From a136fb995edb0c46c733d9c19a34e68c64958cdb Mon Sep 17 00:00:00 2001 From: Logan oos Even <46396513+Logan007@users.noreply.github.com> Date: Thu, 7 Jan 2021 20:58:40 +0545 Subject: [PATCH] updated Crypto.md clarification, added details about -k cli option and N2N_KEY --- doc/Crypto.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/doc/Crypto.md b/doc/Crypto.md index f7f4fc6..ca5456b 100644 --- a/doc/Crypto.md +++ b/doc/Crypto.md @@ -11,8 +11,6 @@ Payload encryption currently comes in four different flavors using ciphers of di - ChaCha20 (CTR) (`-A4`) - SPECK in CTR mode (`-A5`) -To renounce encryption, `-A1` enables the so called `null_transform` transmitting all payload data unencryptedly. - The following chart might help to make a quick comparison and decide what cipher to use: | Cipher | Mode | Block Size | Key Size | IV length |Speed | Built-In | Origin | 
@@ -26,6 +24,12 @@ The two block ciphers Twofish and AES are used in CTS mode. n2n has all four ciphers built-in as basic versions. Some of them optionally compile to faster versions by the means of available hardware support (AES-NI, SSE, AVX – please see the [Building document](./Building.md) for details. Depending on your platform, AES and ChaCha20 might also draw notable acceleration from optionally compiling with openSSL 1.1 support. +The`-k ` command line parameter supplies the key. As even non-privileged users might get to see the command line parameters (try `ps -Af | grep edge`), the key can also be supplied through the `N2N_KEY` environment variable: `sudo N2N_KEY=mysecretpass edge -c mynetwork -a 192.168.100.1 -f -l supernode.ntop.org:7777`. + +Providing `-k ` without specifying any cipher by `-A_` will default to AES encryption. + +To renounce encryption, `-A1` enables the so called `null_transform` transmitting all payload data unencryptedly. Omitting `-A_` and not providing a key through `-k ` shows the same effect. + ### Twofish This implementation prepends a 128 bit random value to the plain text. Its size is adjustable by changing the `TF_PREAMBLE_SIZE` definition found in `src/transform_tf.c`. It defaults to TF_BLOCK_SIZE (== 16). As CTS uses underlying CBC mode, this basically has the same effect as a respectively shorter IV. However, this flexibility does not come for free as an additional block needs to be encrypted.
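Review bot: the first hunk drops the `-A1` / `null_transform` sentence from directly below the `-A` option list, so `-A1` is no longer visible next to the other `-A` values (`-A4`, `-A5`) where a reader scanning the options looks for it; the sentence only reappears further down in the second hunk. Consider keeping a short bullet in the list, e.g. `- no encryption, `null_transform` (`-A1`)`, and leaving the longer explanation where the second hunk puts it.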
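Review bot: the `sudo N2N_KEY=mysecretpass edge ...` example in the second hunk only works when the sudoers policy lets the user set environment variables (the `setenv` option, a `SETENV` tag, or a rule matching `ALL`); otherwise `sudo` rejects the assignment, and the key also ends up in the shell history, so the paragraph should say so rather than present the environment variable as a drop-in fix for `ps -Af | grep edge`. Two smaller points in the same hunk: "The`-k `" is missing a space and carries a trailing space inside the backticks (likewise `-A_` is not a real option spelling; `-A<n>` or plain `-A` reads better), and the defaults paragraph covers `-k` without `-A` and neither option given, but not `-A2`..`-A5` given without `-k`/`N2N_KEY`, nor which of `-k` and `N2N_KEY` wins when both are present; one sentence for each would close the gap.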