… | |
… | |
146 | SEQNO is a 32-bit sequence number. It is negotiated at every connection |
146 | SEQNO is a 32-bit sequence number. It is negotiated at every connection |
147 | initialization and starts at some random 31 bit value. VPE currently uses |
147 | initialization and starts at some random 31 bit value. VPE currently uses |
148 | a sliding window of 512 packets/sequence numbers to detect reordering, |
148 | a sliding window of 512 packets/sequence numbers to detect reordering, |
149 | duplication and replay attacks. |
149 | duplication and replay attacks. |
150 | |
150 | |
|
|
151 | The encryption is done on RAND+SEQNO+DATA in CBC mode with zero IV (or, |
|
|
152 | equivalently, the IV is RAND+SEQNO, encrypted with the block cipher, |
|
|
153 | unless RAND size is decreased or increased over the default value). |
|
|
154 | |
151 | =head2 The authentication protocol |
155 | =head2 The authentication/key exchange protocol |
152 | |
156 | |
153 | Before nodes can exchange packets, they need to establish authenticity of |
157 | Before nodes can exchange packets, they need to establish authenticity of |
154 | the other side and a key. Every node has a private RSA key and the public |
158 | the other side and a key. Every node has a private RSA key and the public |
155 | RSA keys of all other nodes. |
159 | RSA keys of all other nodes. |
156 | |
160 | |
157 | A host establishes a simplex connection by sending the other node an |
161 | When a node wants to establish a connection to another node, it sends an |
158 | RSA encrypted challenge containing a random challenge (consisting of |
162 | RSA-OEAP-encrypted challenge and an ECDH key. The other node replies with |
159 | the encryption key to use when sending packets, more random data and |
163 | it's own ECDH key and a HKDF of the challange and both ECDH keys to proof |
160 | PKCS1_OAEP padding) and a random 16 byte "challenge-id" (used to detect |
164 | it's identity. |
161 | duplicate auth packets). The destination node will respond by replying |
|
|
162 | with an (unencrypted) RIPEMD160 hash of the decrypted challenge, which |
|
|
163 | will authenticate that node. The destination node will also set the |
|
|
164 | outgoing encryption parameters as given in the packet. |
|
|
165 | |
165 | |
166 | When the source node receives a correct auth reply (by verifying the |
166 | The remote node enganges in exactly the same protocol. When both nodes |
167 | hash and the id, which will expire after 120 seconds), it will start to |
167 | have exchanged their challenge and verified the response, they calculate a |
168 | accept data packets from the destination node. |
168 | cipher key and a HMAC key and start exchanging data packets. |
169 | |
169 | |
170 | This means that a node can only initiate a simplex connection, telling the |
170 | In detail, the challenge consist of: |
171 | other side the key it has to use when it sends packets. The challenge |
|
|
172 | reply is only used to set the current IP address of the other side and |
|
|
173 | protocol parameters. |
|
|
174 | |
171 | |
175 | This protocol is completely symmetric, so to be able to send packets the |
172 | RSA-OAEP (SEQNO MAC CIPHER SALT EXTRA-AUTH) ECDH1 |
176 | destination node must send a challenge in the exact same way as already |
173 | |
177 | described (so, in essence, two simplex connections are created per node |
174 | That is, it encrypts (with the public key of the remote node) an initial |
178 | pair). |
175 | sequence number for data packets, key material for the HMAC key, key |
|
|
176 | material for the cipher key, a salt used by the HKDF (as shown later) and |
|
|
177 | some extra random bytes that are unused except for authentication. It also |
|
|
178 | sends the public key of a curve25519 exchange. |
|
|
179 | |
|
|
180 | The remote node decrypts the RSA data, generates it's own ECDH key (ECDH2), and |
|
|
181 | replies with: |
|
|
182 | |
|
|
183 | HKDF-Expand (HKDF-Extract (ECDH2, RSA), ECDH1, AUTH_DIGEST_SIZE) ECDH2 |
|
|
184 | |
|
|
185 | That is, it extracts from the decrypted RSA challenge, using it's ECDH |
|
|
186 | key as salt, and then expands using the requesting node's ECDH1 key. The |
|
|
187 | resulting has is returned as a proof that the node could decrypt the RSA |
|
|
188 | challenge data, together with the ECDH key. |
|
|
189 | |
|
|
190 | After both nodes have done this to each other, they calculate the shared |
|
|
191 | ECDH secrets, cipher and HMAC keys for the session (each |
|
|
192 | node generates two cipher and HMAC keys, one for sending and one for |
|
|
193 | receiving). |
|
|
194 | |
|
|
195 | The HMAC key for sending is generated as follow: |
|
|
196 | |
|
|
197 | HMAC_KEY = HKDF-Expand (HKDF-Extract (REMOTE_SALT, MAC ECDH_SECRET), info, HMAC_MD_SIZE) |
|
|
198 | |
|
|
199 | It extracts from MAC and ECDH_SECRET using the I<remote> SALT, then |
|
|
200 | expands using a static info string. |
|
|
201 | |
|
|
202 | The cipher key is generated in the same way, except using the CIPHER part |
|
|
203 | of the original challenge. |
|
|
204 | |
|
|
205 | The result of this process is to authenticate each node to the other |
|
|
206 | node, while exchanging keys using both RSA and ECDH, the latter providing |
|
|
207 | perfect forward secrecy. |
179 | |
208 | |
180 | =head2 Retrying |
209 | =head2 Retrying |
181 | |
210 | |
182 | When there is no response to an auth request, the node will send auth |
211 | When there is no response to an auth request, the node will send auth |
183 | requests in bursts with an exponential back-off. After some time it will |
212 | requests in bursts with an exponential back-off. After some time it will |
… | |
… | |
203 | will try to connect every few seconds. |
232 | will try to connect every few seconds. |
204 | |
233 | |
205 | =head2 Routing and Protocol translation |
234 | =head2 Routing and Protocol translation |
206 | |
235 | |
207 | The GVPE routing algorithm is easy: there isn't much routing to speak |
236 | The GVPE routing algorithm is easy: there isn't much routing to speak |
208 | of: When routing packets to another node, GVPE trues the following |
237 | of: When routing packets to another node, GVPE tries the following |
209 | options, in order: |
238 | options, in order: |
210 | |
239 | |
211 | =over 4 |
240 | =over 4 |
212 | |
241 | |
213 | =item If the two nodes should be able to reach each other directly (common |
242 | =item If the two nodes should be able to reach each other directly (common |