commit 5cc9711efffd621b871a129e7cac2d828718df31
parent c7503e54cb9190d3a3692e6fd6590ff13ed74e27
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Wed, 19 Jun 2024 09:36:35 +0200
more cleanup
Diffstat:
1 file changed, 23 insertions(+), 42 deletions(-)
diff --git a/draft-gnunet-communicators.xml b/draft-gnunet-communicators.xml
@@ -552,7 +552,7 @@ Decaps(x, A):
<artwork anchor="setup_cipher" name="" type="" align="left" alt=""><![CDATA[
SetupCipher(MSK,SEQ):
PRK := HKDF-Extract (SEQ, MSK)
- K,IV := HKDF-Expand (PRK, "gnunet-communicator-udp-key-iv", 32 + 12)
+ K,IV := HKDF-Expand (PRK, "gnunet-communicator-udp-key-iv", 44)
return K,IV
]]></artwork>
<t>
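Review bot: The literal 44 on the HKDF-Expand line of SetupCipher(MSK,SEQ) no longer shows how the output is divided between K and IV, which the removed "32 + 12" did. Consider keeping the sum, or adding a line to the artwork stating the length of K and of IV, so an implementer does not have to infer the split from elsewhere in the draft.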
@@ -759,7 +759,7 @@ DeriveKID(MSK,SEQ):
<name>Handshake</name>
<t>
The main purpose of the handshake is to establish shared key material for each direction of the communication
- channel. The initiating TCP Communicator starts the handshake by sending an ephemeral Curve25519 public key,
+ channel. The initiating TCP Communicator starts the handshake by sending an ephemeral X25519 public key,
which is necessary to perform the X25519-based key exchange defined in <xref target="tcp_KEM"/>. As the
public key can not be encrypted at this stage of the communication channel it <bcp14>MUST</bcp14> be encoded
using the Elligator encoding function.
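Review bot: The context line right after the changed sentence still refers to "the X25519-based key exchange defined in tcp_KEM", but the tcp_KEM section is rewritten later in this patch to say the channel performs the Elligator KEM defined in elligator_kem. Consider updating this sentence in the same change so the handshake text and the key exchange section use the same name for the exchange and point to the same definition.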
@@ -884,7 +884,7 @@ DeriveKID(MSK,SEQ):
</dd>
<dt>REPRESENTATIVE</dt>
<dd>
- A serialized Elligator encoded 256-bit Curve25519 public key. This encoded
+ A serialized Elligator encoded 256-bit X25519 public key. This encoded
public key can be decoded and than used as part of an X25519-based key
exchange to establish a shared secret.
</dd>
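Review bot: The context line directly below the changed REPRESENTATIVE line still reads "can be decoded and than used"; since this definition is being touched anyway, change "than" to "then". The same definition also still says "X25519-based key exchange", which should be checked against the Elligator KEM wording introduced for tcp_KEM later in this patch.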
@@ -1061,53 +1061,34 @@ DeriveKID(MSK,SEQ):
<section anchor="tcp_KEM" numbered="true" toc="default">
<name>Key exchange</name>
<t>
- During the initial handshake, each communication channel performs an X25519-based KEM, which provides the key material
- for the use of AES-CTR and HMAC-SHA512. Later, further key exchanges are performed during each rekeying process. More
- about the initial handshake and rekeying can be found in <xref target="tcp_handshake"/> and
+ During the initial handshake, each communication channel performs the Elligator KEM defined in
+ <xref target="elligator_kem"/>.
+ The resulting shared secret us used in an AES-CTR encryption with HMAC-SHA512.
+ Subsequent key exchanges are performed with each rekeying.
+ More about the initial handshake and rekeying can be found in <xref target="tcp_handshake"/> and
<xref target="tcp_rekeying"/> respectively.
</t>
<t>
- The TCP communicator doesn't follow the standard X25519-KEM as described in
- section 6.1 of <xref target="RFC7748"/> because Curve25519 public keys are recognisable by an outside observer. In a
- censored environment, this could lead to the interception of such messages and ultimately prevent communication
- between peers. We circumvent this issue by encoding public keys using Elligator, a mathematical method to encode curve points
- into random-looking byte streams (referred to as the "representative").
- Since all data, apart from the public keys, is only sent encrypted, all the data send over the communication channel
- is indistinguishable from a random byte stream. This forces a censor to choose between taking no action or intercepting all
- random-looking TCP packets, thereby significantly disrupting a large portion of modern internet communication.
- For more information about elligator and its usage, please refer to <xref target="Elligator"/>.
- </t>
- <t>
- Let G be the basepoint of Curve25519, Ed_To_Curve() a function which converts Ed25519 points to their corresponding
- Curve25519 points, Enc() Elligator's encoding function, Dec() Elligator's decoding function, REC_ID the receiver's peer
- identity (a 256-bit EdDSA public key), REC_SK the corresponding secret key, EPH_SK a 256-bit ephemeral secret key and
- SetupCipher() the HKDF defined in <xref target="setup_cipher_tcp"/>. We can then define the TCP communicator’s key
- exchange as a KEM:
+ Let (REC_SK, REC_ID) be the receiver peer's EdDSA key pair.
+ The sender peer initiates the key exchange using the Elligator KEM from <xref target="elligator_kem"/>
+ resulting in an encapsulation and initial master secret key MSK.
+ MSK is used to derive a symmetric encryption and HMAC key as well as an initialization vector using
+ the procedure "SetupCipher":
</t>
- <artwork name="" type="" align="left" alt=""><![CDATA[
- (REC_SK, REC_ID) := KeyGenEd25519()
- # Sender calls
- REPR, MSK := EncapsElligator(REC_ID)
- # Receiver calls
- MSK := DecapsElligator(REC_SK, REPR)
- # Key derivation
- (K,IV,M_mac) := SetupCipher(REC_ID,MSK)
- ]]></artwork>
- <t>
- </t>
<artwork anchor="setup_cipher_tcp" name="" type="" align="left" alt=""><![CDATA[
-SetupCipher(PEERID, MSK):
- PRK := HKDF-Extract (0, PEERID||MSK)
- K := HKDF-Expand (PRK, "gnunet-communicator-tcp-key", 256 / 8)
- IV := HKDF-Expand (PRK, "gnunet-communicator-tcp-ctr, 128 / 8)
- K_mac := HKDF-Expand (PRK, "gnunet-communicator-tcp-hmac, 512 / 8)
+SetupCipher(REC_ID, MSK):
+ PRK := HKDF-Extract (0, REC_ID||MSK)
+ K := HKDF-Expand (PRK, "gnunet-communicator-tcp-key", 32)
+ IV := HKDF-Expand (PRK, "gnunet-communicator-tcp-ctr, 16)
+ K_mac := HKDF-Expand (PRK, "gnunet-communicator-tcp-hmac, 64)
return K,IV,K_mac
]]></artwork>
<t>
- Note that the initiating TCP communicator can already perform the encapsulation step after generating the ephemeral
- key pair and immediately encrypt the TCP handshake message before sending it. As soon as the receiving TCP communicator
- receives and decodes the ephemeral public key, it can perform the decapsulation step of the KEM and decrypt the
- following TCP handshake message. The same applies for the TCP handshake message send by the receiving TCP communicator.
+ Note that the initiating TCP communicator can immediately encrypt the first TCP handshake message when
+ sending it.
+ As soon as the receiving TCP communicator receives and decapsulates the repsentative, it can decrypt the
+ following TCP handshake message.
+ The same applies for the TCP handshake message send by the receiving TCP communicator.
</t>
</section>
<section anchor="tcp_message_exchange" numbered="true" toc="default">
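Review bot: In the new SetupCipher(REC_ID, MSK) artwork, the labels on the IV and K_mac lines are missing their closing quote ("gnunet-communicator-tcp-ctr, 16) and "gnunet-communicator-tcp-hmac, 64)), a defect carried over from the removed lines. These strings are the inputs to HKDF-Expand, so the exact label bytes need to be unambiguous for two implementations to derive the same keys; close the quotes as on the K line. The added prose also has typos worth fixing before merge: "us used" should be "is used", "repsentative" should be "representative", and "message send by" should be "message sent by".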