README
¶
P2P Key Exchange
P2P Key Exchange is an authenticated key exchange built using the Noise Protocol Framework (NPF). It depends on a message based transport beneath it, and provides security, and at-most-once delivery of messages to callers. It makes no assumptions about the underlying transport, which can be anything that delivers datagrams larger than the per packet overhead.
Goals
- Secure any message based transport without knowing anything about the underlying transport protocol. This would make it useful on ethernet, IP, and UDP, as well as in overlay networks.
- Be Composable. Layer well on top of protocols and beneath protocols. Never assume the protocol is running on the bottom or top of the stack. This means small headers, and minimal communication not explicitly directed by the layer above.
- Work with signing keys.
- Simple. Use private and public keys directly, no certificates.
Compared to Other Protocols
| P2PKE | WireGuard | QUIC | DTLS 1.2 | |
|---|---|---|---|---|
| Secure Datagrams | ✅ | ✅ | ⚠️️ Draft Spec | ✅ |
| P2P | ✅ | ✅ | ⚠️ Connection IDs | ❌ Client/Server |
| Transport Agnostic | ✅ | ❌ UDP | ❌ UDP | ❌ UDP |
| PKI Complexity | ✅ Public Keys | ✅ Public Keys | ❌ x509 Certificates | ❌ x509 Certificates |
| Algorithm Choice | Signing Keys | None | Lots | Lots |
Why not {DTLS, QUIC, WireGuard} instead?
- In practice, all of the mentioned protocols make assumptions about UDP being beneath them. Even if the spec doesn't, the implementations usually do. Wireguard for example, assumes it has access to the IP address and UDP port of incoming messages.
- QUIC and DTLS are client server, so Wireguard is really the only protocol designed for p2p communication. QUIC does have connection IDs which solves the problem of both sides initiating connections simultaneously.
- QUIC doesn't provide a way to send Datagrams that doesn't assume it is running on UDP. You can't send a datagram larger than the max UDP size, for example.
- QUIC and DTLS require x509 certificates which are complicated. There are almost a dozen parameters that a user needs to understand to create a self signed cert. Contrast that with Wireguard which passes around base64 encoded public keys.
Cryptography
P2PKE uses the Noise Protocol Framework's NN Handshake with the suite (X25519, ChaCha20Poly1309, BLAKE2b) to establish a secure channel.
The channel binding is signed using a long-lived public signing key to authenticate the connection.
There is no way to configure the cryptography used to establish the secure session.
There is a choice of signing algorithm, a few types of signing key are supported.
P2PKE uses the p2p.Sign and p2p.Verify functions, which support RSA, DSA, and Ed25519 keys.
The signature scheme includes an extra layer of hashing with CSHAKE256 which includes an application specific purpose tag.
Wire Protocol
Sessions pass messages between one another consisting of a 4 byte header. The header is a single 32 bit integer containing the counter used for the message. The rest of the message is called the body herein.
Certain low counter values are reserved for the handshake messages, and the rest are used as nonces for symmetric encryption. The counter values are considered when noise calculates an authentication tag for a message. The counter values are also used for replay protection.
Message Types
InitHello
This message has a counter value of 0. The message body is an NPF handshake message containing a protocol buffer, and an appended 16 bit big endian integer which is the length of the protocol buffer data. This makes it possible to parse an InitHello from the end of the message regardless of the size of the public key which noise has prepended.
The protocol buffer contains the initiators signing key, and a signature of a timestamp.
RespHello
This message has a counter value of 1. The message body is an NPF handshake message containing a protocol buffer.
The protocol buffer contains the responders signing key, and a signature of the channel binding.
InitDone
This message has a counter value of 2. The message body is an NPF symmetric message containing a protocol buffer.
The protocol buffer contains a signature of the channel binding from the initiator.
RespDone
This message has a counter value of 3. The message body is an NPF symmetric message containing an empty payload.
Data
Data messages have counter values >= 16 and <= 2^32 - 2. The non-counter portion is an NPF message containing application data.
Sessions
A Session encapsulates the handshake state machine, the symmetric ciphers, outbound counter, and replay filter. The idea is that you can just keep delivering messages to a session and it will either give you an error, or some data to send back, or data to deliver to the application.
The session has no internal timers or background goroutines. It only knows what time it is based on what the caller tells it. Sessions have a tree-like state machine, without any cycles, starting in an initial state and eventually expiring due to a handshake failure, or message count or time conditions. Sessions have a short lifecycle. They are bounded both by a maximum number of messages (2^32-2) and a maximum age (3 minutes).
Handshake
The Session handshake state machine looks like this:
INITIATOR RESPONDER
0 SendingInitHello/AwaitingRespHello AwaitingInitHello
1 SendingResponseHello/AwaitingInitDone
2 SendingInitDone/AwaitingRespDone
3 HandshakeComplete
4 HandshakeComplete
In each of these states except HandshakeComplete, the sessions will respond to the preceeding handshake messages with the next handshake message, even if they have already done so. This allows for retries.
The Initiator has authenticated the Responder after RespHello is received, but it cannot send until the Responder has authenticated it, or it risks having its messages dropped. The Responder will not buffer messages which it cannot authenticate. So the Initiator must wait until it receives application data or (more likely) the RespDone message.
The Responder has authenticated the Initiator after it has received the InitDone, but will respond to handshake messages until application data has been sent.
Channels
Channels are a long lived secure channel between two parties. Channels manage creating and discarding sessions as they expire. Once a channel has established a session all future sessions must have the same remote key.
The Channel API:
// NewChannel creates a channel, there is no distinction between initiator or responder
NewChannel(ChannelConfig) *Channel
// Send is used to send an encrypted message across the channel, it may need to create a session.
Send(ctx context.Context, x []byte) error
// Deliver is used to deliver inbound messages to the channel.
Deliver(out, x []byte) ([]byte, error)
Parameters (Required)
PrivateKey: PrivateKeyThe signing key to use when authenticating the Channel.Send: func([]byte)A function which is called by the Channel to send data.AcceptKey: func(PublicKey) boolA function which determines whether to connect to a party identifying as a given public key.
Versions
P2PKE is a versioned protocol; the InitHello message has a version field. The version determines all the cryptographic parameters in the protocol. There is no version negotiation. The initiator dictates what protocol to use, and the responder can respond with an error if it does not support that protocol. So if and when a version 2 shows up, peers will prefer version 2, but accept version 1, and then eventually reject version 1 completely.
Documentation
¶
Index ¶
- Constants
- Variables
- func IsHello(x []byte) bool
- func IsInitHello(x []byte) bool
- func IsPostHandshake(x []byte) bool
- func IsRespHello(x []byte) bool
- func PrettyPrint(msg Message) string
- type Channel
- func (c *Channel) Close() error
- func (c *Channel) Deliver(out, x []byte) ([]byte, error)
- func (c *Channel) LastReceived() time.Time
- func (c *Channel) LastSent() time.Time
- func (c *Channel) LocalKey() x509.PublicKey
- func (c *Channel) RemoteKey() x509.PublicKey
- func (c *Channel) Send(ctx context.Context, x p2p.IOVec) error
- func (c *Channel) WaitReady(ctx context.Context) error
- type ChannelConfig
- type Direction
- type ErrDecryptionFailure
- type ErrEarlyData
- type ErrSessionExpired
- type InitDone
- type InitHello
- func (*InitHello) Descriptor() ([]byte, []int)deprecated
- func (x *InitHello) GetKeyX509() []byte
- func (x *InitHello) GetSig() []byte
- func (x *InitHello) GetTimestampTai64N() []byte
- func (x *InitHello) GetVersion() uint32
- func (*InitHello) ProtoMessage()
- func (x *InitHello) ProtoReflect() protoreflect.Message
- func (x *InitHello) Reset()
- func (x *InitHello) String() string
- type Message
- type RespHello
- type SendFunc
- type Session
- func (s *Session) Deliver(out []byte, incoming []byte, now time.Time) (bool, []byte, error)
- func (s *Session) ExpiresAt() time.Time
- func (s *Session) Handshake(out []byte) []byte
- func (s *Session) InitHelloTime() tai64.TAI64N
- func (s *Session) IsInit() bool
- func (s *Session) IsReady() bool
- func (s *Session) LocalKey() x509.PublicKey
- func (s *Session) RemoteKey() x509.PublicKey
- func (s *Session) Send(out, ptext []byte, now time.Time) ([]byte, error)
- func (s *Session) String() string
- type SessionConfig
- type Timer
Constants ¶
const ( // Overhead is the per message overhead taken up by P2PKE. Overhead = 4 + 16 // MaxMessageLen is the maximum message size that applications can send through the channel. MaxMessageLen = noise.MaxMsgLen - Overhead // MaxNonce is the maxmium number of messages that can be sent through a channel. MaxNonce = math.MaxUint32 - 1 // RekeyAfterTime is the default. RekeyAfterTime = 120 * time.Second // RejectAfterTime is the default. RejectAfterTime = 180 * time.Second // RekeyAfterMessages is the number of messages that can be sent over a session before a rekey is triggered. RekeyAfterMessages = MaxNonce / 2 // KeepAliveTimeout is the default. KeepAliveTimeout = 15 * time.Second // HandshakeBackoff is the default. HandshakeBackoff = 250 * time.Millisecond )
const ( InitToResp = Direction(iota) RespToInit )
Variables ¶
var File_p2pke_proto protoreflect.FileDescriptor
Functions ¶
func IsInitHello ¶
IsInitHello returns true if x contains an InitHello message
func IsPostHandshake ¶
func IsRespHello ¶
IsRespHello returns true if x contains a RespHello message
func PrettyPrint ¶
Types ¶
type Channel ¶
type Channel struct {
// contains filtered or unexported fields
}
func NewChannel ¶
func NewChannel(params ChannelConfig) *Channel
func (*Channel) Close ¶
Close releases all resources associated with the channel. send will not be called after Close completes.
func (*Channel) Deliver ¶
Deliver decrypts the payload in x if it contains application data, and appends it to out. if err != nil, then an error occured. The Channel is capable of recovering. if out != nil, then it is application data. if out == nil, then the message was either invalid or contained a handshake message and there is nothing more for the caller to do.
e.g. out, err := c.Deliver(nil, input)
if err != nil {
// handle the error
} else if out != nil {
// deliver application data
} else {
// nothing to do
}
func (*Channel) LastReceived ¶
LastReceived returns the time that a message was received
func (*Channel) LocalKey ¶
LocalKey returns the public key used by the local party to authenticate. It will correspond to the private key passed to NewChannel.
func (*Channel) RemoteKey ¶
RemoteKey returns the public key used by the remote party to authenticate. It can be nil, if there has been no successful handshake.
type ChannelConfig ¶
type ChannelConfig struct {
Registry x509.Registry
// PrivateKey is the signing key used to prove identity to the other party in the channel.
// *REQUIRED*
PrivateKey x509.PrivateKey
// Send is used to send p2pke protocol messages including ciphertexts and handshake messages.
// *REQUIRED*
Send SendFunc
// AcceptKey is used to check if a key is allowed before connecting
// *REQUIRED*.
AcceptKey func(*x509.PublicKey) bool
// Logger is used for logging, nil disables logs.
Logger *zap.Logger
// KeepAliveTimeout is the amount of time to consider a session alive wihtout receiving a message
// through it.
KeepAliveTimeout time.Duration
// HandshakeBackoff is the amount of time to wait between sending handshake messages.
HandshakeBackoff time.Duration
// RekeyAfterTime is the amount of time between rekeying a session.
RekeyAfterTime time.Duration
// RejectAfterTime is the duration after session creation when the session will send and
// received messages.
RejectAfterTime time.Duration
}
type ErrDecryptionFailure ¶
ErrDecryptionFailure is returned by a Session when a message failed to decrypt.
func (ErrDecryptionFailure) Error ¶
func (e ErrDecryptionFailure) Error() string
type ErrEarlyData ¶
ErrEarlyData is returned by the session when application data arrives early. There is no way to verify this data without a
func (ErrEarlyData) Error ¶
func (e ErrEarlyData) Error() string
type ErrSessionExpired ¶
ErrSessionExpired is returned when the session is too old to be used anymore and needs to be put down.
func (ErrSessionExpired) Error ¶
func (e ErrSessionExpired) Error() string
type InitDone ¶
type InitDone struct {
Sig []byte `protobuf:"bytes,1,opt,name=sig,proto3" json:"sig,omitempty"`
// contains filtered or unexported fields
}
func (*InitDone) Descriptor
deprecated
func (*InitDone) ProtoMessage ¶
func (*InitDone) ProtoMessage()
func (*InitDone) ProtoReflect ¶
func (x *InitDone) ProtoReflect() protoreflect.Message
type InitHello ¶
type InitHello struct {
Version uint32 `protobuf:"varint,1,opt,name=version,proto3" json:"version,omitempty"`
TimestampTai64N []byte `protobuf:"bytes,2,opt,name=timestamp_tai64n,json=timestampTai64n,proto3" json:"timestamp_tai64n,omitempty"`
KeyX509 []byte `protobuf:"bytes,3,opt,name=key_x509,json=keyX509,proto3" json:"key_x509,omitempty"`
Sig []byte `protobuf:"bytes,4,opt,name=sig,proto3" json:"sig,omitempty"`
// contains filtered or unexported fields
}
func (*InitHello) Descriptor
deprecated
func (*InitHello) GetKeyX509 ¶
func (*InitHello) GetTimestampTai64N ¶
func (*InitHello) GetVersion ¶
func (*InitHello) ProtoMessage ¶
func (*InitHello) ProtoMessage()
func (*InitHello) ProtoReflect ¶
func (x *InitHello) ProtoReflect() protoreflect.Message
type RespHello ¶
type RespHello struct {
KeyX509 []byte `protobuf:"bytes,1,opt,name=key_x509,json=keyX509,proto3" json:"key_x509,omitempty"`
Sig []byte `protobuf:"bytes,2,opt,name=sig,proto3" json:"sig,omitempty"`
// contains filtered or unexported fields
}
func (*RespHello) Descriptor
deprecated
func (*RespHello) GetKeyX509 ¶
func (*RespHello) ProtoMessage ¶
func (*RespHello) ProtoMessage()
func (*RespHello) ProtoReflect ¶
func (x *RespHello) ProtoReflect() protoreflect.Message
type SendFunc ¶
type SendFunc func([]byte)
SendFunc is the type of functions called to send messages by the channel.
type Session ¶
type Session struct {
// contains filtered or unexported fields
}
func NewSession ¶
func NewSession(params SessionConfig) *Session
func (*Session) Deliver ¶
Deliver gives the session a message. If there is data in the message it will be returned as a non nil slice, appended to out. If there is not data, then a nil slice, and nil error will be returned.
isApp, out, err := s.Deliver(out, incoming, now)
if err != nil {
// handle err
}
if !isApp && len(out) > 0 {
} else if isApp {
}
func (*Session) Handshake ¶
Handshake appends the current handshake message to out. Handshake returns nil if there is no handshake message to send.
Source Files