gnunet-handbook

The GNUnet Handbook

commit 6fc60f4d1356139c36955681d291b88bf1cd94e9
parent e321b8fa65a03a6e6f7c3047867791e05298d95e
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date:   Wed, 23 Oct 2024 18:27:14 +0200

More ordering fixes

Diffstat:
M developers/apis/cong.rst | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/developers/apis/cong.rst b/developers/apis/cong.rst @@ -112,25 +112,22 @@ We assume that the initiator knows pk\ :sub:`R` (pre-distributed through HELLO, * Derive Handshake Traffic Encryption Keys: + * ``ReceiverHello`` <- (c\ :sub:`e`, r\ :sub:`R`, [SelectedAlgs]) * **IHTS** <- *HKDF-Expand*\ (**HS**, "i hs traffic", ``InitiatorHello...ReceiverHello``) * **RHTS** <- *HKDF-Expand*\ (**HS**, "r hs traffic", ``InitiatorHello...ReceiverHello``) + * ``ReceiverKemCiphertext`` <- *Enc*\ (**RHTS**, c\ :sub:`I`) + * (Optional) ``EncryptedExtensions`` <- *Enc*\ (**RHTS**, SupportedAlgs/Services?) -* Build ``ReceiverFinished`` and ``InitiatorFinished`` plain texts: +* Build ``ReceiverFinished`` message: - * fk\ :sub:`I` <- *HKDF-Expand*\ (**MS**, "i finished", ``NULL``) * fk\ :sub:`R` <- *HKDF-Expand*\ (**MS**, "r finished", ``NULL``) * ``RF`` <- *HMAC*\ (fk\ :sub:`R`, ``InitiatorHello...ReceiverKemCiphertext``) + * ``ReceiverFinished`` <- *Enc*\ (**RHTS**, ``RF``) (TLS1.3-style explicit authentication of receiver after 1RTT!) * Derive Application Traffic Encryption Key: * **RATS** <- *HKDF-Expand*\ (**MS**, "r ap traffic", ``InitiatorHello...ReceiverFinished``) -* Encrypt messages: - - * ``ReceiverHello`` <- (c\ :sub:`e`, r\ :sub:`R`, [SelectedAlgs]) - * (Optional) ``EncryptedExtensions`` <- Enc*\ (**RHTS**, SupportedAlgs/Services?) - * ``ReceiverKemCiphertext`` <- *Enc*\ (**RHTS**, c\ :sub:`I`) - * ``ReceiverFinished`` <- *Enc*\ (**RHTS**, ``RF``) (TLS1.3-style explicit authentication of receiver after 1RTT!) .. admonition:: ``R`` sends to ``I`` (0.5 RTT): 
@@ -143,7 +140,7 @@ We assume that the initiator knows pk\ :sub:`R` (pre-distributed through HELLO, * (ss\ :sub:`e`) <- *Decaps*\ (sk\ :sub:`e`, c\ :sub:`e`) * **dES** <- *HKDF-Expand*\ (**ES**, ``"derived"``, ``NULL``) - * **HS** <- *HKDF-Extract*\ (ss\ :sub:`e`, dES) + * **HS** <- *HKDF-Extract*\ (ss\ :sub:`e`, **dES**) * **dHS** <- *HKDF-Expand*\ (**HS**, "derived", ``NULL``) * (ss\ :sub:`I`) <- *Decaps*\ (sk\ :sub:`I`, c\ :sub:`I`) * **MS** <- *HKDF-Extract*\ (ss\ :sub:`I`, **dHS**) @@ -173,7 +170,8 @@ We assume that the initiator knows pk\ :sub:`R` (pre-distributed through HELLO, ``R`` computes: * ``IF`` <- *Dec*\ (IHTS, ``InitiatorFinished``) -* assert *HMAC*\ (fk\ :sub:`R`, ``InitiatorHello...ReceiverFinished``) == ``IF`` +* fk\ :sub:`I` <- *HKDF-Expand*\ (**MS**, "i finished", ``NULL``) +* assert *HMAC*\ (fk\ :sub:`I`, ``InitiatorHello...ReceiverFinished``) == ``IF`` * **IATS** <- *HKDF-Expand*\ (**MS**, "i ap traffic", ``InitiatorHello...InitiatorFinished``)
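
Review bot: in the hunk at @@ -112,25 +112,22 @@, the added lines list ``ReceiverKemCiphertext`` before the optional ``EncryptedExtensions``, whereas the removed "Encrypt messages" list had ``EncryptedExtensions`` first, and ``RF`` is still computed over ``InitiatorHello...ReceiverKemCiphertext``. If the list order is meant to be the message order, ``EncryptedExtensions`` would now fall outside the transcript that ``RF`` authenticates; either list ``EncryptedExtensions`` before ``ReceiverKemCiphertext`` again or state explicitly which messages that transcript range covers. The bullet "Derive Handshake Traffic Encryption Keys" now also holds message construction steps, so a heading that names both would be more accurate.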
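
Review bot: in the hunk at @@ -143,7 +140,7 @@, the label on the **dES** context line is written as ``"derived"`` (a literal with the quotes inside the backticks) while the **dHS** line two below writes "derived" as plain text. Since this change is already normalising notation on the **HS** line, use one form for both labels.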
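
Review bot: in the hunk at @@ -173,7 +170,8 @@, IHTS in the context line ``IF`` <- *Dec*\ (IHTS, ``InitiatorFinished``) is left unbolded, while the other derived secrets in this change are written in bold (**MS**, **IATS**, and the **dES** fix in the previous hunk); bold it here too. The ``assert`` line could also say what ``R`` does on a mismatch, for example abort the handshake, and that the HMAC comparison should be constant-time, since the text currently states only the equality.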