# SCHA/STSP
**Copyright (C) 2017 xdrm-brackets**
[](https://golang.org/doc/go1.10) [](https://goreportcard.com/report/git.xdrm.io/logauth/schastsp) [](https://godoc.org/git.xdrm.io/logauth/schastsp)
## Overview
----
This software defines and uses its own protocol which bundles 2 technologies :
- Stateless Cyclic Hash Algorithm
- Stateless Time Scrambling Protocol
It is meant to be used over request/response stateless networking and has been designed with HTTP in mind. The protocol only covers the generation and management of a pair of *tokens* which are hexadecimal strings. These are sent inside each request and a pair also has to be sent back to the sender. These tokens are mainly sent in the HTTP `Authorization` header for HTTP requests and responses.
**Features**
Beyond security issues, this protocol has some additional features :
- **Trust Chain** - Each exchange between the server and the client is bound to the previous one. Each request is unique and can only give information about previous ones, not future ones. This principle ensures the server that no-one can be faking the client (unless someone has access to its key).
> If an attacker can guess (*e.g. bruteforce*) a successful request and gain access to the server - if he hasn't the client's key - it is fairly impossible that he also guesses the next request.
> A resynchronization protocol is featured in this package in order for a client to regain ownership on the trust chain if lost (by network issue or by an attack).
- **Time-awareness** - A request is only valid a short amount of time after its generation. This amount is usually the maximum transmission time.
> Any MITM that catches the client's request to change its content only has a minimum time to forward it. As a result - if the amount is well chosen - any request modification is blocked by the time it takes.
- [TODO]
**Security**
The aim of this package is to provide a **secure** authentication system between a server and its clients. Secure is defined as follows :
- No *man-in-the-middle* (MITM) can gather enough information to fake any client. Every data sent over the network is the result of one or more one-way algorithms.
- Neither a protocol understanding nor the source code can help an attacker fake a client or find useful information among requests.
- The server has no secret key other than the synchronization key (used once to bind the client). The server has no clue what each client's key is, in fact it knows as much as a *MITM*.
## Requirements
----
You need a recent machine with `go` installed.
> This package has not been tested under the version **1.10**.
## Installation
----
Download the package with `go get` :
```bash
go get git.xdrm.io/logauth/schastsp
```
Build the executables :
```bash
go install git.xdrm.io/logauth/schastsp/cmd/client;
go install git.xdrm.io/logauth/schastsp/cmd/server;
```
The executables are now available in your `$GOBIN` (*i.e. `$GOPATH/bin`*) folder.
## Client
----
### 1. Usage
```bash
client [options]
```
Available commands are :
- `-req` generates a new request into standard output
- `-res` reads and manages a response from standard input
- `-sync` generates a synchronization key into standard output (*i.e. resets the system*)
Available options are :
- `-file` sets the folder where the keys are (or will be) stored.
- `-win` sets the window value (in milliseconds). Typically the maximum transmission time.
- `-min` sets the minimum cyclic-hash depth.
- `-max` sets the maximum cyclic-hash depth.
- `-thr` sets the cyclic-hash threshold. This value represents at which offset of the key's TTL the key will be generated. It also corresponds to the number of time the client can desynchronize before becoming impossible to synchronize again.