Key negotiation and session encryption
When a node (user or secure device) attempts to join the BlastShield™ network it is cryptographically challenged to prove that it is legitimate, and it must show that it can verify a challenge sent by the network. The process for authenticating a new session is described here.
A node connecting to a network fetches the public key and public IP of the network’s orchestration node(s) from a BlastWave hosted service.
For each new connection a new session-temporary elliptic keypair is generated by both nodes. The temporary public keys are then exchanged and verified together with randomized challenges and ECDSA signatures of both the temporary keys, challenges and timestamps.
Two session symmetric keys are then derived from the temporary key pairs using a combination of Diffie-Hellman and HKDF.
Session encryption and authentication is performed using AES-256-GCM. A node is considered authenticated when a message has been sent using the correct symmetric key for the session.
For each new peer connection which a node creates, a new temporary elliptic key pair is generated and exchanged between the peers using the existing tunnel to the orchestration node. Symmetric session keys for the peer connection are then derived using the mechanism described above.