lsd0007

LSD0007: GNUnet communicators

commit 83c5e18af661aaa2e7f4fbfb9572b0403960f590
parent 4cd0438bb5b56585137723bd4bbb988aeb18f072
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date:   Sun, 10 Mar 2024 12:59:31 +0100

-fix

Diffstat:
M draft-gnunet-communicators.xml | 23 +++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/draft-gnunet-communicators.xml b/draft-gnunet-communicators.xml @@ -573,6 +573,21 @@ DeriveKID(MSK,SEQ): <section anchor="tcp_comm" numbered="true" toc="default"> <name>TCP communicators</name> <t> + TCP communicators communicate over and encrypted, bi-directional communication channel. + Each direction of the communication is encryption using a dedicated shared secret + which is exchanged in initial key exchange handshakes. + Once shared secrets are established, regular re-keying occurs after a certain amount of bytes + transmitted (FIXME: Currently, hard-coded to 4 GB!). + </t> + <t> + Messages are encrypted using the encrypt-then-mac paradigm. Yes, we <bcp14>MUST</bcp14> + use mac-then-encrypt as we want to hide the message size on the wire to achieve a + zero-plaintext design. + As encryption is done using AES-CTR, padding oracle attacks do not apply (WHY?). + Also, due to the use of ephemeral keys in combination with monotonic time stamps any + attacker is limited in using the oracle as replay attacks are prevented. + </t> + <t> The first data from a communicator that is trying to establish a connection is always an ephemeral public key. This key is used to derive an initial symmetric key which is used to decrypt @@ -586,9 +601,9 @@ SetupCipher(MSK): K := HKDF-Expand (PRK_k, PEERID, 256 / 8) PRK_i := HKDF-Extract ("TCP-ctr", MSK) IV := HKDF-Expand (PRK_i, PEERID, 128 / 8) - PRK_h := HKDF-Extract ("TCP-hmac", MSK) - H := HKDF-Expand (PRK_i, PEERID, 512 / 8) - return K,IV,H + PRK_mac := HKDF-Extract ("TCP-hmac", MSK) + K_mac := HKDF-Expand (PRK_i, PEERID, 512 / 8) + return K,IV,K_mac ]]></artwork> <t> The above K and IV are used to decrypt the following 136 bytes of data 
@@ -786,7 +801,7 @@ SetupCipher(MSK): </dd> </dl> <t> - One outgoing and incoming shared secrets are established, actual payload can be exchanged + Once outgoing and incoming shared secrets are established, actual payload can be exchanged bi-directionally using TCP Box messages. FIXME hmac, MtE discussion, padding-oracle, etc </t> </section>
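Review bot: the second added <t> in the first hunk contradicts itself: it opens with "Messages are encrypted using the encrypt-then-mac paradigm" and immediately follows with "we MUST use mac-then-encrypt"; only one can be the design, and since the stated goal (hiding the message size, zero plaintext on the wire) and the existing "MtE discussion" FIXME both point to MAC-then-encrypt, the first sentence should read "mac-then-encrypt". The justification also needs to be stated rather than left as "(WHY?)": AES-CTR is a stream mode, so no padding is added on encryption or checked on decryption, which is why a padding oracle cannot arise; but MAC-then-encrypt still means the receiver decrypts bytes before their authenticity is known, so the text should say that the HMAC is verified before any decrypted byte is acted upon and that a failed verification aborts the connection. Smaller points in the same hunk: "over and encrypted" should be "over an encrypted", "is encryption using" should be "is encrypted using", the 4 GB re-keying threshold is left as a FIXME instead of being specified, and "limited in using the oracle" should name which oracle is meant.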
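Review bot: in the SetupCipher hunk the MAC key is still expanded from the wrong PRK. The rename keeps `K_mac := HKDF-Expand (PRK_i, PEERID, 512 / 8)`, so `PRK_mac := HKDF-Extract ("TCP-hmac", MSK)` is computed and never used, and the IV and the MAC key are both HKDF-Expand outputs of PRK_i with the same info PEERID, differing only in length; with HKDF that makes the 128-bit IV a prefix of the 512-bit K_mac. Change the line to `K_mac := HKDF-Expand (PRK_mac, PEERID, 512 / 8)` so K, IV and K_mac come from three separate extracts. The pre-rename lines had the same defect (`H := HKDF-Expand (PRK_i, ...)`), so renaming alone does not fix it.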
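Review bot: the "One" to "Once" correction in the last hunk is right, but the "FIXME hmac, MtE discussion, padding-oracle, etc" kept in the same <t> is now stale: the MtE and padding-oracle discussion this commit adds sits at the top of the section. Either drop the FIXME or narrow it to what is still unspecified, namely the order of HMAC verification relative to decryption and the behaviour on verification failure, neither of which the new text states.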