commit 0deb4a79c3347b551006fbe51780178f147db8c8
parent 811d0156c59c4acf6ee7e4c451aad249853b14b5
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Wed, 13 Nov 2024 14:59:54 +0100
start adding epoch/seq
Diffstat:
1 file changed, 46 insertions(+), 37 deletions(-)
diff --git a/draft-schanzen-cake.xml b/draft-schanzen-cake.xml
@@ -108,29 +108,36 @@
</section>
</section>
<section anchor="terminology">
- <name>Terminology</name>
- <dl>
- <dt>IATS</dt>
- <dd>Initiator Application Traffic Secret Key</dd>
- <dt>RATS</dt> <dd>Receiver Application Traffic Secret Key</dd>
- <dt>dES</dt> <dd>Derived Early Secret Key</dd>
- <dt>dHS</dt> <dd>Derived Handshake Key</dd>
- <dt>ES</dt> <dd>Early Secret Key</dd>
- <dt>ETS</dt> <dd>Early Traffic Secret Key</dd>
- <dt>HS</dt> <dd>Handshake Secret Key</dd>
- <dt>MS</dt> <dd>Main Secret Key</dd>
- <dt>ES</dt> <dd>Early Secret Key</dd>
- <dt>IHTS</dt> <dd>Initiator Handshake Secret Key</dd>
- <dt>RHTS</dt> <dd>Receiver Handshake Secret Key</dd>
- <dt>Foo...Bar</dt> <dd>means the transcript of received/send messages from Foo until Bar. Note that the transcript refers to what is seen on the wire (i.e. potentially encryption) but as shorthand, we only refer to the plaintext message.</dd>
- <dt>Enc/Dec</dt> <dd>This refers to <xref target="RFC8439"/>, the ChaCha20-Poly1305 Authenticated Encryption with Associated Data (AEAD) construction.</dd>
+ <name>Conventions and Terminology</name>
+ <t>
+ While some of the terminology is explicitly re-defined here, the reader is expected
+ to be familiar with TLS 1.3 (<xref target="RFC8446"/>), DTLS 1.3 (<xref target="RFC9147"/>) and HPKE
+ (<xref target="9180"/>).
+ <dl>
+ <dt>inititator:<dt><dd>See client in <xref target="RFC9147"/> Section 2.</dd>
+ <dt>receiver:<dt><dd>See server in <xref target="RFC9147"/> Section 2.</dd>
+ <dt>epoch:</dt><dd>See <xref target="RFC9147"/> Section 2.</dd>
+ <dt>IATS:</dt>
+ <dd>Initiator Application Traffic Secret Key</dd>
+ <dt>RATS:</dt> <dd>Receiver Application Traffic Secret Key</dd>
+ <dt>ES:</dt> <dd>Early Secret Key</dd>
+ <dt>ETS:</dt> <dd>Early Traffic Secret Key</dd>
+ <dt>HS:</dt> <dd>Handshake Secret Key</dd>
+ <dt>MS:</dt> <dd>Main Secret Key</dd>
+ <dt>ES:</dt> <dd>Early Secret Key</dd>
+ <dt>IHTS:</dt> <dd>Initiator Handshake Secret Key</dd>
+ <dt>RHTS:</dt> <dd>Receiver Handshake Secret Key</dd>
+ <dt>Foo...Bar:</dt> <dd>means the transcript of received/send messages from Foo until Bar. Note that the transcript refers to what is seen on the wire (i.e. potentially encryption) but as shorthand, we only refer to the plaintext message.</dd>
+ <dt>'[]'</dt> <dd>indicates encryption with a handshake traffic key and <xref target="RFC8439"/>, the ChaCha20-Poly1305 Authenticated Encryption with Associated Data (AEAD) construction.</dd>
+ <dt>'{}'</dt> <dd>indicates encryption with an application traffic key and <xref target="RFC8439"/>, the ChaCha20-Poly1305 Authenticated Encryption with Associated Data (AEAD) construction.</dd>
</dl>
</section>
- <section anchor="notation" numbered="true" toc="default">
- <name>Notation</name>
+ <section anchor="rationale" numbered="true" toc="default">
+ <name>Design Rationale</name>
<t>
- We use the notation and terminology of <xref target="RFC8439"/> and <xref target="RFC9180"/> throughout
- this document.
+ The design rationale for CAKE is similar to DTLS 1.3 (cf. <xref target="9147"/> Section 3).
+ Except that CAKE does not consider Fragmentation as this is expected to be provided by the
+ transport underlay layer of GNUnet.
</t>
</section>
<section anchor="protocol_flow" numbered="true" toc="default">
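Review bot: The two new bracket definitions are inverted relative to how the rest of this patch uses them and relative to the TLS 1.3 convention the section tells the reader to assume (RFC 8446 Section 2 uses '{}' for messages protected with handshake traffic keys and '[]' for messages protected with application traffic keys). The protocol flow changes below replace `*RHTS` annotations with '{}' and `*RATS` annotations with '[]', so the text here should read `'{}'` ... "handshake traffic key" and `'[]'` ... "application traffic key". Three further points in this hunk: the entries for dES and dHS are dropped although the flow diagram still labels key-schedule steps `dES` and `(d)HS`, so keep those entries (or rename the diagram labels); the markup is not well-formed, since `<dt>inititator:<dt>` and `<dt>receiver:<dt>` never close the `<dt>` (and misspell "initiator"), the `<t>` opened before "While some of the terminology" is never closed, and a `<dl>` is not permitted inside `<t>` in RFCXML v3, so end the `<t>` before the list; and `<xref target="9180"/>` should be `<xref target="RFC9180"/>` to match the anchor used by the removed Notation text. Minor: `ES:` is listed twice, and the transcript entry should read "received/sent messages" and "potentially encrypted".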
@@ -179,7 +186,7 @@ sk_e | |
ES,ETS | |
| |
| InitiatorHello |
- | (pk_I,ServicesInfo)*ETS |
+ | {pk_I,ServicesInfo} |
+---------------------------------------------->|
| | pk_I
| | ES,ETS
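Review bot: InitiatorHello was annotated `*ETS` and is now written `{pk_I,ServicesInfo}`, but neither bracket in the new terminology section denotes protection under the early traffic secret, and both sides still derive `ES,ETS` in this hunk's context lines. Either add a third marker for ETS-protected messages to the terminology list or state explicitly that the InitiatorHello payload is encrypted under ETS; as written, a reader following the bracket definitions would conclude it is sent under a handshake or application traffic key that does not yet exist at this point in the flow.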
@@ -189,10 +196,10 @@ ES,ETS | |
| | [I,R]HTS
| | RATS
| ReceiverHello |
- | (ServicesInfo)*RHTS |
- | (ReceiverKemCiphertext)*RTHS |
- | (ReceiverFinished)*RHTS |
- | [(Application Payload)*RATS] |
+ | {ServicesInfo} |
+ | {ReceiverKemCiphertext} |
+ | {ReceiverFinished} |
+ | [Application Payload] |
|<----------------------------------------------+
dES | |
(d)HS | |
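Review bot: The replacements here follow the TLS 1.3 convention, '{}' for the formerly `*RHTS` handshake messages (ServicesInfo, ReceiverKemCiphertext, ReceiverFinished) and '[]' for the formerly `*RATS` application payload, which is the opposite of the '[]' / '{}' definitions this patch adds to the terminology section. Fix the definitions rather than the diagram, since the diagram matches RFC 8446. Incidentally, the removed line `(ReceiverKemCiphertext)*RTHS` had a typo (RTHS for RHTS) that this rewrite removes.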
@@ -200,17 +207,15 @@ MS | |
[I,R]HTS | |
[I,R]ATS | |
| |
- | (InitiatorFinished)*IHTS |
- | [(Application Payload)*IATS] |
+ | {InitiatorFinished} |
+ | [Application Payload] |
+---------------------------------------------->|
| | IATS
| |
| |
| |
- | (Application Payload)*RATS |
- |<----------------------------------------------|
- | (Application Payload)*IATS |
- |---------------------------------------------->|
+ | [Application Payload] |
+ |<--------------------------------------------->|
| |
v v
]]></artwork>
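Review bot: Collapsing the two application-data arrows into one bidirectional `[Application Payload]` line drops information the removed lines carried, namely that initiator-to-receiver data is protected under IATS and receiver-to-initiator data under RATS. Since the new '[]' definition only says "an application traffic key", either keep the two directional lines or state in the definition that the sender's application traffic key (IATS or RATS) is meant.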
@@ -456,15 +461,19 @@ nonce = HKDF-Expand ([I,R][A,H]TS, "iv", 12)
<artwork name="" type="" align="left" alt=""><![CDATA[
0 8 16 24 32 40 48 56
+-----+-----+-----+-----+-----+-----+-----+-----+
-| Nonce /
-/ +-----+-----+-----+-----+
-/ | Tag /
-+-----+-----+-----+-----+-----+-----+-----+-----+
-/ | Seq |
+| Epoch | Sequence Number |
+-----+-----+-----+-----+-----+-----+-----+-----+
| Timestamp |
+-----+-----+-----+-----+-----+-----+-----+-----+
- ]]></artwork>
+| Nonce |
+| +-----+-----+-----+-----+
+| | |
++-----+-----+-----+-----+ |
+| Tag |
+| +-----+-----+-----+-----+
+| |
++-----+-----+-----+-----+
+ ]]></artwork>
</figure>
<t>
This is followed by encrypted application data.
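Review bot: With Epoch and Sequence Number now on the wire, the relationship between them and the 12-byte Nonce field needs to be defined, and the context line `nonce = HKDF-Expand ([I,R][A,H]TS, "iv", 12)` makes the question urgent: that expression yields one fixed value per traffic secret, and if it is used directly as the AEAD nonce for every record under that key, ChaCha20-Poly1305 nonce reuse follows. The usual construction (RFC 8446 Section 5.3, RFC 9147 Section 4.2.2) treats the HKDF output as a static IV and XORs it with the left-padded epoch and sequence number to form the per-record nonce, which also makes the explicit Nonce field redundant and saves 12 bytes per record; if the field is instead meant to carry a fresh per-record value, say so and say how it is generated. The figure also leaves the split between Epoch and Sequence Number within the first 64-bit row unspecified (DTLS 1.3 uses a 2-bit epoch and an 8- or 16-bit sequence number, DTLS 1.2 a 16-bit epoch and 48-bit sequence number), so state the byte widths in the text, and state whether Epoch, Sequence Number and Timestamp are included as AEAD associated data, since an unauthenticated header invites reordering and replay across epochs.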