Document the obfs4 NaCl secretbox nonce generation.

Forgot to include this in the spec, though it was documented as a comment in the framing code.
author: Yawning Angel <yawning@torproject.org> 2015-01-14 20:49:56 +0000
committer: Yawning Angel <yawning@torproject.org> 2015-01-14 20:49:56 +0000
commit: 0f038ca4fa4c175d427251838cfee6fb6d6b9e2f (patch)
tree: 0dbaf8451fa62f869fae20e3ed6e966ad7089593 /doc
parent: cdeda5724124ca393c87be6d01c84fe4f906d612 (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/doc/obfs4-spec.txt b/doc/obfs4-spec.txt
index 0e844a1..7d54ffc 100644
--- a/doc/obfs4-spec.txt
+++ b/doc/obfs4-spec.txt
@@ -269,6 +269,17 @@
    The maximum allowed frame length is 1448 bytes, which allows up to 1427
    bytes of useful payload to be transmitted per "frame".
 
+   The NaCl secretbox (Poly1305/XSalsa20) nonce format is:
+
+      uint8_t[24] prefix (Fixed)
+      uint64_t    counter (Big endian)
+
+   The counter is initialized to 1, and is incremented on each frame.  Since
+   the protocol is designed to be used over a reliable medium, the nonce is not
+   transmitted over the wire as both sides of the conversation know the prefix
+   and the initial counter value.  It is imperative that the counter does not
+   wrap, and sessions MUST terminate before 2^64 frames are sent.
+
    If unsealing a secretbox ever fails (due to a Tag mismatch), implementations
    MUST drop the connection.
author	Yawning Angel <yawning@torproject.org>	2015-01-14 20:49:56 +0000
committer	Yawning Angel <yawning@torproject.org>	2015-01-14 20:49:56 +0000
commit	0f038ca4fa4c175d427251838cfee6fb6d6b9e2f (patch)
tree	0dbaf8451fa62f869fae20e3ed6e966ad7089593 /doc
parent	cdeda5724124ca393c87be6d01c84fe4f906d612 (diff)