Protocol spec: TinySS
TinySS is an extremely simple secure sockets protocol in the same vein as TLS. Some features include:
- "Unconfigurable" protocol with sane configuration out of the box
- Always forward-secure
- Fast on all sorts of devices
- Makes PKI the responsibility of the application layer. On its own the protocol provides no authentication, so it is secure only against passive attackers, but it exposes the Diffie-Hellman shared secret so that the application can verify it.
Both the server and the client run the same procedure. First, each side generates a fresh ephemeral Curve25519 keypair; no long-lived key ever takes part in key agreement, which is what makes every session forward-secure:

```
(myEPK, myESK) <- curve25519_generate()
```
Both ends then exchange their ephemeral public keys simultaneously; there is no client-first or server-first round trip. The message is the 8-byte ASCII version string ("TinySS-1" or "TinySS-2") followed by the 32-byte public key:

```
in a background thread:
    send "TinySS-2"/"TinySS-1" ++ myEPK to remote
"TinySS-2"/"TinySS-1" ++ theirEPK <- wait from network
wait for background thread to end
```
Both parties then compute the Curve25519 shared secret:

```
sharedSec <- curve25519_sharedsecret(myESK, theirEPK)
```

As with any X25519 exchange, an implementation should reject an all-zero sharedSec (the result of a low-order peer key) rather than derive keys from it. Two session keys are then derived with HMAC-SHA256, using the constant label as the HMAC key and the shared secret as the message:

```
sessKey_1 <- hmac_sha256(m=sharedSec, k="tinyss-s1")
sessKey_2 <- hmac_sha256(m=sharedSec, k="tinyss-s2")
```
Each key protects one direction of traffic. Direction is chosen by comparing the two raw 32-byte public keys lexicographically: the side with the smaller key receives with sessKey_1 and sends with sessKey_2, so sessKey_1 carries data from the side with the larger key to the side with the smaller key, and sessKey_2 the reverse. Both sides agree because each applies the same comparison:

```
if myEPK < theirEPK
    recvKey = sessKey_1
    sendKey = sessKey_2
else
    recvKey = sessKey_2
    sendKey = sessKey_1
```

If the two public keys are equal, which only happens when the peer reflects our own key back at us, both directions would end up with the same key; an implementation should abort in that case.
Data is semantically a continuous bytestream, but it is broken up into segments for transmission. The index i counts the segments sent under a given sendKey, i.e. per direction. The format of the ith segment is:

```
[ 2 bytes: 16-bit body size n ]
[ n bytes: chacha20poly1305(key = sendKey,
                            message = plaintext,
                            nonce = i as uint64be,
                            additional data = "") ]
```

The body includes the 16-byte Poly1305 tag, so n = len(plaintext) + 16 and one segment carries at most 65519 bytes of plaintext. The nonce is never transmitted: the receiver reconstructs it from its own count of segments opened so far, so a replayed, reordered or dropped segment fails authentication rather than decrypting to garbage. Nothing in the framing marks the end of the stream, so detecting a prematurely closed connection is left to the application.
If TinySS-2 is sent during the handshake, the first byte of the data stream encodes a single-byte application-layer protocol indicator and should not be treated as part of the application data stream.

TinySS by itself is secure only against passive eavesdroppers: an active attacker can simply run the handshake separately with each side. To be secure against active attackers, the application must unforgeably verify the shared secret that TinySS exposes. For example, in the application-layer authentication protocol, the server can cryptographically sign a statement that includes the TinySS shared secret with a PKI-managed signing key; the client checks the signature against the key it expects and compares the signed secret with its own copy. A man-in-the-middle cannot pass this check, because the secret it shares with the client is not the one the server signed.
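The whole procedure above, with both endpoints run in one process, as an added worked example. This is not the TinySS project's code. It uses the `cryptography` package for X25519, HMAC-SHA256 key derivation and ChaCha20-Poly1305; that library offers only the IETF variant with a 12-byte nonce, so the 8-byte big-endian counter the spec describes is left-padded with zero bytes. The big-endian body length, aborting on a version mismatch, rejecting a reflected public key, and the rule that the client sends the TinySS-2 protocol indicator are assumptions, and the HTTP-like sample stream is constructed for the demo. Interoperating with a real TinySS peer would require matching its exact AEAD variant and byte order.

```python
# Added worked example (not the project's code): both ends of the TinySS
# handshake, key schedule and segment framing, simulated in-process.
import hashlib
import hmac
import struct

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

VERSIONS = (b"TinySS-1", b"TinySS-2")  # 8-byte ASCII prefix from the spec
TAG_LEN = 16                            # Poly1305 tag appended to every body
MAX_BODY = 0xFFFF                       # 16-bit body length field
MAX_PLAINTEXT = MAX_BODY - TAG_LEN      # 65519 bytes of plaintext per segment


class TinySSPeer:
    """One endpoint. Client and server run identical code; the spec is symmetric."""

    def __init__(self, version=b"TinySS-2"):
        if version not in VERSIONS:
            raise ValueError("unknown version string")
        self.version = version
        self._esk = X25519PrivateKey.generate()  # fresh (myEPK, myESK) per connection
        self.epk = self._esk.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
        self.shared_secret = None
        self.send_ctr = self.recv_ctr = 0        # per-direction segment index i

    def hello(self):
        """The only handshake message: version ++ myEPK (40 bytes)."""
        return self.version + self.epk

    def finish(self, their_hello):
        """Consume the peer's hello, run X25519 and derive the directional keys."""
        # ASSUMPTION: the spec does not say what to do on a version mismatch; abort.
        if len(their_hello) != 40 or their_hello[:8] != self.version:
            raise ValueError("bad hello: length or version prefix")
        their_epk = their_hello[8:]
        if their_epk == self.epk:  # ASSUMPTION: a reflected key would give one key for both directions
            raise ValueError("peer reflected our own public key")
        # cryptography raises ValueError itself if the X25519 result is all zero.
        self.shared_secret = self._esk.exchange(X25519PublicKey.from_public_bytes(their_epk))
        # sessKey_n = HMAC-SHA256(key="tinyss-sn", message=sharedSec): the label is the key.
        k1 = hmac.new(b"tinyss-s1", self.shared_secret, hashlib.sha256).digest()
        k2 = hmac.new(b"tinyss-s2", self.shared_secret, hashlib.sha256).digest()
        # Direction rule from the spec's pseudocode; Python bytes compare lexicographically.
        if self.epk < their_epk:
            recv_key, send_key = k1, k2
        else:
            recv_key, send_key = k2, k1
        self._send = ChaCha20Poly1305(send_key)
        self._recv = ChaCha20Poly1305(recv_key)

    @staticmethod
    def _nonce(i):
        # ASSUMPTION: the spec's 8-byte big-endian counter, zero-padded on the left
        # to the 12-byte nonce this library's IETF ChaCha20-Poly1305 requires.
        return b"\x00" * 4 + struct.pack(">Q", i)

    def seal(self, plaintext):
        """One segment: 2-byte body length ++ AEAD(plaintext) under the send index."""
        if len(plaintext) > MAX_PLAINTEXT:
            raise ValueError("plaintext too large for a 16-bit body length")
        body = self._send.encrypt(self._nonce(self.send_ctr), plaintext, b"")
        self.send_ctr += 1
        return struct.pack(">H", len(body)) + body  # ASSUMPTION: big-endian length

    def seal_stream(self, data):
        """Split an arbitrary bytestream into as many segments as it needs."""
        return [self.seal(data[i:i + MAX_PLAINTEXT]) for i in range(0, len(data), MAX_PLAINTEXT)]

    def open(self, segment):
        """Decrypt one segment. The nonce is implicit, so a replayed, reordered or
        dropped segment fails the tag check (InvalidTag); short bodies are rejected."""
        (n,) = struct.unpack(">H", segment[:2])
        body = segment[2:2 + n]
        if len(body) != n or n < TAG_LEN:
            raise ValueError("truncated segment")
        plaintext = self._recv.decrypt(self._nonce(self.recv_ctr), body, b"")
        self.recv_ctr += 1
        return plaintext


def run_demo():
    """Run both ends in-process and return the checks worth asserting on."""
    client, server = TinySSPeer(), TinySSPeer()
    c_hello, s_hello = client.hello(), server.hello()  # sent simultaneously
    client.finish(s_hello)
    server.finish(c_hello)
    results = {"secrets_match": client.shared_secret == server.shared_secret}

    # TinySS-2: the first stream byte is the protocol indicator (ASSUMPTION: client sends it).
    # Constructed sample: indicator 0x01, a request line, then 70000 bytes of padding,
    # which does not fit in one segment.
    stream = bytes([0x01]) + b"GET / HTTP/1.0\r\n\r\n" + bytes(70000)
    segments = client.seal_stream(stream)
    results["segment_count"] = len(segments)
    received = b"".join(server.open(s) for s in segments)
    results["indicator"] = received[0]
    results["app_data_ok"] = received[1:] == stream[1:]

    # The reverse direction uses the other session key.
    reply = b"HTTP/1.0 200 OK\r\n"
    results["reply_ok"] = client.open(server.seal(reply)) == reply

    # Replaying an old segment: the receiver's nonce has moved on, so the tag fails.
    try:
        server.open(segments[0])
        results["replay_rejected"] = False
    except InvalidTag:
        results["replay_rejected"] = True

    # A TinySS-1 peer refuses a TinySS-2 hello (version handling is an assumption).
    try:
        TinySSPeer(b"TinySS-1").finish(TinySSPeer(b"TinySS-2").hello())
        results["version_rejected"] = False
    except ValueError:
        results["version_rejected"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

Because the direction keys and the implicit counter are both derived, the two peers never negotiate anything after the 40-byte hello; everything that can go wrong (wrong key, replay, reorder, drop) surfaces as an `InvalidTag` on the receiving side, which is the behaviour a transport built on this spec should treat as fatal for the connection.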