CurveCP: Usable security for the Internet |
|
The CurveCP packet formatThis page describes the four different types of packets that appear in CurveCP: Hello, Cookie, Initiate, and Message.Connection overviewA CurveCP connection begins with a Hello packet from the client, a Cookie packet from the server, and an Initiate packet from the client. The server is free to send any number of Message packets after it sees the Initiate packet. The client is free to send any number of Message packets after it sees the server's first Message packet.If the client does not see a Cookie packet then it will send another Hello packet. The server sends a Cookie packet in response to each Hello packet, rather than limiting the client to one Hello packet. Similarly, the client can send several Initiate packets. The following diagram indicates how these packets are encrypted and summarizes the contents of the packets. Important notation: Box[X](C->S) is a cryptographic box, encrypting and authenticating X from the client's public key C to the server's public key S. The only people who can create or decipher Box[X](C->S) are the people who know the secret key corresponding to C and the people who know the secret key corresponding to S. (Note to readers familiar with BAN logic etc.: Box[X](C->S) should not be confused with the traditional concept {X}_K of something encrypted under secret key K without authentication.)
The cookie K is Box[C',s'](t), where s' is the secret key corresponding to S', and t is a secret "minute key" maintained by the server. This is a cryptographic box that can be created and understood only by t. Summary of the packet formatEach packet begins with an 8-byte identifier of the type of packet. If the packet happens to be delivered to some non-CurveCP application then these bytes will prevent the non-CurveCP application from being confused. A secondary function of this identifier is to allow, e.g., the server to quickly distinguish Hello packets from Initiate packets.Each packet continues with a 16-byte receiver extension and a 16-byte sender extension. Gateways can process these extensions without parsing the rest of the packet. Each packet from the client continues with the client's short-term public key C'. The server reuses this key as an identifier to index active connections. Each packet continues with a cryptographic box (preceded by padding for Hello packets, and preceded by the server's cookie K for Initiate packets), as summarized in the diagram above. A nonce is attached to each cryptographic box, preventing replays and preventing confusion between the boxes in different types of packets; the nonces are not shown in the diagram above. A packet with an unopenable box (i.e., a box that fails cryptographic verification) is discarded by the receiver. Client Hello packet detailsA Hello packet is a 224-byte packet with the following contents:
Current servers enforce the 64-byte length requirement but do not enforce the all-zero requirement. The all-zero bytes in this packet are an anti-amplification mechanism, ensuring that Hello packets are as long as Cookie packets; this is why the 64-byte length requirement is enforced. They are also an extension mechanism, allowing future protocol extensions such as hashcash; this is why the all-zero requirement is not enforced. Clients must nevertheless be careful to follow the all-zero requirement to avoid confusing future servers that support extensions. Server Cookie packet detailsA Cookie packet is a 200-byte packet with the following format:
Client Initiate packet detailsAn Initiate packet is a (544+M)-byte packet with the following contents, where M is a multiple of 16 between 16 and 640:
Server Message packet detailsA Message packet from the server is a (64+M)-byte packet with the following contents, where M is a multiple of 16 between 16 and 1088:
Client Message packet detailsA Message packet from the client is a (96+M)-byte packet with the following contents, where M is a multiple of 16 between 16 and 1088:
VersionThis is version 2011.02.11 of the packets.html web page. |