LSD0012: CORE Authenticated Key Exchange (CAKE)

commit 9da42b7fb15fe31b031c14efe7f3e0ff0fa7fd9b
parent efad59fbc01d2be9e4ea1c408d6af7ed23567c06
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date:   Wed, 13 Nov 2024 16:41:00 +0100

add nonce derivation, seq encryption

Diffstat:
M draft-schanzen-cake.xml | 26 ++++++++++++++++----------
1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/draft-schanzen-cake.xml b/draft-schanzen-cake.xml @@ -467,14 +467,9 @@ nonce = HKDF-Expand ([I,R][A,H]TS, "iv", 12) +-----+-----+-----+-----+-----+-----+-----+-----+ | Timestamp | +-----+-----+-----+-----+-----+-----+-----+-----+ -| Nonce | -| +-----+-----+-----+-----+ -| | | -+-----+-----+-----+-----+ | -| Tag | -| +-----+-----+-----+-----+ -| | -+-----+-----+-----+-----+ +| Tag | +| | ++-----+-----+-----+-----+-----+-----+-----+-----+ ]]></artwork> </figure> <t> @@ -483,8 +478,19 @@ nonce = HKDF-Expand ([I,R][A,H]TS, "iv", 12) preceeding the EncryptedMessage header. </t> <t> - The per-message nonce is generated as defined in <xref target="RFC8446" section="5.3"/>. - <!-- FIXME sequence number encryption?--> + The sequence number is encrypted with the output as defined in <xref target="RFC9147" section="4.2.3"/> + for ChaCha20-based AEAD schemes. + For clarity, the XOR-based encryption using the 64 byte output of ChaCha20 is as follows: + The sequence number is padded to the left such that it is exactly 8 bytes (as if the Epoch field + was still present). + Then, the first 8 bytes of the output of ChaCha20 are XORed with the resulting byte string. + The first 16 bits can be ignored (zeroed). + Note that an implementation may simply XOR the first 8 byte of the EncryptedMessage. + However, this will include the Epoch field and whatever value it was set to so after + the XOR this value will have to be reconstructed or otherwise masked beforehand. + </t> + <t> + The per-message nonce is not transmitted and instead generated as defined in <xref target="RFC8446" section="5.3"/>. <!-- FIXME the records/encryptions apply to all messages(?)--> </t> </section>
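Review bot: with the Nonce field removed from the EncryptedMessage figure, the only nonce-related statement left in this hunk's context is `nonce = HKDF-Expand ([I,R][A,H]TS, "iv", 12)`, which reads as a single fixed 12-byte value per traffic secret; the figure caption or the text that follows should state explicitly that this is the static write IV that is combined with the (unmasked) record sequence number for every record, as RFC 8446 Section 5.3 does, because a reader of the artwork alone would otherwise conclude that one nonce is reused for every record under the same key. The redrawn Tag box spanning two full rows also deserves a one-line caption note giving the tag length, since the artwork no longer carries any field whose width hints at it.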
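Review bot: the masking text in the second hunk is ambiguous about which mask bytes cover the sequence number: after left-padding the sequence number to 8 bytes "as if the Epoch field was still present", XORing "the first 8 bytes of the output of ChaCha20" and then treating "the first 16 bits" as ignorable means mask bytes 2..7 land on the remaining six sequence-number bytes, whereas RFC 9147 Section 4.2.3 XORs the first length(sequence_number) bytes of the mask directly onto the sequence number; state the intended byte alignment in one sentence so two implementations cannot disagree. The hunk also never says which key and which ciphertext sample feed the ChaCha20 mask (RFC 9147 derives a dedicated sn_key and takes a 16-byte sample from the ciphertext, using its first 4 bytes as the block counter and the next 12 as the nonce); say whether CAKE follows that or uses its own derivation. Minor: "first 8 byte" should be "first 8 bytes", the sentence beginning "However, this will include the Epoch field" should be split after "set to", the unchanged context line still reads "preceeding" (preceding), and the remaining FIXME about whether the record encryption applies to all messages is left open in the added text.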