nKode Authentication Over Unencrypted Channel in Low-Bandwidth Environments
Low-Bandwidth Architecture
The standard nKode architecture will not work in low-bandwidth environments: the keypad icons are too large to send from the server to the client on every authentication. To overcome this, we can move the nKode icons from the server to the user's mobile device. The server then only sends the indices in which the icons need to be arranged.

```mermaid
sequenceDiagram
participant User
participant Mobile Client
participant Server
Note over User,Server: Enrollment
User ->> Server: Initiate Enrollment
Server ->> Server: Generate Keypad Icons
Note right of Server: Ideally the icons are generated on the user's device.<br/>Since current ML models are too compute intensive,<br/>a GPU-enabled server must run the models during enrollment.
Server -->> Mobile Client: Store Icons On Device
Note right of Server: The Server does not store the icons
Server ->> Mobile Client: Keypad Index Array
Mobile Client ->> User: Render Keypad
User ->> Server: Set nKode
Server ->> Server: Disperse Keypad
Server ->> Mobile Client: Keypad Index Array
Mobile Client ->> User: Render Keypad
User ->> Server: Confirm nKode
Note over User,Server: Login
Server ->> Mobile Client: Keypad Index Array
Mobile Client ->> User: Render Keypad
User ->> Server: Successful Login
Server ->> Server: Split Shuffle Keypad
```
Chacha20 Deterministic CSPRNG
A ChaCha20 Deterministic CSPRNG is a cryptographically secure pseudorandom number generator that uses the ChaCha20 stream cipher to produce a reproducible sequence of pseudorandom bytes. Given the same 256-bit key and 96-bit public nonce, it will always generate the same output stream, making it deterministic and suitable for use cases that require both security and repeatability.
Secure Low-Bandwidth Architecture
We can modify the architecture above to allow secure authentication over an unencrypted network using ChaCha20: the server shuffles the keypad index array with a permutation derived from a key shared at enrollment and a fresh nonce, so an eavesdropper who sees the array on the wire cannot recover the keypad layout.

```mermaid
sequenceDiagram
participant User
participant Mobile Client
participant Server
Note over User,Server: Enrollment (assume secure network)
User ->> Server: Initiate Enrollment
Server ->> Server: Generate Keypad Icons
Server -->> Mobile Client: Store Icons On Device
rect rgb(191, 223, 255)
Server -->> Mobile Client: Store ChaCha20 256-bit key
end
Server ->> Mobile Client: Keypad Index Array
Mobile Client ->> User: Render Keypad
User ->> Server: Set nKode
Server ->> Server: Disperse Keypad
Server ->> Mobile Client: Keypad Index Array
Mobile Client ->> User: Render Keypad
User ->> Server: Confirm nKode
Note over User,Server: Login (assume insecure network)
rect rgb(191, 223, 255)
Server ->> Server: Shuffled Keypad Index Array =<br/>ChaCha20FisherYates(Keypad Index Array, SharedKey, Nonce)
Server ->> Mobile Client: Shuffled Keypad Index Array + Nonce
end
Note right of Server: The Server also sends the 96-bit nonce in plaintext.<br/>The Server must never use the same nonce twice.<br/>It must be randomly generated for every authentication.<br/>The only additional overhead is the 96-bit nonce.
rect rgb(191, 223, 255)
Mobile Client ->> Mobile Client: Keypad Index Array =<br/>Unshuffle(Shuffled Keypad Index Array, SharedKey, Nonce)
end
Mobile Client ->> User: Render Keypad
User ->> Server: Successful Login
Server ->> Server: Split Shuffle Keypad
```
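The following Python is an added example, not code from the nKode project. It implements the ChaCha20 deterministic CSPRNG from the previous section (block function per RFC 8439), drives an unbiased Fisher-Yates shuffle of the keypad index array with it, and performs the client-side `Unshuffle` step from the login flow above. The function names (`chacha20_fisher_yates`, `unshuffle`, `server_build_challenge`, `client_recover_keypad`), the 12-position sample keypad and the sample shared key are assumptions made for the example.

```python
import os
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    # One ChaCha quarter round on four state words (RFC 8439, section 2.1).
    s[a] = (s[a] + s[b]) & MASK32
    s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32
    s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32
    s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32
    s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, nonce, counter):
    """RFC 8439 ChaCha20 block function: 64 keystream bytes for (key, nonce, counter)."""
    assert len(key) == 32 and len(nonce) == 12
    state = (list(struct.unpack("<4L", b"expand 32-byte k"))
             + list(struct.unpack("<8L", key))
             + [counter]
             + list(struct.unpack("<3L", nonce)))
    w = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter_round(w, 0, 4, 8, 12)
        _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14)
        _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15)
        _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13)
        _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16L", *[(x + y) & MASK32 for x, y in zip(w, state)])


class ChaCha20Rng:
    """Deterministic CSPRNG: the ChaCha20 keystream for a fixed (key, nonce) pair."""

    def __init__(self, key, nonce):
        self.key, self.nonce, self.counter, self.buf = key, nonce, 0, b""

    def next_bytes(self, n):
        while len(self.buf) < n:
            self.buf += chacha20_block(self.key, self.nonce, self.counter)
            self.counter += 1
        out, self.buf = self.buf[:n], self.buf[n:]
        return out

    def below(self, n):
        """Uniform integer in [0, n): rejection sampling keeps the shuffle unbiased."""
        limit = (1 << 32) - ((1 << 32) % n)
        while True:
            r = struct.unpack("<L", self.next_bytes(4))[0]
            if r < limit:
                return r % n


def chacha20_fisher_yates(keypad_index_array, shared_key, nonce):
    """Fisher-Yates driven by the ChaCha20 CSPRNG; same (key, nonce) gives the same permutation."""
    arr = list(keypad_index_array)
    rng = ChaCha20Rng(shared_key, nonce)
    for i in range(len(arr) - 1, 0, -1):
        j = rng.below(i + 1)
        arr[i], arr[j] = arr[j], arr[i]
    return arr


def unshuffle(shuffled, shared_key, nonce):
    """Client side: replay the same swap sequence on positions 0..n-1, then invert it."""
    n = len(shuffled)
    perm = chacha20_fisher_yates(range(n), shared_key, nonce)  # perm[k] = source position of slot k
    original = [None] * n
    for k, src in enumerate(perm):
        original[src] = shuffled[k]
    return original


def server_build_challenge(keypad_index_array, shared_key):
    """Server: a fresh random 96-bit nonce per authentication; the nonce travels in the clear."""
    nonce = os.urandom(12)
    return chacha20_fisher_yates(keypad_index_array, shared_key, nonce), nonce


def client_recover_keypad(shuffled, nonce, shared_key):
    return unshuffle(shuffled, shared_key, nonce)


if __name__ == "__main__":
    # Constructed sample input: a 32-byte key shared at enrollment and a 12-key keypad.
    shared_key = bytes(range(32))
    keypad = [7, 2, 11, 0, 5, 9, 1, 10, 4, 8, 3, 6]
    shuffled, nonce = server_build_challenge(keypad, shared_key)
    print("on the wire:", shuffled, nonce.hex())
    print("client view:", client_recover_keypad(shuffled, nonce, shared_key))
```

Two design points worth noting. `below()` uses rejection sampling rather than `r % n`, because a plain modulus biases the permutation when `n` does not divide 2^32. And because the permutation is a pure function of (key, nonce), a repeated nonce reproduces an earlier keypad layout, which is why the diagram requires a fresh random nonce for every authentication.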