| … | |
… | |
| 6 | protocol which is used to authenticate tunnels and send encrypted data |
6 | protocol which is used to authenticate tunnels and send encrypted data |
| 7 | packets. This protocol is described in more detail the second part of this |
7 | packets. This protocol is described in more detail the second part of this |
| 8 | document. |
8 | document. |
| 9 | |
9 | |
| 10 | The first part of this document describes the transport protocols which |
10 | The first part of this document describes the transport protocols which |
| 11 | are used by GVPE to send it's data packets over the network. |
11 | are used by GVPE to send its data packets over the network. |
| 12 | |
12 | |
| 13 | =head1 PART 1: Transport protocols |
13 | =head1 PART 1: Transport protocols |
| 14 | |
14 | |
| 15 | GVPE offers a wide range of transport protocols that can be used to |
15 | GVPE offers a wide range of transport protocols that can be used to |
| 16 | interchange data between nodes. Protocols differ in their overhead, speed, |
16 | interchange data between nodes. Protocols differ in their overhead, speed, |
| … | |
… | |
| 54 | It should be used if RAW IP is not available. |
54 | It should be used if RAW IP is not available. |
| 55 | |
55 | |
| 56 | =head2 TCP |
56 | =head2 TCP |
| 57 | |
57 | |
| 58 | This protocol is a very bad choice, as it not only has high overhead (more |
58 | This protocol is a very bad choice, as it not only has high overhead (more |
| 59 | than 60 bytes), but the transport also retries on it's own, which leads |
59 | than 60 bytes), but the transport also retries on its own, which leads |
| 60 | to congestion when the link has moderate packet loss (as both the TCP |
60 | to congestion when the link has moderate packet loss (as both the TCP |
| 61 | transport and the tunneled traffic will retry, increasing congestion more |
61 | transport and the tunneled traffic will retry, increasing congestion more |
| 62 | and more). It also has high latency and is quite inefficient. |
62 | and more). It also has high latency and is quite inefficient. |
| 63 | |
63 | |
| 64 | It's only useful when tunneling through firewalls that block better |
64 | It's only useful when tunneling through firewalls that block better |
| … | |
… | |
| 120 | +------+------+--------+------+ |
120 | +------+------+--------+------+ |
| 121 | | HMAC | TYPE | SRCDST | DATA | |
121 | | HMAC | TYPE | SRCDST | DATA | |
| 122 | +------+------+--------+------+ |
122 | +------+------+--------+------+ |
| 123 | |
123 | |
| 124 | The HMAC field is present in all packets, even if not used (e.g. in auth |
124 | The HMAC field is present in all packets, even if not used (e.g. in auth |
| 125 | request packets), in which case it is set to all zeroes. The checksum |
125 | request packets), in which case it is set to all zeroes. The MAC itself is |
| 126 | itself is calculated over the TYPE, SRCDST and DATA fields in all cases. |
126 | calculated over the TYPE, SRCDST and DATA fields in all cases. |
| 127 | |
127 | |
| 128 | The TYPE field is a single byte and determines the purpose of the packet |
128 | The TYPE field is a single byte and determines the purpose of the packet |
| 129 | (e.g. RESET, COMPRESSED/UNCOMPRESSED DATA, PING, AUTH REQUEST/RESPONSE, |
129 | (e.g. RESET, COMPRESSED/UNCOMPRESSED DATA, PING, AUTH REQUEST/RESPONSE, |
| 130 | CONNECT REQUEST/INFO etc.). |
130 | CONNECT REQUEST/INFO etc.). |
| 131 | |
131 | |
| … | |
… | |
| 134 | |
134 | |
| 135 | The DATA portion differs between each packet type, naturally, and is the |
135 | The DATA portion differs between each packet type, naturally, and is the |
| 136 | only part that can be encrypted. Data packets contain more fields, as |
136 | only part that can be encrypted. Data packets contain more fields, as |
| 137 | shown: |
137 | shown: |
| 138 | |
138 | |
| 139 | +------+------+--------+------+-------+------+ |
139 | +------+------+--------+-------+------+ |
| 140 | | HMAC | TYPE | SRCDST | RAND | SEQNO | DATA | |
140 | | HMAC | TYPE | SRCDST | SEQNO | DATA | |
| 141 | +------+------+--------+------+-------+------+ |
141 | +------+------+--------+-------+------+ |
| 142 | |
|
|
| 143 | RAND is a sequence of fully random bytes, used to increase the entropy of |
|
|
| 144 | the data for encryption purposes. |
|
|
| 145 | |
142 | |
| 146 | SEQNO is a 32-bit sequence number. It is negotiated at every connection |
143 | SEQNO is a 32-bit sequence number. It is negotiated at every connection |
| 147 | initialization and starts at some random 31 bit value. GVPE currently uses |
144 | initialization and starts at some random 31 bit value. GVPE currently uses |
| 148 | a sliding window of 512 packets/sequence numbers to detect reordering, |
145 | a sliding window of 512 packets/sequence numbers to detect reordering, |
| 149 | duplication and replay attacks. |
146 | duplication and replay attacks. |
| 150 | |
147 | |
| 151 | The encryption is done on RAND+SEQNO+DATA in CBC mode with zero IV (or, |
148 | The encryption is done on SEQNO+DATA in CTR mode with IV generated from |
| 152 | equivalently, the IV is RAND+SEQNO, encrypted with the block cipher, |
149 | the seqno (for AES: seqno || seqno || seqno || (u32)0), which ensures |
| 153 | unless RAND size is decreased or increased over the default value). |
150 | uniqueness for a given key. |
| 154 | |
|
|
| 155 | The random prefix itself is generated by using AES in CTR mode with a |
|
|
| 156 | random key and starting value, which should make them unpredictable even |
|
|
| 157 | before encrypting them again. The sequence number additionally ensures |
|
|
| 158 | that the IV is unique. |
|
|
| 159 | |
151 | |
| 160 | =head2 The authentication/key exchange protocol |
152 | =head2 The authentication/key exchange protocol |
| 161 | |
153 | |
| 162 | Before nodes can exchange packets, they need to establish authenticity of |
154 | Before nodes can exchange packets, they need to establish authenticity of |
| 163 | the other side and a key. Every node has a private RSA key and the public |
155 | the other side and a key. Every node has a private RSA key and the public |
| 164 | RSA keys of all other nodes. |
156 | RSA keys of all other nodes. |
| 165 | |
157 | |
| 166 | When a node wants to establish a connection to another node, it sends an |
158 | When a node wants to establish a connection to another node, it sends an |
| 167 | RSA-OEAP-encrypted challenge and an ECDH key. The other node replies with |
159 | RSA-OEAP-encrypted challenge and an ECDH (curve25519) key. The other node |
| 168 | it's own ECDH key and a HKDF of the challange and both ECDH keys to proof |
160 | replies with its own ECDH key and a HKDF of the challenge and both ECDH |
| 169 | it's identity. |
161 | keys to prove its identity. |
| 170 | |
162 | |
| 171 | The remote node enganges in exactly the same protocol. When both nodes |
163 | The remote node enganges in exactly the same protocol. When both nodes |
| 172 | have exchanged their challenge and verified the response, they calculate a |
164 | have exchanged their challenge and verified the response, they calculate a |
| 173 | cipher key and a HMAC key and start exchanging data packets. |
165 | cipher key and a HMAC key and start exchanging data packets. |
| 174 | |
166 | |
| … | |
… | |
| 180 | sequence number for data packets, key material for the HMAC key, key |
172 | sequence number for data packets, key material for the HMAC key, key |
| 181 | material for the cipher key, a salt used by the HKDF (as shown later) and |
173 | material for the cipher key, a salt used by the HKDF (as shown later) and |
| 182 | some extra random bytes that are unused except for authentication. It also |
174 | some extra random bytes that are unused except for authentication. It also |
| 183 | sends the public key of a curve25519 exchange. |
175 | sends the public key of a curve25519 exchange. |
| 184 | |
176 | |
| 185 | The remote node decrypts the RSA data, generates it's own ECDH key (ECDH2), and |
177 | The remote node decrypts the RSA data, generates its own ECDH key (ECDH2), |
| 186 | replies with: |
178 | and replies with: |
| 187 | |
179 | |
| 188 | HKDF-Expand (HKDF-Extract (ECDH2, RSA), ECDH1, AUTH_DIGEST_SIZE) ECDH2 |
180 | HKDF-Expand (HKDF-Extract (ECDH2, RSA), ECDH1, AUTH_DIGEST_SIZE) ECDH2 |
| 189 | |
181 | |
| 190 | That is, it extracts from the decrypted RSA challenge, using it's ECDH |
182 | That is, it extracts from the decrypted RSA challenge, using its ECDH |
| 191 | key as salt, and then expands using the requesting node's ECDH1 key. The |
183 | key as salt, and then expands using the requesting node's ECDH1 key. The |
| 192 | resulting has is returned as a proof that the node could decrypt the RSA |
184 | resulting hash is returned as a proof that the node could decrypt the RSA |
| 193 | challenge data, together with the ECDH key. |
185 | challenge data, together with the ECDH key. |
| 194 | |
186 | |
| 195 | After both nodes have done this to each other, they calculate the shared |
187 | After both nodes have done this to each other, they calculate the shared |
| 196 | ECDH secrets, cipher and HMAC keys for the session (each |
188 | ECDH secret, cipher and HMAC keys for the session (each node generates two |
| 197 | node generates two cipher and HMAC keys, one for sending and one for |
189 | cipher and HMAC keys, one for sending and one for receiving). |
| 198 | receiving). |
|
|
| 199 | |
190 | |
| 200 | The HMAC key for sending is generated as follow: |
191 | The HMAC key for sending is generated as follow: |
| 201 | |
192 | |
| 202 | HMAC_KEY = HKDF-Expand (HKDF-Extract (REMOTE_SALT, MAC ECDH_SECRET), info, HMAC_MD_SIZE) |
193 | HMAC_KEY = HKDF-Expand (HKDF-Extract (REMOTE_SALT, MAC ECDH_SECRET), info, HMAC_MD_SIZE) |
| 203 | |
194 | |
| … | |
… | |
| 212 | perfect forward secrecy. |
203 | perfect forward secrecy. |
| 213 | |
204 | |
| 214 | The protocol has been overdesigned where this was possible without |
205 | The protocol has been overdesigned where this was possible without |
| 215 | increasing implementation complexity, in an attempt to protect against |
206 | increasing implementation complexity, in an attempt to protect against |
| 216 | implementation or protocol failures. For example, if the ECDH challenge |
207 | implementation or protocol failures. For example, if the ECDH challenge |
| 217 | was found to be flawed, perfect forward secrecy would be lost, but |
208 | was found to be flawed, perfect forward secrecy would be lost, but the |
| 218 | the data would still be protected. Likewise, standard algorithms and |
209 | data would likely still be protected. Likewise, standard algorithms and |
| 219 | implementations are used where possible. |
210 | implementations are used where possible. |
| 220 | |
211 | |
| 221 | =head2 Retrying |
212 | =head2 Retrying |
| 222 | |
213 | |
| 223 | When there is no response to an auth request, the node will send auth |
214 | When there is no response to an auth request, the node will send auth |
| … | |
… | |
| 271 | |
262 | |
| 272 | =item Failing all that, the packet will be dropped. |
263 | =item Failing all that, the packet will be dropped. |
| 273 | |
264 | |
| 274 | =back |
265 | =back |
| 275 | |
266 | |
| 276 | A host can usually declare itself unreachable directly by setting it's |
267 | A host can usually declare itself unreachable directly by setting its |
| 277 | port number(s) to zero. It can declare other hosts as unreachable by using |
268 | port number(s) to zero. It can declare other hosts as unreachable by using |
| 278 | a config-file that disables all protocols for these other hosts. Another |
269 | a config-file that disables all protocols for these other hosts. Another |
| 279 | option is to disable all protocols on that host in the other config files. |
270 | option is to disable all protocols on that host in the other config files. |
| 280 | |
271 | |
| 281 | If two hosts cannot connect to each other because their IP address(es) |
272 | If two hosts cannot connect to each other because their IP address(es) |
| … | |
… | |
| 287 | connection to the other peer, which is usually possible even when both |
278 | connection to the other peer, which is usually possible even when both |
| 288 | hosts are behind a NAT gateway. |
279 | hosts are behind a NAT gateway. |
| 289 | |
280 | |
| 290 | Routing via other nodes works because the SRCDST field is not encrypted, |
281 | Routing via other nodes works because the SRCDST field is not encrypted, |
| 291 | so the router can just forward the packet to the destination host. Since |
282 | so the router can just forward the packet to the destination host. Since |
| 292 | each host uses it's own private key, the router will not be able to |
283 | each host uses its own private key, the router will not be able to |
| 293 | decrypt or encrypt packets, it will just act as a simple router and |
284 | decrypt or encrypt packets, it will just act as a simple router and |
| 294 | protocol translator. |
285 | protocol translator. |
| 295 | |
286 | |
| 296 | |
287 | |
