Global Shared Secret

Karel Donk edited this page Aug 14, 2018 · 2 revisions

When developing your own applications using the QuantumGate library and API, you can configure a Global Shared Secret (GSS) for the local instance through the StartupParameters. The GSS is comparable to a Pre-Shared Key (PSK). You can use your own secure channel outside of QuantumGate to distribute the GSS to anyone who needs to know it, and you can use your own methods for deriving it. For example, it could simply be the result of a passphrase which gets hashed or processed through a key derivation function (such as HKDF).

Once you have configured the local instance to use a GSS, anyone who connects to your local instance will need to know the GSS and:

  • either have their own instance of QuantumGate use the same GSS by default through the StartupParameters, or
  • specify it when making a connection to your instance through the ConnectParameters.

The GSS provides an additional method of authentication, since only peers that know the secret will be able to connect to the local instance. In addition, when using a GSS the traffic between the peers is securely encrypted (assuming only the peers know the GSS) from the very beginning of communications, even before the primary and secondary key exchange phases of the handshake begin. This is because QuantumGate derives initial symmetric session keys from the GSS and uses them for encryption until the ephemeral symmetric session keys derived from the key exchange phases become available.

QuantumGate also uses the GSS during the handshake and key update to derive ephemeral symmetric session keys; the GSS gets combined with the shared secrets derived from the key exchange procedure to finally produce the ephemeral symmetric session keys that get used to encrypt communications.
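The two roles of the GSS described above, as an added Python sketch that is not QuantumGate's code and not its actual key schedule: one key depends on the GSS alone, the other mixes the GSS with a key-exchange secret. The PBKDF2 stretching step, the 64-byte GSS length, the HKDF labels and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869, HMAC-SHA256)."""
    return hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869, HMAC-SHA256)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_gss(passphrase: str, salt: bytes) -> bytes:
    """Out-of-band step: stretch a passphrase into a GSS (64 bytes is an assumption)."""
    # PBKDF2 is used because a passphrase is low entropy; HKDF alone does no stretching.
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt, 600_000, dklen=64)

def initial_session_key(gss: bytes) -> bytes:
    """Key available before any key exchange: depends on the GSS alone."""
    return hkdf_expand(hkdf_extract(b"", gss), b"example initial key")

def ephemeral_session_key(gss: bytes, kx_secret: bytes) -> bytes:
    """Key after key exchange: the GSS is mixed in as the HKDF salt."""
    return hkdf_expand(hkdf_extract(gss, kx_secret), b"example ephemeral key")

if __name__ == "__main__":
    salt = b"constructed-salt"      # constructed sample value, shared with the GSS
    kx = bytes(range(32))           # constructed stand-in for the key-exchange output
    ours = derive_gss("correct horse battery staple", salt)
    theirs = derive_gss("correct horse battery stapler", salt)  # one character off
    print("initial keys match:  ", initial_session_key(ours) == initial_session_key(theirs))
    print("ephemeral keys match:",
          ephemeral_session_key(ours, kx) == ephemeral_session_key(theirs, kx))
```

A peer holding a different GSS ends up with different keys in both phases, even when the key-exchange secret is identical, which is why a matching GSS acts as an authentication factor.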

For all incoming connections, QuantumGate uses the GSS that was optionally specified in the StartupParameters for the local instance. For all outgoing connections, QuantumGate will also use the GSS that was optionally specified in the StartupParameters for the local instance, but this can be overridden through the ConnectParameters when the endpoint uses a different GSS (or none).