commit 06acd7036491922701b917f0ede5a2f77a5323f1
parent ffd74189451f6450ade88dddeeb8e6d3a0948483
Author: Schanzenbach, Martin <mschanzenbach@posteo.de>
Date: Fri, 4 Oct 2019 15:49:45 +0200
no need to signature details
Diffstat:
3 files changed, 80 insertions(+), 123 deletions(-)
diff --git a/draft-schanzen-gns.html b/draft-schanzen-gns.html
@@ -1162,32 +1162,34 @@ async function addMetadata(){try{const e=document.styleSheets[0].cssRules;for(le
with the ECDSA scheme (<span>[<a href="#RFC6979" class="xref">RFC6979</a>]</span>).
The deterministic property of ECDSA (as opposed to EdDSA) is required
in order to achieve zone privacy.
- Records published in a zone are signed using a derived private key
- as described in <a href="#publish" class="xref">Section 4</a>.
- The public key "zk" is used to uniquely identify and refer to the zone and
- is thus called "zone key".
In the following, we use the following naming convention for out
cryptographic primitives:<a href="#section-2-1" class="pilcrow">¶</a></p>
<dl class="dlParallel" id="section-2-2">
<dt id="section-2-2.1">d</dt>
<dd id="section-2-2.2">
is a private key. It is defined in <span>[<a href="#RFC8032" class="xref">RFC8032</a>]</span> as a b-bit
- string. In our case, b is 256.<a href="#section-2-2.2" class="pilcrow">¶</a>
+ string. In our case, b is 256.
+ In GNS, records are signed using a key derived from "d" as described in
+ <a href="#publish" class="xref">Section 4</a>.<a href="#section-2-2.2" class="pilcrow">¶</a>
</dd>
<dt id="section-2-2.3">p</dt>
<dd id="section-2-2.4">
- is the prime of edwards25519 as defined in <span>[<a href="#RFC8032" class="xref">RFC8032</a>]</span>.<a href="#section-2-2.4" class="pilcrow">¶</a>
+ is the prime of Ed25519 as defined in <span>[<a href="#RFC8032" class="xref">RFC8032</a>]</span>, i.e.
+ 2^255 - 19.<a href="#section-2-2.4" class="pilcrow">¶</a>
</dd>
<dt id="section-2-2.5">B</dt>
<dd id="section-2-2.6">
is the group generator of the elliptic curve as defined in
- <span>[<a href="#RFC8032" class="xref">RFC8032</a>]</span> for EdDSA.<a href="#section-2-2.6" class="pilcrow">¶</a>
+ <span>[<a href="#RFC8032" class="xref">RFC8032</a>]</span> for Ed25519.<a href="#section-2-2.6" class="pilcrow">¶</a>
</dd>
<dt id="section-2-2.7">zk</dt>
<dd id="section-2-2.8">
is the ECDSA public key corresponding to d. It is defined in
<span>[<a href="#RFC6979" class="xref">RFC6979</a>]</span> as the curve point d*B where B is the group
- generator of the elliptic curve.<a href="#section-2-2.8" class="pilcrow">¶</a>
+ generator of the elliptic curve. Note that this is NOT a Ed25519 public
+ key.
+ The public key is used to uniquely identify a GNS zone and is referred to
+ as the "zone key".<a href="#section-2-2.8" class="pilcrow">¶</a>
</dd>
</dl>
</section>
@@ -1492,8 +1494,8 @@ async function addMetadata(){try{const e=document.styleSheets[0].cssRules;for(le
<dt id="section-4.1-3.1">PRK_h</dt>
<dd id="section-4.1-3.2">
is key material retrieved using an HKDF using the string
- "key-derivation" as salt and the public zone key "x*P" as initial keying
- material.<a href="#section-4.1-3.2" class="pilcrow">¶</a>
+ "key-derivation" as salt and the public zone key "zk" as initial
+ keying material.<a href="#section-4.1-3.2" class="pilcrow">¶</a>
</dd>
<dt id="section-4.1-3.3">h</dt>
<dd id="section-4.1-3.4">
@@ -1502,28 +1504,25 @@ async function addMetadata(){try{const e=document.styleSheets[0].cssRules;for(le
</dd>
<dt id="section-4.1-3.5">d</dt>
<dd id="section-4.1-3.6">
- is the private zone key as defined in <span>[<a href="#RFC8032" class="xref">RFC8032</a>]</span>.<a href="#section-4.1-3.6" class="pilcrow">¶</a>
+ is the private zone key as defined in <a href="#zones" class="xref">Section 2</a>.<a href="#section-4.1-3.6" class="pilcrow">¶</a>
</dd>
- <dt id="section-4.1-3.7">P</dt>
+ <dt id="section-4.1-3.7">label</dt>
<dd id="section-4.1-3.8">
- is the base point of the curve Ed25519 as defined in
- <span>[<a href="#RFC8032" class="xref">RFC8032</a>]</span>.<a href="#section-4.1-3.8" class="pilcrow">¶</a>
+ under wich the resource records are published.<a href="#section-4.1-3.8" class="pilcrow">¶</a>
</dd>
- <dt id="section-4.1-3.9">label</dt>
+ <dt id="section-4.1-3.9">d_h</dt>
<dd id="section-4.1-3.10">
- under wich the resource records are published.<a href="#section-4.1-3.10" class="pilcrow">¶</a>
+ is a private key derived from the "d" using the
+ keying material "h" (512 bit).<a href="#section-4.1-3.10" class="pilcrow">¶</a>
</dd>
- <dt id="section-4.1-3.11">d_h</dt>
+ <dt id="section-4.1-3.11">zk_h</dt>
<dd id="section-4.1-3.12">
- is a private key derived from the zone private key "d" using the
- keying material "h" (512 bit) and "p" is a prime as defined in
- <span>[<a href="#RFC8032" class="xref">RFC8032</a>]</span>.<a href="#section-4.1-3.12" class="pilcrow">¶</a>
+ is a public key derived from the zone key "zk" using the keying
+ material "h" (512 bit).<a href="#section-4.1-3.12" class="pilcrow">¶</a>
</dd>
- <dt id="section-4.1-3.13">zk_h</dt>
+ <dt id="section-4.1-3.13">p</dt>
<dd id="section-4.1-3.14">
- is a public key derived from the zone key "zk" using the keying
- material "h" (512 bit) and "p" is the group order as defined in
- <span>[<a href="#RFC8032" class="xref">RFC8032</a>]</span>.<a href="#section-4.1-3.14" class="pilcrow">¶</a>
+ is the group order as defined in <a href="#zones" class="xref">Section 2</a>.<a href="#section-4.1-3.14" class="pilcrow">¶</a>
</dd>
<dt id="section-4.1-3.15">q</dt>
<dd id="section-4.1-3.16">
@@ -1621,26 +1620,6 @@ async function addMetadata(){try{const e=document.styleSheets[0].cssRules;for(le
The encrypted resource records with a total size of SIZE - 16.<a href="#section-4.2-4.12" class="pilcrow">¶</a>
</dd>
</dl>
-<p id="section-4.2-5">
- We note that even though we use a Ed25519 private key, the public key
- is derived using ECDSA as defined in <span>[<a href="#RFC8032" class="xref">RFC8032</a>]</span>.
- Similarly, the ECDSA signature consists of a pair of integers, r and s:<a href="#section-4.2-5" class="pilcrow">¶</a></p>
-<div class="artwork art-text alignLeft" id="section-4.2-6">
-<pre>
- 0 8 16 24 32 40 48 56
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | r |
- | |
- | |
- | |
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | s |
- | |
- | |
- | |
- +-----+-----+-----+-----+-----+-----+-----+-----+
- </pre><a href="#section-4.2-6" class="pilcrow">¶</a>
-</div>
</section>
</div>
<section id="section-4.3">
diff --git a/draft-schanzen-gns.txt b/draft-schanzen-gns.txt
@@ -97,15 +97,15 @@ Table of Contents
where d is the private key and zk the corresponding public key. GNS
combines the EC parameters of Ed25519 ([RFC8032]) with the ECDSA
scheme ([RFC6979]). The deterministic property of ECDSA (as opposed
- to EdDSA) is required in order to achieve zone privacy. Records
- published in a zone are signed using a derived private key as
- described in Section 4. The public key "zk" is used to uniquely
- identify and refer to the zone and is thus called "zone key". In the
+ to EdDSA) is required in order to achieve zone privacy. In the
following, we use the following naming convention for out
cryptographic primitives:
d is a private key. It is defined in [RFC8032] as a b-bit string.
- In our case, b is 256.
+ In our case, b is 256. In GNS, records are signed using a key
+ derived from "d" as described in Section 4.
+
+ p is the prime of Ed25519 as defined in [RFC8032], i.e. 2^255 - 19.
@@ -114,14 +114,14 @@ Schanzenbach, et al. Expires 24 January 2020 [Page 2]
Internet-Draft The GNU Name System July 2019
- p is the prime of edwards25519 as defined in [RFC8032].
-
B is the group generator of the elliptic curve as defined in
- [RFC8032] for EdDSA.
+ [RFC8032] for Ed25519.
zk is the ECDSA public key corresponding to d. It is defined in
[RFC6979] as the curve point d*B where B is the group generator of
- the elliptic curve.
+ the elliptic curve. Note that this is NOT a Ed25519 public key.
+ The public key is used to uniquely identify a GNS zone and is
+ referred to as the "zone key".
3. Resource records
@@ -363,25 +363,23 @@ Internet-Draft The GNU Name System July 2019
SHA256 for the expansion phase.
PRK_h is key material retrieved using an HKDF using the string "key-
- derivation" as salt and the public zone key "x*P" as initial
- keying material.
+ derivation" as salt and the public zone key "zk" as initial keying
+ material.
h is the HKDF expansion result. The expansion info is a
concatenation of the label and string "gns".
- d is the private zone key as defined in [RFC8032].
-
- P is the base point of the curve Ed25519 as defined in [RFC8032].
+ d is the private zone key as defined in Section 2.
label under wich the resource records are published.
- d_h is a private key derived from the zone private key "d" using the
- keying material "h" (512 bit) and "p" is a prime as defined in
- [RFC8032].
+ d_h is a private key derived from the "d" using the keying material
+ "h" (512 bit).
zk_h is a public key derived from the zone key "zk" using the keying
- material "h" (512 bit) and "p" is the group order as defined in
- [RFC8032].
+ material "h" (512 bit).
+
+ p is the group order as defined in Section 2.
q Is the DHT key under which the resource records block is
published. It is the SHA512 hash over the public key "zk_h"
@@ -389,6 +387,8 @@ Internet-Draft The GNU Name System July 2019
+
+
Schanzenbach, et al. Expires 24 January 2020 [Page 7]
�
Internet-Draft The GNU Name System July 2019
@@ -467,23 +467,6 @@ Internet-Draft The GNU Name System July 2019
BDATA The encrypted resource records with a total size of SIZE - 16.
- We note that even though we use a Ed25519 private key, the public key
- is derived using ECDSA as defined in [RFC8032]. Similarly, the ECDSA
- signature consists of a pair of integers, r and s:
-
- 0 8 16 24 32 40 48 56
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | r |
- | |
- | |
- | |
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | s |
- | |
- | |
- | |
- +-----+-----+-----+-----+-----+-----+-----+-----+
-
4.3. Block data encryption and decryption
A symmetric encryption scheme is used to en-/decrypt the "BDATA"
@@ -495,17 +478,6 @@ Internet-Draft The GNU Name System July 2019
vector "IV" for the symmetric encryption/decryption are derived as
follows:
-
-
-
-
-
-
-Schanzenbach, et al. Expires 24 January 2020 [Page 9]
-�
-Internet-Draft The GNU Name System July 2019
-
-
PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk)
PRK_iv := HKDF-Extract ("gns-aes-ctx-iv", zk)
K := HKDF-Expand (PRK_k, label, 512 / 8);
@@ -518,6 +490,22 @@ Internet-Draft The GNU Name System July 2019
the initialization vector. We divide the resulting keying material
"K" into a 256-bit AES key "Kaes" and a 256-bit TWOFISH key "Ktwo":
+
+
+
+
+
+
+
+
+
+
+
+Schanzenbach, et al. Expires 24 January 2020 [Page 9]
+�
+Internet-Draft The GNU Name System July 2019
+
+
0 8 16 24 32 40 48 56
+-----+-----+-----+-----+-----+-----+-----+-----+
| AES KEY (Kaes) |
@@ -557,6 +545,18 @@ Internet-Draft The GNU Name System July 2019
+
+
+
+
+
+
+
+
+
+
+
+
Schanzenbach, et al. Expires 24 January 2020 [Page 10]
�
Internet-Draft The GNU Name System July 2019
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
@@ -382,8 +382,8 @@
<dt>PRK_h</dt>
<dd>
is key material retrieved using an HKDF using the string
- "key-derivation" as salt and the public zone key "x*P" as initial keying
- material.
+ "key-derivation" as salt and the public zone key "zk" as initial
+ keying material.
</dd>
<dt>h</dt>
<dd>
@@ -392,12 +392,7 @@
</dd>
<dt>d</dt>
<dd>
- is the private zone key as defined in <xref target="RFC8032" />.
- </dd>
- <dt>P</dt>
- <dd>
- is the base point of the curve Ed25519 as defined in
- <xref target="RFC8032" />.
+ is the private zone key as defined in <xref target="zones" />.
</dd>
<dt>label</dt>
<dd>
@@ -405,15 +400,17 @@
</dd>
<dt>d_h</dt>
<dd>
- is a private key derived from the zone private key "d" using the
- keying material "h" (512 bit) and "p" is a prime as defined in
- <xref target="RFC8032" />.
+ is a private key derived from the "d" using the
+ keying material "h" (512 bit).
</dd>
<dt>zk_h</dt>
<dd>
is a public key derived from the zone key "zk" using the keying
- material "h" (512 bit) and "p" is the group order as defined in
- <xref target="RFC8032" />.
+ material "h" (512 bit).
+ </dd>
+ <dt>p</dt>
+ <dd>
+ is the group order as defined in <xref target="zones" />.
</dd>
<dt>q</dt>
<dd>
@@ -504,25 +501,6 @@
The encrypted resource records with a total size of SIZE - 16.
</dd>
</dl>
- <t>
- We note that even though we use a Ed25519 private key, the public key
- is derived using ECDSA as defined in <xref target="RFC8032" />.
- Similarly, the ECDSA signature consists of a pair of integers, r and s:
- </t>
- <artwork name="" type="" align="left" alt=""><![CDATA[
- 0 8 16 24 32 40 48 56
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | r |
- | |
- | |
- | |
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | s |
- | |
- | |
- | |
- +-----+-----+-----+-----+-----+-----+-----+-----+
- ]]></artwork>
</section>
<section numbered="true" toc="default">
<name>Block data encryption and decryption</name>
