commit 45181fac38967b6aaf6fdb8ab55bdb5460d1a17f
parent e44d200e5c166d7fbb73a450caabe3029dca2752
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Tue, 18 Jun 2024 09:24:08 +0200
merge
Diffstat:
1 file changed, 28 insertions(+), 17 deletions(-)
diff --git a/draft-gnunet-communicators.xml b/draft-gnunet-communicators.xml
@@ -430,8 +430,8 @@
</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
Key_Gen() := (REC_SK, REC_ID)
-Encap(REC_ID) := (REPR, (K,IV)) = (REPR, SetupCipher(MSK, 0)) = (Enc(G.EPH_SK, rand), SetupCipher(SHA512(X25519(EPH_SK, Ed_To_Curve(REC_ID)))[0:256], 0))
-Decap(REPR) := (K,IV) = SetupCipher(MSK, 0) = SetupCipher(SHA512(X25519(REC_SK, Dec(REPR)))[0:256], 0)
+Encap(REC_ID) := (REPR, (K,IV)) = (Enc(G.EPH_SK, rand), SetupCipher(KDF(X25519(EPH_SK, Ed_To_Curve(REC_ID))), 0))
+Decap(REPR) := (K,IV) = SetupCipher(KDF(X25519(REC_SK, Dec(REPR))), 0)
]]></artwork>
<t>
Both the sending and the receiving peer <bcp14>SHOULD</bcp14> store the master shared secret MSK and attribute it to the corresponding peer.
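Review bot: The new Encap/Decap lines call `KDF` with a single argument, `KDF(X25519(EPH_SK, Ed_To_Curve(REC_ID)))`, while the KDF this commit defines further down takes two inputs, `KDF(A,Z)` with `HKDF-Extract (0, A||Z)`, so a reader cannot tell what A and Z are bound to here. If the second input is meant to carry KEM context, binding the ephemeral public key and the recipient identity into the derivation (as the DH-KEM of RFC 9180 does with enc||pkR) would be the natural reading, e.g. `SetupCipher(KDF(REPR||REC_ID, X25519(EPH_SK, Ed_To_Curve(REC_ID))), 0)` — but that is a guess at intent and the call and the definition need to agree either way. The artwork also still does not say that the X25519 output MUST be rejected when it is all-zero (RFC 7748 section 6.1) before it is fed to the KDF; one sentence after the artwork, such as `Implementations MUST abort if the X25519 shared secret is the all-zero value.`, would close that gap.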
@@ -464,17 +464,30 @@ Decap(REPR) := (K,IV) = SetupCipher(MSK, 0) = SetupCipher(SHA512(X25519(REC_SK,
from a 32-bit sequence number SEQ (in network byte order).
</t>
<t>
- The KID derivation uses a hash-based key derivation function (HKDF) as defined in <xref target="RFC5869" />, using SHA-512
- <xref target="RFC6234"/> for the extraction phase and SHA-256 <xref target="RFC6234"/> for the expansion phase. PRK_h is key
- material retrieved using an HKDF using the byte string SEQ as a salt and k as initial keying material. The key K and
- initialization vector IV are the 256 + 96-bit HKDF expansion result. The expansion information input is the string "UDP-IV-KEY":
+ The KEM and KID derivation uses a hash-based key derivation function (HKDF) as defined in
+ <xref target="RFC5869" />, using SHA-256 <xref target="RFC6234"/> for the extraction
+ phase and SHA-256 <xref target="RFC6234"/> for the expansion phase.
+ The secret resulting from the X25519 KEM is derived into a key using
+ the following KDF:
+ </t>
+ <artwork anchor="kdf" name="" type="" align="left" alt=""><![CDATA[
+KDF(A,Z):
+ PRK_h := HKDF-Extract (0, A||Z)
+ MSK := HKDF-Expand (PRK_h, "gnunet-ed25519-x25519-ecdh", (512) / 8)
+ return MSK
+ ]]></artwork>
+ <t>
+ For SetupCipher, PRK_h is key material retrieved using an HKDF using the byte string
+ seq as salt and k as initial keying material.
+ key and initialization vector are the 256 + 96-bit HKDF expansion result.
+ The expansion information input is the string "UDP-IV-KEY":
</t>
<artwork anchor="setup_cipher" name="" type="" align="left" alt=""><![CDATA[
SetupCipher(MSK,SEQ):
PRK_h := HKDF-Extract (SEQ, MSK)
- K,IV := HKDF-Expand (PRK_h, "UDP-IV-KEY", (256 + 96) / 8)
+ K,IV := HKDF-Expand (PRK_h, "gnunet-communicator-udp-key-iv", (256 + 96) / 8)
return K,IV
- ]]></artwork>
+ ]]></artwork>
<t>
With SetupCipher, a 256-bit AES key as well as a 96-bit IV for use in AES-GCM
are derived from the MSK and SEQ.
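Review bot: The salt `0` in `PRK_h := HKDF-Extract (0, A||Z)` is ambiguous: RFC 5869 treats an absent salt as HashLen zero bytes, but a literal single zero byte or an empty string give different PRKs, and the prose does not say which is meant. Suggest stating it explicitly in the sentence that introduces the KDF, e.g. `The salt is the empty string, i.e. HashLen zero octets as specified in RFC 5869.`, and likewise defining the two parameters A and Z, since the KDF is invoked with one argument in the Encap/Decap artwork. The extraction hash is changed from SHA-512 to SHA-256 in the prose; that is worth confirming against the implementation before publication, as the previous text and the replaced `SHA512(...)[0:256]` expression suggest a SHA-512 extract. Finally, the SetupCipher paragraph uses lowercase `seq`, `k` and `key` while the artwork below uses `SEQ`, `MSK`, `K` and `IV`; aligning the names (`the byte string SEQ as salt and MSK as initial keying material. The key K and initialization vector IV are ...`) and writing `512 / 8` instead of `(512) / 8` would remove the mismatch.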
@@ -486,7 +499,7 @@ SetupCipher(MSK,SEQ):
<artwork anchor="derive_kid" name="" type="" align="left" alt=""><![CDATA[
DeriveKID(MSK,SEQ):
PRK_h := HKDF-Extract (SEQ, MSK)
- KID := HKDF-Expand (PRK_h, "UDP-KID", 256 / 8)
+ KID := HKDF-Expand (PRK_h, "gnunet-communicator-udp-kid", 256 / 8)
return KID
]]></artwork>
<t>
@@ -1007,19 +1020,17 @@ DeriveKID(MSK,SEQ):
</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
Key_Gen() := (REC_SK, REC_ID)
-Encap(REC_ID) := (REPR, (K,IV,K_mac)) = (Enc(G.EPH_SK, rand), SetupCipher(SHA512(X25519(EPH_SK, Ed_To_Curve(REC_ID)))[0:256]))
-Decap(REPR) := (K,IV, K_mac) = SetupCipher(SHA512(X25519(REC_SK, Dec(REPR)))[0:255])
+Encap(REC_ID) := (REPR, (K,IV,K_mac)) = (Enc(G.EPH_SK, rand), SetupCipher(KDF(X25519(EPH_SK, Ed_To_Curve(REC_ID)))))
+Decap(REPR) := (K,IV, K_mac) = SetupCipher(X25519(REC_SK, Dec(REPR)))
]]></artwork>
<t>
</t>
<artwork anchor="setup_cipher_tcp" name="" type="" align="left" alt=""><![CDATA[
SetupCipher(MSK):
- PRK_k := HKDF-Extract ("TCP-key", MSK)
- K := HKDF-Expand (PRK_k, PEERID, 256 / 8)
- PRK_i := HKDF-Extract ("TCP-ctr", MSK)
- IV := HKDF-Expand (PRK_i, PEERID, 128 / 8)
- PRK_mac := HKDF-Extract ("TCP-hmac", MSK)
- K_mac := HKDF-Expand (PRK_i, PEERID, 512 / 8)
+ PRK := HKDF-Extract (0, PEERID||MSK)
+ K := HKDF-Expand (PRK, "gnunet-communicator-tcp-key", 256 / 8)
+ IV := HKDF-Expand (PRK, "gnunet-communicator-tcp-ctr, 128 / 8)
+ K_mac := HKDF-Expand (PRK, "gnunet-communicator-tcp-hmac, 512 / 8)
return K,IV,K_mac
]]></artwork>
<t>
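Review bot: The new TCP `Decap` line omits the KDF that `Encap` applies, `SetupCipher(X25519(REC_SK, Dec(REPR)))` versus `SetupCipher(KDF(X25519(...)))` on the line above, so the two sides would derive K, IV and K_mac from different inputs; it should read `Decap(REPR) := (K,IV, K_mac) = SetupCipher(KDF(X25519(REC_SK, Dec(REPR))))`. The info strings for IV and K_mac are missing their closing quotes: `IV := HKDF-Expand (PRK, "gnunet-communicator-tcp-ctr", 128 / 8)` and `K_mac := HKDF-Expand (PRK, "gnunet-communicator-tcp-hmac", 512 / 8)`. Deriving the three outputs from one PRK with distinct info labels is sound under HKDF and also removes the old K_mac/PRK_i mix-up, but `PEERID` in `HKDF-Extract (0, PEERID||MSK)` is not defined in this hunk (which peer's identity, and in what encoding); if that is defined in text outside this hunk a cross-reference here would help, otherwise a sentence fixing it is needed for interoperability. The same salt-`0` ambiguity as in the UDP KDF (empty string vs. HashLen zero octets per RFC 5869) applies to this Extract as well.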