Ouroboros Tutorial 06 - Authenticated Flows

This tutorial demonstrates setting up and using authenticated flows in Ouroboros with certificate-based authentication.

Tutorial Directory: This tutorial will execute in /tmp/o7s-tut06/. All configuration files, generated certificates, logs, and packet captures will be stored in this directory.

We create a complete PKI (Public Key Infrastructure):

• Root CA (ca.tut.o7s): Self-signed trust anchor
• Intermediate CA (sign.tut.o7s): Signed by root with pathlen:0 constraint
• Server Certificate (sec.oping.tut.o7s): Signed by intermediate CA

All cryptographic operations use ECDSA P-384 with SHA-384 hashing.

Setting Up the Tutorial

To properly understand and debug the authenticated flows, this tutorial uses a debug build of Ouroboros with OAP protocol debugging enabled.

cd /path/to/ouroboros
mkdir build && cd build
cmake -DCMAKE_BUILD_TYPE=Debug -DDEBUG_PROTO_OAP=ON ..
make -j$(nproc)
sudo make install

When built with these options, the IRMd will output detailed OAP protocol information.

Configuration Files

The following three files should be created in the tutorial directory (/tmp/o7s-tut06/) before starting the tutorial:

tut06.conf - IRMd configuration

# Ouroboros Tutorial 06 - Authenticated Flows Configuration
# Uses system-installed certificates at /etc/ouroboros/security/

[name."sec.oping.tut.o7s"]
prog=["/usr/bin/oping"]
args=["--listen"]

[eth-dix.eth-dix-lo]
bootstrap="eth-dix-network"
dev="lo"
reg=["sec.oping.tut.o7s"]

PCAP Trace Analysis

Protocol Overview

This section summarizes the four protocols that work together in the captured packet flow.

Ethernet DIX Frame with EID Header

Ouroboros extends the DIX frame with a flow identifier (EID - Endpoint Identifier) and length field.

Ethernet Flow Allocator - Management Protocol

The Ethernet DIX management protocol handles flow allocation, setup, and teardown. All management frames use destination EID 0x0000.

Management Frame Types:

Note: The 32-byte service hash (SHA3-256) is appended after the management protocol header for NAME_QUERY_* and FLOW_REQ messages to identify which service is being queried or allocated. FLOW_REPLY does not include the service hash; the endpoints are already identified by the allocated EIDs (SEID/DEID).

Ouroboros Flow Allocation Protocol (OAP)

The Ouroboros Application Protocol (OAP) is the flow allocation and authentication protocol. It carries flow negotiation requests, responses, and authentication credentials. OAP frames are encapsulated as data payload over the management protocol.

Frame Layout by Field:

Oping Application Protocol

The Ouroboros Ping (oping) application is a simple echo/reply protocol used to measure round-trip time and validate connectivity between applications. It implements a request/reply pattern similar to ICMP ping.

Frame Layout by Field:

Packet Analysis

Packet 1: NAME_QUERY_REQ (Test 1 - Setup)

Summary: Client sends a NAME_QUERY_REQ message to discover if the service sec.oping.tut.o7s is available. This is a broadcast discovery query sent early in the flow allocation process.

Ethernet DIX Frame with EID Header

Ethernet Flow Allocator - Management Protocol

Packet 2: NAME_QUERY_REPLY (Test 1 - Setup)

Summary: Server responds to the NAME_QUERY_REQ by sending a NAME_QUERY_REPLY for the service hash.

Ethernet DIX Frame with EID Header

Ethernet Flow Allocator - Management Protocol

Packet 3: FLOW_REQ (Test 1 - Unauthenticated + Unencrypted)

Summary: Client initiates a flow allocation request (FLOW_REQ) with minimal OAP headers since no authentication or encryption is being used.

Key observations:

• SEID is 0x0040 (first allocated flow ID for this session)
• Service hash is carried in management protocol payload (32 bytes)
• OAP header is minimal: only ID and timestamp, no optional fields
• No certificate, ephemeral key, data, or signature in this initial request

Packet 4: FLOW_REPLY (Test 1 - Unauthenticated + Unencrypted)

Summary: Server responds to FLOW_REQ by sending FLOW_REPLY with a new DEID (destination endpoint ID 0x0041) to establish the allocated flow for data transfer.

Key observations:

• SEID 0x0041 is the newly allocated server-side flow endpoint
• DEID 0x0040 reflects the client's flow ID, creating a bidirectional mapping
• No service hash included (FLOW_REPLY only needs the EIDs to identify the flow)
• OAP echoes the client's ID and timestamp, confirming the flow allocation
• Response code 0x00000000 indicates success

Packet 5: ECHO_REQUEST (Test 1 - Plaintext Data)

Summary: Client sends an oping ECHO_REQUEST packet to the server using the allocated flow. This is an application-layer ping request to measure latency and connectivity.

Key observations:

• EID 0x0041 shows traffic from server-side flow ID
• This is the first ping request (ID = 0x00000000)
• Timestamp captures when the ping was sent (seconds in network order)
• Default oping payload is 64 bytes total; 24 bytes header + 40 bytes data

Packet 6: ECHO_REPLY (Test 1 - Plaintext Data)

Summary: Server receives the ECHO_REQUEST and immediately sends back an ECHO_REPLY with the same ID and timestamps, echoing the client's message.

Key observations:

• EID 0x0040 shows traffic from client-side flow ID receiving the reply
• Type field changed from 0x00000000 (REQUEST) to 0x00000001 (REPLY)
• ID, timestamps, and payload data are identical to the request (echoed back)
• Round-trip time can be calculated by comparing current time with echoed timestamp
• Ping succeeded on first attempt with minimal latency

Packet 7: FLOW_REQ (Test 2 - Unauthenticated + Encrypted)

Summary: Client initiates flow allocation with encryption enabled. This FLOW_REQ carries an OAP header with an ephemeral ECDHE P-384 public key (91 bytes) for encryption setup.

Key observations:

• Encryption enabled: ephemeral key present (91 bytes)
• Client sends no certificate, allowing anonymous encryption setup
• No signature (unsigned OAP)
• Ephemeral key is ECDHE P-384 for key exchange

Packet 8: FLOW_REPLY (Test 2 - Unauthenticated + Encrypted)

Summary: Server accepts the encrypted flow allocation request. FLOW_REPLY contains the server's ephemeral key but no certificate (since client didn't send one).

Key observations:

• SEID 0x0042 is the new server-side flow endpoint
• Server's ephemeral key matches client's (both 91 bytes)
• Both keys are now exchanged; client and server can derive shared secret
• No authentication (no certificates) but encryption is negotiated
• Response indicates successful allocation

Packet 9: ECHO_REQUEST (Test 2 - Encrypted Data)

Summary: Client sends encrypted ping request after encryption keys are established. The payload is encrypted with the derived shared secret.

Key observations:

• All 96 bytes of oping data (type, ID, timestamps, payload) are encrypted
• No plaintext oping headers visible; entire packet is ciphertext
• Flow IDs (0x0042) identify which encryption context to use
• Ping still works with encryption transparently

Packet 10: ECHO_REPLY (Test 2 - Encrypted Data)

Summary: Server receives encrypted ping request, decrypts it, and sends encrypted ECHO_REPLY.

Key observations:

• EID 0x0040 shows reply going back to client-side flow
• Ciphertext is different from request (different plaintext: type field differs)
• Both encrypted packets are 96 bytes (same size as Packet 9)
• Client receives encrypted reply, decrypts it, verifies ID and timestamps match request
• Encryption is transparent at application layer: oping works exactly as with plaintext flows

Packet 11: FLOW_REQ (Test 3 - Authenticated + Encrypted)

Summary: Client initiates flow allocation with encryption enabled and server certificate present. This is the full authentication + encryption scenario.

Key observations:

• SEID is 0x0040 (same as Test 2 - reusing the same client flow ID)
• No Certificate field because client is not authenticating
• Ephemeral Key present for ECDHE encryption setup
• No Signature because client has no certificate to sign with

Packet 12: FLOW_REPLY (Test 3 - Authenticated + Encrypted)

Summary: Server responds with its certificate for authentication, ephemeral public key for ECDHE encryption, and a digital signature proving ownership of the certificate.

Ouroboros Allocation Protocol (OAP) - FLOW_REPLY Payload with Full Authentication

Key Observations:

1. SEID is 0x0043 - New server-side endpoint ID allocated for this authenticated flow 2. DEID is 0x0040 - Client's flow ID from the FLOW_REQ, establishing the bidirectional flow 3. FLOW_REPLY Message Type - Code field is 0x01, no service hash (already identified in FLOW_REQ) 4. Full Certificate - carrying server's complete X.509 certificate signed by intermediate CA 5. Ephemeral Key Present - with server's ECDHE public key for encryption 6. Signature Included - containing ECDSA digital signature over the entire OAP header 7. Same OAP ID - Server echoes back the exact ID from client's FLOW_REQ to confirm association 8. Large Payload - Total of 825 bytes due to certificate + ephemeral key + signature + overhead 9. Authentication Complete - Client verifies: (1) certificate against CA store, (2) signature over entire response ensures authenticity and integrity, (3) echoed ID binds response to this specific request, (4) timestamp prevents replay attacks

Packet 13: Encrypted ECHO_REQUEST (Test 3 - Auth + Encrypted)

Summary: Client sends encrypted ping request after authentication handshake. All application data is protected by encryption using the ephemeral keys established in Packets 11-12.

Key observations:

• No visible protocol structure - all application data appears as ciphertext
• Uses the same source/destination EID pair (0x0043 → 0x0060) established in the FLOW_REQ/FLOW_REPLY handshake
• Encryption is done using the ephemeral key (91 bytes) exchanged in Packet 11's OAP header
• Unlike Packets 11-12, this packet contains no certificate, public keys, or signatures
• The 110-byte encrypted data corresponds to the original oping ECHO_REQUEST message

Packet 14: Encrypted ECHO_REPLY (Test 3 - Auth + Encrypted)

Summary: Server sends encrypted ping reply. Note that the flow identifiers swap, demonstrating bidirectional encrypted communication.

Key observations:

• The EID in offset 0x00 is now 0x0040 (server's view of client's inbound flow)
• Uses the same ephemeral key material as Packet 13, but encryption direction is reversed
• Both packets use AES-GCM with keys derived from the ECDH exchange
• Timestamp 17:39:59.836930 is only 445 microseconds after Packet 13, indicating server-side processing
• The 110-byte encrypted ECHO_REPLY payload is the same size as the request
• All application data is protected by both authentication (X.509 + ECDSA) and encryption (AES-GCM)

Packet 15: FLOW_REQ (Test 4 - Auth + No Encryption)

Summary: Client initiates flow allocation with authentication enabled but encryption disabled. This FLOW_REQ carries an OAP header but no ephemeral key since encryption is not being used.

Ouroboros Allocation Protocol (OAP) - FLOW_REQ Payload (No Encryption)

Key observations:

• No encryption enabled: ephemeral key absent
• Client requests authentication only
• Server will respond with certificate + signature but no ephemeral key
• Packet is minimal compared to Packet 11 (which includes 91-byte ephemeral key)

Packet 16: FLOW_REPLY (Test 4 - Auth + No Encryption)

Summary: Server accepts the authenticated (but not encrypted) flow allocation request. FLOW_REPLY contains the server's X.509 certificate and ECDSA signature for authentication, but no ephemeral key.

Ouroboros Allocation Protocol (OAP) - FLOW_REPLY Payload with Certificate and Signature (No Ephemeral Key)

Key Observations:

1. SEID is 0x0041 - New server-side endpoint ID allocated for this authenticated flow 2. DEID is 0x0040 - Client's flow ID from Packet 15 FLOW_REQ, establishing the bidirectional flow 3. FLOW_REPLY Message Type - Code field is 0x01, no service hash 4. Certificate Field - carrying server's X.509 certificate signed by intermediate CA 5. Separate Signature Field - with ECDSA signature over entire OAP header 6. No Ephemeral Key - since encryption is not being used in Test 4 7. Same OAP ID - Server echoes back the exact ID from client's FLOW_REQ 8. Complete OAP Structure - Full OAP header with all standard fields, just without ephemeral key data 9. Total Payload - 751 bytes total vs Packet 12's 843 bytes (92-byte difference = missing 91-byte ephemeral key) 10. Authentication Only - Client verifies: (1) certificate against CA store, (2) signature over entire response ensures authenticity and integrity, (3) echoed ID binds response to this specific request, (4) timestamp prevents replay attacks 11. Plaintext Data Exchange - After this FLOW_REPLY, all subsequent application data will be transmitted in plaintext

Packet 17: ECHO_REQUEST (Test 4 - Plaintext Data)

Summary: Client sends plaintext ECHO_REQUEST data through the authenticated (but unencrypted) flow. The oping application's ping request is transmitted directly without encryption, relying on the earlier certificate+signature authentication for security.

Application Data - Oping Echo Request (Plaintext)

Key Observations:

1. EID Pair: 0x0041 → Server Flow - Data is directed to the server's endpoint ID 2. Plaintext Transmission - No encryption layer; oping payload is sent as-is 3. Authenticated Flow - Although plaintext, this data travels on the authenticated flow 4. Application Protocol - Oping ping request with sequence number 0, containing timestamp and probe payload 5. Test 4 Characteristic - Demonstrates authenticated communication without encryption 6. Contrast to Test 3 - Packet 13 was 114 bytes with ciphertext; this packet is 82 bytes of plaintext 7. Fixed-size Payload - 64 bytes of probe data

Packet 18: ECHO_REPLY (Test 4 - Plaintext Data)

Summary: Server responds with plaintext ECHO_REPLY data, echoing back the client's request. This confirms successful bidirectional communication over the authenticated (but unencrypted) flow.

Application Data - Oping Echo Reply (Plaintext)

Key Observations:

1. EID Pair: 0x0040 → Client Flow - Server responds to client's endpoint ID 2. Echo Semantics - Sequence number, timestamp, and probe data are echoed from request 3. Response Code 0x0001 - Indicates successful echo response 4. Plaintext Reply - No encryption; server's response payload is readable 5. Authenticated Channel - Although plaintext, this reply is part of the authenticated flow 6. Test 4 Completion - Demonstrates full bidirectional plaintext communication over an authenticated flow 7. Contrast to Test 3 - Packet 14 was 114 bytes with ciphertext; this packet is 82 bytes of plaintext 8. Fixed-size Payload - Same 64-byte probe structure as request