Next: , Previous: , Up: Packet format  


Encrypted packet

Encrypted packets are the only files found in spools, in exchangeable storages and that are synchronized between TCP daemons.

Each encrypted packet has the following header:

  +------------ HEADER --------------------+   +------------- ENCRYPTED -------------+
 /                                          \ /                                       \
+--------------------------------------------+------+---------+----------...---+------+
| MAGIC | NICE | SENDER | RCPT | EPUB | SIGN | SIZE | BLOCK 0 | BLOCK 1  ...   | JUNK |
+-------------------------------------/------\------+---------+----------...---+------+
                                     /        \
                      +-------------------------------------+
                      | MAGIC | NICE | SENDER | RCPT | EPUB |
                      +-------------------------------------+
XDR typeValue
Magic number8-byte, fixed length opaque dataN N C P E 0x00 0x00 0x05
Nicenessunsigned integer1-255, packet niceness level
Sender32-byte, fixed length opaque dataSender node’s id
Recipient32-byte, fixed length opaque dataRecipient node’s id
Exchange public key32-byte, fixed length opaque dataEphemeral curve25519 public key
Signature64-byte, fixed length opaque dataed25519 signature for that packet’s header over all previous fields.

All following encryption is done in AEAD mode using ChaCha20-Poly1305 algorithms. Authenticated data is BLAKE3-256 hash of the unsigned portion of the header (the same data used in the signature). Size is XDR-encoded unsigned hyper integer, carrying the payload size, encrypted as a single AEAD-block (with the tag) independently from the following blocks. It is encoded with the zero nonce.

Payload with possible padding is divided on 128 KiB blocks blocks. They are encrypted with the same authenticated data and increasing big-endian 64-bit nonce, starting at 1.

Each node has static exchange and signature keypairs. When node A want to send encrypted packet to node B, it:

  1. generates ephemeral curve25519 keypair
  2. prepares structure for signing
  3. signs that structure using private ed25519 signature key
  4. takes remote node’s exchange public key and performs Diffie-Hellman computation on this remote static public key and private ephemeral one
  5. derives 32-bytes AEAD encryption key with BLAKE3 derivation function. Source key is the derived ephemeral key. Context is N N C P E 0x00 0x00 0x05 magic number
  6. calculates authenticated data: it is BLAKE3-256 hash of the unsigned header (same used for signing)
  7. encrypts size, appends its authenticated ciphertext to the header (with authenticated data, nonce=0)
  8. encrypts each payload block, appending its authenticated ciphertext (with authenticated data, nonce starting at 1, increasing with each block)
  9. possibly appends any kind of "junk" noise data to hide real payload’s size from the adversary (generated using BLAKE3 XOF, with the key derived from the ephemeral one and context string of N N C P E 0x00 0x00 0x05 <SP> P A D)

Next: Encrypted area packet, Previous: Plain packet, Up: Packet format