commit 6dbf133fca8ad8d8826c60b864ba0090da94484e
parent ef0496e0e8816b0937ccb6db51898bc5037c0891
Author: Schanzenbach, Martin <mschanzenbach@posteo.de>
Date: Tue, 10 Sep 2019 19:28:25 +0200
sectioning
Diffstat:
3 files changed, 303 insertions(+), 305 deletions(-)
diff --git a/draft-schanzen-gns.html b/draft-schanzen-gns.html
@@ -1083,34 +1083,32 @@ async function addMetadata(){try{const e=document.styleSheets[0].cssRules;for(le
<ul class="toc ulEmpty">
<li class="toc ulEmpty" id="section-boilerplate.3-1.4.2.1">
<p id="section-boilerplate.3-1.4.2.1.1"><a href="#section-4.1" class="xref">4.1</a>. <a href="#name-resource-records-block" class="xref">Resource records block</a><a href="#section-boilerplate.3-1.4.2.1.1" class="pilcrow">¶</a></p>
-<ul class="toc ulEmpty">
-<li class="toc ulEmpty" id="section-boilerplate.3-1.4.2.1.2.1">
- <p id="section-boilerplate.3-1.4.2.1.2.1.1"><a href="#section-4.1.1" class="xref">4.1.1</a>. <a href="#name-block-data-encryption" class="xref">Block data encryption</a><a href="#section-boilerplate.3-1.4.2.1.2.1.1" class="pilcrow">¶</a></p>
-</li>
- </ul>
</li>
<li class="toc ulEmpty" id="section-boilerplate.3-1.4.2.2">
- <p id="section-boilerplate.3-1.4.2.2.1"><a href="#section-4.2" class="xref">4.2</a>. <a href="#name-internationalization-and-ch" class="xref">Internationalization and Character Encoding</a><a href="#section-boilerplate.3-1.4.2.2.1" class="pilcrow">¶</a></p>
-</li>
- <li class="toc ulEmpty" id="section-boilerplate.3-1.4.2.3">
- <p id="section-boilerplate.3-1.4.2.3.1"><a href="#section-4.3" class="xref">4.3</a>. <a href="#name-security-considerations" class="xref">Security Considerations</a><a href="#section-boilerplate.3-1.4.2.3.1" class="pilcrow">¶</a></p>
+ <p id="section-boilerplate.3-1.4.2.2.1"><a href="#section-4.2" class="xref">4.2</a>. <a href="#name-block-data-encryption" class="xref">Block data encryption</a><a href="#section-boilerplate.3-1.4.2.2.1" class="pilcrow">¶</a></p>
</li>
</ul>
</li>
<li class="toc ulEmpty" id="section-boilerplate.3-1.5">
- <p id="section-boilerplate.3-1.5.1"><a href="#section-5" class="xref">5</a>. <a href="#name-record-resolution" class="xref">Record Resolution</a><a href="#section-boilerplate.3-1.5.1" class="pilcrow">¶</a></p>
+ <p id="section-boilerplate.3-1.5.1"><a href="#section-5" class="xref">5</a>. <a href="#name-internationalization-and-ch" class="xref">Internationalization and Character Encoding</a><a href="#section-boilerplate.3-1.5.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-boilerplate.3-1.6">
- <p id="section-boilerplate.3-1.6.1"><a href="#section-6" class="xref">6</a>. <a href="#name-namespace-revocation" class="xref">Namespace Revocation</a><a href="#section-boilerplate.3-1.6.1" class="pilcrow">¶</a></p>
+ <p id="section-boilerplate.3-1.6.1"><a href="#section-6" class="xref">6</a>. <a href="#name-security-considerations" class="xref">Security Considerations</a><a href="#section-boilerplate.3-1.6.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-boilerplate.3-1.7">
- <p id="section-boilerplate.3-1.7.1"><a href="#section-7" class="xref">7</a>. <a href="#name-iana-considerations" class="xref">IANA Considerations</a><a href="#section-boilerplate.3-1.7.1" class="pilcrow">¶</a></p>
+ <p id="section-boilerplate.3-1.7.1"><a href="#section-7" class="xref">7</a>. <a href="#name-record-resolution" class="xref">Record Resolution</a><a href="#section-boilerplate.3-1.7.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-boilerplate.3-1.8">
- <p id="section-boilerplate.3-1.8.1"><a href="#section-8" class="xref">8</a>. <a href="#name-normative-references" class="xref">Normative References</a><a href="#section-boilerplate.3-1.8.1" class="pilcrow">¶</a></p>
+ <p id="section-boilerplate.3-1.8.1"><a href="#section-8" class="xref">8</a>. <a href="#name-namespace-revocation" class="xref">Namespace Revocation</a><a href="#section-boilerplate.3-1.8.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-boilerplate.3-1.9">
- <p id="section-boilerplate.3-1.9.1"><a href="#section-appendix.a" class="xref"></a> <a href="#name-authors-address" class="xref">Author's Address</a><a href="#section-boilerplate.3-1.9.1" class="pilcrow">¶</a></p>
+ <p id="section-boilerplate.3-1.9.1"><a href="#section-9" class="xref">9</a>. <a href="#name-iana-considerations" class="xref">IANA Considerations</a><a href="#section-boilerplate.3-1.9.1" class="pilcrow">¶</a></p>
+</li>
+ <li class="toc ulEmpty" id="section-boilerplate.3-1.10">
+ <p id="section-boilerplate.3-1.10.1"><a href="#section-10" class="xref">10</a>. <a href="#name-normative-references" class="xref">Normative References</a><a href="#section-boilerplate.3-1.10.1" class="pilcrow">¶</a></p>
+</li>
+ <li class="toc ulEmpty" id="section-boilerplate.3-1.11">
+ <p id="section-boilerplate.3-1.11.1"><a href="#section-appendix.a" class="xref"></a> <a href="#name-authors-address" class="xref">Author's Address</a><a href="#section-boilerplate.3-1.11.1" class="pilcrow">¶</a></p>
</li>
</ul>
</nav>
@@ -1388,179 +1386,179 @@ async function addMetadata(){try{const e=document.styleSheets[0].cssRules;for(le
The encrypted resource records with a total size of "BDATA SIZE".<a href="#section-4.1-4.12" class="pilcrow">¶</a>
</dd>
</dl>
-<section id="section-4.1.1">
- <h4 id="name-block-data-encryption">
-<a href="#section-4.1.1" class="section-number selfRef">4.1.1. </a><a href="#name-block-data-encryption" class="section-name selfRef">Block data encryption</a>
- </h4>
-<p id="section-4.1.1-1">
- Given a GNS record block a symmetric encryption scheme is used to
- en-/decrypt "BDATA". The keys are derived from the record label "l"
- and a public key "d*P", where "d" is an ECDSA private key and "P"
- is the EC generator. "d" and "dG" are derived from the
- public/private key pair "x,y" of a GNS zone.
- Both "l" and "P" are implicity known by the GNS resolver.
- The key material "K" and initialization vector "IV"
- are derived as follows:<a href="#section-4.1.1-1" class="pilcrow">¶</a></p>
-<div class="artwork art-text alignLeft" id="section-4.1.1-2">
+</section>
+</div>
+<section id="section-4.2">
+ <h3 id="name-block-data-encryption">
+<a href="#section-4.2" class="section-number selfRef">4.2. </a><a href="#name-block-data-encryption" class="section-name selfRef">Block data encryption</a>
+ </h3>
+<p id="section-4.2-1">
+ Given a GNS record block a symmetric encryption scheme is used to
+ en-/decrypt "BDATA". The keys are derived from the record label "l"
+ and a public key "d*P", where "d" is an ECDSA private key and "P"
+ is the EC generator. "d" and "dG" are derived from the
+ public/private key pair "x,y" of a GNS zone.
+ Both "l" and "P" are implicity known by the GNS resolver.
+ The key material "K" and initialization vector "IV"
+ are derived as follows:<a href="#section-4.2-1" class="pilcrow">¶</a></p>
+<div class="artwork art-text alignLeft" id="section-4.2-2">
<pre>
- h := HKDF ("key-derivation", l|y|"gns")
- d := h*x mod p
- K := HKDF (d*P, l|"gns-aes-ctx-key")
- IV := HKDF (d*P, l|"gns-aes-ctx-iv")
- </pre><a href="#section-4.1.1-2" class="pilcrow">¶</a>
+ h := HKDF ("key-derivation", l|y|"gns")
+ d := h*x mod p
+ K := HKDF (d*P, l|"gns-aes-ctx-key")
+ IV := HKDF (d*P, l|"gns-aes-ctx-iv")
+ </pre><a href="#section-4.2-2" class="pilcrow">¶</a>
</div>
-<p id="section-4.1.1-3">
- "HKDF" is a hash-based key derivation function as defined in
- <span>[<a href="#RFC5869" class="xref">RFC5869</a>]</span>. We use HMAC-SHA512 for the extraction
- phase and HMAC-SHA256 for the expansion phase as proposed in
- (paper). The first argument for HKDF is the salt and the second
- argument is the concatenated, serialized source key material.
- We divide the resulting 512-bit "K" into a 256-bit AES key "Kaes"
- and a 256-bit TWOFISH key "Ktwo":<a href="#section-4.1.1-3" class="pilcrow">¶</a></p>
+<p id="section-4.2-3">
+ "HKDF" is a hash-based key derivation function as defined in
+ <span>[<a href="#RFC5869" class="xref">RFC5869</a>]</span>. We use HMAC-SHA512 for the extraction
+ phase and HMAC-SHA256 for the expansion phase as proposed in
+ (paper). The first argument for HKDF is the salt and the second
+ argument is the concatenated, serialized source key material.
+ We divide the resulting 512-bit "K" into a 256-bit AES key "Kaes"
+ and a 256-bit TWOFISH key "Ktwo":<a href="#section-4.2-3" class="pilcrow">¶</a></p>
<div id="figure_hkdf_keys">
<figure id="figure-5">
- <div class="artwork art-text alignLeft" id="section-4.1.1-4.1">
+ <div class="artwork art-text alignLeft" id="section-4.2-4.1">
<pre>
- 0 8 16 24 32 40 48 56
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | AES KEY (Kaes) |
- | |
- | |
- | |
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | TWOFISH KEY (Ktwo) |
- | |
- | |
- | |
- +-----+-----+-----+-----+-----+-----+-----+-----+
- </pre>
+ 0 8 16 24 32 40 48 56
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | AES KEY (Kaes) |
+ | |
+ | |
+ | |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | TWOFISH KEY (Ktwo) |
+ | |
+ | |
+ | |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ </pre>
</div>
<figcaption><a href="#figure-5" class="selfRef">Figure 5</a></figcaption></figure>
</div>
-<p id="section-4.1.1-5">
- Similarly, we divide "IV" into a 128-bit initialization vector IVaes
- and a 128-bit initialization vector IVtwo:<a href="#section-4.1.1-5" class="pilcrow">¶</a></p>
+<p id="section-4.2-5">
+ Similarly, we divide "IV" into a 128-bit initialization vector IVaes
+ and a 128-bit initialization vector IVtwo:<a href="#section-4.2-5" class="pilcrow">¶</a></p>
<div id="figure_hkdf_ivs">
<figure id="figure-6">
- <div class="artwork art-text alignLeft" id="section-4.1.1-6.1">
+ <div class="artwork art-text alignLeft" id="section-4.2-6.1">
<pre>
- 0 8 16 24 32 40 48 56
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | AES IV (IVaes) |
- | |
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | TWOFISH IV (IVtwo) |
- | |
- +-----+-----+-----+-----+-----+-----+-----+-----+
- </pre>
+ 0 8 16 24 32 40 48 56
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | AES IV (IVaes) |
+ | |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | TWOFISH IV (IVtwo) |
+ | |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ </pre>
</div>
<figcaption><a href="#figure-6" class="selfRef">Figure 6</a></figcaption></figure>
</div>
-<p id="section-4.1.1-7">
- The symmetric keys and IVs are used for a AES+TWOFISH combined
- cipher. Both ciphers are used in CFB (ref) mode.<a href="#section-4.1.1-7" class="pilcrow">¶</a></p>
-<div class="artwork art-text alignLeft" id="section-4.1.1-8">
+<p id="section-4.2-7">
+ The symmetric keys and IVs are used for a AES+TWOFISH combined
+ cipher. Both ciphers are used in CFB (ref) mode.<a href="#section-4.2-7" class="pilcrow">¶</a></p>
+<div class="artwork art-text alignLeft" id="section-4.2-8">
<pre>
- RDATA := AES(Kaes, IVaes, TWOFISH(Ktwo, IVtwo, BDATA))
- BDATA := TWOFISH(Ktwo, IVtwo, AES(Kaes, IVaes, RDATA))
- </pre><a href="#section-4.1.1-8" class="pilcrow">¶</a>
+ RDATA := AES(Kaes, IVaes, TWOFISH(Ktwo, IVtwo, BDATA))
+ BDATA := TWOFISH(Ktwo, IVtwo, AES(Kaes, IVaes, RDATA))
+ </pre><a href="#section-4.2-8" class="pilcrow">¶</a>
</div>
-<p id="section-4.1.1-9">
- The decrypted RDATA has the following format:<a href="#section-4.1.1-9" class="pilcrow">¶</a></p>
+<p id="section-4.2-9">
+ The decrypted RDATA has the following format:<a href="#section-4.2-9" class="pilcrow">¶</a></p>
<div id="figure_rdata">
<figure id="figure-7">
- <div class="artwork art-text alignLeft" id="section-4.1.1-10.1">
+ <div class="artwork art-text alignLeft" id="section-4.2-10.1">
<pre>
- 0 8 16 24 32 40 48 56
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | RR COUNT | EXPIRA- /
- +-----+-----+-----+-----+-----+-----+-----+-----+
- / -TION | DATA SIZE |
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | TYPE | FLAGS |
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | DATA /
- / /
- / |
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | EXPIRATION |
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | DATA SIZE | TYPE |
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | FLAGS | DATA /
- +-----+-----+-----+-----+ /
- / /
- / /
- / /
- </pre>
+ 0 8 16 24 32 40 48 56
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | RR COUNT | EXPIRA- /
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ / -TION | DATA SIZE |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | TYPE | FLAGS |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | DATA /
+ / /
+ / |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | EXPIRATION |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | DATA SIZE | TYPE |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | FLAGS | DATA /
+ +-----+-----+-----+-----+ /
+ / /
+ / /
+ / /
+ </pre>
</div>
<figcaption><a href="#figure-7" class="selfRef">Figure 7</a></figcaption></figure>
</div>
-<p id="section-4.1.1-11">where:<a href="#section-4.1.1-11" class="pilcrow">¶</a></p>
-<dl class="dlParallel" id="section-4.1.1-12">
- <dt id="section-4.1.1-12.1">RR COUNT</dt>
- <dd id="section-4.1.1-12.2">
- A 32-bit value containing the number of resource records which are
- following.<a href="#section-4.1.1-12.2" class="pilcrow">¶</a>
+<p id="section-4.2-11">where:<a href="#section-4.2-11" class="pilcrow">¶</a></p>
+<dl class="dlParallel" id="section-4.2-12">
+ <dt id="section-4.2-12.1">RR COUNT</dt>
+ <dd id="section-4.2-12.2">
+ A 32-bit value containing the number of resource records which are
+ following.<a href="#section-4.2-12.2" class="pilcrow">¶</a>
</dd>
- <dt id="section-4.1.1-12.3">RR</dt>
- <dd id="section-4.1.1-12.4">
- A set of resoure records as defined in <a href="#rrecords" class="xref">Section 3</a>.<a href="#section-4.1.1-12.4" class="pilcrow">¶</a>
+ <dt id="section-4.2-12.3">RR</dt>
+ <dd id="section-4.2-12.4">
+ A set of resoure records as defined in <a href="#rrecords" class="xref">Section 3</a>.<a href="#section-4.2-12.4" class="pilcrow">¶</a>
</dd>
- </dl>
+ </dl>
</section>
</section>
</div>
<div id="encoding">
-<section id="section-4.2">
- <h3 id="name-internationalization-and-ch">
-<a href="#section-4.2" class="section-number selfRef">4.2. </a><a href="#name-internationalization-and-ch" class="section-name selfRef">Internationalization and Character Encoding</a>
- </h3>
-<p id="section-4.2-1">
- TODO<a href="#section-4.2-1" class="pilcrow">¶</a></p>
+<section id="section-5">
+ <h2 id="name-internationalization-and-ch">
+<a href="#section-5" class="section-number selfRef">5. </a><a href="#name-internationalization-and-ch" class="section-name selfRef">Internationalization and Character Encoding</a>
+ </h2>
+<p id="section-5-1">
+ TODO<a href="#section-5-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="security">
-<section id="section-4.3">
- <h3 id="name-security-considerations">
-<a href="#section-4.3" class="section-number selfRef">4.3. </a><a href="#name-security-considerations" class="section-name selfRef">Security Considerations</a>
- </h3>
-<p id="section-4.3-1">
- TODO<a href="#section-4.3-1" class="pilcrow">¶</a></p>
-</section>
-</div>
+<section id="section-6">
+ <h2 id="name-security-considerations">
+<a href="#section-6" class="section-number selfRef">6. </a><a href="#name-security-considerations" class="section-name selfRef">Security Considerations</a>
+ </h2>
+<p id="section-6-1">
+ TODO<a href="#section-6-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="resolution">
-<section id="section-5">
+<section id="section-7">
<h2 id="name-record-resolution">
-<a href="#section-5" class="section-number selfRef">5. </a><a href="#name-record-resolution" class="section-name selfRef">Record Resolution</a>
+<a href="#section-7" class="section-number selfRef">7. </a><a href="#name-record-resolution" class="section-name selfRef">Record Resolution</a>
</h2>
-<p id="section-5-1">
- TODO<a href="#section-5-1" class="pilcrow">¶</a></p>
+<p id="section-7-1">
+ TODO<a href="#section-7-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="revocation">
-<section id="section-6">
+<section id="section-8">
<h2 id="name-namespace-revocation">
-<a href="#section-6" class="section-number selfRef">6. </a><a href="#name-namespace-revocation" class="section-name selfRef">Namespace Revocation</a>
+<a href="#section-8" class="section-number selfRef">8. </a><a href="#name-namespace-revocation" class="section-name selfRef">Namespace Revocation</a>
</h2>
-<p id="section-6-1">
- TODO<a href="#section-6-1" class="pilcrow">¶</a></p>
+<p id="section-8-1">
+ TODO<a href="#section-8-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="iana">
-<section id="section-7">
+<section id="section-9">
<h2 id="name-iana-considerations">
-<a href="#section-7" class="section-number selfRef">7. </a><a href="#name-iana-considerations" class="section-name selfRef">IANA Considerations</a>
+<a href="#section-9" class="section-number selfRef">9. </a><a href="#name-iana-considerations" class="section-name selfRef">IANA Considerations</a>
</h2>
-<p id="section-7-1">
- This will be fun<a href="#section-7-1" class="pilcrow">¶</a></p>
+<p id="section-9-1">
+ This will be fun<a href="#section-9-1" class="pilcrow">¶</a></p>
</section>
</div>
-<section id="section-8">
+<section id="section-10">
<h2 id="name-normative-references">
-<a href="#section-8" class="section-number selfRef">8. </a><a href="#name-normative-references" class="section-name selfRef">Normative References</a>
+<a href="#section-10" class="section-number selfRef">10. </a><a href="#name-normative-references" class="section-name selfRef">Normative References</a>
</h2>
<dl class="references">
<dt id="RFC1035">[RFC1035]</dt>
diff --git a/draft-schanzen-gns.txt b/draft-schanzen-gns.txt
@@ -67,13 +67,13 @@ Table of Contents
3.2. GNS resource record types . . . . . . . . . . . . . . . . 4
4. Publishing records . . . . . . . . . . . . . . . . . . . . . 4
4.1. Resource records block . . . . . . . . . . . . . . . . . 5
- 4.1.1. Block data encryption . . . . . . . . . . . . . . . . 6
- 4.2. Internationalization and Character Encoding . . . . . . . 8
- 4.3. Security Considerations . . . . . . . . . . . . . . . . . 8
- 5. Record Resolution . . . . . . . . . . . . . . . . . . . . . . 8
- 6. Namespace Revocation . . . . . . . . . . . . . . . . . . . . 8
- 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
- 8. Normative References . . . . . . . . . . . . . . . . . . . . 8
+ 4.2. Block data encryption . . . . . . . . . . . . . . . . . . 6
+ 5. Internationalization and Character Encoding . . . . . . . . . 8
+ 6. Security Considerations . . . . . . . . . . . . . . . . . . . 8
+ 7. Record Resolution . . . . . . . . . . . . . . . . . . . . . . 8
+ 8. Namespace Revocation . . . . . . . . . . . . . . . . . . . . 8
+ 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
+ 10. Normative References . . . . . . . . . . . . . . . . . . . . 8
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction
@@ -156,9 +156,9 @@ Internet-Draft The GNU Name System July 2019
resource record:
... 5 4 3 2 1 0
- ------+--------+--------+--------+--------+--------+
- / ... | SHADOW | EXPREL | / | PRIVATE| / |
- ------+--------+--------+--------+--------+--------+
+ ------+--------+--------+--------+--------+--------+
+ / ... | SHADOW | EXPREL | / | PRIVATE| / |
+ ------+--------+--------+--------+--------+--------+
Figure 2
@@ -186,13 +186,13 @@ Internet-Draft The GNU Name System July 2019
The a PKEY DATA entry has the following format:
- 0 8 16 24 32 40 48 56
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | PUBLIC KEY |
- | |
- | |
- | |
- +-----+-----+-----+-----+-----+-----+-----+-----+
+ 0 8 16 24 32 40 48 56
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | PUBLIC KEY |
+ | |
+ | |
+ | |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
Figure 3
@@ -205,9 +205,9 @@ Internet-Draft The GNU Name System July 2019
the contained records. Given a label "l", the DHT key "q" is derived
as follows:
- h := HKDF ("key-derivation", l|y|"gns")
- d := h*x mod p
- q := sha512 (d*P)
+ h := HKDF ("key-derivation", l|y|"gns")
+ d := h*x mod p
+ q := sha512 (d*P)
where:
@@ -233,30 +233,30 @@ Internet-Draft The GNU Name System July 2019
a symmetric encryption scheme. A GNS resource records block has the
following format:
- 0 8 16 24 32 40 48 56
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | SIGNATURE |
- | |
- | |
- | |
- | |
- | |
- | |
- | |
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | PUBLIC KEY |
- | |
- | |
- | |
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | BDATA SIZE | PURPOSE |
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | EXPIRATION |
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | BDATA /
- / /
- / |
- +-----+-----+-----+-----+-----+-----+-----+-----+
+ 0 8 16 24 32 40 48 56
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | SIGNATURE |
+ | |
+ | |
+ | |
+ | |
+ | |
+ | |
+ | |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | PUBLIC KEY |
+ | |
+ | |
+ | |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | BDATA SIZE | PURPOSE |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | EXPIRATION |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | BDATA /
+ / /
+ / |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
Figure 4
@@ -291,7 +291,7 @@ Internet-Draft The GNU Name System July 2019
BDATA The encrypted resource records with a total size of "BDATA
SIZE".
-4.1.1. Block data encryption
+4.2. Block data encryption
Given a GNS record block a symmetric encryption scheme is used to
en-/decrypt "BDATA". The keys are derived from the record label "l"
@@ -399,27 +399,27 @@ Internet-Draft The GNU Name System July 2019
RR A set of resoure records as defined in Section 3.
-4.2. Internationalization and Character Encoding
+5. Internationalization and Character Encoding
TODO
-4.3. Security Considerations
+6. Security Considerations
TODO
-5. Record Resolution
+7. Record Resolution
TODO
-6. Namespace Revocation
+8. Namespace Revocation
TODO
-7. IANA Considerations
+9. IANA Considerations
This will be fun
-8. Normative References
+10. Normative References
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
@@ -282,133 +282,133 @@
The encrypted resource records with a total size of "BDATA SIZE".
</dd>
</dl>
- <section numbered="true" toc="default">
- <name>Block data encryption</name>
- <t>
- Given a GNS record block a symmetric encryption scheme is used to
- en-/decrypt "BDATA". The keys are derived from the record label "l"
- and a public key "d*P", where "d" is an ECDSA private key and "P"
- is the EC generator. "d" and "dG" are derived from the
- public/private key pair "x,y" of a GNS zone.
- Both "l" and "P" are implicity known by the GNS resolver.
- The key material "K" and initialization vector "IV"
- are derived as follows:
- </t>
+ </section>
+ <section numbered="true" toc="default">
+ <name>Block data encryption</name>
+ <t>
+ Given a GNS record block a symmetric encryption scheme is used to
+ en-/decrypt "BDATA". The keys are derived from the record label "l"
+ and a public key "d*P", where "d" is an ECDSA private key and "P"
+ is the EC generator. "d" and "dG" are derived from the
+ public/private key pair "x,y" of a GNS zone.
+ Both "l" and "P" are implicity known by the GNS resolver.
+ The key material "K" and initialization vector "IV"
+ are derived as follows:
+ </t>
+ <artwork name="" type="" align="left" alt=""><![CDATA[
+ h := HKDF ("key-derivation", l|y|"gns")
+ d := h*x mod p
+ K := HKDF (d*P, l|"gns-aes-ctx-key")
+ IV := HKDF (d*P, l|"gns-aes-ctx-iv")
+ ]]></artwork>
+ <t>
+ "HKDF" is a hash-based key derivation function as defined in
+ <xref target="RFC5869" />. We use HMAC-SHA512 for the extraction
+ phase and HMAC-SHA256 for the expansion phase as proposed in
+ (paper). The first argument for HKDF is the salt and the second
+ argument is the concatenated, serialized source key material.
+ We divide the resulting 512-bit "K" into a 256-bit AES key "Kaes"
+ and a 256-bit TWOFISH key "Ktwo":
+ </t>
+ <figure anchor="figure_hkdf_keys">
<artwork name="" type="" align="left" alt=""><![CDATA[
- h := HKDF ("key-derivation", l|y|"gns")
- d := h*x mod p
- K := HKDF (d*P, l|"gns-aes-ctx-key")
- IV := HKDF (d*P, l|"gns-aes-ctx-iv")
+ 0 8 16 24 32 40 48 56
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | AES KEY (Kaes) |
+ | |
+ | |
+ | |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | TWOFISH KEY (Ktwo) |
+ | |
+ | |
+ | |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
]]></artwork>
- <t>
- "HKDF" is a hash-based key derivation function as defined in
- <xref target="RFC5869" />. We use HMAC-SHA512 for the extraction
- phase and HMAC-SHA256 for the expansion phase as proposed in
- (paper). The first argument for HKDF is the salt and the second
- argument is the concatenated, serialized source key material.
- We divide the resulting 512-bit "K" into a 256-bit AES key "Kaes"
- and a 256-bit TWOFISH key "Ktwo":
- </t>
- <figure anchor="figure_hkdf_keys">
- <artwork name="" type="" align="left" alt=""><![CDATA[
- 0 8 16 24 32 40 48 56
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | AES KEY (Kaes) |
- | |
- | |
- | |
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | TWOFISH KEY (Ktwo) |
- | |
- | |
- | |
- +-----+-----+-----+-----+-----+-----+-----+-----+
- ]]></artwork>
- <!-- <postamble>which is a very simple example.</postamble>-->
- </figure>
- <t>
- Similarly, we divide "IV" into a 128-bit initialization vector IVaes
- and a 128-bit initialization vector IVtwo:
- </t>
- <figure anchor="figure_hkdf_ivs">
- <artwork name="" type="" align="left" alt=""><![CDATA[
- 0 8 16 24 32 40 48 56
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | AES IV (IVaes) |
- | |
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | TWOFISH IV (IVtwo) |
- | |
- +-----+-----+-----+-----+-----+-----+-----+-----+
- ]]></artwork>
- <!-- <postamble>which is a very simple example.</postamble>-->
- </figure>
-
- <t>
- The symmetric keys and IVs are used for a AES+TWOFISH combined
- cipher. Both ciphers are used in CFB (ref) mode.
- </t>
+ <!-- <postamble>which is a very simple example.</postamble>-->
+ </figure>
+ <t>
+ Similarly, we divide "IV" into a 128-bit initialization vector IVaes
+ and a 128-bit initialization vector IVtwo:
+ </t>
+ <figure anchor="figure_hkdf_ivs">
<artwork name="" type="" align="left" alt=""><![CDATA[
- RDATA := AES(Kaes, IVaes, TWOFISH(Ktwo, IVtwo, BDATA))
- BDATA := TWOFISH(Ktwo, IVtwo, AES(Kaes, IVaes, RDATA))
+ 0 8 16 24 32 40 48 56
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | AES IV (IVaes) |
+ | |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | TWOFISH IV (IVtwo) |
+ | |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
]]></artwork>
- <t>
- The decrypted RDATA has the following format:
- </t>
- <figure anchor="figure_rdata">
- <artwork name="" type="" align="left" alt=""><![CDATA[
- 0 8 16 24 32 40 48 56
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | RR COUNT | EXPIRA- /
- +-----+-----+-----+-----+-----+-----+-----+-----+
- / -TION | DATA SIZE |
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | TYPE | FLAGS |
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | DATA /
- / /
- / |
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | EXPIRATION |
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | DATA SIZE | TYPE |
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | FLAGS | DATA /
- +-----+-----+-----+-----+ /
- / /
- / /
- / /
- ]]></artwork>
- <!-- <postamble>which is a very simple example.</postamble>-->
- </figure>
- <t>where:</t>
- <dl>
- <dt>RR COUNT</dt>
- <dd>
- A 32-bit value containing the number of resource records which are
- following.
- </dd>
- <dt>RR</dt>
- <dd>
- A set of resoure records as defined in <xref target="rrecords" />.
- </dd>
- </dl>
+ <!-- <postamble>which is a very simple example.</postamble>-->
+ </figure>
- </section>
- </section>
- <section anchor="encoding" numbered="true" toc="default">
- <name>Internationalization and Character Encoding</name>
<t>
- TODO
+ The symmetric keys and IVs are used for a AES+TWOFISH combined
+ cipher. Both ciphers are used in CFB (ref) mode.
</t>
- </section>
- <section anchor="security" numbered="true" toc="default">
- <name>Security Considerations</name>
+ <artwork name="" type="" align="left" alt=""><![CDATA[
+ RDATA := AES(Kaes, IVaes, TWOFISH(Ktwo, IVtwo, BDATA))
+ BDATA := TWOFISH(Ktwo, IVtwo, AES(Kaes, IVaes, RDATA))
+ ]]></artwork>
<t>
- TODO
+ The decrypted RDATA has the following format:
</t>
+ <figure anchor="figure_rdata">
+ <artwork name="" type="" align="left" alt=""><![CDATA[
+ 0 8 16 24 32 40 48 56
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | RR COUNT | EXPIRA- /
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ / -TION | DATA SIZE |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | TYPE | FLAGS |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | DATA /
+ / /
+ / |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | EXPIRATION |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | DATA SIZE | TYPE |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | FLAGS | DATA /
+ +-----+-----+-----+-----+ /
+ / /
+ / /
+ / /
+ ]]></artwork>
+ <!-- <postamble>which is a very simple example.</postamble>-->
+ </figure>
+ <t>where:</t>
+ <dl>
+ <dt>RR COUNT</dt>
+ <dd>
+ A 32-bit value containing the number of resource records which are
+ following.
+ </dd>
+ <dt>RR</dt>
+ <dd>
+ A set of resoure records as defined in <xref target="rrecords" />.
+ </dd>
+ </dl>
+
</section>
</section>
+ <section anchor="encoding" numbered="true" toc="default">
+ <name>Internationalization and Character Encoding</name>
+ <t>
+ TODO
+ </t>
+ </section>
+ <section anchor="security" numbered="true" toc="default">
+ <name>Security Considerations</name>
+ <t>
+ TODO
+ </t>
+ </section>
<section anchor="resolution" numbered="true" toc="default">
<name>Record Resolution</name>
<t>
