From c26576f31f4193fe65a0ad85db4f69af0627af58 Mon Sep 17 00:00:00 2001
From: Rusty Striker <avivr903@tutanota.com>
Date: Fri, 6 Dec 2024 16:44:31 +0200
Subject: [PATCH] protocol updates

---
 protocol.md | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/protocol.md b/protocol.md
index f999141..4bee316 100644
--- a/protocol.md
+++ b/protocol.md
@@ -3,6 +3,29 @@
 All encryptions are made using RSA (key size to be determined), no symmetric encryptions
 are used due to messages being short.
 
+<!-- Maybe yse RSA-256 (or the closest)? if i can assume it is unbreakable that is -->
+## Some problems
+
+Do i need hasing? dont think it will help too much, can just sign-encrypt i think.
+
+When asking for messages, maybe do a little back and forth with the server to make sure
+the request comes from the correct person?
+Maybe keep track of the last message ID every time? then add it to the request,
+	not good, as if there were no new messages an attacker can now use said req.
+Maybe the current timestamp? then the server keeps track of the last request with 
+timestamp for a given user? kinda acts like a better counter i think.
+	I dont think someone can abuse this system. 
+	I think adding this to every request is neccessary to make sure no duplicates are
+	being sent, ie. if an attacker listens on the channel and sees a package sent to
+	the server, it can repeat it and cause mischief (maybe send duplicate messages,
+	or flush the user's messages or something).
+
+	an attacker can also abuse duplicates to see who a user is talking to,
+	simply send the request and encrypt all public keys (gotten in a legitimate way)
+	using the user's public key (as the server would encrypt) and compare the result
+	from the server
+	
+
 ## Registration:
 
 - User sends a register request to server `(phone number, RSA public key)`, 
@@ -27,3 +50,20 @@ request and ultimately signed by A and encrypted using the server's key.
 
 The server will hold on to the message until B will send a `GetMessages` request
 to the server.
+
+## Requests:
+
+legend:
+	- `E(t)` encrypt t
+	- `S(t)` sign t
+	- `ES(t)` signed and encrypted (in that order!)
+	- `HS(t)`/`HS t` hash and sign t 
+All requests are to be encrypted using the server's public key, have the sender phone
+and have a timestamp on them, except when otherwise noted
+
+1. `Register(public key)`, no timestamp
+2. `HS RegisterConfirm(6-digit code)`
+3. `GetMessages`
+4. `GetUserKey(phone - user to get key for)`
+5. `SendMessage(phone - receiver, ES({ message_id, message }))`
+6. `SendMessageACK(phone - ack receiver, ES({ message_id[], ACK/NACK }))`