commit 2eca74793c79c0ff6f861d18c535b1221a96bc5b
parent 944774d070ac97181252d8723a28e8dc338c80f5
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Wed, 23 Oct 2024 15:08:52 +0200
cleanup handshake
Diffstat:
1 file changed, 76 insertions(+), 63 deletions(-)
diff --git a/developers/apis/cong.rst b/developers/apis/cong.rst
@@ -66,6 +66,8 @@ HMAC use in ``gnunet-service-core_kx.c`` including the respective keys and IVs.
Handshake Protocol (Draft)
^^^^^^^^^^^^^^^^^^^^^^^^^^
+.. todo:: Discuss role selection
+
This protocol is derived from `KEMTLS <https://thomwiggers.nl/publication/thesis/thesis.pdf>`_ (page 81ff).
We assume that the peers have semi-*static* (as opposed to ephemeral) key pairs.
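Review bot: the added `.. todo:: Discuss role selection` directly under the `Handshake Protocol (Draft)` underline only renders if `sphinx.ext.todo` is enabled in the Sphinx configuration; without it docutils reports an unknown directive and the reminder disappears from the built page, so the extension should be confirmed in the project config (or the reminder kept as a plain `.. note::`). A blank line between the underline and the directive would also match how the rest of the file separates titles from body text.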
@@ -76,97 +78,108 @@ We assume that the initiator knows pk\ :sub:`R` (pre-distributed through HELLO,
``I`` calculates:
- * (pk\ :sub:`e`,sk\ :sub:`e`) <- ``KeyGen``\ ()
- * (ss\ :sub:`R`,c\ :sub:`R`) <- ``Encaps``\ (pk\ :sub:`R`)
- * ``ES`` <- ``HKDF-Extract``\ (ss\ :sub:`R`, 0)
- * ``ETS`` <- ``HKDF-Expand``\ (``ES``, ``"early data"``, ``InitiatorHello``)
+* (pk\ :sub:`e`,sk\ :sub:`e`) <- ``KeyGen``\ ()
+* (ss\ :sub:`R`,c\ :sub:`R`) <- ``Encaps``\ (pk\ :sub:`R`)
+* ``ES`` <- *HKDF-Extract*\ (ss\ :sub:`R`, 0)
+* ``ETS`` <- *HKDF-Expand*\ (``ES``, ``"early data"``, ``InitiatorHello``)
``I`` sends to ``R`` (0.5 RTT):
- * ``InitiatorHello``:
+* ``InitiatorHello``:
+
+ * pk\ :sub:`e`
+ * c\ :sub:`R`
+ * H(pk\ :sub:`R`) ?
+ * Supported algs/services?
+ * r\ :sub:`I`?
+
+.. note:: Unclear to me if the need the nonce r or the hash of the receiver pk
+
+
- * pk\ :sub:`e`
- * c\ :sub:`R`
- * H(pk\ :sub:`R`) ?
- * Supported algs/services?
- * r\ :sub:`I`?
- * ``InitiatorCert``:
+* ``InitiatorCert``:
- * AEAD(ETS, cert [pk\ :sub:`I`])
+ * *Enc*\ (``ETS``, cert [pk\ :sub:`I`])
+.. note:: We may encode capabilities/supported class in the *cert*
``R`` calculates:
- * (ss\ :sub:`R`) <- Decaps(sk\ :sub:`R`, c\ :sub:`R`)
- * ``ES`` <- ``HKDF-Extract``\ (ss\ :sub:`R`, 0)
- * ``ETS`` <- ``HKDF-Expand``\ (``ES``, "early data", ``InitiatorHello``)
- * ``dES`` <- ``HKDF-Expand``\ (``ES``, "derived", ``NULL``)
- * (ss\ :sub:`e`,c\ :sub:`e`) <- ``Encaps``\ (pk\ :sub:`e`)
- * ``HS`` <- ``HKDF-Extract``\ (ss\ :sub:`e`, dES)
- * ``IHTS`` <- ``HKDF-Expand``\ (``HS``, "i hs traffic", ``InitiatorHello...ReceiverHello``)
- * ``RHTS`` <- ``HKDF-Expand``\ (``HS``, "r hs traffic", ``InitiatorHello...ReceiverHello``)
- * ``dHS`` <- ``HKDF-Expand``\ (``HS``, "derived", ``NULL``)
- * (ss\ :sub:`I`,c\ :sub:`I`) <- ``Encaps``\ (pk\ :sub:`I`)
- * ``MS`` <- ``HKDF-Extract``\ (ss\ :sub:`I`, dHS)
- * fk\ :sub:`I` <- ``HKDF-Expand``\ (``MS``, "i finished", ``NULL``)
- * fk\ :sub:`R` <- ``HKDF-Expand``\ (``MS``, "r finished", ``NULL``)
- * ``RF`` <- ``HMAC``\ (fk\ :sub:`R`, ``InitiatorHello...ReceiverKemCiphertext``)
- * ``RATS`` <- ``HKDF-Expand``\ (MS, "r ap traffic", ``InitiatorHello...ReceiverFinished``)
- * ``IF`` <- ``HMAC``\ (fk\ :sub:`I`, ``InitiatorHello...ReceiverFinished``)
+* (ss\ :sub:`R`) <- Decaps(sk\ :sub:`R`, c\ :sub:`R`)
+* ``ES`` <- *HKDF-Extract*\ (ss\ :sub:`R`, 0)
+* ``ETS`` <- *HKDF-Expand*\ (``ES``, "early data", ``InitiatorHello``)
+* ``dES`` <- *HKDF-Expand*\ (``ES``, "derived", ``NULL``)
+* (ss\ :sub:`e`,c\ :sub:`e`) <- ``Encaps``\ (pk\ :sub:`e`)
+* ``HS`` <- *HKDF-Extract*\ (ss\ :sub:`e`, ``dES``)
+* ``IHTS`` <- *HKDF-Expand*\ (``HS``, "i hs traffic", ``InitiatorHello...ReceiverHello``)
+* ``RHTS`` <- *HKDF-Expand*\ (``HS``, "r hs traffic", ``InitiatorHello...ReceiverHello``)
+* ``dHS`` <- *HKDF-Expand*\ (``HS``, "derived", ``NULL``)
+* cert [pk\ :sub:`I`] <- *Dec*\ (``ETS``, ``InitiatorCert``)
+* (ss\ :sub:`I`,c\ :sub:`I`) <- ``Encaps``\ (pk\ :sub:`I`)
+* ``MS`` <- *HKDF-Extract*\ (ss\ :sub:`I`, ``dHS``)
+* fk\ :sub:`I` <- *HKDF-Expand*\ (``MS``, "i finished", ``NULL``)
+* fk\ :sub:`R` <- *HKDF-Expand*\ (``MS``, "r finished", ``NULL``)
+* ``RF`` <- ``HMAC``\ (fk\ :sub:`R`, ``InitiatorHello...ReceiverKemCiphertext``)
+* ``RATS`` <- *HKDF-Expand*\ (``MS``, "r ap traffic", ``InitiatorHello...ReceiverFinished``)
+* ``IF`` <- ``HMAC``\ (fk\ :sub:`I`, ``InitiatorHello...ReceiverFinished``)
``R`` sends to ``I`` (0.5 RTT):
- * ``ReceiverHello``
+* ``ReceiverHello``
- * c\ :sub:`e` to ``I``
- * r\ :sub:`R`?
- * Selected algs here?
- * EncryptedExtensions
+ * c\ :sub:`e` to ``I``
+ * r\ :sub:`R`?
+ * Selected algs here?
+* EncryptedExtensions
- * AEAD(SHTS, SupportedAlgs/Services?)
- * ``ReceiverKemCiphertext``
+ * AEAD(SHTS, SupportedAlgs/Services?)
+* ``ReceiverKemCiphertext``
- * AEAD(SHTS, c\ :sub:`I`)
- * ``ReceiverFinished``
+ * AEAD(SHTS, c\ :sub:`I`)
+* ``ReceiverFinished``
- * AEAD(SHTS, RF) (TLS1.3-style explicit authentication of receiver after 1RTT!)
+ * *Enc*\ (``RHTS``, ``RF``) (TLS1.3-style explicit authentication of receiver after 1RTT!)
- * Payload:
+* Payload:
- * AEAD(KDF(RATS), ...)
+ * Payload can be sent encrypted using ``RATS``.
``I`` computes:
- * (ss\ :sub:`e`) <- Decaps(sk\ :sub:`e`, c\ :sub:`e`)
- * ``dES`` <- ``HKDF-Expand``\ (``ES``, ``"derived"``, ``NULL``)
- * HS <- HKDF-Extract(ss\ :sub:`e`, dES)
- * IHTS <- HKDF-Expand(HS, "i hs traffic", ``InitiatorHello...ReceiverHello``)
- * RHTS <- HKDF-Expand(HS, "r hs traffic", ``InitiatorHello...ReceiverHello``)
- * dHS <- HKDF-Expand(HS, "derived", NULL)
- * (ss\ :sub:`I`) <- Decaps(sk\ :sub:`I`, c\ :sub:`I`)
- * MS <- HKDF-Extract(ss\ :sub:`I`, dHS)
- * fk\ :sub:`I` <- HKDF-Expand(MS, "i finished", NULL)
- * fk\ :sub:`R` <- HKDF-Expand(MS, "r finished", NULL)
- * Decrypt RF from ``ReceiverFinished`` using RHTS
- * RF <- HMAC(fk\ :sub:`R`, ``InitiatorHello...ReceiverKemCiphertext``)
- * assert HMAC(fk\ :sub:`R`, ``InitiatorHello...ReceiverKemCiphertext``) == RF
- * RATS <- HKDF-Expand(MS, "r ap traffic", ``InitiatorHello...ReceiverFinished``)
- * IF <- HMAC(fk\ :sub:`I`, ``InitiatorHello...ReceiverFinished``)
- * IATS <- HKDF-Expand(MS, "i ap traffic", ``InitiatorHello...InitiatorFinished``)
+* (ss\ :sub:`e`) <- *Decaps*\ (sk\ :sub:`e`, c\ :sub:`e`)
+* ``dES`` <- *HKDF-Expand*\ (``ES``, ``"derived"``, ``NULL``)
+* ``HS`` <- *HKDF-Extract*\ (ss\ :sub:`e`, dES)
+* ``IHTS`` <- *HKDF-Expand*\ (``HS``, "i hs traffic", ``InitiatorHello...ReceiverHello``)
+* ``RHTS`` <- *HKDF-Expand*\ (``HS``, "r hs traffic", ``InitiatorHello...ReceiverHello``)
+* ``dHS`` <- *HKDF-Expand*\ (``HS``, "derived", ``NULL``)
+* (ss\ :sub:`I`) <- *Decaps*\ (sk\ :sub:`I`, c\ :sub:`I`)
+* ``MS`` <- *HKDF-Extract*\ (ss\ :sub:`I`, ``dHS``)
+* fk\ :sub:`I` <- *HKDF-Expand*\ (``MS``, "i finished", NULL)
+* fk\ :sub:`R` <- *HKDF-Expand*\ (``MS``, "r finished", NULL)
+* ``RF`` <- ``Dec``\ (RHTS, ``ReceiverFinished``)
+* assert *HMAC*\ (fk\ :sub:`R`, ``InitiatorHello...ReceiverKemCiphertext``) == RF
+* RATS <- *HKDF-Expand*\ (``MS``, "r ap traffic", ``InitiatorHello...ReceiverFinished``)
+* IF <- *HMAC*\ (fk\ :sub:`I`, ``InitiatorHello...ReceiverFinished``)
+* IATS <- *HKDF-Expand*\ (``MS``, "i ap traffic", ``InitiatorHello...InitiatorFinished``)
``I`` sends to ``R`` (1.5 RTT):
- * ``InitiatorFinished``
-
- * AEAD(IHTS, IF)
-
+* ``InitiatorFinished``
- * Payload
+ * AEAD(IHTS, IF)
+
+
+* Payload
- * AEAD(KDF(IATS), ``payload/application data``)
+ * Payload can be sent encrypted using ``IATS``.
+ * Received payload can be decrypted using ``RATS``.
``R`` computes:
- * IATS <- HKDF-Expand(MS, "i ap traffic", ``InitiatorHello...InitiatorFinished``)
+* IATS <- *HKDF-Expand*\ (``MS``, "i ap traffic", ``InitiatorHello...InitiatorFinished``)
+* Payload
+
+ * Received payload can be decrypted using ``IATS``.
+
Glossary:
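Review bot: the receiver never verifies `InitiatorFinished`. In the final `R computes` block the receiver only derives `IATS`; there is no step that decrypts `InitiatorFinished` with `IHTS` and compares the result against the `IF` the receiver already computed (`* ``IF`` <- ``HMAC``\ (fk_I, ``InitiatorHello...ReceiverFinished``)` in `R calculates`), so the explicit initiator authentication that the Finished message exists for is never checked. Mirror the initiator side and add, before the `IATS` line, `* ``IF'`` <- *Dec*\ (``IHTS``, ``InitiatorFinished``)` followed by `* assert ``IF'`` == ``IF```, and only derive `IATS` and accept payload if the check passes. Second, `SHTS` in `AEAD(SHTS, SupportedAlgs/Services?)` and `AEAD(SHTS, c_I)` is never derived anywhere in the text; the receiver handshake traffic secret defined above is `RHTS`, and this hunk already switched `ReceiverFinished` to `*Enc*\ (``RHTS``, ``RF``)`, so the two remaining `SHTS` uses (and `AEAD(IHTS, IF)` under `InitiatorFinished`) should be updated to the same key names and `*Enc*` notation. Third, reST structure: several parent items are followed directly by an indented sub-list with no blank line (for example `* ``InitiatorCert``:` then ` * *Enc*\ (``ETS``, cert [pk_I])`, and `* ``ReceiverHello``` then ` * c_e to ``I```), and the `.. note::` after the InitiatorCert sub-item also lacks a separating blank line; docutils reports "Unexpected indentation" for these and merges them into the parent paragraph. The `InitiatorHello` item in this hunk has the blank line and can serve as the pattern for the others. Minor: "Unclear to me if the need the nonce" should read "if we need the nonce".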