Basic encryption module
Security level: Good level of encryption
Type: Symmetric
Cipher: Stream cipher - ChaCha20
Key Exchange: ephemeral ECDH
This is the default module for the framework. Although it does not provide the best security, it is robust and the overhead is relatively low: only 4 bytes.
In the first round, a secure key exchange is performed with the server and the server's public key is hashed. That hash is used as a fingerprint and saved, along with the IP, in the misc/known_hosts file.
If the fingerprint stored in the file does not match the server's fingerprint, it could mean that:
- An attacker executed a MITM attack
- The server's key was changed - possibly a different encryption module is in use.
If the fingerprint matches the stored hash value, a second key exchange happens with randomly generated EC keys. The shared key derived from this key exchange is the symmetric key for the encryption.
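The trust-on-first-use check described above can be sketched as follows. This is an added example, not XFLTReaT's own code: the SHA-256 hash, the `<ip> <fingerprint>` line format and the function names are assumptions, since the page only says the public key "is hashed" and stored with the IP.

```python
import hashlib
import hmac
import os
import tempfile

def fingerprint(public_key_bytes):
    # Assumption: SHA-256 hex digest; the page does not name the hash.
    return hashlib.sha256(public_key_bytes).hexdigest()

def load_known_hosts(path):
    # Assumed file format: one "<ip> <hex fingerprint>" pair per line.
    hosts = {}
    if os.path.exists(path):
        with open(path) as fh:
            for line in fh:
                parts = line.split()
                if len(parts) == 2:
                    hosts[parts[0]] = parts[1]
    return hosts

def check_server(path, ip, public_key_bytes):
    """Return 'new', 'match' or 'mismatch' for the key presented by ip."""
    seen = fingerprint(public_key_bytes)
    stored = load_known_hosts(path).get(ip)
    if stored is None:
        # First contact: pin the fingerprint for later sessions.
        with open(path, "a") as fh:
            fh.write(f"{ip} {seen}\n")
        return "new"
    if hmac.compare_digest(stored, seen):
        return "match"      # safe to continue with the second key exchange
    # Possible MITM or changed server key: never overwrite the pin silently.
    return "mismatch"

def demo():
    path = os.path.join(tempfile.mkdtemp(), "known_hosts")
    key_a = bytes(range(32))        # constructed sample public key
    key_b = bytes(range(1, 33))     # constructed, different key
    return [
        check_server(path, "192.0.2.10", key_a),   # first contact
        check_server(path, "192.0.2.10", key_a),   # same key again
        check_server(path, "192.0.2.10", key_b),   # key changed
        check_server(path, "192.0.2.10", key_a),   # pin survived mismatch
        check_server(path, "192.0.2.20", key_b),   # different server
    ]

if __name__ == "__main__":
    print(demo())
```

On a `mismatch` the caller should stop before the second key exchange and have the operator review the stored entry by hand.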
DISCLAIMER: Although the ChaCha20 stream cipher requires a 16-byte / 128-bit nonce, in this module the nonce transmitted with the packet is only 4 bytes / 32 bits long, and the module extends it to the full length. This weakens the security of the encryption, but the overhead is lower as well. This is a trade-off between security and usability. If you are concerned about this, please use the advanced encryption module.
This module could be the ideal choice for those modules that have a restricted payload size (e.g. DNS).
[Encryption]
module = basic
The fingerprints are stored in the misc/known_hosts file. If a fingerprint needs to be updated or removed, please find it in this file.
XFLTReaT 2017-2020 Balazs Bucsay @xoreipeip