|
|
|
|
|
|
|
|
|
|
Bob recieves ( r + h + n + a.k + w0 )
|
|
|
|
|
|
|
|
|
|
1) intro ack
|
|
|
|
|
|
|
|
|
|
@ -56,12 +61,13 @@ sent in reply to an intro, bob sends an intro ack encrypted to Alice using
|
|
|
|
|
32 bytes ciphertext, x
|
|
|
|
|
variadic bytes padding, w1
|
|
|
|
|
|
|
|
|
|
w1 = "[insert variable length random padding here]"
|
|
|
|
|
token = RAND(32)
|
|
|
|
|
k = TKE(a.k, b.k, n)
|
|
|
|
|
x = SE(k, token, n[0:24])
|
|
|
|
|
h = MDS(n + x, k)
|
|
|
|
|
|
|
|
|
|
Bob transmits ( h + n + x + w1 )
|
|
|
|
|
Bob transmits ( h + n + x + w1 ), r is ignored and discarded
|
|
|
|
|
Alice recieves ( h + n + x + w1 ) and verifies that h == MDS(n + x, k) silently
|
|
|
|
|
dropping if it does not match.
|
|
|
|
|
|
|
|
|
|
@ -74,6 +80,7 @@ Alice sends the token from the intro ack back to Bob
|
|
|
|
|
32 bytes ciphertext, x
|
|
|
|
|
variadic byttes padding, w2
|
|
|
|
|
|
|
|
|
|
w2 = "[insert variable length random padding here]"
|
|
|
|
|
k = TKE(a.k, b.k, n)
|
|
|
|
|
x = SE(k, token, n[0:24])
|
|
|
|
|
h = MDS(n + x, k)
|
|
|
|
|
@ -91,6 +98,7 @@ Bob acks the token that he got from Alice
|
|
|
|
|
32 bytes ciphertext, x
|
|
|
|
|
variadic byttes padding, w3
|
|
|
|
|
|
|
|
|
|
w3 = "[insert variable length random padding here]"
|
|
|
|
|
S = TKE(a.k, b.k, token)
|
|
|
|
|
x = SE(S, token, n[0:24])
|
|
|
|
|
h = MDS(n + x, S)
|
|
|
|
|
@ -117,6 +125,8 @@ plaintext payload: P
|
|
|
|
|
s bytes of data
|
|
|
|
|
N bytes remaining data is discarded
|
|
|
|
|
|
|
|
|
|
Encryption:
|
|
|
|
|
|
|
|
|
|
D = H + P
|
|
|
|
|
x = SE(D, S, n)
|
|
|
|
|
h = MDS(n + x, S)
|
|
|
|
|
@ -129,6 +139,13 @@ Bob checks hmac by verifying h == MDS(n + x, S)
|
|
|
|
|
|
|
|
|
|
if the hmac fails the data is silently dropped
|
|
|
|
|
|
|
|
|
|
Decryption:
|
|
|
|
|
|
|
|
|
|
verify h == MDS(n + x, S)
|
|
|
|
|
D = SD(x, S, n)
|
|
|
|
|
H = D[0:4]
|
|
|
|
|
P = D[4:4+H.s]
|
|
|
|
|
|
|
|
|
|
message types:
|
|
|
|
|
|
|
|
|
|
XMIT = 0x01
|
|
|
|
|
@ -172,6 +189,10 @@ msg_bytes = BE(msg)
|
|
|
|
|
12 bits unsigned int fragment size bytes, s
|
|
|
|
|
4 bits unsigned int nonzero number of fragments, n
|
|
|
|
|
8 bits size of last fragment in bytes, l
|
|
|
|
|
8 bits reserved flags, f
|
|
|
|
|
if f MSB is set then last fragment is included and is l bytes long
|
|
|
|
|
|
|
|
|
|
f's MSB MUST be set as of protocol version 0.
|
|
|
|
|
|
|
|
|
|
msg_bytes is s * (n - 1) + l bytes long
|
|
|
|
|
|
|
|
|
|
|
Jeff Becker
6 years ago