Previous: , Up: Developer  


Handshake protocol

     ┌──────┐                                           ┌──────┐                                     
     │Client│                                           │Server│                                     
     └──┬───┘                                           └──┬───┘                                     
        │────┐                                             │                                         
        │    │ R=rand(64bit)                               │                                         
        │<───┘                                             │                                         
        │                                                  │                                         
        │────┐                                             │                                         
        │    │ CDHPriv=rand(256bit)                        │                                         
        │<───┘                                             │                                         
        │                                                  │                                         
        │         R, enc(H(DSAPub), R, El(CDHPub))         │                                         
        │ ─────────────────────────────────────────────────>                                         
        │                                                  │                                         
        │                                                  │────┐                                    
        │                                                  │    │ SDHPriv=rand(256bit)               
        │                                                  │<───┘                                    
        │                                                  │                                         
        │                                                  │────┐                                    
        │                                                  │    │ K=H(DH(SDHPriv, CDHPub))           
        │                                                  │<───┘                                    
        │                                                  │                                         
        │                                                  │────┐                                    
        │                                                  │    │ RS=rand(64bit)                     
        │                                                  │<───┘                                    
        │                                                  │                                         
        │                                                  │────┐                                    
        │                                                  │    │ SS=rand(256bit)                    
        │                                                  │<───┘                                    
        │                                                  │                                         
        │ enc(H(DSAPub), R+1, El(SDHPub)); enc(K, R, RS+SS)│                                         
        │ <─────────────────────────────────────────────────                                         
        │                                                  │                                         
        │────┐                                             │                                         
        │    │ K=H(DH(CDHPriv, SDHPub))                    │                                         
        │<───┘                                             │                                         
        │                                                  │                                         
        │────┐                                             │                                         
        │    │ RC=rand(64bit); SC=rand(256bit)             │                                         
        │<───┘                                             │                                         
        │                                                  │                                         
        │      enc(K, R+1, RS+RC+SC+Sign(DSAPriv, K))      │                                         
        │ ─────────────────────────────────────────────────>                                         
        │                                                  │                                         
        │                                                  │────┐                                    
        │                                                  │    │ compare(RS)                        
        │                                                  │<───┘                                    
        │                                                  │                                         
        │                                                  │────┐                                    
        │                                                  │    │ Verify(DSAPub, Sign(DSAPriv, K), K)
        │                                                  │<───┘                                    
        │                                                  │                                         
        │                                                  │────┐                                    
        │                                                  │    │ MasterKey=SS XOR SC                
        │                                                  │<───┘                                    
        │                                                  │                                         
        │                  enc(K, R+2, RC)                 │                                         
        │ <─────────────────────────────────────────────────                                         
        │                                                  │                                         
        │────┐                                             │                                         
        │    │ compare(RC)                                 │                                         
        │<───┘                                             │                                         
        │                                                  │                                         
        │────┐                                             │                                         
        │    │ MasterKey=SS XOR SC                         │                                         
        │<───┘                                             │                                         
     ┌──┴───┐                                           ┌──┴───┐                                     
     │Client│                                           │Server│                                     
     └──────┘                                           └──────┘                                     

Each handshake message ends with so called IDtag: it is an XTEA encrypted first 64 bits of each message with client’s Identity as a key. It is used to transmit identity and to mark packet as handshake message.

If Noise is enabled, then junk data is inserted before IDtag to full up packet to MTU’s size.

Preparation stage:

  1. Client knows only his identity and passphrase written somewhere in the human. Server knows his identity and verifier: DSAPub.
  2. Client computes verifier which produces DSAPriv and DSAPub. H() is HSalsa20 hash function.
  3. Client generates DH keypair: CDHPub and CDHPriv. Also it generates random 64-bit R that is used as a nonce for symmetric encryption. El() is Elligator point encoding algorithm.

Interaction stage:

  1. R + enc(H(DSAPub), R, El(CDHPub)) + IDtag -> Server [48 bytes]
  2. enc(H(DSAPub), R+1, El(SDHPub)) + enc(K, R, RS + SS) + IDtag -> Client [80 bytes]
  3. enc(K, R+1, RS + RC + SC + Sign(DSAPriv, K)) + IDtag -> Server [120 bytes]
  4. ENC(K, R+2, RC) + IDtag -> Client [16 bytes]

MasterKey is high entropy 256-bit key. K DH-derived one has 128-bit security margin and that is why are not in use except in handshake process. R* are required for handshake randomization and two-way authentication.


Previous: , Up: Developer