lsd0001

LSD0001: GNU Name System

commit ce5d787e524f792b691534e8da3fda119b1957c1
parent 28f1e29b2a5ab3ba1a2549eba647c1cec07b0d33
Author: Martin Schanzenbach <mschanzenbach@posteo.de>
Date:   Mon, 19 Oct 2020 09:38:10 +0200

s/gcm/chacha

Diffstat:
M draft-schanzen-gns.xml | 56 +++++++++++++++++++++++++++++++++++++++++---------------
1 file changed, 41 insertions(+), 15 deletions(-)

diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml @@ -15,6 +15,7 @@ <!ENTITY RFC6781 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6781.xml"> <!ENTITY RFC6895 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6895.xml"> <!ENTITY RFC6979 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6979.xml"> +<!ENTITY RFC7539 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7539.xml"> <!ENTITY RFC7748 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7748.xml"> <!ENTITY RFC8032 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8032.xml"> <!ENTITY RFC8126 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8126.xml"> @@ -733,20 +734,18 @@ S := r + SHA512(R, zk', M) * a' mod L SB == R + SHA512(R, zk', M) * A' ]]></artwork> <t> - <!-- FIXME: here we SHOULD consider standardizing AES-GCM - instead. Please review this choice when implementing - EDKEY support! --> - The S-Encrypt() and S-Decrypt() functions use AES in galois - counter mode as defined in <xref target="GCM" /> (GCM-AES-256): + The S-Encrypt() and S-Decrypt() functions use ChaCha20 + as defined in <xref target="RFC7539" /> + (ChaCha20-Poly1305): </t> <artwork name="" type="" align="left" alt=""><![CDATA[ -RDATA := GCM-AES-256(K, IV, BDATA) -BDATA := GCM-AES-256(K, IV, RDATA) = CIPHERTEXT | GCM_TAG +RDATA := ChaCha20(K, IV, BDATA) +BDATA := ChaCha20(K, IV, RDATA) = CIPHERTEXT | TAG ]]></artwork> <t> - The result of the GCM encryption function is the encrypted - ciphertext concatenated with the 128-bit GCM authentication - tag "GCM_TAG". + The result of the ChaCha20 encryption function is the encrypted + ciphertext concatenated with the 128-bit authentication + tag "TAG". Accordingly, the length of BDATA equals the length of the RDATA plus the 16 octets of the authentication tag. </t> 
@@ -758,17 +757,43 @@ BDATA := GCM-AES-256(K, IV, RDATA) = CIPHERTEXT | GCM_TAG PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk) PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk) K := HKDF-Expand (PRK_k, label, 256 / 8); -IV := HKDF-Expand (PRK_n, label, 96 / 8) +NONCE := HKDF-Expand (PRK_n, label, 32 / 8) ]]></artwork> <t> HKDF is a hash-based key derivation function as defined in <xref target="RFC5869" />. Specifically, HMAC-SHA512 is used for the extraction phase and HMAC-SHA256 for the expansion phase. The output keying material is 32 octets (256 bits) for the symmetric - key and 12 octets (96 bits) for the IV. - The symmetric key "K" is a 256-bit AES <xref target="RFC3826" /> key. + key and 4 octets (32 bits) for the NONCE. + The symmetric key "K" is a 256-bit ChaCha20 + <xref target="RFC7539" /> key. No additional authenticated data (AAD) is used. </t> + <t> + The nonce is combined with a 64-bit initialization vector and a + 32-bit block counter. + The block counter begins with the value of 1, and it is incremented + to generate subsequent portions of the key stream. + The block counter is a 32-bit integer value treated as a 32-bit + little-endian integer. + The initialization vector is the expiration time of the + resource record block in network byte order. + The resulting counter ("IV") wire format is as follows: + </t> + <figure anchor="figure_hkdf_ivs_edkey"> + <artwork name="" type="" align="left" alt=""><![CDATA[ +0 8 16 24 32 ++-----+-----+-----+-----+ +| NONCE | ++-----+-----+-----+-----+ +| EXPIRATION | +| | ++-----+-----+-----+-----+ +| BLOCK COUNTER | ++-----+-----+-----+-----+ + ]]></artwork> + </figure> + </section> <section anchor="gnsrecords_gns2dns" numbered="true" toc="default"> @@ -2207,6 +2232,7 @@ cae1789d &RFC6781; &RFC6895; &RFC6979; + &RFC7539; &RFC7748; &RFC8032; &RFC8126; 
@@ -2301,7 +2327,7 @@ cae1789d </abstract> </front> </reference> - <reference anchor="GCM" target="https://doi.org/10.6028/NIST.SP.800-38D"> + <!-- <reference anchor="GCM" target="https://doi.org/10.6028/NIST.SP.800-38D"> <front> <title>Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC</title> <author initials="M." surname="Dworkin" fullname="Morris Dworkin"> @@ -2315,7 +2341,7 @@ cae1789d </t> </abstract> </front> - </reference> + </reference>--> <reference anchor="CrockfordB32" target="https://www.crockford.com/base32.html"> <front> <title>Base32</title>
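
Review bot: In the hunk at @@ -733,20 +734,18 @@, the two artwork lines name the primitive as plain ChaCha20 ("RDATA := ChaCha20(K, IV, BDATA)"), yet the same paragraph specifies a 128-bit authentication tag, which only the ChaCha20-Poly1305 AEAD of RFC 7539 produces; ChaCha20 on its own is an unauthenticated stream cipher. Suggest writing ChaCha20-Poly1305 in both artwork lines and in "The result of the ChaCha20 encryption function", so an implementer cannot read the text as permitting the bare cipher, and adding a sentence that S-Decrypt() rejects BDATA whose TAG does not verify. The argument is also still called IV here, while the next hunk renames the derived value to NONCE; pick one name for the value passed to the cipher.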
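
Review bot: In the new paragraph of the hunk at @@ -758,17 +757,43 @@, nothing states the uniqueness requirement on the value fed to the cipher: K and NONCE are both derived from zk and label only, so the (key, nonce) pair is distinct only when the 64-bit expiration time differs. Two different RDATA encrypted under the same zone key and label with the same expiration would share a ChaCha20 key stream and a Poly1305 one-time key, so the text should require a changed expiration whenever the record set under a label changes. Separately, the figure places BLOCK COUNTER after NONCE and EXPIRATION, whereas the RFC 7539 state has the 32-bit counter before the 96-bit nonce, and the RFC 7539 AEAD takes only the 96-bit nonce and handles the counter itself (block 0 for the Poly1305 key, encryption from block 1); suggest defining the 96-bit nonce as NONCE | EXPIRATION and dropping the counter from the "IV" wire format, which would also remove the double use of "initialization vector" for both the 64-bit expiration and the 128-bit combined value. The unchanged context lines still use the HKDF strings "gns-aes-ctx-key" and "gns-aes-ctx-iv"; if they are kept on purpose, a short remark saying so would help.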
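
Review bot: In the hunks at @@ -2301,7 +2327,7 @@ and @@ -2315,7 +2341,7 @@, the GCM reference is wrapped in an XML comment rather than deleted, which leaves dead markup in the draft and breaks the document if the commented block ever contains "--". Suggest removing the reference element outright, since the history keeps it, and checking that no xref with target "GCM" remains elsewhere in the file. The hunk at @@ -758,17 +757,43 @@ also drops the only visible xref to RFC3826, so its entity and reference entry may now be unused as well.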