gnunet-handbook

The GNUnet Handbook

commit 944774d070ac97181252d8723a28e8dc338c80f5
parent 553eb971be704e447810243a4155c62eed3ef1b5
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date:   Wed, 23 Oct 2024 14:28:36 +0200

more kemtls

Diffstat:
M developers/apis/cong.rst | 95 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-------------------------
1 file changed, 65 insertions(+), 30 deletions(-)

diff --git a/developers/apis/cong.rst b/developers/apis/cong.rst @@ -63,12 +63,10 @@ Proposal: We will have to replace the use of ``GNUNET_CRYPTO_symmetric_encrypt`` and HMAC use in ``gnunet-service-core_kx.c`` including the respective keys and IVs. -.. - TODO Maybe we want to use KEMTLS at some point: https://thomwiggers.nl/publication/thesis/thesis.pdf - +Handshake Protocol (Draft) +^^^^^^^^^^^^^^^^^^^^^^^^^^ -Next Steps (Draft) -^^^^^^^^^^^^^^^^^^ +This protocol is derived from `KEMTLS <https://thomwiggers.nl/publication/thesis/thesis.pdf>`_ (page 81ff). We assume that the peers have semi-*static* (as opposed to ephemeral) key pairs. Let (pk\ :sub:`I`,sk\ :sub:`I`) be the key pair of the initiator ``I`` and (pk\ :sub:`R`,sk\ :sub:`R`) the @@ -78,10 +76,10 @@ We assume that the initiator knows pk\ :sub:`R` (pre-distributed through HELLO, ``I`` calculates: - * (pk\ :sub:`e`,sk\ :sub:`e`) <- KeyGen() - * (ss\ :sub:`R`,c\ :sub:`R`) <- Encaps(pk\ :sub:`S`) - * ES <- HKDF-Extract(ss\ :sub:`R`, 0) - * ETS <- HKDF-Expand(ES, "early data", ``InitiatorHello``) + * (pk\ :sub:`e`,sk\ :sub:`e`) <- ``KeyGen``\ () + * (ss\ :sub:`R`,c\ :sub:`R`) <- ``Encaps``\ (pk\ :sub:`R`) + * ``ES`` <- ``HKDF-Extract``\ (ss\ :sub:`R`, 0) + * ``ETS`` <- ``HKDF-Expand``\ (``ES``, ``"early data"``, ``InitiatorHello``) ``I`` sends to ``R`` (0.5 RTT): 
@@ -99,20 +97,21 @@ We assume that the initiator knows pk\ :sub:`R` (pre-distributed through HELLO, ``R`` calculates: * (ss\ :sub:`R`) <- Decaps(sk\ :sub:`R`, c\ :sub:`R`) - * ES <- HKDF-Extract(ss\ :sub:`R`, 0) - * ETS <- HKDF-Expand(ES, "early data", ``InitiatorHello``) - * dES <- HKDF-Expand(ES, "derived", NULL) - * (ss\ :sub:`e`,c\ :sub:`e`) <- Encaps(pk\ :sub:`e`) - * HS <- HKDF-Extract(ss\ :sub:`e`, dES) - * CHTS <- HKDF-Expand(HS, "i hs traffic", ``InitiatorHello``||``ReceiverHello``) - * SHTS <- HKDF-Expand(HS, "r hs traffic", ``InitiatorHello``||``ReceiverHello``) - * dHS <- HKDF-Expand(HS, "derived", NULL) - * (ss\ :sub:`I`,c\ :sub:`I`) <- Encaps(pk\ :sub:`I`) - * MS <- HKDF-Extract(ss\ :sub:`I`, dHS) - * fk\ :sub:`I` <- HKDF-Expand(MS, "i finished", NULL) - * fk\ :sub:`R` <- HKDF-Expand(MS, "r finished", NULL) - * SF <- HMAC(fk\ :sub:`R`, ``InitiatorHello``||``ReceiverKemCiphertext``) - * SATS <- HKDF-Expand(MS, "r ap traffic", ``InitiatorHello``||SF) + * ``ES`` <- ``HKDF-Extract``\ (ss\ :sub:`R`, 0) + * ``ETS`` <- ``HKDF-Expand``\ (``ES``, "early data", ``InitiatorHello``) + * ``dES`` <- ``HKDF-Expand``\ (``ES``, "derived", ``NULL``) + * (ss\ :sub:`e`,c\ :sub:`e`) <- ``Encaps``\ (pk\ :sub:`e`) + * ``HS`` <- ``HKDF-Extract``\ (ss\ :sub:`e`, dES) + * ``IHTS`` <- ``HKDF-Expand``\ (``HS``, "i hs traffic", ``InitiatorHello...ReceiverHello``) + * ``RHTS`` <- ``HKDF-Expand``\ (``HS``, "r hs traffic", ``InitiatorHello...ReceiverHello``) + * ``dHS`` <- ``HKDF-Expand``\ (``HS``, "derived", ``NULL``) + * (ss\ :sub:`I`,c\ :sub:`I`) <- ``Encaps``\ (pk\ :sub:`I`) + * ``MS`` <- ``HKDF-Extract``\ (ss\ :sub:`I`, dHS) + * fk\ :sub:`I` <- ``HKDF-Expand``\ (``MS``, "i finished", ``NULL``) + * fk\ :sub:`R` <- ``HKDF-Expand``\ (``MS``, "r finished", ``NULL``) + * ``RF`` <- ``HMAC``\ (fk\ :sub:`R`, ``InitiatorHello...ReceiverKemCiphertext``) + * ``RATS`` <- ``HKDF-Expand``\ (MS, "r ap traffic", ``InitiatorHello...ReceiverFinished``) + * ``IF`` <- ``HMAC``\ (fk\ :sub:`I`, 
``InitiatorHello...ReceiverFinished``) ``R`` sends to ``I`` (0.5 RTT): 
@@ -129,25 +128,61 @@ We assume that the initiator knows pk\ :sub:`R` (pre-distributed through HELLO, * AEAD(SHTS, c\ :sub:`I`) * ``ReceiverFinished`` - * AEAD(SHTS, SF) (TLS1.3-style explicit authentication of receiver after 1RTT!) + * AEAD(SHTS, RF) (TLS1.3-style explicit authentication of receiver after 1RTT!) * Payload: - * AEAD(KDF(SATS), ...) + * AEAD(KDF(RATS), ...) ``I`` computes: * (ss\ :sub:`e`) <- Decaps(sk\ :sub:`e`, c\ :sub:`e`) - * K\ :sub:`1` <- KDF(ss\ :sub:`e` || ss\ :sub:`R`) - * K\ :sub:`2`,K\ :sub:`2`\ :sup:`´`,K\ :sub:`2`\ :sup:`´´`,K\ :sub:`2`\ :sup:`´´´` <- KDF(ss\ :sub:`e` || ss\ :sub:`R` || ss\ :sub:`I`) + * ``dES`` <- ``HKDF-Expand``\ (``ES``, ``"derived"``, ``NULL``) + * HS <- HKDF-Extract(ss\ :sub:`e`, dES) + * IHTS <- HKDF-Expand(HS, "i hs traffic", ``InitiatorHello...ReceiverHello``) + * RHTS <- HKDF-Expand(HS, "r hs traffic", ``InitiatorHello...ReceiverHello``) + * dHS <- HKDF-Expand(HS, "derived", NULL) + * (ss\ :sub:`I`) <- Decaps(sk\ :sub:`I`, c\ :sub:`I`) + * MS <- HKDF-Extract(ss\ :sub:`I`, dHS) + * fk\ :sub:`I` <- HKDF-Expand(MS, "i finished", NULL) + * fk\ :sub:`R` <- HKDF-Expand(MS, "r finished", NULL) + * Decrypt RF from ``ReceiverFinished`` using RHTS + * RF <- HMAC(fk\ :sub:`R`, ``InitiatorHello...ReceiverKemCiphertext``) + * assert HMAC(fk\ :sub:`R`, ``InitiatorHello...ReceiverKemCiphertext``) == RF + * RATS <- HKDF-Expand(MS, "r ap traffic", ``InitiatorHello...ReceiverFinished``) + * IF <- HMAC(fk\ :sub:`I`, ``InitiatorHello...ReceiverFinished``) + * IATS <- HKDF-Expand(MS, "i ap traffic", ``InitiatorHello...InitiatorFinished``) ``I`` sends to ``R`` (1.5 RTT): - * AEAD(K\ :sub:`2`, ``key confirmation``) - * AEAD(K\ :sub:`2`\ :sup:`´`, ``payload/application data``) + * ``InitiatorFinished`` + + * AEAD(IHTS, IF) + + + * Payload + + * AEAD(KDF(IATS), ``payload/application data``) + +``R`` computes: + + * IATS <- HKDF-Expand(MS, "i ap traffic", ``InitiatorHello...InitiatorFinished``) +Glossary: -``key confirmation`` and 
``cert`` must be defined. + * ``IATS``: Initiator Application Traffic Secret Key + * ``RATS``: Receiver Application Traffic Secret Key + * ``dES``: Derived Early Secret Key + * ``dHS``: Derived Handshake Key + * ``ES``: Early Secret Key + * ``ETS``: Early Traffic Secret Key + * ``HS``: Handshake Secret Key + * ``MS``: Main Secret Key + * ``ES``: Early Secret Key + * ``IHTS``: Initiator Handshake Secret Key + * ``RHTS``: Receiver Handshake Secret Key + * ``Foo...Bar`` means the transcript of received/send messages from ``Foo`` until ``Bar`` + Unified Address Format for L2O and libp2p -----------------------------------------
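Review bot: the reference added in the first hunk (@@ -63) points into the thesis by page number only ("page 81ff"); page numbers shift between revisions of a document, so naming the chapter or figure that defines the KEMTLS key schedule next to the page would keep the pointer stable. The rename of "Next Steps (Draft)" to "Handshake Protocol (Draft)" and the removal of the TODO comment are fine, since the link survives in the new sentence.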
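Review bot: the change from Encaps(pk_S) to Encaps(pk_R) in the second hunk (@@ -78) fixes a dangling name, because no pk_S is defined anywhere and the receiver's static key is pk_R; that is the right fix. One style point in the same list: the label is written ``"early data"`` with the quotes inside the literal here, while the same label and every other HKDF label in the later hunks is written as plain "early data" outside literal markup. Pick one convention so the rendered key schedule does not show the labels in two styles.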
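Review bot: the third hunk (@@ -99) converts the receiver's list to literal markup inconsistently: ``dES`` and ``MS`` are wrapped in some lines and bare in others (``HKDF-Extract``(ss_e, dES) versus ``HKDF-Expand``(``ES``, ...); ``RATS`` <- ``HKDF-Expand``(MS, ...) versus ``MS`` <- ``HKDF-Extract``(...)), and the unchanged first line "(ss_R) <- Decaps(sk_R, c_R)" is left in the old bare style while the rest of the list was converted. Since the point of the hunk is to mark the secrets and primitives as literals, apply the markup to every occurrence in the list, including the context line, so a reader cannot mistake a bare dES for a different quantity than ``dES``.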
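Review bot: the initiator's verification in the last hunk (@@ -129) is a no-op as written: "RF <- HMAC(fk_R, InitiatorHello...ReceiverKemCiphertext)" overwrites the RF that was just decrypted from ``ReceiverFinished``, so the following "assert HMAC(fk_R, ...) == RF" compares the recomputed value with itself. Keep the decrypted value under one name and compare it with a freshly computed tag, e.g. "RF' <- HMAC(fk_R, InitiatorHello...ReceiverKemCiphertext)" followed by "assert RF' == RF". Symmetrically, the new "``R`` computes:" block only derives IATS and never checks the IF that the receiver precomputed in the previous hunk against the decrypted ``InitiatorFinished``, so the initiator is never explicitly authenticated; add "Decrypt IF from ``InitiatorFinished`` using IHTS" and an assert against the precomputed value. Two smaller points in the same hunk: "AEAD(SHTS, c_I)" and "AEAD(SHTS, RF)" still use the old name SHTS although the key schedule now derives RHTS (the line "Decrypt RF from ``ReceiverFinished`` using RHTS" a few lines later already uses the new name), and in the glossary ``ES`` is listed twice, ``IHTS``/``RHTS`` are described as "Handshake Secret Key" although their derivation labels ("i hs traffic", "r hs traffic") make them handshake traffic secrets, "received/send" should read "received/sent", and the bullet list appears to follow "Glossary:" without the blank line that reStructuredText requires before a list.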