┌──────┐                                       ┌──────┐
│Client│                                       │Server│
└──┬───┘                                       └──┬───┘
   │────┐                                         │
   │    │ R=rand(64bit)                           │
   │<───┘                                         │
   │                                              │
   │────┐                                         │
   │    │ CDHPriv=rand(256bit)                    │
   │<───┘                                         │
   │                                              │
   │ R, enc(H(DSAPub), R, CDHPub)                 │
   │─────────────────────────────────────────────>│
   │                                              │
   │                                              │────┐
   │                                              │    │ SDHPriv=rand(256bit)
   │                                              │<───┘
   │                                              │
   │                                              │────┐
   │                                              │    │ K=H(DH(SDHPriv, CDHPub))
   │                                              │<───┘
   │                                              │
   │                                              │────┐
   │                                              │    │ RS=rand(64bit)
   │                                              │<───┘
   │                                              │
   │                                              │────┐
   │                                              │    │ SS=rand(256bit)
   │                                              │<───┘
   │                                              │
   │ enc(H(DSAPub), R+1, SDHPub); enc(K, R, RS+SS)│
   │<─────────────────────────────────────────────│
   │                                              │
   │────┐                                         │
   │    │ K=H(DH(CDHPriv, SDHPub))                │
   │<───┘                                         │
   │                                              │
   │────┐                                         │
   │    │ RC=rand(64bit); SC=rand(256bit)         │
   │<───┘                                         │
   │                                              │
   │ enc(K, R+1, RS+RC+SC+Sign(DSAPriv, K))       │
   │─────────────────────────────────────────────>│
   │                                              │
   │                                              │────┐
   │                                              │    │ compare(RS)
   │                                              │<───┘
   │                                              │
   │                                              │────┐
   │                                              │    │ Verify(DSAPub, Sign(DSAPriv, K), K)
   │                                              │<───┘
   │                                              │
   │                                              │────┐
   │                                              │    │ MasterKey=SS XOR SC
   │                                              │<───┘
   │                                              │
   │ enc(K, R+2, RC)                              │
   │<─────────────────────────────────────────────│
   │                                              │
   │────┐                                         │
   │    │ compare(RC)                             │
   │<───┘                                         │
   │                                              │
   │────┐                                         │
   │    │ MasterKey=SS XOR SC                     │
   │<───┘                                         │
┌──┴───┐                                       ┌──┴───┐
│Client│                                       │Server│
└──────┘                                       └──────┘
Each handshake message ends with a so-called IDtag: the XTEA-encrypted
first 64 bits of the message, with the client's Identity as the key. It
is used to transmit the identity and to mark the packet as a handshake
message. The server can determine which identity was used by trying all
the keys known to it. This consumes resources, but XTEA is a rather fast
algorithm and checking handshake messages is a seldom enough event.
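
The IDtag check described above, as an added example (not code from the original manual or its project): the client appends the XTEA encryption of the message's first 64 bits, and the server tries every known identity until one reproduces the tag. The 16-byte identities, big-endian word order, 32 XTEA cycles, peer names and packet bytes are assumptions or constructed sample values.

```python
import hmac
import struct

DELTA, MASK = 0x9E3779B9, 0xFFFFFFFF

def xtea_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Encrypt one 64-bit block with XTEA (32 cycles, big-endian words: assumed)."""
    k = struct.unpack(">4I", key)
    v0, v1 = struct.unpack(">2I", block)
    total = 0
    for _ in range(32):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (total + k[total & 3]))) & MASK
        total = (total + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (total + k[(total >> 11) & 3]))) & MASK
    return struct.pack(">2I", v0, v1)

def id_tag(identity: bytes, message: bytes) -> bytes:
    """IDtag = XTEA(key=identity, first 64 bits of the handshake message)."""
    if len(identity) != 16 or len(message) < 8:
        raise ValueError("need a 128-bit identity and at least 64 bits of message")
    return xtea_encrypt_block(identity, message[:8])

def find_identity(known: dict, packet: bytes):
    """Server side: return the peer whose identity reproduces the trailing tag.

    None means no known identity matched, so the packet is not a handshake
    message from a known client. Cost is one XTEA block per known identity.
    """
    if len(packet) < 16:
        return None
    body, tag = packet[:-8], packet[-8:]
    match = None
    for name, identity in known.items():
        # Constant-time compare and no early exit, so timing does not
        # depend on which identity matched.
        if hmac.compare_digest(id_tag(identity, body), tag):
            match = name
    return match

# Constructed sample data: two hypothetical peers and a message body made of
# an 8-byte R followed by 40 placeholder bytes standing in for ciphertext.
KNOWN = {"alice": bytes(range(16)), "bob": bytes(range(16, 32))}
BODY = bytes.fromhex("0102030405060708") + b"\xaa" * 40
PACKET = BODY + id_tag(KNOWN["bob"], BODY)

if __name__ == "__main__":
    print(find_identity(KNOWN, PACKET))
```
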
Preparation stage:
DSAPub
.
DSAPriv and DSAPub. H() is the HSalsa20 hash function.
CDHPub and CDHPriv. Also, it generates a random 64-bit R that is used as
a nonce for symmetric encryption.
Interaction stage:
CDHPub
.
SDHPriv
/SDHPub
.
K = H(DH(SDHPriv, CDHPub))
.
RS
.
SS
.
SDHPub
.
K
.
RS
and SS
.
SS
.
RC
.
SC
.
DSAPriv
key K
.
RS
, RC
, SC
,
Sign(DSAPriv, K)
.
RS with its own one sent before. Server decrypts RS, RC, SC with key K,
compares RS with its own one sent before.
K
signature with verifier DSAPub
.
MasterKey=SS XOR SC
.
RC
MasterKey is a high-entropy 256-bit key. K, the DH-derived one, has a
128-bit security margin, which is why it is not used except in the
handshake process. R* are required for handshake randomization and
two-way authentication.