Encrypted packet

Encrypted packets are the only files found in spools, in exchangeable storages and that are synchronized between TCP daemons.

Each encrypted packet has the following header:

  +------------ HEADER --------------------+   +-------- ENCRYPTED --------+
 /                                          \ /                             \
                                     /        \
                      | MAGIC | NICE | SENDER | RCPT | EPUB |
XDR typeValue
Magic number8-byte, fixed length opaque dataN N C P E 0x00 0x00 0x03
Nicenessunsigned integer1-255, packet niceness level
Sender32-byte, fixed length opaque dataSender node’s id
Recipient32-byte, fixed length opaque dataRecipient node’s id
Exchange public key32-byte, fixed length opaque dataEphemeral curve25519 public key
Signature64-byte, fixed length opaque dataed25519 signature for that packet’s header

Signature is calculated over all previous fields.

All following encryption is done using ChaCha20 algorithm. Data is splitted on 128 KiB blocks. Each block is encrypted with increasing nonce counter. BLAKE2b-256 MAC is appended to the ciphertext.

After the headers comes an encrypted payload size and MAC of that size.

XDR typeValue
Sizeunsigned hyper integerPayload size.

Next comes the actual encrypted payload with corresponding MAC.

Each node has static exchange and signature keypairs. When node A want to send encrypted packet to node B, it:

  1. generates ephemeral curve25519 keypair
  2. prepares structure for signing
  3. signs that structure using private ed25519 signature key
  4. takes remote node’s exchange public key and performs Diffie-Hellman computation on this remote static public key and private ephemeral one
  5. derive the keys:
    1. initialize BLAKE2Xb XOF with derived ephemeral key and 224-byte output length
    2. feed N N C P E 0x00 0x00 0x03 magic number to XOF
    3. read 32-bytes of "size" encryption key (for ChaCha20)
    4. read 64-bytes of "size" authentication key (for BLAKE2b-MAC)
    5. read 32-bytes of payload encryption key
    6. read 64-bytes of payload authentication key
    7. optionally read 32-bytes pad generation key (for ChaCha20)
  6. encrypts size, appends its ciphertext to the header
  7. appends MAC tag over that ciphertext
  8. encrypts and appends payload ciphertext
  9. appends MAC tag over that payload ciphertext
  10. possibly appends any kind of "junk" noise data to hide real payload’s size from the adversary