commit be5ca2ad88b9e91c62e59afef3c3a810442d1bd8
parent 45181fac38967b6aaf6fdb8ab55bdb5460d1a17f
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Tue, 18 Jun 2024 16:10:49 +0200
organize
Diffstat:
1 file changed, 54 insertions(+), 28 deletions(-)
diff --git a/draft-gnunet-communicators.xml b/draft-gnunet-communicators.xml
@@ -200,7 +200,34 @@
not attempt to retransmit them.
</t>
</section>
- <section anchor="udp_comm" numbered="true" toc="default">
+ <section anchor="Primitives" numbered="true" toc="default">
+ <name>General purpose primitives</name>
+ <t>
+ We use a hash-based key derivation function (HKDF) as defined in
+ <xref target="RFC5869" />, using SHA-256 <xref target="RFC6234"/> for the extraction
+ phase and SHA-256 <xref target="RFC6234"/> for the expansion phase.
+ </t>
+ <t>
+ Communicators use a modified version of the standard X25519 key exchange described in
+ section 6.1 of <xref target="RFC7748"/>.
+ We refer to the the ephemeral key pair as "a" and "A := a*G" where G is the generator of
+ the curve.
+ It deviates in that we use the Ed25519 key pair "x","X = x*G" of the peer identity as X25519 scalars
+ and curve points, respectively.
+ This use of a KEM and its safety has been investigated by <xref target="T21"/>.
+ </t>
+ <t>
+ We define the key derivation function (KDF) used to derive a uniform symmetric key
+ from the X25519 result "Z" and the ephemeral public key "A":
+ </t>
+ <artwork anchor="kdf" name="" type="" align="left" alt=""><![CDATA[
+KDF(A,Z):
+ PRK_h := HKDF-Extract (0, A||Z)
+ MSK := HKDF-Expand (PRK_h, "gnunet-ed25519-x25519-ecdh", (512) / 8)
+ return MSK
+ ]]></artwork>
+ </section>
+ <section anchor="udp_comm" numbered="true" toc="default">
<name>UDP communicator</name>
<t>
The UDP communicator implements an encryption layer that protects both the payload and the communicator's
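Review bot: The new Primitives paragraph says the Ed25519 key pair "x","X = x*G" is used "as X25519 scalars and curve points, respectively" but does not say how. G is described once as "the generator of the curve" and then used for both "A := a*G" (X25519) and "X = x*G" (Ed25519), and the point conversion that the later KEM text names (Ed_To_Curve() / EdToCurve25519) is not mentioned here. Suggest stating which base point each G refers to, naming the Edwards-to-Montgomery conversion in this section, and specifying whether "x" is the Ed25519 seed or the scalar derived from it. Minor: "the the ephemeral key pair" has a duplicated word, and "This use of a KEM" refers to a KEM that this section has not yet introduced.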
@@ -237,8 +264,7 @@
<name>Key exchange</name>
<t>
Independent of the type of message queue, an X25519-based key exchange is at least initiated once by the sending peer. In cases
- where the receiving peer cannot acknowledge the reception of messages, a key exchange is performed for every message. The UDP
- communicator uses a modified version of the standard X25519 key exchange described in section 6.1 of <xref target="RFC7748"/>.
+ where the receiving peer cannot acknowledge the reception of messages, a key exchange is performed for every message.
The two key pair needed for such a key exchange is an ephemeral key pair generated by the initiating communiciator and the peer
identity of the receiving communciator. The ephemeral public key is transfered via a key exchange (KX) message as defined in
<xref target="figure_udp_initialkx"/>.
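Review bot: With the sentence about the modified X25519 exchange removed from this paragraph, the Key exchange section no longer tells the reader that the exchange deviates from RFC 7748 or where the deviation is defined. Suggest adding a pointer at the end of the shortened sentence, for example an xref to the new "Primitives" anchor. Since the paragraph is being touched anyway, the surviving context lines could be cleaned up at the same time: "The two key pair needed ... is", "communiciator", "communciator" and "transfered".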
@@ -425,18 +451,35 @@
<t>
Let G be the basepoint of Curve25519, Ed_To_Curve() a function which converts Ed25519 points to their corresponding Curve25519
points, Enc() Elligator's encoding function, Dec() Elligator's decoding function, REC_ID the receiver's peer identity (a 256-bit EdDSA public key),
- REC_SK the corresponding secret key, EPH_SK a 256-bit ephemeral secret key and SetupCipher() the HKDF defined in <xref target="setup_cipher"/>.
- We can then define the UDP communicator’s key exchange for the first message as a KEM:
+ REC_SK the corresponding secret key, EPH_SK a 256-bit ephemeral secret key and SetupCipher() the HKDF defined in <xref target="setup_cipher"/>. Observe that:
</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
-Key_Gen() := (REC_SK, REC_ID)
-Encap(REC_ID) := (REPR, (K,IV)) = (Enc(G.EPH_SK, rand), SetupCipher(KDF(X25519(EPH_SK, Ed_To_Curve(REC_ID))), 0))
-Decap(REPR) := (K,IV) = SetupCipher(KDF(X25519(REC_SK, Dec(REPR))), 0)
+ (REC_SK, REC_ID) := KeyGenEd25519()
+ (EPH_SK, EPH_PUB) := KeyGenX25519()
+ Z := X25519(EPH_SK, EdToCurve25519(REC_ID)) = X25519(REC_SK, EPH_PUB)
]]></artwork>
<t>
+ We can then define the UDP communicator’s key exchange for the first message as a KEM:
+ </t>
+ <artwork anchor="encaps" name="" type="" align="left" alt=""><![CDATA[
+Encaps(REC_ID):
+ (EPH_SK, EPH_PUB) := KeyGenX25519()
+ Z := X25519(EPH_SK, EdToCurve25519(REC_ID)
+ MSK := KDF(EPH_PUB,Z)
+ REPR := Enc(EPH_PUB, rand)
+ return REPR, MSK
+ ]]></artwork>
+ <artwork anchor="decaps" name="" type="" align="left" alt=""><![CDATA[
+Decaps(REPR):
+ EPH_PUB := Dec(REPR)
+ Z := X25519(REC_SK, EPH_PUB)
+ MSK := KDF(EPH_PUB,Z)
+ return MSK
+ ]]></artwork>
+ <t>
+ The resulting MSK is used to derive symmetric encryption key K and initialization vector IV using SetupCipher(MSQ,SEQ).
Both the sending and the receiving peer <bcp14>SHOULD</bcp14> store the master shared secret MSK and attribute it to the corresponding peer.
- In case of an acknowledgment from the receiving peer, the established MSK can be reused by iterativly increasing the sequence number SEQ for
- SetupCipher(MSK, SEQ).
+ In case of an acknowledgment from the receiving peer, the established MSK can be reused by iterativly increasing the sequence number SEQ for SetupCipher(MSK, SEQ).
</t>
<t>
Note that the exchange of the receiver peer identity is not within the scope of the UDP communicator's key exchange and is already
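Review bot: Two errors in the added text make the KEM definition ambiguous. In Encaps, the line "Z := X25519(EPH_SK, EdToCurve25519(REC_ID)" is missing its closing parenthesis, and the new sentence after Decaps says "SetupCipher(MSQ,SEQ)" where the rest of the paragraph uses MSK. The conversion function is also named inconsistently: the unchanged prose defines "Ed_To_Curve()" while the new artwork uses "EdToCurve25519"; pick one and define it once. The prose still introduces "G the basepoint of Curve25519", which the rewritten pseudocode no longer uses, and the old Encap fixed SEQ to 0 for the first message while the new text leaves the initial SEQ value unstated. "iterativly" on the rewrapped line is a typo.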
@@ -452,10 +495,6 @@ Decap(REPR) := (K,IV) = SetupCipher(KDF(X25519(REC_SK, Dec(REPR))), 0)
shared secret to switch to the more efficient queue. The details about the acknowledgment process and subsequent message exchange can be
found in <xref target="udp_message_exchange"/>.
</t>
- <t>
- We want emphasize, that the use of the peer identities for both Ed25519 signatures and the X25519-based KEM has been proven to be safe.
- For further details, refer to the paper <xref target="T21"/>.
- </t>
</section>
<section anchor="udp_key_schedule" numbered="true" toc="default">
<name>Key schedule</name>
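Review bot: The paragraph removed here stated that the dual use of the peer identity "has been proven to be safe", while its replacement in the new Primitives section says only that the use "has been investigated by" T21. For a commit titled "organize" this changes the strength of the security claim rather than just moving it. Please confirm which wording matches the T21 result and mention the change in the commit message if it is intended. The replacement also drops the explicit statement that the same keys serve both Ed25519 signatures and the X25519-based KEM, which is the property a reader needs to find.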
@@ -463,20 +502,7 @@ Decap(REPR) := (K,IV) = SetupCipher(KDF(X25519(REC_SK, Dec(REPR))), 0)
Once a shared secret MSK is established through within the Diffie-Hellman KEM, symmetric keys are derived according to a key schedule
from a 32-bit sequence number SEQ (in network byte order).
</t>
- <t>
- The KEM and KID derivation uses a hash-based key derivation function (HKDF) as defined in
- <xref target="RFC5869" />, using SHA-256 <xref target="RFC6234"/> for the extraction
- phase and SHA-256 <xref target="RFC6234"/> for the expansion phase.
- The secret resulting from the X25519 KEM is derived into a key using
- the following KDF:
- </t>
- <artwork anchor="kdf" name="" type="" align="left" alt=""><![CDATA[
-KDF(A,Z):
- PRK_h := HKDF-Extract (0, A||Z)
- MSK := HKDF-Expand (PRK_h, "gnunet-ed25519-x25519-ecdh", (512) / 8)
- return MSK
- ]]></artwork>
- <t>
+ <t>
For SetupCipher, PRK_h is key material retrieved using an HKDF using the byte string
seq as salt and k as initial keying material.
key and initialization vector are the 256 + 96-bit HKDF expansion result.
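Review bot: After the HKDF paragraph and the KDF artwork are removed, the Key schedule section no longer says which hash function SetupCipher's HKDF uses; the remaining text only says "an HKDF". Suggest adding an xref to the "Primitives" anchor in the SetupCipher paragraph so the SHA-256 choice still applies unambiguously. The surviving context also uses "seq" and "k" where the surrounding text uses SEQ and MSK, and "established through within the Diffie-Hellman KEM" has a stray word; both are worth fixing while this section is being edited.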