Here we give a technical overview of how Ames implements cryptography.
Summary
By default, all packets are encrypted with 256-bit AES symmetric key encryption, whose key is obtained by Diffie-Hellman key exchange, with public/private keys generated using elliptic curve Curve25519. The only exception to this are comet self-attestation packets, which are unencrypted.
All packets are also signed using Elliptic Curve Digital Signature Algorithm.
The $ames-state includes a +acru:ames core, an interface
core into which one of the cryptosuites in zuse may be implemented. Some, but
not all, of the calls to cryptography-related tasks (encryption, signing,
decrypting, and authenticating) are peformed utilizing the +acru core.
Packet encryption and authentication
Each Urbit ship possesses two networking keypairs: one for encryption, and one for authentication. We often refer to these two keypairs as though they were a single keypair because they are stored as a single atom. Elliptic Curve Diffie-Hellman is used for encryption, while Elliptic Curve Digital Signature Algorithm is used for authentication
The encrypted payload of each packet is a $shut-packet, which is the +jam of
a cell with the $bone, message number, and message fragment or ack (see
Ames for more information on packet structure). The
message fragment is signed using the authentication key. It is encrypted using
+en:crub:crypto found in
sys/zuse.hoon, which utilizes the 256-bit AES-SIV algorithm.
Diffie-Hellman key exchange
For each foreign ship a given ship has communicated with, $ames-state contains a
$peer-state, inside which the $symmetric-key (an atom which nests under
@uw) is utilized for encrypting all Ames packets shared between the two ships.
The symmetric-key is derived using +shar:ed:crypto found in sys/zuse.hoon,
which is an arm utilized for generating the symmetric key for elliptic curve
Diffie-Hellman key
exchange
with curve25519. Briefly, each ship
in a two-way conversation computes the shared symmetric key for that
conversation by computing the product of their own private key and the public
key of the other party.
Comet self-attestation
Recall that the @p of a comet is the hash of their 128-bit public key cast as
a @p. Since the public key of a comet is not stored on Azimuth, a comet proves
its identity with an "attestation packet". This is an unencrypted packet whose
payload is the comet's signature created with its private key. This is the only
circumstance under which a ship will send an unencrypted packet. The signature
is generated with
+sign:as:crub found in
sys/zuse.hoon.
Upon hearing an attestation packet, the receiving ship will generate a symmetric key for communications with the comet, according to the key exchange protocol.
The fact that the first packet exchanged between a comet and another ship must be an attestation packet is why comets are unable to initiate communication with one another, and also why comets must be the first to initiate communication with a non-comet. This is a technical limitation with a planned workaround.
+acru:ames
The +crypto-core in $ames-state is an +acru:ames core, a
lead
interface core for asymmetric cryptosuites found in sys/lull.hoon which
handles encryption, decryption, signing, and verifying. In practice, the only
cryptosuite in use is +crub:crypto, which implements Suite B
Cryptography.
++ acru $_ ^? :: asym cryptosuite
|% :: opaque object
++ as ^? :: asym ops
|% ++ seal |~([a=pass b=@] *@) :: encrypt to a
++ sign |~(a=@ *@) :: certify as us
++ sure |~(a=@ *(unit @)) :: authenticate from us
++ tear |~([a=pass b=@] *(unit @)) :: accept from a
-- ::as ::
++ de |~([a=@ b=@] *(unit @)) :: symmetric de, soft
++ dy |~([a=@ b=@] *@) :: symmetric de, hard
++ en |~([a=@ b=@] *@) :: symmetric en
++ ex ^? :: export
|% ++ fig *@uvH :: fingerprint
++ pac *@uvG :: default passcode
++ pub *pass :: public key
++ sec *ring :: private key
-- ::ex ::
++ nu ^? :: reconstructors
|% ++ pit |~([a=@ b=@] ^?(..nu)) :: from [width seed]
++ nol |~(a=ring ^?(..nu)) :: from ring
++ com |~(a=pass ^?(..nu)) :: from pass
-- ::nu ::
-- ::acru ::
As the +acru core is merely an interface, the details on how it is implemented
may vary according to the cryptosuite. We summarize what each
core is utilized for here, but see
crub:crypto for more details on
how the specific cryptosuite utilized by Ames is implemented.
+as:acru
This core is used for the standard asymmetric cryptographic operations: encrypting
(+seal), signing (+sign), authenticating (+sure), and decrypting (+tear).
+ex:acru
This core is used to extract keys and their fingerprints. +sec is the secret key (which
may be empty), +pub is the public key associated to the secret key, +pac is
the fingerprint associated to the secret key, and +fig is the fingerprint
associated to the public key. We note that when the core contains both
encryption and authentication keys, they are typically concatenated to be
returned as a single atom.
+nu:acru
This core contains constructors for the +acru core. +pit:nu is used to
construct an +acru core with both a private and public key (i.e. both
+sec:ex and +pub:ex are set) from a bitlength and seed. +nol:nu can then be
called from an +acru core created with +pit:nu to get an +acru core with
only the secret key, while +com:nu can be called to get an +acru core with
only the public key.
+en:acru, +de:acru, and +dy:acru
These arms are for symmetric encryption (+en) and decryption (+de and
+dy). The difference between the decryption arms is that +de returns null
and +dy crashes upon failure.