Protocol explanation

inventionpro · web-flow · commit c07e893d6653 · 2026-02-15T17:42:37.000+01:00
diff --git a/docs/protocol/index.md b/docs/protocol/index.md
@@ -5,4 +5,69 @@ nav_order: 2
 
 # Protocol
 
-Information about the Parley protocol.
+Information about the Parley protocol.
+
+## Accounts
+
+Accounts have 3 values: public/private keypair (Supported: `RSA-OAEP`, label: `parley`) and a passkey\
+The server must only store the public and an encrypted version of the passkey, never receiving the private key.\
+Public/Private key pair must be generated by the client and passkey by the server.\
+The server should verify the client with both the passkey and by decrypting a value encrypted with the public key.
+
+Flow:
+```
+Client                   Server
+|                        |
+| Keypait creation       |
+| /signup -------------> |
+|                        | Challenge value encrypted
+| <----------- Challenge |
+| Decryption             |
+| /challenge ----------> |
+|                        | Verify & Paskey creation
+| <--- Passkey & Session |
+|                        |
+```
+
+## Messages
+
+The users keypairs are used for asymmetric key encryption to pass an ephemeral shared key (Supported: `AES-GCM`) to allow symmetric key encryption of messages.\
+Shared keys should expire after an hour for foward secrecy, this prevents compromised keys from leaking the entire chat.\
+If expired: The next person to send a message must generate a new shared key and encrypt it with each member's public key.\
+Messages additionally are signed with the user's private key as `RSA-PSS` with a salt length of `222` (Signature format: `${message_content}:${channel_id}:${unix_s}`).\
+To send the message it requires the shared key which needs the user's public key to encrypt, and to sign it, the private key.\
+This prevents MitM attacks since changing the public key of a member to be able to read messages would either invalidate the signature or decryption.
+
+Flow:
+```
+**Read:**
+Client                   Server
+|                        |
+| /messages -----------> |
+| <------------ Messages |
+| /key ----------------> |
+| <-------- Specific key |
+| Decrypt shared         |
+| Decrypt message        |
+| Verify message         |
+|                        |
+**Send:**
+Client                   Server
+|                        |
+| /key ----------------> |
+| <------------ Last key |
+|                        |
+If expired:
+|                        |
+| Generate AES key       |
+| Encrypt for each       |
+| /keys ---------------> |
+|                        | Save encrypted keys
+|                        |
+Finally:
+|                        |
+| Encrypt message        |
+| Sign message           |
+| /message ------------> |
+|                        |
+```
