Encrypted packets are the only files found in spools and on exchangeable storage, and the only files synchronized between TCP daemons.
Each encrypted packet has the following header:
```
                    HEADER
+--------------------------------------------+-------...--------+
| MAGIC | NICE | SENDER | EPUB | SIGN | SIZE | CIPHERTEXT | MAC |
+------------------------------/------\------+-------...--------+
                              /        \
               +--------------------------------------------+
               | MAGIC | NICE | RCPT | SENDER | EPUB | SIZE |
               +--------------------------------------------+
```

Field | XDR type | Value |
---|---|---|
Magic number | 8-byte, fixed length opaque data | NNCPE0x10x00x00 |
Niceness | unsigned integer | 1-255, packet niceness level |
Sender | 32-byte, fixed length opaque data | Sender node’s id |
Exchange public key | 32-byte, fixed length opaque data | Ephemeral curve25519 public key |
Signature | 64-byte, fixed length opaque data | ed25519 signature for that packet’s header |
Size | unsigned hyper integer | Encrypted payload size |
Signature is calculated over the following structure:
The actual encrypted payload comes after that header. The payload is encrypted using the Twofish algorithm with a 256-bit key in CTR mode of operation with a zero initialization vector (because each encrypted packet has an ephemeral exchange key). The ciphertext’s length is equal to the plaintext’s. A BLAKE2b-256 MAC is appended to the ciphertext.
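The following Go code is an added example, not taken from NNCP's source: it decodes the header from the table, rebuilds the signed structure shown in the diagram with the receiver's own node id in the RCPT slot, and checks the ed25519 signature before any payload is touched. It assumes the signed structure is XDR-encoded in the diagram's field order; the expected magic and the sender's public key are supplied by the caller, and the names `Header`, `ParseHeader`, `SignedBytes` and `Verify` are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// Header follows the table: XDR integers are big-endian, fixed opaques are raw bytes.
type Header struct {
	Magic        [8]byte
	Nice         uint32
	Sender, EPub [32]byte
	Sign         [64]byte
	Size         uint64
}

// ParseHeader decodes the 148-byte header; the expected magic comes from the caller.
func ParseHeader(raw []byte, magic [8]byte) (h Header, err error) {
	if err = binary.Read(bytes.NewReader(raw), binary.BigEndian, &h); err != nil {
		return h, fmt.Errorf("truncated header: %w", err)
	}
	if h.Magic != magic || h.Nice < 1 || h.Nice > 255 {
		return h, fmt.Errorf("bad magic or niceness %d", h.Nice)
	}
	return h, nil
}

// SignedBytes rebuilds MAGIC|NICE|RCPT|SENDER|EPUB|SIZE (assumed XDR layout, see lead-in).
func SignedBytes(h Header, rcpt [32]byte) []byte {
	var b bytes.Buffer
	for _, f := range []interface{}{h.Magic, h.Nice, rcpt, h.Sender, h.EPub, h.Size} {
		binary.Write(&b, binary.BigEndian, f)
	}
	return b.Bytes()
}

// Verify checks SIGN with the sender's ed25519 key, which the caller looks up.
func Verify(h Header, rcpt [32]byte, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, SignedBytes(h, rcpt), h.Sign[:])
}

func main() { // constructed sample: throwaway key, made-up magic and node ids
	pub, priv, _ := ed25519.GenerateKey(nil)
	h, rcpt := Header{Magic: [8]byte{'D', 'E', 'M', 'O'}, Nice: 64, Size: 1024}, [32]byte{0xB}
	copy(h.Sign[:], ed25519.Sign(priv, SignedBytes(h, rcpt)))
	fmt.Println(Verify(h, rcpt, pub), Verify(h, [32]byte{0xC}, pub)) // right vs wrong recipient
}
```

Because RCPT is part of the signed bytes but is not carried in the header, a header presented to a node other than the intended recipient fails verification.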
Each node has static exchange and signature keypairs. When node A wants to send an encrypted packet to node B, it: