Authentication

Authentication in QOSST is done in the following way: for each control protocol frame, a SHA256 digest of the variable length header and the content is computed. The digest is then signed and inserted between the fixed length header and the variable length header. Upon reception, the receiving party recomputes the digest of the variable length header and the content and checks it against the signed digest, verifying in particular that the digest is correct and that it was signed by the authorized party.

However, many messages in QOSST look the same, for instance messages that have no content and consist only of a code. To avoid this issue, we make every message unique by adding challenges. When one party sends a message, it issues a challenge that must be included in the response (or, in general, in the next message) of the other party. Hence, for each control protocol frame, the variable length content should contain the “challenge” string corresponding to the challenge issued by the other party at the previous round, and the “next_challenge” string corresponding to the challenge that the other party will have to include in its next message.

An authenticator should inherit from the qosst_core.authentication.base.BaseAuthenticator class and implement the sign_digest and check_digest methods. Currently two authenticators are implemented:

  • the qosst_core.authentication.base.NoneAuthenticator, where sign_digest is the identity and check_digest is an equality test. This authenticator does not authenticate anything and can be used for testing.

  • the qosst_core.authentication.falcon.FalconAuthenticator, which uses a modified Python implementation of the Falcon algorithm (original implementation: https://github.com/tprest/falcon.py, modified implementation: https://github.com/nanoy42/falcon). The Falcon algorithm is one of the finalists for post-quantum asymmetric cryptography. It requires generating a secret key and providing the public key to the other party. As the scheme is only used to sign the digest and not to encrypt the actual data, its security only needs to hold for the duration of the frame exchange. Command line scripts to generate Falcon keys are available in the qosst-core package.
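The following is an added example, not code from the qosst_core package, that re-implements the frame layout, the authenticator interface and the challenge round-trip described above so the mechanics can be run end to end. It assumes a fixed length header of four big-endian integers (code, signature length, variable header length, content length), JSON-encoded content, and 16-byte random hex challenges; none of these details are specified on this page. Because the Falcon library is not available here, an HMAC-based authenticator with a shared key stands in for the Falcon signature; the NoneAuthenticator mirrors the identity/equality behaviour described above. The names BaseAuthenticator, NoneAuthenticator, HmacAuthenticator, Party and run_exchange are this example's own.

```python
"""Illustrative QOSST-style authenticated control frames (not qosst_core code)."""
import hashlib
import hmac
import json
import os
import struct
from abc import ABC, abstractmethod

# Assumed fixed length header: code, signature length, var header length, content length.
FIXED_HEADER = struct.Struct("!HHII")


class BaseAuthenticator(ABC):
    """Stand-in for the BaseAuthenticator interface: sign a digest, check a signed digest."""

    @abstractmethod
    def sign_digest(self, digest: bytes) -> bytes: ...

    @abstractmethod
    def check_digest(self, digest: bytes, signed_digest: bytes) -> bool: ...


class NoneAuthenticator(BaseAuthenticator):
    """sign_digest is the identity, check_digest an equality test: authenticates nothing."""

    def sign_digest(self, digest):
        return digest

    def check_digest(self, digest, signed_digest):
        return hmac.compare_digest(digest, signed_digest)


class HmacAuthenticator(BaseAuthenticator):
    """Constructed shared-key stand-in for the Falcon signature (not a public-key scheme)."""

    def __init__(self, key: bytes):
        self.key = key

    def sign_digest(self, digest):
        return hmac.new(self.key, digest, hashlib.sha256).digest()

    def check_digest(self, digest, signed_digest):
        return hmac.compare_digest(self.sign_digest(digest), signed_digest)


def compute_digest(var_header: bytes, content: bytes) -> bytes:
    """SHA256 over the variable length header and the content, as described above."""
    return hashlib.sha256(var_header + content).digest()


def build_frame(code: int, var_header: bytes, payload: dict, auth: BaseAuthenticator) -> bytes:
    """fixed header | signed digest | variable length header | content."""
    content = json.dumps(payload, sort_keys=True).encode()
    signed = auth.sign_digest(compute_digest(var_header, content))
    fixed = FIXED_HEADER.pack(code, len(signed), len(var_header), len(content))
    return fixed + signed + var_header + content


def parse_frame(frame: bytes, auth: BaseAuthenticator):
    """Split the frame, recompute the digest and check it against the signed digest."""
    code, sig_len, vh_len, c_len = FIXED_HEADER.unpack_from(frame)
    off = FIXED_HEADER.size
    signed, off = frame[off:off + sig_len], off + sig_len
    var_header, off = frame[off:off + vh_len], off + vh_len
    content = frame[off:off + c_len]
    if off + c_len != len(frame):
        raise ValueError("frame length mismatch")
    if not auth.check_digest(compute_digest(var_header, content), signed):
        raise ValueError("digest check failed: tampered or not signed by the authorized party")
    return code, var_header, json.loads(content)


class Party:
    """One side of the exchange, tracking the challenge it issued and the one it owes."""

    def __init__(self, auth: BaseAuthenticator):
        self.auth = auth
        self.issued = None  # our next_challenge, expected back in the peer's next frame
        self.owed = None    # the peer's next_challenge, which we must echo as "challenge"

    def send(self, code: int, var_header: bytes = b"", **fields) -> bytes:
        self.issued = os.urandom(16).hex()  # assumed challenge format
        payload = dict(fields, challenge=self.owed, next_challenge=self.issued)
        return build_frame(code, var_header, payload, self.auth)

    def receive(self, frame: bytes):
        code, var_header, payload = parse_frame(frame, self.auth)
        if payload.get("challenge") != self.issued:
            raise ValueError("challenge mismatch: replayed or out-of-order frame")
        self.issued = None  # a challenge is consumed once, so a replay cannot pass twice
        self.owed = payload["next_challenge"]
        return code, var_header, payload


def run_exchange(key: bytes = b"constructed-shared-key") -> dict:
    """Two rounds between Alice and Bob, then replay, tamper and wrong-key attempts."""
    alice, bob = Party(HmacAuthenticator(key)), Party(HmacAuthenticator(key))
    f1 = alice.send(0x01, b"hdr", role="alice")
    code1, _, p1 = bob.receive(f1)
    f2 = bob.send(0x02)
    code2, _, p2 = alice.receive(f2)

    def rejected(fn):
        try:
            fn()
            return False
        except ValueError:
            return True

    tampered = f2[:-3] + bytes([f2[-3] ^ 1]) + f2[-2:]
    return {
        "code1": code1, "code2": code2,
        "first_challenge_is_none": p1["challenge"] is None,
        "challenge_echoed": p2["challenge"] == p1["next_challenge"],
        "replay_rejected": rejected(lambda: alice.receive(f2)),
        "tamper_rejected": rejected(lambda: alice.receive(tampered)),
        "wrong_key_rejected": rejected(lambda: Party(HmacAuthenticator(b"other")).receive(f1)),
    }
```

The digest check runs before the content is decoded, so a tampered or wrongly-signed frame is rejected without ever parsing its content; the challenge check then rejects a replay of an otherwise valid frame because each issued challenge is consumed exactly once. With NoneAuthenticator substituted for HmacAuthenticator, the frames still round-trip but the wrong-key case no longer fails, which is why that authenticator is only suitable for testing.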