commit 6179949e6901ed6ff1a1c0ed674e8134a83eea10
parent ef8e3b26b9af4ec404d71449cbc8fc576d13d550
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Tue, 15 Apr 2025 15:13:30 +0200
fix typos and incorrect names
Diffstat:
1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/draft-schanzen-cake.xml b/draft-schanzen-cake.xml
@@ -177,7 +177,7 @@ else
shown respectively.
If a private key of a key pair is known it is implied that the public key is also known.
Messages in brackets are optional.
- Messages in braces are encrypted with the key after "*".
+ Messages in braces are encrypted.
</t>
<figure anchor="figure_swimlane" title="Overview over the Handshake Protocol Flow.">
<artwork name="" type="" align="left" alt=""><![CDATA[
@@ -282,8 +282,8 @@ MS | |
<li>Generate IHTS and RHTS from <xref target="key_schedule"/> and decrypt ServicesInfo, c<sub>I</sub> and ReceiverFinished.</li>
<li>ss<sub>I</sub> <- Decaps(sk<sub>I</sub>,c<sub>I</sub>).</li>
<li>Create ReceiverFinished as per <xref target="cake_hs_proto"/> and check against decrypted payload.</li>
- <li>Create IteratorFinished as per <xref target="cake_hs_proto"/>.</li>
- <li>Send InteratorFinished message encrypted with the key derived from IHTS to R</li>
+ <li>Create InitiatorFinished as per <xref target="cake_hs_proto"/>.</li>
+ <li>Send InitiatorFinished message encrypted with the key derived from IHTS to R</li>
</ol>
<t>
At this point we have a secure channel.
@@ -297,7 +297,7 @@ MS | |
But we only have a single message that contains a payload encrypted with a key
derived from RHTS: ReceiverHello.
We also only have a single message that contains a payload encrypted with a key
- derived from AHTS: InitiatorFinished.
+ derived from IHTS: InitiatorFinished.
Consequently, we do not need any signalling of Epochs until we encrypt data using
*ATS secrets.
The optional application data that may already be sent by the receiver after its first
@@ -318,7 +318,7 @@ MS | |
ss_R -> HKDF-Extract = Early Secret (ES)
|
+-----> HKDF-Expand(., "early data", InitiatorHello*)
- | = Early Transport Secret (ETS)
+ | = Early Transport Secret (ETS)
|
v
HKDF-Expand(., "derived", "") = derived Early Secret (dES)
@@ -349,6 +349,9 @@ ss_I -> HKDF-Extract = Master Secret (MS)
]]></artwork>
</figure>
<t>
+ In general the transcripts are part of the HKDF-Expand calls.
+ The transcript is defined as the messages sent (or to be sent) and received on the wire
+ up until that point.
IMPORTANT: The ETS is derived using the transcript of InitiatorHello*.
This transcript can, for obvious reasons, not yet include the encrypted tuple that
is part of the InitiatorHello.
@@ -417,12 +420,16 @@ nonce = HKDF-Expand ([I,R][A,H]TS, "iv", 12)
</t>
<ol>
<li>fk<sub>I</sub> <- HKDF-Expand(MS, "i finished", NULL)</li>
- <li>InitiatorFinished <- HMAC(fk<sub>I</sub>, InitiatorHello...Hello)</li>
+ <li>InitiatorFinished <- HMAC(fk<sub>I</sub>, InitiatorHello...ReceiverHello)</li>
</ol>
<ol>
<li>fk<sub>R</sub> <- HKDF-Expand(MS, "r finished", NULL)</li>
- <li>ReceiverFinished <- HMAC(fk<sub>R</sub>, InitiatorHello...InitiatorDone)</li>
+ <li>ReceiverFinished <- HMAC(fk<sub>R</sub>, InitiatorHello...ReceiverHello*)</li>
</ol>
+ <t>
+ Observe how the ReceiverFinished transcript used as input into the HMAC cannot include
+ the ReceiverFinished of the ReceiverHello message itself.
+ </t>
</section>
<section anchor="cake_hs_msg_fmt" numbered="true" toc="default">
<name>CAKE Message Format</name>
@@ -488,7 +495,7 @@ nonce = HKDF-Expand ([I,R][A,H]TS, "iv", 12)
]]></artwork>
</figure>
<t>
- The initiator kem challenge c<sub>R</sub>is generated according to <xref target="figure_key_schedule"/> using:
+ The initiator kem challenge c<sub>R</sub> is generated according to <xref target="figure_key_schedule"/> using:
</t>
<ol>
<li>(ss<sub>R</sub>,c<sub>R</sub>) <- Encaps(pk<sub>R</sub>)</li>
