Advanced encryption module

Security level: Great level of encryption
Type: Symmetric
Cipher: Stream cipher - ChaCha20+Poly1305
Key Exchange: ephemeral ECDH

Introduction

This is the most secure encryption module that is shipped with the framework by default. It provides better security than the default (basic) module, but this comes with the price of the higher overhead. The overhead in this case is 12 bytes long nonce that is prepended to the packet and another 16 bytes that are appended to the ciphertext to provide authenticity and integrity for the message.

At the first round, the secure key exchange is done against the server and the server's public key is hashed. That hash is used as a fingerprint and saved along with the IP into the misc/known_hosts file.
If the fingerprint stored in the file does not match with the server's fingerprint then it could mean that:

• An attacker executed a MITM attack
• The server's key was changed - possible a different encryption module is in use.

If the fingerprint matched the stored hash value then a second key exchange will happen with randomly generated EC keys. From this key exchange the shared key is derived which will be the symmetric key for the encryption.

When to use

Feel free to use this module whenever you like, but please note that in some cases (for example with the DNS module) it could make the communication fail. Because of the overhead an empty message would be at least 28bytes, which is a luxury in some edge cases, for example when you can only send 50 bytes.

Configuration

[Encryption]
module = advanced

The fingerprints are stored in the misc/known_hosts file. If a fingerprint needs to be updated or removed, please find it in this file.