--
You received this message because you are subscribed to the Google Groups "Cap'n Proto" group.
To unsubscribe from this group and stop receiving emails from it, send an email to capnproto+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/capnproto/fe6b6564-3f08-478e-af5c-2bf461ea0e81n%40googlegroups.com.
C++ implementation of the SecretHandshake protocol for the awesome Cap’n Proto RPC library. This lets you upgrade your network connections with encryption and mutual authentication, without all the overhead of OpenSSL.
(You don’t actually need Cap’n Proto to use this, but if so you’ll need to provide your own networking code.)
SecretHandshake is “a mutually authenticating key agreement handshake, with forward secure identity metadata.” It was designed by Dominic Tarr and is used in the Secure Scuttlebutt P2P social network.
It’s based on 256-bit elliptic Ed25519 key-pairs. The peers each maintain a long-term key pair, whose public key serves as a global identifier. The peer making the connection (“client”) must know the public key of the other peer (“server”) to be able to connect, and the server learns the client’s public key during the handshake. Each peer receives proof that the other has the matching private key. Much more detail is available in the design paper.
The handshake also produces two session keys, which are then used to encrypt the channel with the 256-bit symmetric XSalsa20 cipher. (This is not strictly speaking part of the SecretHandshake protocol, which ends after key agreement. Scuttlebutt uses a different encryption scheme based on libSodium’s “secret box”.)
The handshake also produces two session keys, which are then used to encrypt the channel with the 256-bit symmetric XSalsa20 cipher. (This is not strictly speaking part of the SecretHandshake protocol, which ends after key agreement. Scuttlebutt uses a different encryption scheme based on libSodium’s “secret box”.)
Yeah, there are no integrity checks in the data stream, and I agree that’s a weakness*. Adding MACs requires adding a block- or message-oriented layer on top, like SecretBox, the way that Scuttlebutt does. This feels like redundant effort since Cap’nP also is itself message-oriented; my guess is that there’s a higher level API inside Cap’nP that exposes the message framing, and the MAC could be added there, but I have not yet delved deeper into the way Cap’nP works. (Hints welcome.)
Hmm if you're using a plain xsalsa20 stream and not secret boxes, does that mean you're implementing only encryption, not authentication? Note that XSalsa20 and related ciphers work by generating a random stream, and then XORing it with the plaintext.