+
+3. Symmetric cipher
+--------------------
+
+Since the generalized encryption functions of OpenSSL are used, any symmetric
+cipher that is available in OpenSSL could possibly be used. The default however
+will be Blowfish. Blowfish is widely in use and still has not been cracked
+today (as far as we know). It also is one of the faster ciphers available.
+
+4. Detailed "example" of communication
+---------------------------------------
+
+Tinc uses a peer-to-peer protocol, but during the authentication phase we will
+make a distinction between a server (a tinc daemon listening for incoming
+connections) and a client (a tinc daemon that is trying to connect to the tinc
+daemon playing server).
+
+The message strings here are kept short for clarity. The real length of the
+exchanged messages is indicated. The capital words ID, CHALLENGE, CHAL_REPLY
+and ACK are in reality replaced by the numbers 1, 2, 3 and 4 respectively.
+
+daemon message
+--------------------------------------------------------------------------
+server <listening for connection>
+client <tries to connect>
+server <accepts connection>
+client ID client 8 0
+ | | +-> options
+ | +---> version
+ +-------> name of tinc daemon
+server CHALLENGE 57fb4b2ccd70d6bb35a64c142f47e61d
+ \________/\__/
+ | +----> 64 bits initial vector and
+ +-----------> 448 bits symmetric cipher key for meta
+ data sent to the server
+ \______________________________/
+ +-> 2048 bits totally random string, encrypted
+ with client's public RSA key
+client CHAL_REPLY 191e23
+ +-> 160 bits SHA1 value of the complete decrypted
+ CHALLENGE sent by the server
+server ID server 8 0
+ | | +-> options
+ | +---> version
+ +-------> name of tinc daemon
+client CHALLENGE da02add1817c1920989ba6ae2a49cecb
+ \________/\__/
+ | +----> 64 bits initial vector and
+ +-----------> 448 bits symmetric cipher key for meta
+ data sent to the client
+ \______________________________/
+ +-> 2048 bits totally random string, encrypted
+ with server's public RSA key
+server CHAL_REPLY 2bdeed
+ +-> 160 bits SHA1 value of the complete decrypted
+ CHALLENGE sent by the client
+client ACK
+server ACK
+--------------------------------------------------------------------------
+
+When the server receives the ACK from the client, it should prepare itself
+for the fact that any subsequent data will be encrypted with the key the server
+sent itself in the CHALLENGE. Ofcourse, this key is taken from the decrypted
+version of that CHALLENGE, so that we will know for sure only the real client
+can send us messages. The same goes for the client when it receives an ACK.
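Review bot: the acceptance check on CHAL_REPLY is never stated; the paragraph after the table jumps from "receives the ACK from the client" to trusting the key, but the doc should say explicitly that each side computes SHA1 over its own plaintext CHALLENGE, compares it to the received CHAL_REPLY, and drops the connection on mismatch before sending ACK, since that comparison is the only thing that backs the claim "so that we will know for sure only the real client can send us messages". The CHALLENGE annotation also leaves a gap: 64 bits IV plus 448 bits key account for 512 of the "2048 bits totally random string", so state what happens to the remaining 1536 bits (discarded, or reserved), and name the RSA encryption padding used for the challenge, because a 2048-bit plaintext under an RSA key of the same size reads like unpadded RSA and the reader should not have to guess. Two smaller points: the table header "daemon message" would be clearer as two labelled columns ("daemon | message") matching the rows below, and "Ofcourse" in the last paragraph should be "Of course".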