┌──────┐                                             ┌──────┐
│Client│                                             │Server│
└──┬───┘                                             └──┬───┘
   │────┐                                               │
   │    │ R=rand(64bit)                                 │
   │<───┘                                               │
   │                                                    │
   │────┐                                               │
   │    │ CDHPriv=rand(256bit)                          │
   │<───┘                                               │
   │                                                    │
   │          R, enc(H(DSAPub), R, El(CDHPub))          │
   │ ─────────────────────────────────────────────────> │
   │                                                    │
   │                                                    │────┐
   │                                                    │    │ SDHPriv=rand(256bit)
   │                                                    │<───┘
   │                                                    │
   │                                                    │────┐
   │                                                    │    │ K=H(DH(SDHPriv, CDHPub))
   │                                                    │<───┘
   │                                                    │
   │                                                    │────┐
   │                                                    │    │ RS=rand(64bit)
   │                                                    │<───┘
   │                                                    │
   │                                                    │────┐
   │                                                    │    │ SS=rand(256bit)
   │                                                    │<───┘
   │                                                    │
   │ enc(H(DSAPub), R+1, El(SDHPub)); enc(K, R, RS+SS)  │
   │ <───────────────────────────────────────────────── │
   │                                                    │
   │────┐                                               │
   │    │ K=H(DH(CDHPriv, SDHPub))                      │
   │<───┘                                               │
   │                                                    │
   │────┐                                               │
   │    │ RC=rand(64bit); SC=rand(256bit)               │
   │<───┘                                               │
   │                                                    │
   │       enc(K, R+1, RS+RC+SC+Sign(DSAPriv, K))       │
   │ ─────────────────────────────────────────────────> │
   │                                                    │
   │                                                    │────┐
   │                                                    │    │ compare(RS)
   │                                                    │<───┘
   │                                                    │
   │                                                    │────┐
   │                                                    │    │ Verify(DSAPub, Sign(DSAPriv, K), K)
   │                                                    │<───┘
   │                                                    │
   │                                                    │────┐
   │                                                    │    │ MasterKey=SS XOR SC
   │                                                    │<───┘
   │                                                    │
   │                  enc(K, R+2, RC)                   │
   │ <───────────────────────────────────────────────── │
   │                                                    │
   │────┐                                               │
   │    │ compare(RC)                                   │
   │<───┘                                               │
   │                                                    │
   │────┐                                               │
   │    │ MasterKey=SS XOR SC                           │
   │<───┘                                               │
┌──┴───┐                                             ┌──┴───┐
│Client│                                             │Server│
└──────┘                                             └──────┘
Each handshake message ends with a so-called IDtag: the first 64 bits of the message, XTEA-encrypted with the client's Identity as the key. It is used to transmit the identity and to mark the packet as a handshake message.
If Noise is enabled, junk data is inserted before the IDtag to fill the packet up to the MTU size.
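The IDtag mechanism described above, as an added example (not code from the original page or from the project): it appends the tag, optionally inserts junk before it as in Noise mode, and shows how a receiver can match the trailing tag against the identities it knows. The 128-bit identity (XTEA's key size), big-endian word packing, the function names, the sample identities and the MTU value are assumptions.

```python
import hmac
import os
import struct

DELTA, MASK = 0x9E3779B9, 0xFFFFFFFF

def xtea_encrypt_block(key: bytes, block: bytes) -> bytes:
    """XTEA, 32 cycles. Big-endian word packing is an assumption of this sketch."""
    if len(key) != 16 or len(block) != 8:
        raise ValueError("XTEA needs a 128-bit key and a 64-bit block")
    k = struct.unpack(">4I", key)
    v0, v1 = struct.unpack(">2I", block)
    s = 0
    for _ in range(32):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return struct.pack(">2I", v0, v1)

def seal(identity: bytes, message: bytes, mtu: int = 0) -> bytes:
    """Append the IDtag; if mtu is set (Noise enabled), put junk before the tag."""
    if len(message) < 8:
        raise ValueError("handshake message shorter than 64 bits")
    junk = os.urandom(max(0, mtu - len(message) - 8))
    return message + junk + xtea_encrypt_block(identity, message[:8])

def identify(packet: bytes, peers: dict):
    """Receiver side: name of the peer whose identity yields the trailing tag."""
    if len(packet) < 16:
        return None
    head, tag = packet[:8], packet[-8:]
    for name, identity in peers.items():
        # Constant-time comparison of the recomputed tag and the received one.
        if hmac.compare_digest(xtea_encrypt_block(identity, head), tag):
            return name
    return None  # not a handshake packet for any known identity

# Constructed sample data: two 128-bit identities and a 48-byte first message
# whose first 64 bits stand in for the nonce R.
PEERS = {"alice": bytes(range(16)), "bob": bytes(range(16, 32))}
MESSAGE = bytes.fromhex("0102030405060708") + b"\xaa" * 40

if __name__ == "__main__":
    print(identify(seal(PEERS["alice"], MESSAGE), PEERS))          # no Noise
    print(identify(seal(PEERS["bob"], MESSAGE, mtu=1452), PEERS))  # Noise padding
    print(identify(MESSAGE + b"\x00" * 8, PEERS))                  # bogus tag
```

Because the tag is always the last 64 bits and is computed over the first 64 bits, the junk inserted in Noise mode does not affect the check.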
Preparation stage:
DSAPub.
DSAPriv and DSAPub. H() is the HSalsa20 hash function.
CDHPub and CDHPriv. It also generates a random 64-bit R that is used as a nonce for symmetric encryption. El() is the Elligator point encoding algorithm.
Interaction stage:
El(CDHPub).
El() encoding and gets CDHPub.
SDHPriv/SDHPub.
K = H(DH(SDHPriv, CDHPub)).
RS.
SS.
El(SDHPub).
El() encoding and gets SDHPub.
K.
RS and SS.
SS.
RC.
SC.
DSAPriv key K.
RS, RC, SC, Sign(DSAPriv, K).
RS with its own one sent before. Server decrypts RS, RC, SC with key K, compares RS with its own one sent before.
K signature with verifier DSAPub.
MasterKey=SS XOR SC.
RC
MasterKey is a high-entropy 256-bit key. K, the DH-derived one, has a 128-bit security margin, which is why it is not used except in the handshake process. The R* values are required for handshake randomization and two-way authentication.