I've written up a discussion I've just had with Scott on #freenet. In the hope
that others will find it useful. It's at
http://freenet.sourceforge.net/fncrypto.pdf. The pdftotext output is included
below - but the PDF is much clearer.
AGL
--paste--
Freenet Cryptographic Layer
Adam Langley, agl at linuxpower.org
The following is based on an IRC chat with Scott
Key Exchange
The key exchage system is temporary. Scott and Oskar expect to switch to a full
public-private key system
at a later date.
The current key exchage system is Diffie-Hellman (Applied Cryptography,
Chapter 22). The following
is quoted from Applied Cryptography.
The math is simple. First, Alice and Bob agree on a large prime, n
and g such that g is primitive
mod n. These two integers don't have to be secret; Alice and Bob can
agree to them over some
insecure channel. They can even be common among a group of users. It
doesn't matter.
Then, the protocol goes as follows:
(1) Alice chooses a random large integer x and sends Bob
X = gx mod n
(2) Bob chooses a random large integer y and sends Alice
Y = gy mod n
(3) Alice computes
k = Y x mod n
(4) Bob computes
k = Xy mod n
Both k and k are equal to gxy mod n. No one listening on the
channel can compute that value;
they only know n, g, X and Y . Unless they can compute the discrete
logarithm and recover x or y, they
do not solve the problem. So, k is the secret key that both Alice and Bob
computed independantly.
Some things still need to be defined. By `send', we mean:
* Send two bytes representing the length of the bigint
* Send the big-endian bytes of the number
Hash the bytes of k plus a single byte m. Initally, m = 0. Each hash generates
20 bytes of key. The length
of the key is dependant on the block cipher being used (currently Twofish). You
increment m by 1 and hash
again, and so generate all the key bits you need. Thus the maximum key length
is currently (20 ? 8) ? 28
which is 40960 bits.
Now both sides have the shared key we switch to sending data with the block
cipher in PCFB mode.
PCFB Mode
PCFB mode is Periodic Cipher Feedback Mode. Each direction is treated as a
different object. The code
is the same but you have one set of data for recving and one for transmitting.
The text below describes one
side only, and remember this happens on both ends
Two buffers are setup, a[] and b[]. In the Java code these are called
feedback register[] and feed -
back buffer[]. The arrays are the size of the cipher's blocksize. Fill a[] with
random bytes and transmit
1
those random bytes to the peer. That's the IV. The peer puts that data into its
a[] and both sides encrypt
a[] and put the results in b[].
To transmit a byte, XOR it with a byte from b[] and also put it in a[]. So
to fill a transmit buffer t[]
from plain text buffer p[] do:
for (i = 0; i < BLOCKSIZE; i++) t[i] = a[i] = p[i] XOR b[i];
The peer can now decrypt t[] by XORing it with b[], the peer also puts t[]
in a[]. In other words, both
ends put the encrypted byte in the feedback register, a[]).
Once you have transmitted a buffers worth of bytes you need to refill the
buffer. To do so, encrypt a[] to
get the new b[]. Note that this uses the block cipher in encryption mode for
both encryption and decryption.
You then continue with the refilled b[].
AGL
--
Just because you don't understand it doesn't mean that it doesn't work
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 240 bytes
Desc: not available
URL:
<https://emu.freenetproject.org/pipermail/devl/attachments/20000512/653acf26/attachment.pgp>
