Add perfect forward secrecy to nterfacer #56
This bumps the nterfacer protocol version to 5.
The authentication stage of the protocol is modified. In addition to the
challenge (from server) or response (from client), the IV and the nonce,
both sides send a Curve25519 public key in hex. The new field is added
to the end of the challenge/response + IV + nonce line.
The resulting shared secret from X25519 is then hashed like so:
SHA-256(shared_from_smult || receiver public key || sender public key).
The order for hashing was taken from
https://download.libsodium.org/doc/advanced/scalar_multiplication.html.
The resulting hash is then used as the client raw key, meaning that the
nterfacer rekeying mechanism/subkeying mechanism is untouched from
version 4.
This adds a Curve25519 implementation (curve25519-donna) to /lib/.
Deploying this changeset therefore requires recompiling and restarting
newserv. The header file contains static inline helper functions to
avoid misuse of the underlying ECDH primitive.
This addresses issue #46 in part. The memcpy calls have not been changed in the interest of keeping this commit focused on one issue.