feat: add strandlock protocol to smp and messages

Author: chadsec1

core/trad_crypto.py

@@ -67,7 +67,7 @@ def derive_key_argon2id(password: bytes, salt: bytes = None, output_length: int
     ), salt
 
 
-def encrypt_xchacha20poly1305(key: bytes, plaintext: bytes, counter: int = None, counter_safety: int = 2 ** 32) -> tuple[bytes, bytes]:
+def encrypt_xchacha20poly1305(key: bytes, plaintext: bytes, nonce: bytes = None, counter: int = None, counter_safety: int = 2 ** 32) -> tuple[bytes, bytes]:
     """
     Encrypt plaintext using ChaCha20Poly1305.
 
@@ -83,7 +83,9 @@ def encrypt_xchacha20poly1305(key: bytes, plaintext: bytes, counter: int = None,
         - nonce: The randomly generated AES-GCM nonce.
         - ciphertext: The encrypted data including the authentication tag.
     """
-    nonce = secrets.token_bytes(XCHACHA20POLY1305_NONCE_LEN)
+    if nonce is None:
+        nonce = sha3_512(secrets.token_bytes(XCHACHA20POLY1305_NONCE_LEN))[:XCHACHA20POLY1305_NONCE_LEN]
+
     if counter is not None:
         if counter > counter_safety:
             raise ValueError("ChaCha counter has overflowen")

logic/contacts.py

@@ -87,7 +87,9 @@ def save_contact(user_data: dict, user_data_lock, contact_id: str) -> None:
                     }
                 },
                 "our_strand_key": None,
-                "contact_strand_key": None,
+                "our_next_strand_nonce": None,
+                "contact_next_strand_key": None,
+                "contact_strand_nonce": None,
                 "our_pads": {
                     "hash_chain": None,
                     "pads": None

logic/message.py

@@ -72,7 +72,8 @@ def generate_and_send_pads(user_data, user_data_lock, contact_id: str, ui_queue)
 
     otp_batch_signature = create_signature(ML_DSA_87_NAME, kyber_ciphertext_blob + mceliece_ciphertext_blob, our_lt_private_key)
 
-    hash_chain_seed = secrets.token_bytes(MESSAGE_HASH_CHAIN_LEN)
+    hash_chain_seed = sha3_512(secrets.token_bytes(MESSAGE_HASH_CHAIN_LEN))
+
     ciphertext_nonce, ciphertext_blob = encrypt_xchacha20poly1305(
             our_strand_key, 
             b"\x00" + hash_chain_seed + otp_batch_signature + kyber_ciphertext_blob + mceliece_ciphertext_blob
@@ -90,9 +91,12 @@ def generate_and_send_pads(user_data, user_data_lock, contact_id: str, ui_queue)
 
     pads, _ = one_time_pad(kyber_shared_secrets, mceliece_shared_secrets)
 
+
+    our_strand_key = sha3_512(pads[:32])[:32]
+
     # We update & save only at the end, so if request fails, we do not desync our state.
     with user_data_lock:
-        user_data["contacts"][contact_id]["our_strand_key"]         = pads[:32]
+        user_data["contacts"][contact_id]["our_strand_key"]         = our_strand_key
         user_data["contacts"][contact_id]["our_pads"]["pads"]       = pads[32:]
 
         user_data["contacts"][contact_id]["our_pads"]["hash_chain"] = hash_chain_seed
@@ -294,7 +298,7 @@ def messages_data_handler(user_data: dict, user_data_lock, user_data_copied: dic
             return
 
         contact_pads, _ = one_time_pad(contact_kyber_pads, contact_mceliece_pads)
-        contact_strand_key = contact_pads[:32]
+        contact_strand_key = sha3_512(contact_pads[:32])[:32]
         contact_pads = contact_pads[32:]
 
 

logic/smp.py

@@ -110,14 +110,18 @@ def smp_step_2(user_data: dict, user_data_lock, contact_id: str, message: dict,
 
     signing_private_key, signing_public_key = generate_sign_keys()
 
-    our_nonce = secrets.token_bytes(SMP_NONCE_LENGTH)
+    our_nonce = sha3_512(secrets.token_bytes(SMP_NONCE_LENGTH))[:SMP_NONCE_LENGTH]
 
     key_ciphertext, chacha_key = encap_shared_secret(contact_kem_public_key, ML_KEM_1024_NAME)
     chacha_key = sha3_512(chacha_key)[:32]
 
+    our_next_strand_nonce     = sha3_512(secrets.token_bytes(XCHACHA20POLY1305_NONCE_LEN))[:XCHACHA20POLY1305_NONCE_LEN]
+    contact_next_strand_nonce = sha3_512(secrets.token_bytes(XCHACHA20POLY1305_NONCE_LEN))[:XCHACHA20POLY1305_NONCE_LEN]
+
+
     ciphertext_nonce, ciphertext_blob = encrypt_xchacha20poly1305(
             chacha_key, 
-            signing_public_key + our_nonce, 
+            signing_public_key + our_nonce + our_next_strand_nonce + contact_next_strand_nonce, 
             counter = 2
         )
 
@@ -146,6 +150,9 @@ def smp_step_2(user_data: dict, user_data_lock, contact_id: str, message: dict,
         user_data["contacts"][contact_id]["lt_sign_keys"]["our_keys"]["public_key"]  = signing_public_key
 
         user_data["contacts"][contact_id]["lt_sign_key_smp"]["smp_step"] = 4
+        
+        user_data["contacts"][contact_id]["our_next_strand_nonce"]     = our_next_strand_nonce
+        user_data["contacts"][contact_id]["contact_next_strand_nonce"] = contact_next_strand_nonce
 
 
 def smp_step_3(user_data: dict, user_data_lock: threading.Lock, contact_id: str, message: dict, ui_queue: queue.Queue()) -> None:
@@ -173,9 +180,12 @@ def smp_step_3(user_data: dict, user_data_lock: threading.Lock, contact_id: str,
         )
 
     contact_signing_public_key = smp_plaintext[:ML_DSA_87_PK_LEN]
-    contact_nonce              = smp_plaintext[ML_DSA_87_PK_LEN:]
+    contact_nonce              = smp_plaintext[ML_DSA_87_PK_LEN: ML_DSA_87_PK_LEN + SMP_NONCE_LENGTH]
 
-    our_nonce = secrets.token_bytes(SMP_NONCE_LENGTH)
+    contact_next_strand_nonce  = smp_plaintext[ML_DSA_87_PK_LEN + SMP_NONCE_LENGTH: ML_DSA_87_PK_LEN + SMP_NONCE_LENGTH + XCHACHA20POLY1305_NONCE_LEN]
+    our_next_strand_nonce      = smp_plaintext[ML_DSA_87_PK_LEN + SMP_NONCE_LENGTH + XCHACHA20POLY1305_NONCE_LEN:]
+
+    our_nonce = sha3_512(secrets.token_bytes(SMP_NONCE_LENGTH))[:SMP_NONCE_LENGTH]
 
     signing_private_key, signing_public_key = generate_sign_keys()
 
@@ -190,17 +200,19 @@ def smp_step_3(user_data: dict, user_data_lock: threading.Lock, contact_id: str,
     our_proof = hmac.new(answer_secret, our_proof, hashlib.sha3_512).digest()
 
     logger.debug("Our proof of contact (%s) public-key fingerprint: %s", contact_id, our_proof)
+
 
-    ciphertext_nonce, ciphertext_blob = encrypt_xchacha20poly1305(
+    our_new_strand_nonce = sha3_512(secrets.token_bytes(XCHACHA20POLY1305_NONCE_LEN))[:XCHACHA20POLY1305_NONCE_LEN]
+    _, ciphertext_blob = encrypt_xchacha20poly1305(
             chacha_key, 
-            signing_public_key + our_nonce + our_proof + question.encode("utf-8"), 
-            counter = 3
+            our_new_strand_nonce + signing_public_key + our_nonce + our_proof + question.encode("utf-8"),
+            nonce = our_next_strand_nonce
         )
 
 
     try:
         http_request(f"{server_url}/smp/step", "POST", payload = {
-            "ciphertext_blob": b64encode(ciphertext_nonce + ciphertext_blob).decode(),
+            "ciphertext_blob": b64encode(ciphertext_blob).decode(),
             "recipient": contact_id
 
         }, auth_token=auth_token)
@@ -214,34 +226,51 @@ def smp_step_3(user_data: dict, user_data_lock: threading.Lock, contact_id: str,
     with user_data_lock:
         user_data["contacts"][contact_id]["lt_sign_keys"]["contact_public_key"] = contact_signing_public_key
 
-        user_data["contacts"][contact_id]["lt_sign_key_smp"]["contact_nonce"]   = b64encode(contact_nonce).decode() 
-        user_data["contacts"][contact_id]["lt_sign_key_smp"]["our_nonce"]       = b64encode(our_nonce).decode()
-        user_data["contacts"][contact_id]["lt_sign_key_smp"]["tmp_key"]         = b64encode(chacha_key).decode()
+        user_data["contacts"][contact_id]["lt_sign_key_smp"]["contact_nonce"] = b64encode(contact_nonce).decode() 
+        user_data["contacts"][contact_id]["lt_sign_key_smp"]["our_nonce"]     = b64encode(our_nonce).decode()
+        user_data["contacts"][contact_id]["lt_sign_key_smp"]["tmp_key"]       = b64encode(chacha_key).decode()
 
         user_data["contacts"][contact_id]["lt_sign_keys"]["our_keys"]["private_key"] = signing_private_key
         user_data["contacts"][contact_id]["lt_sign_keys"]["our_keys"]["public_key"]  = signing_public_key
 
+        user_data["contacts"][contact_id]["our_next_strand_nonce"]     = our_new_strand_nonce
+        user_data["contacts"][contact_id]["contact_next_strand_nonce"] = contact_next_strand_nonce
+
+
         user_data["contacts"][contact_id]["lt_sign_key_smp"]["smp_step"] = 5
 
 
 def smp_step_4_request_answer(user_data, user_data_lock, contact_id, message, ui_queue) -> None:
     with user_data_lock:
         tmp_key = b64decode(user_data["contacts"][contact_id]["lt_sign_key_smp"]["tmp_key"])
 
+        our_next_strand_nonce      = user_data["contacts"][contact_id]["our_next_strand_nonce"]
+        contact_next_strand_nonce  = user_data["contacts"][contact_id]["contact_next_strand_nonce"]
+
+
     ciphertext_blob = b64decode(message["ciphertext_blob"], validate = True)
-    smp_plaintext = decrypt_xchacha20poly1305(tmp_key, ciphertext_blob[:XCHACHA20POLY1305_NONCE_LEN], ciphertext_blob[XCHACHA20POLY1305_NONCE_LEN:])
+
+
+    smp_plaintext = decrypt_xchacha20poly1305(tmp_key, contact_next_strand_nonce, ciphertext_blob)
+
+    contact_new_strand_nonce = smp_plaintext[:XCHACHA20POLY1305_NONCE_LEN]
 
-    contact_signing_public_key = smp_plaintext[:ML_DSA_87_PK_LEN]
-    contact_nonce = b64encode(smp_plaintext[ML_DSA_87_PK_LEN : SMP_NONCE_LENGTH + ML_DSA_87_PK_LEN]).decode()
-    contact_proof = b64encode(smp_plaintext[SMP_NONCE_LENGTH + ML_DSA_87_PK_LEN : SMP_NONCE_LENGTH + SMP_PROOF_LENGTH + ML_DSA_87_PK_LEN]).decode()
-    question      = smp_plaintext[SMP_NONCE_LENGTH + SMP_PROOF_LENGTH + ML_DSA_87_PK_LEN:].decode("utf-8")
+    contact_signing_public_key = smp_plaintext[XCHACHA20POLY1305_NONCE_LEN : ML_DSA_87_PK_LEN + XCHACHA20POLY1305_NONCE_LEN]
+
+    contact_nonce = b64encode(smp_plaintext[XCHACHA20POLY1305_NONCE_LEN + ML_DSA_87_PK_LEN : SMP_NONCE_LENGTH + ML_DSA_87_PK_LEN + XCHACHA20POLY1305_NONCE_LEN]).decode()
+
+    contact_proof = b64encode(smp_plaintext[XCHACHA20POLY1305_NONCE_LEN + SMP_NONCE_LENGTH + ML_DSA_87_PK_LEN : SMP_NONCE_LENGTH + SMP_PROOF_LENGTH + ML_DSA_87_PK_LEN + XCHACHA20POLY1305_NONCE_LEN]).decode()
+
+    question      = smp_plaintext[SMP_NONCE_LENGTH + XCHACHA20POLY1305_NONCE_LEN + SMP_PROOF_LENGTH + ML_DSA_87_PK_LEN:].decode("utf-8")
+
 
 
     with user_data_lock: 
         user_data["contacts"][contact_id]["lt_sign_key_smp"]["question"] = question
         user_data["contacts"][contact_id]["lt_sign_key_smp"]["tmp_proof"] = contact_proof
         # user_data["contacts"][contact_id]["lt_sign_key_smp"]["smp_step"] = 5
 
+        user_data["contacts"][contact_id]["contact_next_strand_nonce"] = contact_new_strand_nonce
 
         user_data["contacts"][contact_id]["lt_sign_key_smp"]["contact_nonce"] = contact_nonce
 
@@ -269,6 +298,8 @@ def smp_step_4_answer_provided(user_data, user_data_lock, contact_id, answer, ui
 
         our_signing_public_key = user_data["contacts"][contact_id]["lt_sign_keys"]["our_keys"]["public_key"]
 
+        our_next_strand_nonce = user_data["contacts"][contact_id]["our_next_strand_nonce"]
+
         tmp_key = b64decode(user_data["contacts"][contact_id]["lt_sign_key_smp"]["tmp_key"])
 
     answer = normalize_answer(answer)
@@ -286,10 +317,11 @@ def smp_step_4_answer_provided(user_data, user_data_lock, contact_id, answer, ui
     logger.debug("SMP Proof sent to us: %s", contact_proof)
     logger.debug("Our compute message: %s", our_proof)
 
+
     # Verify Contact's version of our public-key fingerprint matches our actual public-key fingerprint
     # We compare using compare_digest to prevent timing analysis by avoiding content-based short circuiting behaviour
     if not hmac.compare_digest(our_proof, contact_proof):
-        logger.warning("SMP Verification failed")
+        logger.warning("SMP Verification failed at step 4")
         smp_failure_notify_contact(user_data, user_data_lock, contact_id, ui_queue)
         return
 
@@ -300,19 +332,21 @@ def smp_step_4_answer_provided(user_data, user_data_lock, contact_id, answer, ui
     our_proof = contact_nonce + our_nonce + contact_key_fingerprint
     our_proof = hmac.new(answer_secret, our_proof, hashlib.sha3_512).digest()
 
-    our_strand_key     = secrets.token_bytes(32)
-    contact_strand_key = secrets.token_bytes(32)
 
-    ciphertext_nonce, ciphertext_blob = encrypt_xchacha20poly1305(
+    our_strand_key     = sha3_512(secrets.token_bytes(32))[:32]
+    contact_strand_key = sha3_512(secrets.token_bytes(32))[:32]
+
+    our_new_strand_nonce = sha3_512(secrets.token_bytes(XCHACHA20POLY1305_NONCE_LEN))[:XCHACHA20POLY1305_NONCE_LEN]
+    _, ciphertext_blob = encrypt_xchacha20poly1305(
             tmp_key, 
-            our_proof + our_strand_key + contact_strand_key, 
-            counter = 4
+            our_new_strand_nonce + our_proof + our_strand_key + contact_strand_key,
+            nonce = our_next_strand_nonce
         )
 
 
     try:
         http_request(f"{server_url}/smp/step", "POST", payload = {
-            "ciphertext_blob": b64encode(ciphertext_nonce + ciphertext_blob).decode(),
+            "ciphertext_blob": b64encode(ciphertext_blob).decode(),
             "recipient": contact_id
         }, auth_token=auth_token)
     except Exception:
@@ -326,10 +360,11 @@ def smp_step_4_answer_provided(user_data, user_data_lock, contact_id, answer, ui
 
     with user_data_lock:
         user_data["contacts"][contact_id]["lt_sign_key_smp"]["answer"] = answer
-        user_data["contacts"][contact_id]["our_strand_key"]     = our_strand_key
-        user_data["contacts"][contact_id]["contact_strand_key"] = contact_strand_key
 
+        user_data["contacts"][contact_id]["our_next_strand_nonce"]     = our_new_strand_nonce
 
+        user_data["contacts"][contact_id]["our_strand_key"]     = our_strand_key
+        user_data["contacts"][contact_id]["contact_strand_key"] = contact_strand_key
 
 
 
@@ -347,7 +382,8 @@ def smp_step_5(user_data, user_data_lock, contact_id, message, ui_queue) -> None
         contact_nonce      = b64decode(user_data["contacts"][contact_id]["lt_sign_key_smp"]["contact_nonce"], validate=True)
 
         tmp_key = b64decode(user_data["contacts"][contact_id]["lt_sign_key_smp"]["tmp_key"])
-    
+        contact_next_strand_nonce  = user_data["contacts"][contact_id]["contact_next_strand_nonce"]
+
 
     our_key_fingerprint = sha3_512(our_signing_public_key + our_kem_public_key)
 
@@ -360,25 +396,32 @@ def smp_step_5(user_data, user_data_lock, contact_id, message, ui_queue) -> None
     our_proof = hmac.new(answer_secret, our_proof, hashlib.sha3_512).digest()
 
     ciphertext_blob = b64decode(message["ciphertext_blob"], validate = True)
-    smp_plaintext = decrypt_xchacha20poly1305(tmp_key, ciphertext_blob[:XCHACHA20POLY1305_NONCE_LEN], ciphertext_blob[XCHACHA20POLY1305_NONCE_LEN:])
 
-    contact_proof      = smp_plaintext[:SMP_PROOF_LENGTH]
-    contact_strand_key = smp_plaintext[SMP_PROOF_LENGTH : SMP_PROOF_LENGTH + 32]
-    our_strand_key     = smp_plaintext[SMP_PROOF_LENGTH + 32:]
+
+    smp_plaintext = decrypt_xchacha20poly1305(tmp_key, contact_next_strand_nonce, ciphertext_blob)
 
+    contact_new_strand_nonce = smp_plaintext[:XCHACHA20POLY1305_NONCE_LEN]
+
+    contact_proof = smp_plaintext[XCHACHA20POLY1305_NONCE_LEN : SMP_PROOF_LENGTH + XCHACHA20POLY1305_NONCE_LEN]
+
+    contact_strand_key = smp_plaintext[XCHACHA20POLY1305_NONCE_LEN + SMP_PROOF_LENGTH : XCHACHA20POLY1305_NONCE_LEN + SMP_PROOF_LENGTH + 32]
+    our_strand_key     = smp_plaintext[XCHACHA20POLY1305_NONCE_LEN + SMP_PROOF_LENGTH + 32:] 
 
     logger.debug("SMP Proof sent to us: %s", contact_proof)
     logger.debug("Our compute message: %s", our_proof)
 
 
+
     # Verify Contact's version of our public-key fingerprint matches our actual public-key fingerprint
     # We compare using compare_digest to prevent timing analysis by avoiding content-based short circuiting behaviour
     if not hmac.compare_digest(our_proof, contact_proof):
-        logger.warning("SMP Verification failed")
+        logger.warning("SMP Verification failed at step 5")
         smp_failure_notify_contact(user_data, user_data_lock, contact_id, ui_queue)
         return
 
     with user_data_lock:
+        user_data["contacts"][contact_id]["contact_next_strand_nonce"] = contact_new_strand_nonce
+
         user_data["contacts"][contact_id]["our_strand_key"]     = our_strand_key
         user_data["contacts"][contact_id]["contact_strand_key"] = contact_strand_key
 
@@ -480,6 +523,12 @@ def smp_data_handler(user_data, user_data_lock, user_data_copied, ui_queue, mess
     except Exception:
         smp_step = 2
 
+
+    if "failure" in message:
+        # Delete SMP state for contact
+        smp_failure(user_data, user_data_lock, contact_id, ui_queue)
+        return
+
     # Check if we don't have this contact saved
     if contact_id not in user_data_copied["contacts"]:
         # We assume it has to be step 1 because the contact did not exist before
@@ -508,10 +557,6 @@ def smp_data_handler(user_data, user_data_lock, user_data_copied, ui_queue, mess
     elif smp_step == 2:
         smp_step_2(user_data, user_data_lock, contact_id, message, ui_queue)
 
-    elif "failure" in message:
-        # Delete SMP state for contact
-        smp_failure(user_data, user_data_lock, contact_id, ui_queue)
-
     elif smp_step == 3:
         if (not user_data_copied["contacts"][contact_id]["lt_sign_key_smp"]["pending_verification"]): 
             logger.error("Contact (%s) is not pending verification, yet they sent us a SMP request. Ignoring it.", contact_id)

logic/storage.py

@@ -91,6 +91,13 @@ def load_account_data(password = None) -> dict:
         except TypeError:
             pass
 
+        try:
+            user_data["contacts"][contact_id]["our_next_strand_nonce"]     = b64decode(user_data["contacts"][contact_id]["our_next_strand_nonce"], validate=True)
+            user_data["contacts"][contact_id]["contact_next_strand_nonce"] = b64decode(user_data["contacts"][contact_id]["contact_next_strand_nonce"], validate=True)
+        except TypeError:
+            pass
+
+
 
         try:
             user_data["contacts"][contact_id]["our_pads"]["pads"] = b64decode(user_data["contacts"][contact_id]["our_pads"]["pads"], validate=True)
@@ -179,6 +186,13 @@ def save_account_data(user_data: dict, user_data_lock, password = None) -> None:
         except TypeError:
             pass
 
+        try:
+            user_data["contacts"][contact_id]["our_next_strand_nonce"]     = b64encode(user_data["contacts"][contact_id]["our_next_strand_nonce"]).decode()
+            user_data["contacts"][contact_id]["contact_next_strand_nonce"] = b64encode(user_data["contacts"][contact_id]["contact_next_strand_nonce"]).decode()
+        except TypeError:
+            pass
+
+
 
         try:
             user_data["contacts"][contact_id]["our_pads"]["pads"] = b64encode(user_data["contacts"][contact_id]["our_pads"]["pads"]).decode()