commit 7cd9bf223acec1b0011e275910279f90af714f49
parent 71afc7a586928db9c9b42f179d6652858c7215a1
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Fri, 28 Jul 2023 11:17:35 +0200
More reverse engineering. Propose header for udp box
Diffstat:
1 file changed, 115 insertions(+), 31 deletions(-)
diff --git a/draft-gnunet-communicators.xml b/draft-gnunet-communicators.xml
@@ -238,29 +238,57 @@
each peer ID to reject possible replay attacks.
</t>
<t>
- FIXME: Handshake wire format, KX, Flow.
+ Until a shared secret has been established, messages sent from the sender peer to the receiver peer
+ are always encrypted and a key exchange metadata header is prepended.
+ The wire format can be found in <xref target="figure_udp_initialkx"/>.
+ This method of sending messages to a peer can be used indefinitely, but is ineffienct since for every
+ message, a new symmetric key must be established.
</t>
<figure anchor="figure_udp_initialkx" title="The binary representation of the initial key exchange packet.">
<artwork name="" type="" align="left" alt=""><![CDATA[
-0 8 16 24 32 40 48 56
+0 8 16 24
++-----+-----+-----+-----+-----+-----+-----+-----+
+| SIZE | TYPE (0x0X) |
+-----+-----+-----+-----+-----+-----+-----+-----+
| EPHEMERAL PUBLIC KEY |
| |
| |
| |
+| |
+| |
+| |
+| |
+-----+-----+-----+-----+-----+-----+-----+-----+
| GCM TAG |
| |
+| |
+| |
+-----+-----+-----+-----+-----+-----+-----+-----+
| REKEY |
| |
+| |
+| |
++-----+-----+-----+-----+-----+-----+-----+-----+
+/ ENCRYPTED DATA /
+-----+-----+-----+-----+-----+-----+-----+-----+
]]></artwork>
</figure>
<dl>
+ <dt>SIZE</dt>
+ <dd>
+ A 16-bit value containing the length of the message in bytes
+ in network byte order.
+ </dd>
+ <dt>TYPE</dt>
+ <dd>
+ A 16-bit type flag in network byte order. The value of this
+ field <bcp14>MUST</bcp14> be XXXX.
+ </dd>
<dt>EPHEMERAL PUBLIC KEY</dt>
<dd>
- A 256-bit EdDSA public key.
+ A 256-bit EdDSA public key. This key is used as input to a Diffie-Hellman KEM to decapsulate
+ the symmetric secret used to establish a shared secret which can be used to
+ decrypt ENCRYPTED DATA.
</dd>
<dt>GCM TAG</dt>
<dd>
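Review bot: the new ruler `0 8 16 24` in figure_udp_initialkx labels a 32-bit row, but every row still draws eight `-----` cells, so the ruler and the boxes disagree; either redraw the rows with four cells or keep the 64-bit ruler (the row counts only add up at 32 bits per row: 8 rows for the 256-bit key, 4 rows for the 128-bit tag and the 128-bit REKEY field). The TYPE entry `field <bcp14>MUST</bcp14> be XXXX` leaves a placeholder inside a normative requirement; a FIXME is clearer until the value is assigned. In the EPHEMERAL PUBLIC KEY entry, `A 256-bit EdDSA public key. This key is used as input to a Diffie-Hellman KEM` should say which key type and curve actually feed the DH (an EdDSA verification key is not by itself an ECDH key; if Ed25519 keys are mapped to a DH curve, state that), and "decapsulate the symmetric secret used to establish a shared secret" reads circularly: name the KEM output and the KDF that turns it into the session key once, and say that the sender encapsulates and the receiver decapsulates. Typo in the new paragraph: `ineffienct` should be inefficient.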
@@ -270,6 +298,69 @@
<dd>
A 128-bit rekey flag. If any bit is set, this indicates a rekey.
</dd>
+ <dt>ENCRYPTED DATA</dt>
+ <dd>
+ The remaining data (as indicated by SIZE) is AES-GCM encrypted using the current session key and authenticated
+ through the GCM TAG.
+ This data contains a confirmation message (<xref target="figure_udp_confirmation"/>).
+ </dd>
+ </dl>
+ <t>
+ FIXME: Explain key schedule/KEM.
+ </t>
+ <t>
+ In order to prevent replay attacks for KX messages, the plaintext resulting from decryption of the ENCRYPTED DATA
+ in the KX message starts with a session-specific confirmation header:
+ </t>
+<figure anchor="figure_udp_confirmation" title="The binary representation of the KX confirmation packet">
+ <artwork name="" type="" align="left" alt=""><![CDATA[
+0 8 16 24 32 40 48 56
++-----+-----+-----+-----+-----+-----+-----+-----+
+| |
+| SENDER PEER ID |
+| |
+| |
++-----+-----+-----+-----+-----+-----+-----+-----+
+| |
+| SIGNATURE |
+| |
+| |
+| |
+| |
+| |
+| |
++-----+-----+-----+-----+-----+-----+-----+-----+
+| MONOTONIC TIMESTAMP |
+| |
+| |
+| |
+| |
+| |
+| |
+| |
++-----+-----+-----+-----+-----+-----+-----+-----+
+/ PAYLOAD /
++-----+-----+-----+-----+-----+-----+-----+-----+
+ ]]></artwork>
+ </figure>
+ <dl>
+ <dt>SENDER PEER ID</dt>
+ <dd>
+ A 256-bit EdDSA public key.
+ </dd>
+ <dt>SIGNATURE</dt>
+ <dd>
+ The EdDSA signature is computed with the peer private key
+ over the session metadata as detailed in <xref target="figure_udp_handshake_sig"/>.
+ </dd>
+ <dt>MONOTONIC TIMESTAMP</dt>
+ <dd>
+ FIXME.
+ </dd>
+ <dt>PAYLOAD</dt>
+ <dd>
+ The message payload data.
+ </dd>
</dl>
<figure anchor="figure_udp_handshake_sig" title="The wire format used for creating the signature of the identification packet.">
<artwork name="" type="" align="left" alt=""><![CDATA[
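Review bot: the claim `In order to prevent replay attacks for KX messages, the plaintext ... starts with a session-specific confirmation header` cannot be verified while MONOTONIC TIMESTAMP is still `FIXME.`; give the timestamp's width, epoch and units, state that the receiver compares it with the last value seen for that SENDER PEER ID (the top of the section says this is done per peer ID), and list which fields the signature in figure_udp_handshake_sig covers, since the header is only session-specific if the signature binds the ephemeral key and the timestamp. In the artwork, MONOTONIC TIMESTAMP spans eight 64-bit rows, the same 512 bits as SIGNATURE, which looks like a copied block rather than the intended width. This figure also keeps the 64-bit ruler `0 8 16 24 32 40 48 56` while figure_udp_initialkx switched to `0 8 16 24`; use one convention in both. The ENCRYPTED DATA entry says `encrypted using the current session key`, but for the initial KX message there is no current session key yet; say it is the key derived from the KEM output, which is what the `FIXME: Explain key schedule/KEM.` paragraph should then describe.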
@@ -344,56 +435,49 @@
A 256-bit random value.
</dd>
</dl>
-<figure anchor="figure_udp_confirmation" title="The binary representation of the KX confirmation packet">
+<figure anchor="figure_udp_box" title="The binary representation of the UDP Box.">
<artwork name="" type="" align="left" alt=""><![CDATA[
-0 8 16 24 32 40 48 56
+0 8 16 24
+-----+-----+-----+-----+-----+-----+-----+-----+
-| |
-| SENDER PEER ID |
-| |
-| |
+| SIZE | TYPE (0x0X) |
+-----+-----+-----+-----+-----+-----+-----+-----+
-| |
-| SIGNATURE |
-| |
-| |
-| |
+| GCM TAG |
| |
| |
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
-| MONOTONIC TIMESTAMP |
-| |
-| |
-| |
-| |
+| REKEY |
| |
| |
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
-/ PAYLOAD /
+/ ENCRYPTED DATA /
+-----+-----+-----+-----+-----+-----+-----+-----+
]]></artwork>
</figure>
<dl>
- <dt>SENDER PEER ID</dt>
+ <dt>SIZE</dt>
<dd>
- A 256-bit EdDSA public key.
+ A 16-bit value containing the length of the message in bytes
+ in network byte order.
</dd>
- <dt>SIGNATURE</dt>
+ <dt>PURPOSE</dt>
<dd>
- The EdDSA signature is computed with the peer private key
- over the DER-encoded TLS
- certificate of the peer along with a pseudo-header
- as detailed in <xref target="figure_udp_handshake_sig"/>.
+ A 16-bit type flag in network byte order. The value of this
+ field <bcp14>MUST</bcp14> be XXXX.
</dd>
- <dt>MONOTONIC TIMESTAMP</dt>
+ <dt>GCM TAG</dt>
<dd>
- FIXME.
+ A 128-bit GCM tag used to authenticate the ciphertext immediately following this KX.
</dd>
- <dt>PAYLOAD</dt>
+ <dt>REKEY</dt>
+ <dd>
+ A 128-bit rekey flag. If any bit is set, this indicates a rekey.
+ </dd>
+ <dt>ENCRYPTED DATA</dt>
<dd>
- Optional payload data. FIXME: Not part of this?
+ The remaining data (as indicated by SIZE) is AES-GCM encrypted using the current session key and authenticated
+ through the GCM TAG.
</dd>
</dl>
<t>
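Review bot: the definition list names the second field `PURPOSE` while the artwork labels it `TYPE (0x0X)` and the text says `A 16-bit type flag`; use one name, and note that the GCM TAG entry `used to authenticate the ciphertext immediately following this KX` still talks about a KX although this figure is the UDP Box. The `0 8 16 24` ruler and the eight-cell rows disagree here as in figure_udp_initialkx. The box carries no nonce or sequence field, yet ENCRYPTED DATA is `AES-GCM encrypted using the current session key`; document how the GCM nonce is derived for each box (a per-key counter, something derived from REKEY, or otherwise) so that it never repeats under one session key, and how the receiver decides which session key a box belongs to when more than one is live after a rekey. The placeholder `<bcp14>MUST</bcp14> be XXXX` should be a FIXME until the value is assigned.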