lsd0012

LSD0012: CORE Authenticated Key Exchange (CAKE)

commit 4139a9af86f95735d9ccc7acff7d7b4b5a88fdde
parent 4d38f86a2030aecb4d4955c0a076c5c45c1fda52
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date:   Wed, 30 Jul 2025 14:49:34 +0200

prefix clarification, label

Diffstat:
Mdraft-schanzen-cake.xml | 42+++++++++++++++++++++++++++++-------------
1 file changed, 29 insertions(+), 13 deletions(-)

diff --git a/draft-schanzen-cake.xml b/draft-schanzen-cake.xml
@@ -333,30 +333,44 @@ ss_e | |
 <artwork name="" type="" align="left" alt=""><![CDATA[
 HKDF-Extract(ss_R,0) = Early Secret (ES)
 |
- +-----> HKDF-Expand(., "early data", H(T(H(pk_R))))
+ +-----> HKDF-Expand-Label(.,
+ | "early data",
+ | H(T(H(pk_R))))
 | = Early Transport Secret (ETS)
 |
 v
-HKDF-Expand(., "derived", "") = derived Early Secret (dES)
+HKDF-Expand-Label(.,
+ | "derived",
+ | "") = derived Early Secret (dES)
 |
 v
 HKDF-Extract(ss_e,.) = Handshake Secret (HS)
 |
- +-----> HKDF-Expand(., "i hs traffic", H(T(r_R)))
+ +-----> HKDF-Expand-Label(.,
+ | "i hs traffic",
+ | H(T(r_R)))
 | = IHTS
 |
- +-----> HKDF-Expand(., "r hs traffic", H(T(r_R)))
+ +-----> HKDF-Expand-Label(.,
+ | "r hs traffic",
+ | H(T(r_R)))
 | = RHTS
 v
-HKDF-Expand(., "derived", "") = derived Handshake Secret (dHS)
+HKDF-Expand-Label(.,
+ | "derived",
+ | "") = derived Handshake Secret (dHS)
 |
 v
 HKDF-Extract(ss_I,.) = Master Secret (MS)
 |
- +-----> HKDF-Expand(., "i ap traffic", H(T({finished_I})))
+ +-----> HKDF-Expand-Label(.,
+ | "i ap traffic",
+ | H(T({finished_I})))
 | = IATS_0
 |
- +-----> HKDF-Expand(., "r ap traffic", H(T({finished_R})))
+ +-----> HKDF-Expand-Label(.,
+ "r ap traffic",
+ H(T({finished_R})))
 = RATS_0
 ]]></artwork>
 </figure>
@@ -381,8 +395,8 @@ HKDF-Extract(ss_I,.) = Master Secret (MS)
 </t>
 <figure anchor="figure_traffic_key_derivation" title="Traffic Key Generation.">
 <artwork name="" type="" align="left" alt=""><![CDATA[
-key = HKDF-Expand [I,R][A,H]TS, "key", 32)
-nonce = HKDF-Expand ([I,R][A,H]TS, "iv", 24)
+key = HKDF-Expand-Label [I,R][A,H]TS, "key", 32)
+nonce = HKDF-Expand-Label ([I,R][A,H]TS, "iv", 24)
 ]]></artwork>
 </figure>
 <t>
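Review bot: The HKDF-Expand-Label calls added to the key-schedule figure take three arguments (secret, label, transcript hash) and no output length, while RFC 8446 section 7.1, which the draft cites for the label prefix, defines HKDF-Expand-Label(Secret, Label, Context, Length) and encodes Length into the HkdfLabel input. The other hunks use different shapes again: the traffic-key and traffic-update figures pass (secret, label, length) with no context, and the finished-key steps pass `NULL` as the third argument. Unless the draft defines its own argument conventions outside these hunks, two implementations can choose different contexts or lengths and derive keys that do not match. I would write all four arguments at every call, for example `HKDF-Expand-Label(., "early data", H(T(H(pk_R))), Hash.length)` and `HKDF-Expand-Label([I,R][A,H]TS, "key", "", 32)`. The figure element opens before this hunk.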
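Review bot: The rewritten `key =` line still lacks the opening parenthesis that the `nonce =` line below it has; it should read `key = HKDF-Expand-Label ([I,R][A,H]TS, "key", 32)`. The removed line had the same defect, so it is carried over rather than introduced by this commit. This figure is what an implementer copies for traffic key and nonce derivation, so both lines should be written in the same, well-formed shape.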
@@ -397,7 +411,9 @@ nonce = HKDF-Expand ([I,R][A,H]TS, "iv", 24)
 </t>
 <figure anchor="figure_traffic_key_derivation_next" title="Traffic Secret Update.">
 <artwork name="" type="" align="left" alt=""><![CDATA[
-[I,R]ATS_N+1 = HKDF-Expand ([I,R]ATS_N, "traffic_upd", secret_len)
+[I,R]ATS_N+1 = HKDF-Expand-Label ([I,R]ATS_N,
+ "traffic_upd",
+ secret_len)
 ]]></artwork>
 </figure>
 <t>
@@ -422,7 +438,7 @@ nonce = HKDF-Expand ([I,R][A,H]TS, "iv", 24)
 <name>Cryptographic Label Prefix</name>
 <t>
 <xref target="RFC8446" section="7.1"/> specifies that HKDF-Expand-Label uses a label prefix of "tls13 ".
- For CAKE, that label <bcp14>SHALL</bcp14> be "cake ".
+ For CAKE, that label <bcp14>SHALL</bcp14> be "cake10".
 This ensures key separation between CAKE, DTLS 1.3 and TLS 1.3.
 </t>
 </section>
@@ -442,11 +458,11 @@ nonce = HKDF-Expand ([I,R][A,H]TS, "iv", 24)
 or finished<sub>R</sub> value:
 </t>
 <ol>
- <li>fk<sub>I</sub> &lt;- HKDF-Expand(MS, "i finished", NULL)</li>
+ <li>fk<sub>I</sub> &lt;- HKDF-Expand-Label(MS, "i finished", NULL)</li>
 <li>finished<sub>I</sub> &lt;- HMAC(fk<sub>I</sub>, H(T({finished<sub>R</sub>})))</li>
 </ol>
 <ol>
- <li>fk<sub>R</sub> &lt;- HKDF-Expand(MS, "r finished", NULL)</li>
+ <li>fk<sub>R</sub> &lt;- HKDF-Expand-Label(MS, "r finished", NULL)</li>
 <li>finished<sub>R</sub> &lt;- HMAC(fk<sub>R</sub>, H(T({svcinfo_R,c_I}))</li>
 </ol>
 </section>
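Review bot: In the Cryptographic Label Prefix hunk, the changed sentence says "that label" where the label prefix is meant, and it does not state that the new value has no trailing space, unlike the "tls13 " quoted in the sentence before it and the "cake " it replaces. The prefix is part of the HkdfLabel input to every derivation, so an implementation that pads or trims it derives keys that never match its peer's. I would word it as `For CAKE, the label prefix <bcp14>SHALL</bcp14> be the six ASCII bytes "cake10" (no trailing space).` The enclosing section starts before the hunk.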