commit c889e5d46a66f97c09c15505778040be9e7f8063
parent bf8ff19e15df6d1c65401ba3c3f4e10fc0d193f5
Author: Schanzenbach, Martin <mschanzenbach@posteo.de>
Date: Sun, 8 Sep 2019 13:33:53 +0200
test for record crypto
Diffstat:
2 files changed, 91 insertions(+), 74 deletions(-)
diff --git a/draft-schanzen-gns.txt b/draft-schanzen-gns.txt
@@ -2,10 +2,10 @@
-Independent Stream M. Schanzenbach
+Independent Stream M.S. Schanzenbach
Internet-Draft GNUnet e.V.
-Intended status: Informational July 23, 2019
-Expires: January 24, 2020
+Intended status: Informational 23 July 2019
+Expires: 24 January 2020
The GNU Name System Specification
@@ -31,7 +31,7 @@ Status of This Memo
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
- This Internet-Draft will expire on January 24, 2020.
+ This Internet-Draft will expire on 24 January 2020.
Copyright Notice
@@ -39,21 +39,21 @@ Copyright Notice
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
- Provisions Relating to IETF Documents
- (https://trustee.ietf.org/license-info) in effect on the date of
- publication of this document. Please review these documents
- carefully, as they describe your rights and restrictions with respect
- to this document. Code Components extracted from this document must
- include Simplified BSD License text as described in Section 4.e of
- the Trust Legal Provisions and are provided without warranty as
- described in the Simplified BSD License.
+ Provisions Relating to IETF Documents (https://trustee.ietf.org/
+ license-info) in effect on the date of publication of this document.
+ Please review these documents carefully, as they describe your rights
+ and restrictions with respect to this document. Code Components
+ extracted from this document must include Simplified BSD License text
+ as described in Section 4.e of the Trust Legal Provisions and are
+ provided without warranty as described in the Simplified BSD License.
-Schanzenbach Expires January 24, 2020 [Page 1]
+
+Schanzenbach Expires 24 January 2020 [Page 1]
�
Internet-Draft The GNU Name System July 2019
@@ -61,13 +61,13 @@ Internet-Draft The GNU Name System July 2019
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
- 2. Resource Records . . . . . . . . . . . . . . . . . . . . . . 2
- 2.1. Record blocks . . . . . . . . . . . . . . . . . . . . . . 2
- 2.1.1. BDATA SET cryptography . . . . . . . . . . . . . . . 3
- 2.2. Record data . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. GNS resource records . . . . . . . . . . . . . . . . . . . . 2
+ 2.1. GNS record blocks . . . . . . . . . . . . . . . . . . . . 2
+ 2.1.1. GNS record block data cryptography . . . . . . . . . 3
+ 2.2. GNS records . . . . . . . . . . . . . . . . . . . . . . . 4
2.3. Examples . . . . . . . . . . . . . . . . . . . . . . . . 4
- 2.4. Serialization format . . . . . . . . . . . . . . . . . . 4
- 2.5. Internationalization and Character Encoding . . . . . . . 4
+ 2.4. Serialization format . . . . . . . . . . . . . . . . . . 5
+ 2.5. Internationalization and Character Encoding . . . . . . . 5
2.6. Security Considerations . . . . . . . . . . . . . . . . . 5
3. Record Resolution . . . . . . . . . . . . . . . . . . . . . . 5
4. Namespace Revocation . . . . . . . . . . . . . . . . . . . . 5
@@ -85,14 +85,14 @@ Table of Contents
resolution processes, cryptographic routines and security
considerations for use by implementors.
-2. Resource Records
-
-2.1. Record blocks
- TODO
+2. GNS resource records
+2.1. GNS record blocks
+ TODO
+ A GNS record block has the following format:
@@ -109,13 +109,11 @@ Table of Contents
-Schanzenbach Expires January 24, 2020 [Page 2]
+Schanzenbach Expires 24 January 2020 [Page 2]
�
Internet-Draft The GNU Name System July 2019
- A GNS resource record has the following format:
-
0 1 2 3 4 5 6 7
+-----+-----+-----+-----+-----+-----+-----+-----+
| SIGNATURE |
@@ -127,48 +125,60 @@ Internet-Draft The GNU Name System July 2019
| |
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
- | ECDH PUBLIC KEY |
+ | PUBLIC KEY |
| |
| |
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
- | BDATA SET SIZE | PURPOSE |
+ | BDATA SIZE | PURPOSE |
+-----+-----+-----+-----+-----+-----+-----+-----+
| EXPIRATION |
+-----+-----+-----+-----+-----+-----+-----+-----+
- / BDATA SET /
+ / BDATA /
/ /
+-----+-----+-----+-----+-----+-----+-----+-----+
- Figure 1
+ Figure 1
-2.1.1. BDATA SET cryptography
+ where:
- TEST
-
- h := H(l,P)
- d := h*x mod n
- k := HKDF (P,l)
-
-2.2. Record data
+ SIGNATURE The GNS record block signature.
+ PUBLIC KEY A public key which is used to verify SIGNATURE. This key
+ is not the public key of the namespace.
+ BDATA SIZE The GNS record block data length.
+ PURPOSE The signature purpose.
+ EXPIRATION The GNS record block expiration.
+ BDATA The GNS record block data
+2.1.1. GNS record block data cryptography
+ Given a GNS record block a symmetric key "k" is used to en-/decrypt
+ "BDATA". The key is derived from the record label "l" and the public
+ key "P". Both "l" and "P" are implicity known by the GNS resolver.
+ "k" is a 256-bit AES key which is derived as follows.
+Schanzenbach Expires 24 January 2020 [Page 3]
+�
+Internet-Draft The GNU Name System July 2019
+ h := SHA512 (l,P)
+ d := h*x mod n
+ k := HKDF (P,l)
-Schanzenbach Expires January 24, 2020 [Page 3]
-�
-Internet-Draft The GNU Name System July 2019
+ "HKDF" is a hash-based key derivation function which derives the
+ symmetric AES key "k" from the public key "P" and the record label
+ "l".
+2.2. GNS records
A single entry in the decrypted BDATA SET has the following format:
@@ -190,7 +200,7 @@ Internet-Draft The GNU Name System July 2019
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
- Figure 2
+ Figure 2
The a PKEY RDATA has the following format:
@@ -202,29 +212,27 @@ Internet-Draft The GNU Name System July 2019
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
- Figure 3
+ Figure 3
2.3. Examples
TODO
-2.4. Serialization format
- TODO (Is this not the same as wire format?)
-
-2.5. Internationalization and Character Encoding
-
- TODO
+Schanzenbach Expires 24 January 2020 [Page 4]
+�
+Internet-Draft The GNU Name System July 2019
+2.4. Serialization format
+ TODO (Is this not the same as wire format?)
-Schanzenbach Expires January 24, 2020 [Page 4]
-�
-Internet-Draft The GNU Name System July 2019
+2.5. Internationalization and Character Encoding
+ TODO
2.6. Security Considerations
@@ -254,8 +262,8 @@ Author's Address
Martin Schanzenbach
GNUnet e.V.
Boltzmannstrasse 3
- Garching 85748
- DE
+ 85748 Garching
+ Germany
Email: schanzen@gnunet.org
@@ -269,12 +277,4 @@ Author's Address
-
-
-
-
-
-
-
-
-Schanzenbach Expires January 24, 2020 [Page 5]
+Schanzenbach Expires 24 January 2020 [Page 5]
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
@@ -54,9 +54,9 @@
</t>
</section>
<section anchor="rrecords" numbered="true" toc="default">
- <name>Resource Records</name>
+ <name>GNS resource records</name>
<section anchor="wire" numbered="true" toc="default">
- <name>Record blocks</name>
+ <name>GNS record blocks</name>
<t>
TODO
</t>
@@ -74,16 +74,16 @@
| |
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
- | ECDH PUBLIC KEY |
+ | PUBLIC KEY |
| |
| |
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
- | BDATA SET SIZE | PURPOSE |
+ | BDATA SIZE | PURPOSE |
+-----+-----+-----+-----+-----+-----+-----+-----+
| EXPIRATION |
+-----+-----+-----+-----+-----+-----+-----+-----+
- / BDATA SET /
+ / BDATA /
/ /
+-----+-----+-----+-----+-----+-----+-----+-----+
]]></artwork>
@@ -91,22 +91,39 @@
<t>where:</t>
<dl>
<dt>SIGNATURE</dt>
- <dd>A signature</dd>
+ <dd>The GNS record block signature.</dd>
+ <dt>PUBLIC KEY</dt>
+ <dd>A public key which is used to verify SIGNATURE. This key is not the public key of the namespace.</dd>
+ <dt>BDATA SIZE</dt>
+ <dd>The GNS record block data length.</dd>
+ <dt>PURPOSE</dt>
+ <dd>The signature purpose.</dd>
+ <dt>EXPIRATION</dt>
+ <dd>The GNS record block expiration.</dd>
+ <dt>BDATA</dt>
+ <dd>The GNS record block data</dd>
</dl>
<section numbered="true" toc="default">
- <name>BDATA SET cryptography</name>
+ <name>GNS record block data cryptography</name>
<t>
- TEST
+ Given a GNS record block a symmetric key "k" is used to
+ en-/decrypt "BDATA". The key is derived from the record label "l" and
+ the public key "P". Both "l" and "P" are implicity known by the
+ GNS resolver. "k" is a 256-bit AES key which is derived as follows.
</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
- h := H(l,P)
+ h := SHA512 (l,P)
d := h*x mod n
k := HKDF (P,l)
- ]]></artwork>
+ ]]></artwork>
+ <t>
+ "HKDF" is a hash-based key derivation function which derives the
+ symmetric AES key "k" from the public key "P" and the record label "l".
+ </t>
</section>
</section>
<section numbered="true" toc="default">
- <name>Record data</name>
+ <name>GNS records</name>
<t>A single entry in the decrypted BDATA SET has the following format:</t>
<figure anchor="figure_gnsrecord">
<artwork name="" type="" align="left" alt=""><