{% extends "_layout.html" %} {% block title %}SSU Specification{% endblock %} {% block content %} Updated July 2010 for release 0.8

See the SSU page for an overview of the SSU transport.

Specification

The goal of this protocol is to provide secure, authenticated, semireliable, and unordered message delivery, exposing only a minimal amount of data easily discernible to third parties. It should support high degree communication as well as TCP-friendly congestion control, and may include PMTU detection. It should be capable of efficiently moving bulk data at rates sufficient for home users. In addition, it should support techniques for addressing network obstacles, like most NATs or firewalls.

Addressing and introduction

To contact an SSU peer, one of two sets of information is necessary: a direct address, for when the peer is publicly reachable, or an indirect address, for using a third party to introduce the peer. There is no restriction on the number of addresses a peer may have.

    Direct: ssu://host:port/introKey[?opts=[A-Z]*]
  Indirect: ssu://tag@relayhost:port/relayIntroKey/targetIntroKey[?opts=[A-Z]*]

These introduction keys are delivered through an external channel (the network database, where they are identical to the router Hash for now) and must be used when establishing a session key. For the indirect address, the peer must first contact the relayhost and ask them for an introduction to the peer known at that relayhost under the given tag. If possible, the relayhost sends a message to the addressed peer telling them to contact the requesting peer, and also gives the requesting peer the IP and port on which the addressed peer is located. In addition, the peer establishing the connection must already know the public keys of the peer they are connecting to (but not necessary to any intermediary relay peer).

Each of the addresses may also expose a series of options - special capabilities of that particular peer. For a list of available capabilities, see below.

All UDP datagrams begin with a 16 byte MAC (Message Authentication Code) and a 16 byte IV (Initialization Vector followed by a variable size payload encrypted with the appropriate key. The MAC used is HMAC-MD5, truncated to 16 bytes, while the key is a full 32 byte AES256 key. The specific construct of the MAC is the first 16 bytes from:

  HMAC-MD5(payload || IV || (payloadLength ^ protocolVersion), macKey)

The protocol version is currently 0.

The payload itself is AES256/CBC encrypted with the IV and the sessionKey, with replay prevention addressed within its body, explained below. The payloadLength in the MAC is a 2 byte unsigned integer in 2s complement.

The protocolVersion is a 2 byte unsigned integer in 2s complement, and currently set to 0. Peers using a different protocol version will not be able to communicate with this peer, though earlier versions not using this flag are.

Payload

Within the AES encrypted payload, there is a minimal common structure to the various messages - a one byte flag and a four byte sending timestamp (*seconds* since the unix epoch). The flag byte contains the following bitfields:

  bits 0-3: payload type
     bit 4: rekey?
     bit 5: extended options included
  bits 6-7: reserved

If the rekey flag is set, 64 bytes of keying material follow the timestamp. If the extended options flag is set, a one byte option size value is appended to, followed by that many extended option bytes, which are currently uninterpreted.

When rekeying, the first 32 bytes of the keying material is fed into a SHA256 to produce the new MAC key, and the next 32 bytes are fed into a SHA256 to produce the new session key, though the keys are not immediately used. The other side should also reply with the rekey flag set and that same keying material. Once both sides have sent and received those values, the new keys should be used and the previous keys discarded. It may be useful to keep the old keys around briefly, to address packet loss and reordering.

NOTE: Rekeying is currently unimplemented.

 Header: 37+ bytes
 +----+----+----+----+----+----+----+----+
 |                  MAC                  |
 |                                       |
 +----+----+----+----+----+----+----+----+
 |                   IV                  |
 |                                       |
 +----+----+----+----+----+----+----+----+
 |flag|        time       | (optionally  |
 +----+----+----+----+----+              |
 | this may have 64 byte keying material |
 | and/or a one+N byte extended options) |
 +---------------------------------------|

Messages

There are 8 messages defined:

TypeMessageNotes
0SessionRequest
1SessionCreated
2SessionConfirmed
8SessionDestroyedUnimplemented
3RelayRequest
4RelayResponse
5RelayIntro
6Data
7PeerTest

SessionRequest (type 0)

Peer: Alice to Bob
Data:
  • 256 byte X, to begin the DH agreement
  • 1 byte IP address size
  • that many byte representation of Bob's IP address
  • N bytes, currently uninterpreted (later, for challenges)
Key used: introKey
 +----+----+----+----+----+----+----+----+
 |         X, as calculated from DH      |
 |                                       |
                 .   .   .               
 |                                       |
 +----+----+----+----+----+----+----+----+
 |size| that many byte IP address (4-16) |
 +----+----+----+----+----+----+----+----+
 |           arbitrary amount            |
 |        of uninterpreted data          |
                 .   .   .               
 |                                       |
 +----+----+----+----+----+----+----+----+

SessionCreated (type 1)

Peer: Bob to Alice
Data:
  • 256 byte Y, to complete the DH agreement
  • 1 byte IP address size
  • that many byte representation of Alice's IP address
  • 2 byte port number (unsigned, big endian 2s complement)
  • 4 byte relay tag which Alice can publish (else 0x0)
  • 4 byte timestamp (seconds from the epoch) for use in the DSA signature
  • 40 byte DSA signature of the critical exchanged data (X + Y + Alice's IP + Alice's port + Bob's IP + Bob's port + Alice's new relay tag + Bob's signed on time), encrypted with another layer of encryption using the negotiated sessionKey. The IV is reused here.
  • 8 bytes padding, encrypted with an additional layer of encryption using the negotiated session key as part of the DSA block
  • N bytes, currently uninterpreted (later, for challenges)
Key used: introKey, with an additional layer of encryption over the 40 byte signature and the following 8 bytes padding.
 +----+----+----+----+----+----+----+----+
 |         Y, as calculated from DH      |
 |                                       |
                 .   .   .               
 |                                       |
 +----+----+----+----+----+----+----+----+
 |size| that many byte IP address (4-16) |
 +----+----+----+----+----+----+----+----+
 | Port (A)| public relay tag  |  signed
 +----+----+----+----+----+----+----+----+
   on time |                             |
 +----+----+                             |
 |              DSA signature            |
 |                                       |
 |                                       |
 |                                       |
 |         +----+----+----+----+----+----+
 |         |     (8 bytes of padding) 
 +----+----+----+----+----+----+----+----+
           |                             |
 +----+----+                             |
 |           arbitrary amount            |
 |        of uninterpreted data          |
                 .   .   .               
 |                                       |
 +----+----+----+----+----+----+----+----+

SessionConfirmed (type 2)

Peer: Alice to Bob
Data:
  • 1 byte identity fragment info:
    bits 0-3: current identity fragment #
bits 4-7: total identity fragments
  • 2 byte size of the current identity fragment
  • that many byte fragment of Alice's identity.
  • on the last identity fragment, the signed on time is included after the identity fragment, and the last 40 bytes contain the DSA signature of the critical exchanged data (X + Y + Alice's IP + Alice's port + Bob's IP + Bob's port + Alice's new relay key + Alice's signed on time)
Key used: sessionKey
 Fragment 1 through N-1
 +----+----+----+----+----+----+----+----+
 |info| cursize |                        |
 +----+----+----+                        |
 |      fragment of Alice's full         |
 |            identity keys              |
                 .   .   .               
 |                                       |
 +----+----+----+----+----+----+----+----+
 
 Fragment N:
 +----+----+----+----+----+----+----+----+
 |info| cursize |                        |
 +----+----+----+                        |
 |      fragment of Alice's full         |
 |            identity keys              |
                 .   .   .               
 |                                       |
 +----+----+----+----+----+----+----+----+
 |  signed on time   |                   |
 +----+----+----+----+                   |
 |  arbitrary amount of uninterpreted    |
 |        data, up from the end of the   |
 |  identity key to 40 bytes prior to    |
 |       end of the current packet       |
 +----+----+----+----+----+----+----+----+
 | DSA signature                         |
 |                                       |
 |                                       |
 |                                       |
 |                                       |
 +----+----+----+----+----+----+----+----+

SessionDestroyed (type 8)

Currently unimplemented, scheduled for implementation in version 0.8.1.
Peer: Alice to Bob or Bob to Alice
Data: none
Key used: sessionKey or introKey
 +----+----+----+----+----+----+----+----+
 |              no data                  |
 +----+----+----+----+----+----+----+----+

RelayRequest (type 3)

Peer: Alice to Bob
Data:
  • 4 byte relay tag
  • 1 byte IP address size
  • that many byte representation of Alice's IP address
  • 2 byte port number (of Alice)
  • 1 byte challenge size
  • that many bytes to be relayed to Charlie in the intro
  • Alice's intro key (so Bob can reply with Charlie's info)
  • 4 byte nonce of alice's relay request
  • N bytes, currently uninterpreted
Key used: introKey (or sessionKey, if Alice/Bob is established)
 +----+----+----+----+----+----+----+----+
 |      relay tag    |size| that many    |
 +----+----+----+----+----+         +----|
 | bytes for Alice's IP address     |port
 +----+----+----+----+----+----+----+----+
  (A) |size| that many challenge bytes   |
 +----+----+                             |
 | to be delivered to Charlie            |
 +----+----+----+----+----+----+----+----+
 | Alice's intro key                     |
 |                                       |
 |                                       |
 |                                       |
 +----+----+----+----+----+----+----+----+
 |       nonce       |                   |
 +----+----+----+----+                   |
 | arbitrary amount of uninterpreted data|
 +----+----+----+----+----+----+----+----+

RelayResponse (type 4)

Peer: Bob to Alice
Data:
  • 1 byte IP address size
  • that many byte representation of Charlie's IP address
  • 2 byte port number
  • 1 byte IP address size
  • that many byte representation of Alice's IP address
  • 2 byte port number
  • 4 byte nonce sent by Alice
  • N bytes, currently uninterpreted
Key used: introKey (or sessionKey, if Alice/Bob is established)
 +----+----+----+----+----+----+----+----+
 |size| that many bytes making up        |
 +----+                        +----+----+
 | Charlie's IP address        | Port (C)|
 +----+----+----+----+----+----+----+----+
 |size| that many bytes making up        |
 +----+                        +----+----+
 | Alice's IP address          | Port (A)|
 +----+----+----+----+----+----+----+----+
 |       nonce       |                   |
 +----+----+----+----+                   |
 | arbitrary amount of uninterpreted data|
 +----+----+----+----+----+----+----+----+

RelayIntro (type 5)

Peer: Bob to Charlie
Data:
  • 1 byte IP address size
  • that many byte representation of Alice's IP address
  • 2 byte port number (of Alice)
  • 1 byte challenge size
  • that many bytes relayed from Alice
  • N bytes, currently uninterpreted
Key used: sessionKey
 +----+----+----+----+----+----+----+----+
 |size| that many bytes making up        |
 +----+                        +----+----+
 | Alice's IP address          | Port (A)|
 +----+----+----+----+----+----+----+----+
 |size| that many bytes of challenge     |
 +----+                                  |
 | data relayed from Alice               |
 +----+----+----+----+----+----+----+----+
 | arbitrary amount of uninterpreted data|
 +----+----+----+----+----+----+----+----+

Data (type 6)

Peer: Any
Data:
  • 1 byte flags:
       bit 0: explicit ACKs included
   bit 1: ACK bitfields included
   bit 2: reserved
   bit 3: explicit congestion notification
   bit 4: request previous ACKs
   bit 5: want reply
   bit 6: extended data included
   bit 7: reserved
  • if explicit ACKs are included:
    • a 1 byte number of ACKs
    • that many 4 byte MessageIds being fully ACKed
  • if ACK bitfields are included:
    • a 1 byte number of ACK bitfields
    • that many 4 byte MessageIds + a 1 or more byte ACK bitfield. The bitfield uses the 7 low bits of each byte, with the high bit specifying whether an additional bitfield byte follows it (1 = true, 0 = the current bitfield byte is the last). These sequence of 7 bit arrays represent whether a fragment has been received - if a bit is 1, the fragment has been received. To clarify, assuming fragments 0, 2, 5, and 9 have been received, the bitfield bytes would be as follows:
      byte 0
   bit 0: 1 (further bitfield bytes follow)
   bit 1: 1 (fragment 0 received)
   bit 2: 0 (fragment 1 not received)
   bit 3: 1 (fragment 2 received)
   bit 4: 0 (fragment 3 not received)
   bit 5: 0 (fragment 4 not received)
   bit 6: 1 (fragment 5 received)
   bit 7: 0 (fragment 6 not received)
byte 1
   bit 0: 0 (no further bitfield bytes)
   bit 1: 0 (fragment 7 not received)
   bit 1: 0 (fragment 8 not received)
   bit 1: 1 (fragment 9 received)
   bit 1: 0 (fragment 10 not received)
   bit 1: 0 (fragment 11 not received)
   bit 1: 0 (fragment 12 not received)
   bit 1: 0 (fragment 13 not received)
  • If extended data included:
    • 1 byte data size
    • that many bytes of extended data (currently uninterpreted)
  • 1 byte number of fragments (can be zero)
  • If nonzero, that many message fragments:
    • 4 byte messageId
    • 3 byte fragment info:
        bits 0-6: fragment #
     bit 7: isLast (1 = true)
  bits 8-9: unused
bits 10-23: fragment size
    • that many bytes
  • N bytes padding, uninterpreted
Key used: sessionKey
 +----+----+----+----+----+----+----+----+
 |flag| (additional headers, determined  |
 +----+                                  |
 | by the flags, such as ACKs or         |
 | bitfields                             |
 +----+----+----+----+----+----+----+----+
 |#frg|     messageId     |   frag info  |
 +----+----+----+----+----+----+----+----+
 | that many bytes of fragment data      |
                  .  .  .                                       
 |                                       |
 +----+----+----+----+----+----+----+----+
 |     messageId     |   frag info  |    |
 +----+----+----+----+----+----+----+    |
 | that many bytes of fragment data      |
                  .  .  .                                       
 |                                       |
 +----+----+----+----+----+----+----+----+
 |     messageId     |   frag info  |    |
 +----+----+----+----+----+----+----+    |
 | that many bytes of fragment data      |
                  .  .  .                                       
 |                                       |
 +----+----+----+----+----+----+----+----+
 | arbitrary amount of uninterpreted data|
 +----+----+----+----+----+----+----+----+

PeerTest (type 7)

Peer: Any
Data:
  • 4 byte nonce
  • 1 byte IP address size
  • that many byte representation of Alice's IP address
  • 2 byte port number
  • Alice's introduction key
  • N bytes, currently uninterpreted
Key used: introKey (or sessionKey if the connection has already been established)
 +----+----+----+----+----+----+----+----+
 |    test nonce     |size| that many    |
 +----+----+----+----+----+              |
 |bytes making up Alice's IP address     |
 |----+----+----+----+----+----+----+----+
 | Port (A)| Alice or Charlie's          |
 +----+----+                             |
 | introduction key (Alice's is sent to  |
 | Bob and Charlie, while Charlie's is   |                                      |
 | sent to Alice)                        |
 |         +----+----+----+----+----+----+
 |         | arbitrary amount of         |
 |----+----+                             |
 | uninterpreted data                    |
 +----+----+----+----+----+----+----+----+
{% endblock %}