… | |
… | |
134 | |
134 | |
135 | The DATA portion differs between each packet type, naturally, and is the |
135 | The DATA portion differs between each packet type, naturally, and is the |
136 | only part that can be encrypted. Data packets contain more fields, as |
136 | only part that can be encrypted. Data packets contain more fields, as |
137 | shown: |
137 | shown: |
138 | |
138 | |
139 | +------+------+--------+------+-------+------+ |
139 | +------+------+--------+-------+------+ |
140 | | HMAC | TYPE | SRCDST | RAND | SEQNO | DATA | |
140 | | HMAC | TYPE | SRCDST | SEQNO | DATA | |
141 | +------+------+--------+------+-------+------+ |
141 | +------+------+--------+-------+------+ |
142 | |
|
|
143 | RAND is a sequence of fully random bytes, used to increase the entropy of |
|
|
144 | the data for encryption purposes. |
|
|
145 | |
142 | |
146 | SEQNO is a 32-bit sequence number. It is negotiated at every connection |
143 | SEQNO is a 32-bit sequence number. It is negotiated at every connection |
147 | initialization and starts at some random 31 bit value. GVPE currently uses |
144 | initialization and starts at some random 31 bit value. GVPE currently uses |
148 | a sliding window of 512 packets/sequence numbers to detect reordering, |
145 | a sliding window of 512 packets/sequence numbers to detect reordering, |
149 | duplication and replay attacks. |
146 | duplication and replay attacks. |
150 | |
147 | |
151 | The encryption is done on RAND+SEQNO+DATA in CBC mode with zero IV (or, |
148 | The encryption is done on SEQNO+DATA in CTR mode with IV generated from |
152 | equivalently, the IV is RAND+SEQNO, encrypted with the block cipher, |
149 | the seqno (for AES: seqno || seqno || seqno || (u32)0), which ensures |
153 | unless RAND size is decreased or increased over the default value). |
150 | uniqueness for a given key. |
154 | |
|
|
155 | The random prefix itself is generated by using AES in CTR mode with a |
|
|
156 | random key and starting value, which should make them unpredictable even |
|
|
157 | before encrypting them again. The sequence number additionally ensures |
|
|
158 | that the IV is unique. |
|
|
159 | |
151 | |
160 | =head2 The authentication/key exchange protocol |
152 | =head2 The authentication/key exchange protocol |
161 | |
153 | |
162 | Before nodes can exchange packets, they need to establish authenticity of |
154 | Before nodes can exchange packets, they need to establish authenticity of |
163 | the other side and a key. Every node has a private RSA key and the public |
155 | the other side and a key. Every node has a private RSA key and the public |
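Review bot: In the rewritten encryption paragraph (new lines 148-150), the text says SEQNO+DATA is encrypted in CTR mode while the IV is generated from the seqno, so as written the receiver would need the seqno to derive the IV before it can decrypt the field that carries it. Please state how the receiver learns the seqno (for example, sent in clear or tracked from the negotiated start value), or correct the list of encrypted fields. The claim "which ensures uniqueness for a given key" also holds only while the 32-bit SEQNO does not repeat under that key, and with RAND removed nothing else varies the IV, so the text should say that a new key is established before the counter can wrap. It would also help to spell out the role of the trailing "(u32)0" (presumably the block counter within a packet) so the IV layout can be checked against the cipher's block size.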