gnunet-handbook

The GNUnet Handbook

commit e321b8fa65a03a6e6f7c3047867791e05298d95e
parent 8c9481ac45bc06379586a752df2730668dae0d51
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date:   Wed, 23 Oct 2024 18:22:27 +0200

Fix ordering

Diffstat:
M developers/apis/cong.rst | 25 ++++++++++++-------------
1 file changed, 12 insertions(+), 13 deletions(-)

diff --git a/developers/apis/cong.rst b/developers/apis/cong.rst 
@@ -110,31 +110,32 @@ We assume that the initiator knows pk\ :sub:`R` (pre-distributed through HELLO, * (ss\ :sub:`I`,c\ :sub:`I`) <- ``Encaps``\ (pk\ :sub:`I`) * **MS** <- *HKDF-Extract*\ (ss\ :sub:`I`, **dHS**) +* Derive Handshake Traffic Encryption Keys: + + * **IHTS** <- *HKDF-Expand*\ (**HS**, "i hs traffic", ``InitiatorHello...ReceiverHello``) + * **RHTS** <- *HKDF-Expand*\ (**HS**, "r hs traffic", ``InitiatorHello...ReceiverHello``) + * Build ``ReceiverFinished`` and ``InitiatorFinished`` plain texts: * fk\ :sub:`I` <- *HKDF-Expand*\ (**MS**, "i finished", ``NULL``) * fk\ :sub:`R` <- *HKDF-Expand*\ (**MS**, "r finished", ``NULL``) * ``RF`` <- *HMAC*\ (fk\ :sub:`R`, ``InitiatorHello...ReceiverKemCiphertext``) - * ``IF`` <- *HMAC*\ (fk\ :sub:`I`, ``InitiatorHello...ReceiverFinished``) -* Derive Traffic Encryption Keys: +* Derive Application Traffic Encryption Key: - * **IHTS** <- *HKDF-Expand*\ (**HS**, "i hs traffic", ``InitiatorHello...ReceiverHello``) - * **RHTS** <- *HKDF-Expand*\ (**HS**, "r hs traffic", ``InitiatorHello...ReceiverHello``) * **RATS** <- *HKDF-Expand*\ (**MS**, "r ap traffic", ``InitiatorHello...ReceiverFinished``) * Encrypt messages: * ``ReceiverHello`` <- (c\ :sub:`e`, r\ :sub:`R`, [SelectedAlgs]) - * (Optional) ``EncryptedExtensions`` <- Enc*\ (**SHTS**, SupportedAlgs/Services?) - * ``ReceiverKemCiphertext`` <- *Enc*\ (**SHTS**, c\ :sub:`I`) + * (Optional) ``EncryptedExtensions`` <- Enc*\ (**RHTS**, SupportedAlgs/Services?) + * ``ReceiverKemCiphertext`` <- *Enc*\ (**RHTS**, c\ :sub:`I`) * ``ReceiverFinished`` <- *Enc*\ (**RHTS**, ``RF``) (TLS1.3-style explicit authentication of receiver after 1RTT!) .. admonition:: ``R`` sends to ``I`` (0.5 RTT): - ``ReceiverHello``, ``EncryptedExtensions``, ``ReceiverKemCiphertext``, ``ReceiverFinished`` -.. note:: From now on, application payload can be sent encrypted using **RATS**. 
+ ``ReceiverHello``, ``EncryptedExtensions``, ``ReceiverKemCiphertext``, ``ReceiverFinished`` and optionally application payload encrypted using **RATS**. ``I`` computes: @@ -167,16 +168,14 @@ We assume that the initiator knows pk\ :sub:`R` (pre-distributed through HELLO, .. admonition:: ``I`` sends to ``R`` (1.5 RTT): - ``InitiatorFinished`` - -.. attention:: From now on, application payload can be sent encrypted using **IATS**. Received payload can be decrypted using **RATS**. + ``InitiatorFinished`` and optionally application payload encrypted using **IATS**. ``I`` can now decrypt received payload using **RATS**. ``R`` computes: +* ``IF`` <- *Dec*\ (IHTS, ``InitiatorFinished``) +* assert *HMAC*\ (fk\ :sub:`R`, ``InitiatorHello...ReceiverFinished``) == ``IF`` * **IATS** <- *HKDF-Expand*\ (**MS**, "i ap traffic", ``InitiatorHello...InitiatorFinished``) -.. attention:: From now on, application payload can be decrypted using **IATS**. - Glossary:
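Review bot: in the first hunk (@@ -110,31 +110,32 @@), the changed ``EncryptedExtensions`` line still reads "<- Enc*\ (**RHTS**, SupportedAlgs/Services?)" with no opening asterisk, so the emphasis will not render the way "*Enc*\ " does on the ``ReceiverKemCiphertext`` and ``ReceiverFinished`` lines below it. Since the line is already being touched for the **SHTS** to **RHTS** correction, change it to "*Enc*\ " in the same commit. The commit message "Fix ordering" also does not mention that key-name correction, which is more than a reordering and deserves a line of its own.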
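Review bot: in the second hunk (@@ -167,16 +168,14 @@), the added check "assert *HMAC*\ (fk\ :sub:`R`, ``InitiatorHello...ReceiverFinished``) == ``IF``" keys the MAC with fk\ :sub:`R`, but the line removed in the first hunk defined ``IF`` as *HMAC* over the same transcript with fk\ :sub:`I` (the "i finished" key), and fk\ :sub:`R` is already the key for ``RF``. Unless the key change is intentional, this should be fk\ :sub:`I`; as written, the documented verification does not match the definition of ``IF`` that this patch removes. In the added *Dec* line, IHTS is also written without the bold markup used for **IHTS** where it is derived.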