dkelly/pynkode
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request 'add nkode over unecrypted channel' (#2) from NKodeLowBandwidthDoc into main

Browse Source 
Reviewed-on: https://git.infra.nkode.tech/dkelly/pynkode/pulls/2
This commit is contained in:
dkelly
2025-06-26 17:58:50 +00:00
parent 8edf291cfa 75168955fa
commit 203973effa
2 changed files with 88 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@@ -1,3 +1,5 @@
.idea
__pycache__
.ipynb_checkpoints
.DS_Store

86
docs/nkode_over_unencrypted_channel.md Normal file
View File

@@ -0,0 +1,86 @@
# nKode Authentication Over Unencrypted Channel in Low-Bandwidth Environments
## Low-Bandwidth Architecture
The standard nKode architecture will not work in low-bandwidth environments.
Keypad icons are too large to send from the sever to the client.
To over come this issue, we can move the nKode icons from the serve to the users mobile device.
The server only sends the indices in which the icons need to be arranged.
```mermaid
sequenceDiagram
participant User
participant Mobile Client
participant Server
Note over User,Server: Enrollment
User ->> Server: Initiate Enrollment
Server ->> Server: Generate Keypad Icons
Server -->> Mobile Client: Store Icons On Device
Note right of Server: Server does not store the icons and does not know what they are
Server ->> Mobile Client: Keypad Index Array
Mobile Client ->> User: Render Keypad
User ->> Server: Set nKode
Server ->> Server: Disperse Keypad
Server ->> Mobile Client: Keypad Index Array
Mobile Client ->> User: Render Keypad
User ->> Server: Confirm nKode
Note over User,Server: Login
Server ->> Mobile Client: Keypad Index Array
Mobile Client ->> User: Render Keypad
User ->> Server: Successful Login
Server ->> Server: Split Shuffle Keypad
```
## Chacha20 Deterministic CSPRNG
A ChaCha20 Deterministic CSPRNG is a cryptographically secure pseudorandom number generator that uses the ChaCha20 stream cipher to produce a reproducible sequence of pseudorandom bytes. Given the same 256-bit key and 96-bit public nonce, it will always generate the same output stream, making it deterministic and suitable for use cases that require both security and repeatability.
## Secure Low-Bandwidth Architecture
We can modify the architecture above to allow secure authentication over an unencrypted network
```mermaid
sequenceDiagram
participant User
participant Mobile Client
participant Server
Note over User,Server: Enrollment
User ->> Server: Initiate Enrollment
Server ->> Server: Generate Keypad Icons
Server -->> Mobile Client: Store Icons On Device
Note right of Server: Server does not store the icons and does not know what they are
rect rgb(191, 223, 255)
Server -->> Mobile Client: Store ChaCha20 256-bit key
end
rect rgb(191, 223, 255)
Server ->> Server: Ciphered Keypad Index Array =<br/>ChaCha20FisherYates(Keypad Index Array, SharedKey, Nonce)
Server ->> Mobile Client: Ciphered Keypad Index Array + Nonce
end
Note right of Server: Server also sends the 96-bit nonce in plain-text.<br/>The Serve must never use the same nonce twice.<br/>It must be randonly generated for every authentication.<br/>The only additional overhead is the 96-bit nonce.
rect rgb(191, 223, 255)
Mobile Client ->> Mobile Client: Keypad Index Array =<br/>Reverse(Ciphered Keypad Index Array, SharedKey, Nonce)
end
Mobile Client ->> User: Render Keypad
User ->> Server: Set nKode
Server ->> Server: Disperse Keypad
rect rgb(191, 223, 255)
Server ->> Server: Ciphered Keypad Index Array =<br/>ChaCha20FisherYates(Keypad Index Array, SharedKey, Nonce)
Server ->> Mobile Client: Ciphered Keypad Index Array + Nonce
end
rect rgb(191, 223, 255)
Mobile Client ->> Mobile Client: Keypad Index Array =<br/>Reverse(Ciphered Keypad Index Array, SharedKey, Nonce)
end
Mobile Client ->> User: Render Keypad
User ->> Server: Confirm nKode
Note over User,Server: Login
rect rgb(191, 223, 255)
Server ->> Server: Ciphered Keypad Index Array =<br/>ChaCha20FisherYates(Keypad Index Array, SharedKey, Nonce)
Server ->> Mobile Client: Ciphered Keypad Index Array + Nonce
end
rect rgb(191, 223, 255)
Mobile Client ->> Mobile Client: Keypad Index Array =<br/>Reverse(Ciphered Keypad Index Array, SharedKey, Nonce)
end
Mobile Client ->> User: Render Keypad
User ->> Server: Successful Login
Server ->> Server: Split Shuffle Keypad
```