Previous: , Up: Developer manual  


Handshake protocol

     ┌──────┐                                       ┌──────┐                                     
     │Client│                                       │Server│                                     
     └──┬───┘                                       └──┬───┘                                     
        │────┐                                         │                                         
        │    │ R=rand(64bit)                           │                                         
        │<───┘                                         │                                         
        │                                              │                                         
        │────┐                                         │                                         
        │    │ CDHPriv=rand(256bit)                    │                                         
        │<───┘                                         │                                         
        │                                              │                                         
        │         R, enc(H(DSAPub), R, CDHPub)         │                                         
        │ ─────────────────────────────────────────────>                                         
        │                                              │                                         
        │                                              │────┐                                    
        │                                              │    │ SDHPriv=rand(256bit)               
        │                                              │<───┘                                    
        │                                              │                                         
        │                                              │────┐                                    
        │                                              │    │ K=H(DH(SDHPriv, CDHPub))           
        │                                              │<───┘                                    
        │                                              │                                         
        │                                              │────┐                                    
        │                                              │    │ RS=rand(64bit)                     
        │                                              │<───┘                                    
        │                                              │                                         
        │                                              │────┐                                    
        │                                              │    │ SS=rand(256bit)                    
        │                                              │<───┘                                    
        │                                              │                                         
        │ enc(H(DSAPub), R+1, SDHPub); enc(K, R, RS+SS)│                                         
        │ <─────────────────────────────────────────────                                         
        │                                              │                                         
        │────┐                                         │                                         
        │    │ K=H(DH(CDHPriv, SDHPub))                │                                         
        │<───┘                                         │                                         
        │                                              │                                         
        │────┐                                         │                                         
        │    │ RC=rand(64bit); SC=rand(256bit)         │                                         
        │<───┘                                         │                                         
        │                                              │                                         
        │    enc(K, R+1, RS+RC+SC+Sign(DSAPriv, K))    │                                         
        │ ─────────────────────────────────────────────>                                         
        │                                              │                                         
        │                                              │────┐                                    
        │                                              │    │ compare(RS)                        
        │                                              │<───┘                                    
        │                                              │                                         
        │                                              │────┐                                    
        │                                              │    │ Verify(DSAPub, Sign(DSAPriv, K), K)
        │                                              │<───┘                                    
        │                                              │                                         
        │                                              │────┐                                    
        │                                              │    │ MasterKey=SS XOR SC                
        │                                              │<───┘                                    
        │                                              │                                         
        │                enc(K, R+2, RC)               │                                         
        │ <─────────────────────────────────────────────                                         
        │                                              │                                         
        │────┐                                         │                                         
        │    │ compare(RC)                             │                                         
        │<───┘                                         │                                         
        │                                              │                                         
        │────┐                                         │                                         
        │    │ MasterKey=SS XOR SC                     │                                         
        │<───┘                                         │                                         
     ┌──┴───┐                                       ┌──┴───┐                                     
     │Client│                                       │Server│                                     
     └──────┘                                       └──────┘                                     

Each handshake message ends with so called IDtag: it is an XTEA encrypted first 64 bits of each message with client’s Identity as a key. It is used to transmit identity and to mark packet as handshake message. Server can determine used identity by trying all possible known to him keys. It consumes resources, but XTEA is rather fast algorithm and handshake messages checking is seldom enough event.

Preparation stage:

  1. Client knows only his identity and passphrase written somewhere in the human. Server knows his identity and verifier: DSAPub.
  2. Client computes verifier which produces DSAPriv and DSAPub. H() is HSalsa20 hash function.
  3. Client generates DH keypair: CDHPub and CDHPriv. Also it generates random 64-bit R that is used as a nonce for symmetric encryption.

Interaction stage:

  1. R + enc(H(DSAPub), R, CDHPub) + IDtag -> Server [48 bytes]
  2. enc(H(DSAPub), R+1, SDHPub) + enc(K, R, RS + SS) + IDtag -> Client [80 bytes]
  3. enc(K, R+1, RS + RC + SC + Sign(DSAPriv, K)) + IDtag -> Server [120 bytes]
  4. ENC(K, R+2, RC) + IDtag -> Client [16 bytes]

MasterKey is high entropy 256-bit key. K DH-derived one has 128-bit security margin and that is why are not in use except in handshake process. R* are required for handshake randomization and two-way authentication.


Previous: , Up: Developer manual