Encrypted packet

Encrypted packets are the only files found in spools and on exchangeable storage, and the only files synchronized between TCP daemons.

Each encrypted packet has the following header:

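  +------------ HEADER --------------------+   +-------- ENCRYPTED --------+
 /                                          \ /                             \
+--------------------------------------------+------------+----...-----------+------+
| MAGIC | NICE | SENDER | RCPT | EPUB | SIGN | SIZE | MAC | CIPHERTEXT | MAC | JUNK |
+-------------------------------------/------\------------+----...-----------+------+
                                     /        \
                      +-------------------------------------+
                      | MAGIC | NICE | SENDER | RCPT | EPUB |
                      +-------------------------------------+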
Field                XDR type                           Value
-------------------  ---------------------------------  ------------------------------------------
Magic number         8-byte, fixed length opaque data   N N C P E 0x00 0x00 0x01
Niceness             unsigned integer                   1-255, packet niceness level
Sender               32-byte, fixed length opaque data  Sender node’s id
Recipient            32-byte, fixed length opaque data  Recipient node’s id
Exchange public key  32-byte, fixed length opaque data  Ephemeral curve25519 public key
Signature            64-byte, fixed length opaque data  ed25519 signature for that packet’s header

Signature is calculated over all previous fields.

All following encryption is done using the Twofish algorithm with a 256-bit key in CTR mode of operation with a zero initialization vector (because each encrypted packet has an ephemeral exchange key). A BLAKE2b-256 MAC is appended to the ciphertext.

After the header come the encrypted payload size and the MAC of that size.

Field  XDR type                Value
-----  ----------------------  -------------
Size   unsigned hyper integer  Payload size.

Next comes the actual encrypted payload with corresponding MAC.
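The layout above, as an added parsing example (not NNCP's own code). The byte widths are assumptions derived from standard XDR encoding (RFC 4506) and the text: a 4-byte big-endian unsigned integer, an 8-byte size ciphertext (CTR preserves length) and 32-byte BLAKE2b-256 MACs. The function names are hypothetical, and signature verification and decryption are left to a crypto library.

```python
import struct

MAGIC = b"NNCPE\x00\x00\x01"        # 8-byte magic number from the header table
ID_LEN, EPUB_LEN, SIG_LEN, MAC_LEN = 32, 32, 64, 32
# XDR (assumed per RFC 4506): fixed opaque data is raw bytes (every length here
# is a multiple of 4, so no padding); unsigned integer is 4 bytes big-endian.
SIGNED_FMT = f">8sI{ID_LEN}s{ID_LEN}s{EPUB_LEN}s"
SIGNED_LEN = struct.calcsize(SIGNED_FMT)   # fields the signature covers
HEADER_LEN = SIGNED_LEN + SIG_LEN
SIZE_LEN = 8                               # unsigned hyper, encrypted in CTR mode


def parse_packet_prefix(buf: bytes) -> dict:
    """Split header, encrypted size and its MAC; raise ValueError if malformed."""
    need = HEADER_LEN + SIZE_LEN + MAC_LEN
    if len(buf) < need:
        raise ValueError(f"truncated packet: {len(buf)} < {need} bytes")
    magic, nice, sender, rcpt, epub = struct.unpack_from(SIGNED_FMT, buf, 0)
    if magic != MAGIC:
        raise ValueError("bad magic number")
    if not 1 <= nice <= 255:
        raise ValueError(f"niceness {nice} outside 1-255")
    off = HEADER_LEN
    return {
        "nice": nice, "sender": sender, "rcpt": rcpt, "epub": epub,
        # Exactly these bytes must be passed to ed25519 verification with the
        # sender's known public key, before any key agreement is attempted.
        "signed": buf[:SIGNED_LEN],
        "signature": buf[SIGNED_LEN:HEADER_LEN],
        "size_ct": buf[off:off + SIZE_LEN],          # still encrypted
        "size_mac": buf[off + SIZE_LEN:off + SIZE_LEN + MAC_LEN],
        "payload_offset": off + SIZE_LEN + MAC_LEN,  # payload ciphertext starts here
    }


def constructed_sample(nice: int = 96) -> bytes:
    """Constructed input: placeholder ids, key, signature and ciphertext bytes."""
    signed = struct.pack(SIGNED_FMT, MAGIC, nice,
                         b"\xaa" * ID_LEN, b"\xbb" * ID_LEN, b"\xcc" * EPUB_LEN)
    return (signed + b"\x00" * SIG_LEN + b"\x11" * SIZE_LEN
            + b"\x22" * MAC_LEN + b"\x33" * 48)


if __name__ == "__main__":
    p = parse_packet_prefix(constructed_sample())
    print(p["nice"], len(p["signed"]), p["payload_offset"])
```

A receiver should treat the parsed fields as untrusted until the signature over `signed` verifies and the size MAC checks out.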

Each node has static exchange and signature keypairs. When node A wants to send an encrypted packet to node B, it:

  1. generates an ephemeral curve25519 keypair
  2. prepares the structure for signing
  3. signs that structure using its private ed25519 signature key
  4. takes the remote node’s exchange public key and performs a Diffie-Hellman computation on this remote static public key and the private ephemeral one
  5. uses the derived ephemeral key as an input to the HKDF-BLAKE2b-256 KDF
  6. derives four session keys using the HKDF-BLAKE2b-256 KDF:
    1. "Size" encryption (for Twofish) key
    2. "Size" authentication (for BLAKE2b-MAC) key
    3. Payload encryption key
    4. Payload authentication key
  7. encrypts the size and appends its ciphertext to the header
  8. appends the MAC tag over that ciphertext
  9. encrypts the payload and appends its ciphertext
  10. appends the MAC tag over that payload ciphertext
  11. possibly appends any kind of "junk" noise data to hide the real payload’s size from the adversary