Skip to content

Cryptography

Ken Tobias edited this page Jun 17, 2026 · 2 revisions

Cryptography

etr's security is provided by QUIC with TLS 1.3, delegating all cryptography to rustls and quinn. There is no custom crypto code.

TLS 1.3 and certificate pinning

etr uses an ephemeral self-signed certificate generated fresh for each session by rcgen. The certificate is transmitted to the client over the SSH-encrypted bootstrap channel. The client pins exactly this certificate — no CA or PKI is involved. This is directly analogous to SSH host-key trust: the out-of-band channel (SSH) authenticates the key.

The TLS 1.3 cipher suite is negotiated by rustls based on platform capability. The set includes:

Suite Key exchange AEAD
TLS_AES_256_GCM_SHA384 X25519 ECDH AES-256-GCM
TLS_AES_128_GCM_SHA256 X25519 ECDH AES-128-GCM
TLS_CHACHA20_POLY1305_SHA256 X25519 ECDH ChaCha20-Poly1305

Passkey authentication

Each session generates a random 32-character passkey sent to the server via the SSH-encrypted bootstrap channel. The client includes this passkey in its SessionOpen message on the QUIC control stream. The server verifies it before accepting the session. This prevents a network attacker who can reach the QUIC port from hijacking a session even if they somehow bypass TLS (defense in depth).

Forward secrecy

TLS 1.3 always uses ephemeral key exchange (X25519), providing forward secrecy: session keys are not derivable from any long-term secret. A new TLS handshake occurs on every reconnect, generating a fresh session key each time.

Post-quantum key exchange

The current TLS 1.3 configuration uses classical X25519 ECDH. Post-quantum key exchange (X25519MLKEM768 hybrid, via rustls-post-quantum) can be added in a future release once it stabilises in the TLS standardisation pipeline.

Crates used

Role Crate
QUIC transport quinn
TLS 1.3 rustls
Certificate generation rcgen

Clone this wiki locally