Handshake Flow
DocsProtocol ConceptsHandshake Flow

Handshake Flow

Step-by-step: ClientHello to Secure Channel

The KSP Handshake establishes a secure, encrypted channel using an ephemeral Diffie-Hellman key exchange (X25519) and certifies the identity of the server using Ed25519 signatures.

Message Progression

The handshake requires 1.5 Round Trip Times (RTT) for full channel establishment and certificate verification:

Client                                                         Server
  │                                                               │
  │─── [1] ClientHello ──────────────────────────────────────────→│  (Unencrypted)
  │    - Supported Versions (e.g. v1.0)                           │
  │    - Client Random (32 bytes)                                 │
  │    - Ephemeral X25519 Public Key (Client PK)                  │
  │                                                               │
  │←── [2] ServerHello ───────────────────────────────────────────│  (Unencrypted)
  │    - Selected Version                                         │
  │    - Server Random (32 bytes)                                 │
  │    - Ephemeral X25519 Public Key (Server PK)                  │
  │                                                               │
  │←── [3] Certificate ───────────────────────────────────────────│  (Unencrypted)
  │    - Binary Certificate Format                                │
  │    - MITM Binding Signature (Ed25519 over Handshake Keys)     │
  │                                                               │
  │  ═══════════════ CHANNEL ENCRYPTION IN EFFECT ══════════════  │
  │                                                               │
  │─── [4] AuthRequest (Encrypted) ──────────────────────────────→│  (Encrypted under Session Keys)
  │    - Credentials payload (Argon2id Hash / API Key / JWT)      │
  │                                                               │
  │←── [5] AuthResponse (Encrypted) ──────────────────────────────│  (Encrypted under Session Keys)
  │    - Success / Failure Code                                   │
  │                                                               │
  │─── [6] HandshakeFinish (Encrypted) ──────────────────────────→│  (Transcript digest check)
  │←── [7] HandshakeFinish (Encrypted) ───────────────────────────│  (Transcript digest check)
  │                                                               │
  │  ═════════════════ ACTIVE SECURE SESSION ═══════════════════  │

MITM Binding Signature (Critically Important)

To prevent Man-in-the-Middle (MITM) attacks where an attacker acts as a proxy by negotiating independent keys with both client and server, the server must bind its permanent Ed25519 certificate key to the ephemeral session keys.

The server computes a 64-byte signature over the following concatenated buffer:

binding_data = client_random || server_random || client_ephemeral_pk || server_ephemeral_pk

The client validates this signature using the verified public key extracted from the Server Certificate. If verification fails, the connection must be instantly aborted to prevent spoofing.