Security: Xona Fabric Cryptography

Table of Contents

  • Overview

  • Xona Fabric Cryptography
    • Symmetric Key Encryption
    • Digital Signatures
    • Secure Hashing
    • Message Authentication
    • Other
  • References

Overview

Xona Fabric runs on encrypted tunnels between the Xona Central Manager (XCM) and the Xona Critical System Gateway (CSG) using the WireGuard protocol. The tunnel requires UDP port 39251 to be open from the CSG to the XCM. Below are details on how Xona Fabric uses Symmetric Key Encryption, Digital Signatures, Secure Hashing, Message Authentication, and other cryptographic technologies.

Xona Fabric Cryptography

Symmetric Key Encryption

  • ChaCha20 - WireGuard uses the ChaCha20 stream cipher to encrypt tunnel traffic after shared session keys are established between the Xona XCM and Xona CSG. ChaCha20 is optimized for high performance in software and provides confidentiality by ensuring intercepted packets cannot be read without the correct symmetric key.

Digital Signatures

  • Curve25519 - WireGuard uses Curve25519 elliptic-curve cryptography for authenticated key exchange during the handshake process. Instead of traditional certificate-based signatures, CSGs authenticate to the XCM through public/private key pairs and derive shared secrets using Elliptic Curve Diffie-Hellman (ECDH). Because each handshake also uses fresh ephemeral key pairs, the exchange provides forward secrecy.

Secure Hashing

  • BLAKE2s - WireGuard uses the BLAKE2s cryptographic hash function for hashing handshake data, maintaining cryptographic state, and supporting key derivation operations. It provides strong integrity and collision resistance with high efficiency.
  • HKDF - WireGuard uses HKDF (HMAC-based Key Derivation Function) with BLAKE2s to securely derive multiple session keys from shared secret material generated during the handshake.
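The following added example (not Xona's or WireGuard's code) implements HKDF extract-and-expand per RFC 5869 with a pluggable hash, defaulting to BLAKE2s from Python's standard library. With the chaining key as salt, the handshake input as keying material and an empty info string, the expand chain produces exactly the tau_1, tau_2, tau_3 sequence that the WireGuard paper's Kdf1/Kdf2/Kdf3 functions describe; the `wireguard_style_kdf` wrapper and its argument names are this example's own, and the sample inputs are constructed.

```python
# Added example: HKDF (RFC 5869) over HMAC-BLAKE2s. Not Xona's or WireGuard's
# code; wireguard_style_kdf is this example's own name for the Kdf_n shape.
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hashmod=hashlib.blake2s) -> bytes:
    """PRK = HMAC(salt, IKM); an empty salt becomes a string of zero bytes."""
    if not salt:
        salt = b"\x00" * hashmod().digest_size
    return hmac.new(salt, ikm, hashmod).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int,
                hashmod=hashlib.blake2s) -> bytes:
    """OKM = T(1) | T(2) | ... with T(i) = HMAC(PRK, T(i-1) | info | i)."""
    digest_size = hashmod().digest_size
    if length > 255 * digest_size:
        raise ValueError("HKDF output limit exceeded")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashmod).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int,
         hashmod=hashlib.blake2s) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm, hashmod), info, length, hashmod)


def wireguard_style_kdf(chaining_key: bytes, input_material: bytes, n: int):
    """Return n 32-byte keys (tau_1 .. tau_n) from HKDF-BLAKE2s with empty info.

    chaining_key is the salt, input_material (e.g. an ECDH result) is the IKM;
    this is the same chain the WireGuard paper's Kdf1/Kdf2/Kdf3 describe.
    """
    okm = hkdf(chaining_key, input_material, b"", 32 * n, hashlib.blake2s)
    return [okm[i:i + 32] for i in range(0, 32 * n, 32)]


def manual_kdf3(chaining_key: bytes, input_material: bytes):
    """The same three keys written out step by step, for comparison."""
    tau0 = hmac.new(chaining_key, input_material, hashlib.blake2s).digest()
    tau1 = hmac.new(tau0, b"\x01", hashlib.blake2s).digest()
    tau2 = hmac.new(tau0, tau1 + b"\x02", hashlib.blake2s).digest()
    tau3 = hmac.new(tau0, tau2 + b"\x03", hashlib.blake2s).digest()
    return [tau1, tau2, tau3]


if __name__ == "__main__":
    # Constructed sample inputs, not real handshake material.
    ck = hashlib.blake2s(b"constructed chaining key").digest()
    dh = hashlib.blake2s(b"constructed ecdh output").digest()
    for i, k in enumerate(wireguard_style_kdf(ck, dh, 3), start=1):
        print(f"tau_{i} = {k.hex()}")
```

Because BLAKE2s has no published HKDF test vector, the example is best checked two ways: the generic HKDF against RFC 5869 test case 1 (which uses SHA-256), and the BLAKE2s chain against the hand-written three-step version.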

Message Authentication

  • Poly1305 - WireGuard uses Poly1305 as a Message Authentication Code (MAC) algorithm alongside ChaCha20 in the ChaCha20-Poly1305 authenticated encryption scheme. Poly1305 verifies packet integrity and authenticity, ensuring data has not been altered in transit.
  • SipHash24 - WireGuard uses SipHash24 internally to protect hash tables and peer/session lookups from collision-based denial-of-service attacks.

Other

  • Noise Protocol Framework - WireGuard’s cryptographic design is built on the Noise Protocol Framework, specifically the Noise_IK pattern, which defines secure peer authentication, session establishment, replay protection, and forward secrecy within a minimal and efficient handshake process.

References

  1. https://support.xonasystems.com/what-are-the-network-requirements
  2. https://www.wireguard.com/
  3. https://cr.yp.to/ecdh.html
  4. https://cr.yp.to/chacha.html
  5. https://cr.yp.to/mac.html
  6. https://www.aumasson.jp/siphash/siphash.pdf
  7. https://blake2.net/
  8. https://eprint.iacr.org/2010/264
  9. https://www.noiseprotocol.org/