07 — Cryptographic Protocols
Protocols combine primitives (ciphers, hashes, signatures) into interactions between parties. Here: TLS, SSH, IPsec, Kerberos, OAuth/OIDC, Signal, MLS, Noise, WireGuard, OPAQUE, and relevant classical protocols.
1. SSL / TLS — evolution
SSL 1.0 (Netscape 1994) ❌
Never released publicly. Elementary flaws discovered internally.
SSL 2.0 (1995) ❌
- MAC and encryption use the same key.
- Header traffic not authenticated.
- Vulnerable to truncation attacks.
- Padding oracle issues.
- Deprecated RFC 6176 (2011). Removed from every browser ~2015.
SSL 3.0 (1996) ❌
- MAC with SHA-1 but does not cover everything.
- CBC vulnerable (BEAST, POODLE).
- POODLE (2014) — Padding Oracle On Downgraded Legacy Encryption. Killed SSL 3.0 in browsers Q4/2014.
TLS 1.0 (RFC 2246, 1999) ❌
Rename of SSL 3.1 (Netscape vs IETF politics). Same algorithms. BEAST (2011) demonstrated a problem with CBC IV chaining.
TLS 1.1 (RFC 4346, 2006) ❌
BEAST fix: explicit IV per record. Fell into disuse; deprecated along with 1.0 in 2020 (RFC 8996).
TLS 1.2 (RFC 5246, 2008) ⚠️
- Supports SHA-256, AES-GCM, AEAD.
- Still allows RSA key transport (no forward secrecy).
- Still allows cipher suites with RC4, 3DES, CBC.
- Secure configuration is possible but requires diligence.
- Status: still dominant. Should be configured with only ECDHE + AEAD cipher suites.
Recommended TLS 1.2 cipher suites:
ECDHE-ECDSA-AES128-GCM-SHA256ECDHE-ECDSA-CHACHA20-POLY1305ECDHE-RSA-AES256-GCM-SHA384ECDHE-RSA-CHACHA20-POLY1305
TLS 1.3 (RFC 8446, 2018) ✅
Deep redesign:
- Removes RSA key transport (always ECDHE/DHE → forward secrecy mandatory).
- Removes RC4, 3DES, MD5, SHA-1, CBC modes (all), static DH.
- Removes compression (CRIME).
- Removes renegotiation.
- Only 5 cipher suites; all AEAD.
- 0-RTT (zero round-trip resumption) — performance but with replay caveats.
- Handshake encrypted after ServerHello.
- Unified HKDF-based key schedule.
TLS 1.3 cipher suites (all mandatory):
TLS_AES_128_GCM_SHA256TLS_AES_256_GCM_SHA384TLS_CHACHA20_POLY1305_SHA256(mandatory per RFC)TLS_AES_128_CCM_SHA256TLS_AES_128_CCM_8_SHA256
Key exchange groups: secp256r1 (P-256), secp384r1, secp521r1, X25519, X448, plus X25519MLKEM768 (post-quantum hybrid, draft-ietf-tls-hybrid-design).
TLS 1.3 handshake (simplified)
ClientHello [random, cipher_suites, key_share, signature_algorithms, ...]
→
ServerHello [random, cipher_suite, key_share, ...]
{EncryptedExtensions}
{Certificate}
{CertificateVerify}
{Finished}
←
{Certificate*} // optional mTLS
{CertificateVerify*}
{Finished}
→
[Application Data]
⇄{...} = encrypted with handshake traffic secret derived from ECDHE.
Post-quantum migration
- X25519MLKEM768 — Cloudflare/Google rolling out in 2024–2025. ClientHello carries both key_shares; server chooses.
- Traditional servers still on pure ECDHE.
- Complete migration expected 2028–2032.
Historical TLS 1.2/1.3 flaws
| Year | Attack | Impact |
|---|---|---|
| 2011 | BEAST | CBC IV in TLS 1.0 |
| 2012 | CRIME | TLS compression leak |
| 2013 | Lucky 13 | CBC timing |
| 2014 | Heartbleed | OpenSSL bug (not protocol) |
| 2014 | POODLE | SSL 3.0 fallback CBC |
| 2014 | Triple Handshake | Cross-protocol |
| 2015 | FREAK | RSA export grade downgrade |
| 2015 | Logjam | DH 1024 pre-computation |
| 2016 | DROWN | SSLv2 cross-protocol oracle |
| 2016 | Sweet32 | 64-bit block ciphers |
| 2017 | ROBOT | Bleichenbacher revived |
| 2018 | Bleichenbacher in TLS 1.3 0-RTT replay | mitigated |
| 2020 | Raccoon attack | DH timing in TLS 1.2 |
| 2023 | Terrapin | SSH transport (not TLS) |
Useful extensions
- SNI (Server Name Indication, RFC 6066) — host header in ClientHello.
- ALPN (RFC 7301) — Application-Layer Protocol Negotiation (HTTP2, HTTP3).
- ECH (Encrypted Client Hello, draft) — encrypts SNI; replaces ESNI. Uses HPKE.
- Certificate Transparency (RFC 6962) — public logs of cert issuances.
- OCSP Stapling (RFC 6066) — server sends OCSP response, client does not query the CA.
- 0-RTT — TLS 1.3 early data with PSK. Replay risk.
- TLS-PSK — pre-shared key, no cert.
Cert validation chain
Root CA (offline, in HSM)
↓
Intermediate CA (online)
↓
End-entity cert (server)Client loads a Root store (Mozilla NSS, Microsoft, Apple, Google CRLSet). Each intermediate signs the next.
Certificate Transparency (CT) — public append-only signed log. Browsers require an SCT (Signed Certificate Timestamp). Detects mis-issued certs.
2. SSH (Secure Shell)
History
- 1995: Tatu Ylönen (Finland) — SSH-1.
- 1996: OpenSSH fork of SSH-1.2.12 (last free one).
- 1997–2006: IETF standardizes SSH-2 (RFC 4251–4254).
- 2006: SSH-2 mainstream.
SSH-2 layers
- Transport (RFC 4253) — KEX, encryption, MAC, server authentication.
- User auth (RFC 4252) — password, public key, host-based, GSSAPI.
- Connection (RFC 4254) — multiplex channels (shell, exec, port forward, X11).
KEX
- diffie-hellman-group14-sha256 (RFC 8268)
- diffie-hellman-group-exchange-sha256
- ecdh-sha2-nistp256384521
- curve25519-sha256@libssh.org / curve25519-sha256 (modern default)
- sntrup761x25519-sha512@openssh.com (PQC hybrid, OpenSSH 9.0+, April 2022)
Host keys
- ssh-rsa (legacy, broken SHA-1 hash; deprecated as default in OpenSSH 8.2+)
- rsa-sha2-256, rsa-sha2-512
- ecdsa-sha2-nistp256384521
- ssh-ed25519 (recommended, default since 7.x)
User keys
~/.ssh/id_ed25519 recommended instead of id_rsa. RSA 4096 OK as an alternative.
Historical vulnerabilities
- CRC-32 compensation attack (1998, SSH-1) — RC4-MD5.
- Plaintext recovery in CBC mode (Albrecht et al. 2009) — required 8 GB of traffic.
- Roaming feature client bug (CVE-2016-0777, 2016) — leaked the private key.
- Terrapin (CVE-2023-48795, Dec/2023) — truncation attack on SSH BPP. A MITM attacker in the handshake cuts extension negotiation. Mitigated by strict KEX in OpenSSH 9.6+ and libssh 0.10.6+.
Hardening 2026
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin prohibit-password3. IPsec / IKE
Network-layer encryption. RFC 4301 (architecture), RFC 7296 (IKEv2).
Components
- AH (Authentication Header, RFC 4302) — integrity + authenticity (no confidentiality). Rarely used today.
- ESP (Encapsulating Security Payload, RFC 4303) — confidentiality + integrity.
- IKE (Internet Key Exchange) — negotiates SAs (Security Associations) and keys.
Modes
- Transport mode — IP header preserved; payload encrypted. Host-to-host.
- Tunnel mode — IP header encrypted inside; new outer header. Gateway-to-gateway VPN.
IKEv1 ❌
RFC 2409 (1998). Aggressive Mode has PSK offline crack (cipherspark 2018 demo). Main Mode more robust but complex.
IKEv2 ✅
RFC 7296. Radical simplification: 1 RTT setup, mobility (RFC 4555 MOBIKE), EAP auth.
Recommended cipher suites
- AES-GCM-128 or AES-GCM-256 (RFC 4106)
- ChaCha20-Poly1305 (RFC 7634)
- Diffie-Hellman group 19 (256-bit ECP) or 20 (384-bit ECP) or 31 (X25519)
IKE_AUTH with certificates or PSK
Flaws
- CVE-2018-5389 — Aggressive Mode PSK offline.
- strongSwan / Libreswan stack code: several CVEs over the years; keep it updated.
Modern alternative: WireGuard
See §10.
4. Kerberos
MIT Athena Project, 1980s. RFC 4120 (V5, 2005). Backbone of Active Directory.
Components
- KDC (Key Distribution Center): issues tickets.
- AS (Authentication Service): issues the TGT (Ticket-Granting Ticket).
- TGS (Ticket-Granting Service): issues service tickets.
- Principal: identity (user@REALM, host/fqdn@REALM).
Flow
- AS-REQ: client sends username; AS responds with a TGT encrypted with the password hash.
- Client decrypts the TGT with the password; now has a valid TGT (and a session key with the TGS).
- TGS-REQ: client presents the TGT + requested service principal; TGS responds with a service ticket.
- AP-REQ: client presents the service ticket to the service.
Crypto
- DES (deprecated)
- 3DES (deprecated)
- AES-128/256-CTS-HMAC-SHA1-96 (RFC 3962)
- AES-128256-CTS-HMAC-SHA256384-192 (RFC 8009)
Vulnerabilities
- Golden Ticket: compromised the krbtgt hash (the TGS principal); can forge any TGT. AD requires a double rotation to invalidate.
- Silver Ticket: forges a service ticket without talking to the KDC.
- Kerberoasting: requests service tickets with a compromisable SPN, then offline-cracks the key (= the account's password hash).
- AS-REP Roasting: users with
DONT_REQ_PREAUTHallow a dump. - Zerologon (CVE-2020-1472) — Netlogon protocol bug: AES-CFB8 with all-zero IV accepts all-zero plaintext → zeroes the DC's password. Critical in Sep/2020.
5. OAuth 2.0 + OpenID Connect
Not cryptography per se; an access-delegation protocol.
OAuth 2.0 (RFC 6749, 2012)
Roles:
- Resource Owner (user)
- Client (app)
- Authorization Server (Koder ID, Google, etc.)
- Resource Server (API)
Flows:
- Authorization Code + PKCE — current standard for mobileSPAweb.
- Implicit Flow — deprecated (token in URL fragment, leaks).
- Client Credentials — service-to-service.
- Device Authorization Flow (RFC 8628) — TVs, CLIs.
- Refresh Token — long-lived re-auth.
PKCE (RFC 7636)
Random code_verifier; code_challenge = SHA256(verifier). Binds the authorization code to the client session. Mandatory for public clients.
OpenID Connect (OIDC)
Identity layer on top of OAuth 2.0. Server issues an id_token (JWT) with the user's claims.
JWT (RFC 7519)
header.payload.signature- Header: alg, typ.
- Payload: claims (iss, sub, aud, exp, iat, jti, etc.).
- Signature: signature over
header.payload.
Algorithms:
- HS256384512 — HMAC, symmetric (shared secret).
- RS256384512 — RSA-PKCS#1 v1.5 SHA-*.
- PS256384512 — RSA-PSS.
- ES256384512 — ECDSA.
- EdDSA — Ed25519 (RFC 8037).
Common JWT flaws
alg: noneaccepted by careless libs (CVE-2015-9235).alg: HS256with an RSA pubkey as the secret (CVE-2015-2951).- kid path traversal if kid is used as a filename.
- Algorithm confusion between RS256 and HS256.
- JWT note: never trust a JWT that came from the client — always validate the signature, exp, aud, iss.
Koder ID
Stack spec: specs/auth/oauth-flow.kmd — slug koder-id, post-auth dashboard, no local form, deep-link preserve, R1-R12.
6. Signal Protocol
End-to-end encryption messaging. Open Whisper Systems (Moxie Marlinspike, Trevor Perrin) — now the Signal Foundation.
Components
- X3DH (Extended Triple Diffie-Hellman) — initial key agreement with published pre-keys.
- Double Ratchet — DH ratchet (new key per message) + symmetric ratchet (KDF per message) → forward secrecy + post-compromise security.
- Sesame — multi-device session management.
X3DH
Server hosts:
- Long-term identity key (IK_B) — Ed25519.
- Signed pre-key (SPK_B) — rotated weekly.
- One-time pre-keys (OPK_B) — used once.
Alice fetches Bob's bundle. Compute:
DH1 = DH(IK_A, SPK_B)
DH2 = DH(EK_A, IK_B)
DH3 = DH(EK_A, SPK_B)
DH4 = DH(EK_A, OPK_B)
SK = HKDF(DH1 \\\| DH2 \\\| DH3 \\\| DH4)Deniability: anyone with the identity keys could forge — Alice has cryptographic deniability.
Double Ratchet
For each message:
- Symmetric ratchet: \(\text{chain\_key} \to (\text{msg\_key}, \text{chain\_key}')\) via HMAC-SHA256.
- DH ratchet: upon receiving a new message with a new DH pubkey, advance the DH chain: new DH share → new root key → new chain keys.
Result:
- Forward secrecy: an old message is not recoverable even with the current key.
- Post-compromise security: after compromising the state, the next DH ratchet recovers security.
Adoption
- Signal app
- WhatsApp (2016)
- Facebook Messenger Secret Conversations
- Google Allo (discontinued)
- Skype private conversations
- KaKaoTalk
PQXDH (Signal, 2023)
PQC replacement for X3DH. Combines X25519 + ML-KEM-1024. Hybrid model: an attack must break both.
7. MLS — Messaging Layer Security
RFC 9420 (Jul/2023). IETF standardization of E2E for groups.
Motivation
Signal scales poorly to large groups (each message encrypts to N members). MLS uses TreeKEM: a binary tree, each node has a key; a change propagates in \(O(\log n)\).
Components
- Asymmetric Ratchet Tree (RT): a tree with keys at each node.
- TreeKEM: efficient derivation of group keys.
- Welcome message: a new member receives the ratchet state.
- Commit: changes the group state (add, remove, update).
Adoption
- WebEx (Cisco)
- RingCentral
- Wickr (AWS)
- Implementations: OpenMLS (Rust), mlspp (Cisco C++)
8. Noise Protocol Framework
Trevor Perrin, 2015–2018. noiseprotocol.org. A framework for building secure protocols. Not a single protocol.
Patterns
Notation: each handshake = a sequence of tokens (e, s, ee, es, se, ss). Examples:
- N: one-shot encryption to a pre-known recipient.
- K: known recipient + authenticated sender.
- X: full mutual auth + encrypted transport.
- IK (interactive K): used by WireGuard.
- XX: mutual auth, cert exchange.
Used in
- WireGuard: Noise_IKpsk2.
- Lightning Network: Noise_XK.
- WhatsApp protocol stack (parts).
- Nym, Wesh, Slack Connect.
9. WireGuard
Jason Donenfeld, 2015–2018. Merged into the Linux kernel 5.6 (Mar/2020).
Design
- 4000 lines of kernel C (vs 100k+ for the IPsec stack).
- Cryptographic agility: rejected by design. Fixed algorithms:
- Curve25519 (ECDH)
- ChaCha20-Poly1305 (AEAD)
- BLAKE2s (hash)
- HKDF
- No PKI; each peer has its pubkey listed in config.
- UDP only, single port.
Handshake
Noise_IKpsk2 — 2 messages, 1 RTT. Recovers from hibernation with a cookie.
Privacy
No identity in packets. Stateless transport packets are indistinguishable without the correct key.
Limitations
- No dynamic peers (use Tailscale/Headscale on top).
- No TCP fallback (use a TCP-tunneling overlay).
- No PQC (proposed:
boringtunPQ fork experimented in 2023).
10. OPAQUE — PAKE
RFC 9497 (2024). PAKE (Password-Authenticated Key Exchange) that avoids the server storing the password or any derivative.
- Server stores an
OPRF(salt, password)envelope, without ever seeing the password. - Even if the server leaks, offline dictionary attack is impossible.
- Replaces the "send password, server bcrypt-compares" system.
Used experimentally at Cloudflare, ProtonMail planning, future Keybase.
Other PAKEs
- SRP (Secure Remote Password) — old, still used in 1Password until 2024.
- SPAKE2, J-PAKE, CPace — variants.
11. Email & Documents
PGP / OpenPGP
RFC 4880 (legacy), RFC 9580 (2024 — Crypto Refresh).
- Web of trust (vs hierarchical PKI).
- Ciphers: AES, Camellia; hashes: SHA-2, SHA-3; sigs: RSA, ECDSA, EdDSA, Ed25519.
- RFC 9580 adds Curve25519, BLAKE2, Argon2.
Modern criticisms:
- Long-term keys (no forward secrecy).
- Terrible UX.
- Divergent implementations.
- EFAIL (2018) — backchannel via HTML rendering.
- SOP-spec (Stateless OpenPGP) attempts to clean up implementations.
S/MIME (RFC 8551)
PKCS#7 / CMS for email. CA-based PKI. Less popular outside corporate.
age (Filippo Valsorda 2019)
Replaces PGP for file encryption.
- No long-term identities; each file has an ephemeral key.
- X25519 + ChaCha20-Poly1305 + scrypt.
- SSH key compatibility (Ed25519, RSA).
ageCLI, libsodium-style.
12. DNSSEC, DoT, DoH, DoQ
DNSSEC (RFC 4033/4035)
Signs DNS records. DS / DNSKEY chain of trust. Modern algorithms: ECDSA P-256, Ed25519, Ed448. Legacy algorithms still in use: RSA-SHA256, RSA-SHA1 (prohibit).
DNS-over-TLS (DoT, RFC 7858)
Port 853. TLS over a dedicated port. Server cert validated.
DNS-over-HTTPS (DoH, RFC 8484)
Port 443. Over HTTPS. Harder to censor but mixes with web traffic.
DNS-over-QUIC (DoQ, RFC 9250)
DNS over QUIC. Lower latency.
ODoH, Oblivious DoH (RFC 9230)
Privacy: client → proxy → resolver. The resolver does not know the client IP; the proxy does not see the queries.
13. QUIC and HTTP/3
QUIC (RFC 9000–9002, 2021) — transport over UDP with TLS 1.3 built in. Multiplexing without head-of-line blocking. HTTP/3 (RFC 9114) is HTTP over QUIC.
All crypto = TLS 1.3 with an extension to integrate into the QUIC packets.
14. ACME (Let's Encrypt)
RFC 8555 (2019). A protocol for automatic cert issuance. The client proves control of the domain via challenges:
- HTTP-01: serve a token at
/.well-known/acme-challenge/. - DNS-01: create a TXT record
_acme-challenge.example.com. - TLS-ALPN-01: serve a special ALPN cert.
Implementations:
- certbot (EFF, original).
- acme.sh (bash).
- lego (Go, used by Caddy/Traefik).
- dehydrated (bash, minimal).
- Koder Jet native ACME.
Koder Stack: services/foundation/certs on s.khost1:9421 does DNS-01 via the ClouDNS API. LE staging confirmed.
15. WebAuthn / FIDO2
W3C + FIDO Alliance, 2019.
- Public-key authentication with hardware (YubiKey, Titan, Touch ID).
- Resists phishing (origin binding).
- Crypto: ECDSA P-256, Ed25519, optional RSA.
- Optional attestation (proves the authenticator is genuine).
Adoption: Google, Apple, Microsoft Passkeys (2022–) replacing passwords. A Passkey = a WebAuthn credential synced across iCloud / Google account.
16. Tor / mix-nets / Loopix
Anonymity protocols.
- Tor: 3-hop onion routing with layered TLS. AES-128-CTR + DH ECDH. Hidden services .onion.
- I2P: garlic routing.
- Mixnets (Loopix, Nym): cover traffic, mixing nodes. Latency-tolerant.
17. Summary: protocols by use (2026)
| Use | Use |
|---|---|
| HTTPS browser/API | TLS 1.3 only |
| HTTPS legacy compat | TLS 1.2 with ECDHE+AEAD only |
| Remote login | OpenSSH ≥ 9.6 with Ed25519 |
| Site-to-site VPN | WireGuard primary; strongSwan IPsec fallback |
| AD / corporate auth | Kerberos (with AES SHA-2) or OIDC preferred |
| Web app auth | OIDC with PKCE + WebAuthn as 2FA |
| 1:1 E2E messaging | Signal Protocol or MLS |
| Group E2E messaging | MLS |
| E2E email | OpenPGP RFC 9580; or age for files |
| File encryption | age |
| Private DNS | DoT (system-wide) or DoH (browser) |
| Service mesh mTLS | TLS 1.3 with ECDSA-P256 or Ed25519 |
| Hardware-backed login | WebAuthn / FIDO2 / Passkeys |
| Post-quantum transit | TLS 1.3 + X25519MLKEM768 hybrid |
18. Cross-reference
- Primitives used:
04-symmetric.md,05-asymmetric.md,06-hash-and-mac.md. - Attacks against:
11-attacks.md(BEAST, POODLE, FREAK, Logjam, DROWN, Heartbleed, ROBOT, Terrapin). - PQC integration:
08-post-quantum.md. - Identities / certs / CAs:
09-confidential-computing.md+13-incidents.md(DigiNotar, Comodo). - Koder Stack usage:
14-koder-applied.md.