commit 7b7bce3f1a3ab5f2d14a605fde85b361062c19cd
parent 6179949e6901ed6ff1a1c0ed674e8134a83eea10
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Tue, 15 Apr 2025 15:53:51 +0200
clarification receiverfinished
Diffstat:
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/draft-schanzen-cake.xml b/draft-schanzen-cake.xml
@@ -205,8 +205,7 @@ ES,ETS | |
| ReceiverHello: |
| c_e |
| r_R |
- | {ServicesInfo} |
- | {c_I} |
+ | {ServicesInfo,c_I} |
| {ReceiverFinished} |
| *[Application Payload] |
|<----------------------------------------------+
@@ -269,8 +268,9 @@ MS | |
</t>
<ol>
<li>r<sub>R</sub> <- RandomUInt64()</li>
+ <li>Encrypt ServicesInfo and c<sub>I</sub> the key derived from RHTS.</li>
<li>Create ReceiverFinished as per <xref target="cake_hs_proto"/>.</li>
- <li>Encrypt ServicesInfo, c<sub>I</sub> and ReceiverFinished with a key derived from RHTS.</li>
+ <li>Encrypt ReceiverFinished with RHTS.</li>
<li>Optionally, R may now already send application data encrypted with RATS.</li>
</ol>
<t>
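Review bot: The added step "Encrypt ServicesInfo and c<sub>I</sub> the key derived from RHTS." is missing the word "with", and the two new steps name the key differently: "the key derived from RHTS" for the first payload and "with RHTS" for ReceiverFinished. The removed line said "with a key derived from RHTS"; using that wording in both steps keeps the secret and the key derived from it apart. Since ReceiverFinished is now created after the first encryption step, the list should also say whether the transcript it covers includes {ServicesInfo,c_I} as ciphertext or as plaintext.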
@@ -522,12 +522,14 @@ nonce = HKDF-Expand ([I,R][A,H]TS, "iv", 12)
+-----+-----+-----+-----+-----+-----+-----+-----+
| r_R |
+-----+-----+-----+-----+-----+-----+-----+-----+
- / {ServicesInfo,c_I,Finished} /
+ / {ServicesInfo,c_I}{ReceiverFinished} /
]]></artwork>
</figure>
<t>
The protected fields after the nonce are encrypted using a key derived from AHTS.
- They are not encrypted individually but as a single payload.
+ The ReceiverFinished is encrypted individually.
+ This is because the transcript of the ReceiverHello to generate the
+ ReceiverFinished must end before it.
</t>
</section>
<section anchor="handshake_finished" numbered="true" toc="default">
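Review bot: In the paragraph under the figure, the unchanged sentence still says the protected fields are encrypted with a key derived from AHTS, while the ReceiverHello steps touched by this commit use RHTS, and AHTS does not fit the [I,R][A,H]TS pattern shown in the hunk header; this looks like a typo that should be fixed in the same change. With the "single payload" sentence removed, the paragraph should also state that ServicesInfo and c_I still form one payload, and how the two payloads, now encrypted separately under the same secret, get distinct nonces given nonce = HKDF-Expand ([I,R][A,H]TS, "iv", 12).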