commit 7583f38bc5e6ceff8ae75b51efa23cdc372ef508
parent 4479d21d26a91249fd415fa59f3de8624d579d5f
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Thu, 16 Jun 2022 13:20:28 +0200
add derivation graphic
Diffstat:
1 file changed, 40 insertions(+), 11 deletions(-)
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
@@ -1733,17 +1733,8 @@ GET(key) -> value
</t>
<t>
Resource records are grouped by their respective labels,
- encrypted and published together in a single resource records block
- (RRBLOCK) in the storage under a key q as illustrated in <xref target="figure_storage_publish"/>.
- The key q is derived from the zone key and the respective
- label of the contained records.
- The required knowledge of both zone key and label in combination
- with the similarly derived symmetric secret keys and blinded zone keys
- ensure query privacy (see <xref target="RFC8324"/>, Section 3.5).
- The storage key derivation and records
- block creation is specified in the following sections.
- The implementation <bcp14>MUST</bcp14> use the PUT storage procedure in order to update
- the zone contents accordingly.
+ encrypted and published together in a single records block
+ (RRBLOCK) in the storage under a storage key q as illustrated in <xref target="figure_storage_publish"/>.
</t>
<figure anchor="figure_storage_publish" title="Management and publication of local zones in the distributed storage.">
<artwork name="" type="" align="left" alt=""><![CDATA[
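Review bot: in the rewritten paragraph, the expansion "a single records block (RRBLOCK)" no longer matches the abbreviation, since the removed text read "resource records block (RRBLOCK)" and the "RR" stands for "resource records". Suggest keeping "a single resource records block (RRBLOCK)" so the term and its acronym stay consistent with the rest of the draft. Moving the derivation description out of this paragraph is otherwise fine, as long as it is reintroduced after the figure.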
@@ -1773,6 +1764,44 @@ GET(key) -> value
]]></artwork>
</figure>
+ <t>
+ The storage key is derived from the zone key and the respective
+ label of the contained records.
+ The required knowledge of both zone key and label in combination
+ with the similarly derived symmetric secret keys and blinded zone keys
+ ensure query privacy (see <xref target="RFC8324"/>, Section 3.5).
+ The storage Key derivation and records
+ block creation using is specified in the following sections and a high-level
+ overview is illustrated in <xref target="figure_storage_derivations"/>.
+ The implementation <bcp14>MUST</bcp14> use the PUT storage procedure in order to update the zone contents accordingly.
+ </t>
+ <figure anchor="figure_storage_derivations" title="Storage key and records block creation overview.">
+ <artwork name="" type="" align="left" alt=""><![CDATA[
++----------+ +-------+ +------------+ +-------------+
+| Zone Key | | Label | | Record Set | | Private Key |
++----------+ +-------+ +------------+ +-------------+
+ | | | |
+ | | v |
+ | | +-----------+ |
+ | +---------->| S-Encrypt | |
+ +----------|---------->+-----------+ |
+ | | | | |
+ | | | v v
+ | | | +-------------+
+ | +---------------|-->| SignDerived |
+ | | | +-------------+
+ | | | |
+ | v v v
+ | +------+ +---------------+
+ +----->| ZKDF |------->| Records Block |
+ +------+ +---------------+
+ |
+ v
+ +------+ +-------------+
+ | Hash |------->| Storage Key |
+ +------+ +-------------+
+ ]]></artwork>
+ </figure>
<section anchor="blinding" numbered="true" toc="default">
<name>The Storage Key</name>
<t>
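Review bot: the added paragraph carries two typos that should be fixed before merging: "The storage Key derivation" has a stray capital K, and "block creation using is specified" has a leftover "using". The sentence also has a number mismatch: "The storage key derivation and records block creation ... is specified" should read "are specified", and "The required knowledge ... ensure query privacy" (carried over from the removed text) should read "ensures". A smaller point on the figure: the ZKDF box feeds both the Records Block and the Hash that yields the Storage Key, but the arrow label does not say which derived value (the blinded zone key) is meant; a short caption or a label on that edge would make the overview self-explanatory for readers who skip to the figure.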