
LSD0007: GNUnet communicators

commit 4cd0438bb5b56585137723bd4bbb988aeb18f072
parent b5671012094ca01bcea022bcc13b0ff470dc6fa8
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date:   Fri,  4 Aug 2023 15:06:46 +0200

Update

Diffstat:
M draft-gnunet-communicators.xml | 110 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------
1 file changed, 94 insertions(+), 16 deletions(-)

diff --git a/draft-gnunet-communicators.xml b/draft-gnunet-communicators.xml 
@@ -573,8 +573,76 @@ DeriveKID(MSK,SEQ): <section anchor="tcp_comm" numbered="true" toc="default"> <name>TCP communicators</name> <t> - FIXME + The first data from a communicator that is trying to establish a connection + is always an ephemeral public key. + This key is used to derive an initial symmetric key which is used to decrypt + the following data. + Let MSK be the symmetric key decapsulated from the ephemeral public key with + the receiving peer's private key. </t> + <artwork name="" type="" align="left" alt=""><![CDATA[ +SetupCipher(MSK): + PRK_k := HKDF-Extract ("TCP-key", MSK) + K := HKDF-Expand (PRK_k, PEERID, 256 / 8) + PRK_i := HKDF-Extract ("TCP-ctr", MSK) + IV := HKDF-Expand (PRK_i, PEERID, 128 / 8) + PRK_h := HKDF-Extract ("TCP-hmac", MSK) + H := HKDF-Expand (PRK_i, PEERID, 512 / 8) + return K,IV,H + ]]></artwork> + <t> + The above K and IV are used to decrypt the following 136 bytes of data + which are expected to consist of a TCP handshake message as defined in + <xref target="tcp_handshake"/> below. + </t> + <section anchor="tcp_handshake" numbered="true" toc="default"> + <name>Handshake</name> + <figure anchor="figure_tcp_handshake" title="The wire format of a TCP handshake."> + <artwork name="" type="" align="left" alt=""><![CDATA[ +0 8 16 24 32 40 48 56 ++-----+-----+-----+-----+-----+-----+-----+-----+ +| SENDER PEER ID | +| | +| | +| | ++-----+-----+-----+-----+-----+-----+-----+-----+ +| SIGNATURE | +| | +| | +| | +| | +| | +| | +| | ++-----+-----+-----+-----+-----+-----+-----+-----+ +| MONOTONIC TIMESTAMP | ++-----+-----+-----+-----+-----+-----+-----+-----+ +| NONCE | +| | +| | +| | ++-----+-----+-----+-----+-----+-----+-----+-----+ + ]]></artwork> + </figure> + <dl> + <dt>SENDER PEER ID</dt> + <dd> + A 256-bit EdDSA public key. + </dd> + <dt>SIGNATURE</dt> + <dd> + A 512-bit EdDSA signature. The signature is calculated over + the data as defined in <xref target="figure_tcp_handshake_sig"/>. 
+ </dd> + <dt>MONOTONIC TIMESTAMP</dt> + <dd> + FIXME. + </dd> + <dt>NONCE</dt> + <dd> + A 256-bit random value used as a challenge to be signed in a TCP acknowledgment. + </dd> + </dl> <figure anchor="figure_tcp_handshake_sig" title="The wire format used for creating the signature of the identification packet."> <artwork name="" type="" align="left" alt=""><![CDATA[ 0 8 16 24 32 40 48 56 @@ -635,7 +703,7 @@ DeriveKID(MSK,SEQ): <dd> A 256-bit EdDSA public key. </dd> - <dt>EPHEMERAL PEER ID</dt> + <dt>EPHEMERAL PUBLIC KEY</dt> <dd> A 256-bit EdDSA public key. </dd> @@ -648,23 +716,28 @@ DeriveKID(MSK,SEQ): A 256-bit random value. </dd> </dl> + <t> + If the handshake data is invalid, the connection is dropped. (FIXME define invalid, signature invalid OR sender invalid etc). + Otherwise, we send our own TCP handshake to establish a shared secret for outgoing messages and reply with a TCP handshake acknowledgment message. + The TCP handshake acknowledgement message is defined in <xref target="figure_tcp_handshake_ack_sig"/> and is encrypted + with the + </t> <figure anchor="figure_tcp_handshake_ack_sig" title="The wire format used for creating the response for the identification packet."> <artwork name="" type="" align="left" alt=""><![CDATA[ -0 8 16 24 32 40 48 56 +0 8 16 24 +-----+-----+-----+-----+-----+-----+-----+-----+ -| SIZE | PURPOSE (0x0X) | +| SIZE | TYPE (0x0X) | +-----+-----+-----+-----+-----+-----+-----+-----+ | SENDER PEER ID | | | | | | | -+-----+-----+-----+-----+-----+-----+-----+-----+ -| RECEIVER PEER ID | +| | | | | | | | +-----+-----+-----+-----+-----+-----+-----+-----+ -| MONOTONIC TIMESTAMP | +| RECEIVER PEER ID | | | | | | | @@ -673,9 +746,13 @@ DeriveKID(MSK,SEQ): | | | | +-----+-----+-----+-----+-----+-----+-----+-----+ -| NONCE | +| MONOTONIC TIMESTAMP | | | ++-----+-----+-----+-----+-----+-----+-----+-----+ +| NONCE | | | +/ / +/ / | | +-----+-----+-----+-----+-----+-----+-----+-----+ ]]></artwork> 
@@ -683,17 +760,13 @@ DeriveKID(MSK,SEQ): <dl> <dt>SIZE</dt> <dd> - A 32-bit value containing the length of the signed data in bytes + A 16-bit value containing the length of the message in bytes in network byte order. </dd> - <dt>PURPOSE</dt> + <dt>TYPE</dt> <dd> - A 32-bit signature purpose flag in network byte order. The value of this - field <bcp14>MUST</bcp14> be XXXX. It defines the context in which - the signature is created so that it cannot be reused in other parts - of the protocol including possible future extensions. - The value of this field corresponds to an entry in the - GANA "GNUnet Signature Purpose" registry <xref target="gana"/>. + A 16-bit signature type flag in network byte order. The value of this + field <bcp14>MUST</bcp14> be XXXX. </dd> <dt>SENDER PEER ID</dt> <dd> @@ -712,6 +785,11 @@ DeriveKID(MSK,SEQ): A 256-bit random value. </dd> </dl> + <t> + One outgoing and incoming shared secrets are established, actual payload can be exchanged + bi-directionally using TCP Box messages. FIXME hmac, MtE discussion, padding-oracle, etc + </t> + </section> </section> <section anchor="quic_comm" numbered="true" toc="default"> <name>QUIC communicator</name>
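Review bot: In the `SetupCipher(MSK)` artwork of the first hunk (@@ -573), `H := HKDF-Expand (PRK_i, PEERID, 512 / 8)` expands from `PRK_i` (the "TCP-ctr" PRK) although `PRK_h := HKDF-Extract ("TCP-hmac", MSK)` is derived on the line above and then never used; this looks like a copy-paste slip and should read `H := HKDF-Expand (PRK_h, PEERID, 512 / 8)`, otherwise the MAC key is not domain-separated from the IV. The same hunk also leaves the primitives unnamed: the prose says K and IV "are used to decrypt the following 136 bytes" without stating which cipher and mode, how the counter implied by the "TCP-ctr" label advances between messages so that keystream is never reused under the same K/IV, or how the ephemeral public key is turned into MSK ("decapsulated ... with the receiving peer's private key" names no KEM or curve). Finally `<dt>MONOTONIC TIMESTAMP</dt>` still carries a `FIXME.` description; the field width (64 bits in the figure), byte order and the reference clock should be specified before this section loses its FIXME status.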
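Review bot: In the second hunk (@@ -635) the `<dt>` is renamed from `EPHEMERAL PEER ID` to `EPHEMERAL PUBLIC KEY`, but the `<dd>` that follows still says "A 256-bit EdDSA public key". If this key is the one the first hunk decapsulates MSK from, it is a key-agreement key rather than a signing key, so the description should say which curve and encoding it uses (and that it is not the sender's identity key) rather than reusing the EdDSA wording of the SENDER PEER ID entry.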
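Review bot: The added `<t>` in the third hunk (@@ -648) ends mid-sentence: "is encrypted with the" has no object, so the reader cannot tell whether the acknowledgment is encrypted under the initiator's K/IV from `SetupCipher` or under the newly established outgoing secret; please complete the sentence. The inline "(FIXME define invalid ...)" should be resolved in the same paragraph by listing the checks that cause the drop, at minimum: the SIGNATURE verifies under SENDER PEER ID over the data of `figure_tcp_handshake_sig`, and the MONOTONIC TIMESTAMP is strictly greater than the last value accepted from that sender (the natural purpose of a field so named, and the replay check the handshake otherwise lacks). In the figure edit of the same hunk the ruler is shortened to `+0 8 16 24` while every box row below it still has eight 8-bit cells, so the ruler no longer matches the rows; either restore the 64-bit ruler or narrow the rows consistently.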
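Review bot: The fourth hunk (@@ -673) redraws NONCE with `/ /` continuation lines, which in this figure style denotes a variable-length field, yet the corresponding `<dd>` visible as context in the last hunk still reads "A 256-bit random value." One of the two is wrong; if the nonce is fixed at 256 bits, drop the `/ /` rows so the figure again shows exactly four 64-bit rows for it, and if it is variable-length, say what bounds it and how SIZE accounts for it.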
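Review bot: In the fifth hunk (@@ -683) SIZE and TYPE become 16-bit fields, but the figure row `| SIZE | TYPE (0x0X) |` still spans the full 64-bit row, which now implies 32 bits each; the row should be drawn as two 16-bit fields. The replacement text for TYPE keeps the `XXXX` placeholder and drops the GANA registry reference and the rationale the PURPOSE text carried (context separation so a signature cannot be reused elsewhere in the protocol). Since the field is now a message type rather than a signature purpose, the hunk should say where the signature purpose lives instead and what exactly is signed; otherwise the figure's title ("wire format used for creating the signature of ...") no longer matches a `<dl>` that describes a message header.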
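Review bot: The paragraph added in the last hunk (@@ -712) has a typo in its first word: "One outgoing and incoming shared secrets are established" should read "Once outgoing and incoming shared secrets are established". The trailing "FIXME hmac, MtE discussion, padding-oracle, etc" is the right list to resolve, and the H key derived in `SetupCipher` is the hook for it: the Box message section should state that the MAC under H is computed over the ciphertext and checked before any decryption (encrypt-then-MAC), which is what removes the padding-oracle concern the FIXME names, and how the MAC's size is reflected in the message layout.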