commit 9ddceb6211619d0e9e9e8bb2fb8a6426c4290b9c
parent 29f4ab60c50f15e058728f37f2b6709c36100a2d
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Tue, 12 Nov 2024 07:32:16 +0100
flow fixes
Diffstat:
1 file changed, 37 insertions(+), 30 deletions(-)
diff --git a/draft-schanzen-cake.xml b/draft-schanzen-cake.xml
@@ -214,7 +214,7 @@ MS | |
]]></artwork>
</figure>
<t>
- The Initiator creates the messages according to <xref target="figure_swimlane"/> and <xref target="figure_key_schedule"/> using:
+ The Initiator creates the first message containing InitiatorHello and the encrypted tuple (pk<sub>I</sub>,ServicesInfo) according to <xref target="figure_swimlane"/> and <xref target="figure_key_schedule"/> using:
</t>
<ol>
<li>(ss<sub>R</sub>,c<sub>R</sub>) <- Encaps(pk<sub>R</sub>)</li>
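Review bot: The rewritten intro sentence says the tuple (pk<sub>I</sub>,ServicesInfo) is encrypted but does not name the key, while the later "I sends to R" list states it is encrypted using ETS. Naming ETS here as well would let the reader tie the sentence to the key schedule figure it references. ServicesInfo is also left as plain text in this sentence, whereas the corresponding sentence for R wraps it in <tt>; pick one form for both.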
@@ -225,43 +225,44 @@ MS | |
<!-- FIXME: Discuss IV. We may be able to use data from HKDF-Expand for that -->
</t>
<t>
- R receives the first message, and processes it as defined in the following
- to create and send the second message.
+ I sends to R:
</t>
+ <ol>
+ <li>ReceiverHello <- (c<sub>R</sub>,r<sub>I</sub>)</li>
+ <li>The initiators's pk<sub>I</sub> and ServicesInfo encrypted using ETS.</li>
+ </ol>
<t>
- The encryption key ETS to decrypt the encrypted (pk<sub>I</sub>,<tt>ServicesInfo</tt>), the Handshake and Master Secrets are generated according to <xref target="figure_key_schedule"/> using:
+ R receives the first message, and processes it as defined in the following.
+ The encryption key ETS to decrypt the encrypted tuple (pk<sub>I</sub>,<tt>ServicesInfo</tt>), the Handshake and Master Secrets are generated according to <xref target="figure_key_schedule"/> using:
+ The secrets can also be generated as-needed and not necessarily all at once.
+ Note that IATS cannot be derived (yet) at this point.
</t>
<ol>
+ <li>Verify that the message type is TBD</li>
<li>(ss<sub>R</sub>,c<sub>R</sub>) <- Decaps(sk<sub>R</sub>, c<sub>R</sub>)</li>
<li>(ss<sub>e</sub>,c<sub>e</sub>) <- Encaps(pk<sub>e</sub>)</li>
<li>(ss<sub>I</sub>,c<sub>I</sub>) <- Encaps(pk<sub>I</sub>)</li>
</ol>
<t>
- The secrets can also be generated as-needed and not necessarily all at once.
- Note that IATS cannot be derived (yet) at this point.
- </t>
- <t>
- Build ReceiverFinished message:
+ R sends to I:
</t>
<ol>
- <li>fk<sub>R</sub> <- HKDF-Expand(MS, "r finished", NULL)</li>
- <li>RF <- HMAC(fk<sub>R</sub>, InitiatorHello...ReceiverKemCiphertext)</li>
- <li>ReceiverFinished <- Enc(RHTS, RF) (TLS1.3-style explicit authentication of receiver after 1RTT!)</li>
+ <li>ReceiverHello <- (c<sub>e</sub>,r<sub>R</sub>)</li>
+ <li>The receiver's ServicesInfo encrypted using RTHS.</li>
+ <li>c<sub>I</sub> encrypted with RTHS.</li>
+ <li>ReceiverFinished encrypted with RHTS.</li>
+ <li>Optionally, R may already send application data encrypted with RATS.</li>
</ol>
<t>
- R sends to I the third message consisting of a <tt>MessageHeader</tt>,
- the <tt>InitiatorFinished</tt> message as defined
- in the following.
+ I processes the message received by R:
</t>
<ol>
<li>Verify that the message type is TBD</li>
- <li>Setup remaining keys using ss<sub>e</sub> <- Decaps(sk<sub>e</sub>,c<sub>e</sub>).</li>
- <li>fk<sub>I</sub> <- HKDF-Expand(MS, "i finished", NULL)</li>
- <li>IF <- HMAC(fk<sub>I</sub>, InitiatorHello...ReceiverFinished)</li>
- <li>fk<sub>R</sub> <- HKDF-Expand(MS, "r finished", NULL)</li>
+ <li>Setup remaining keys using ss<sub>e</sub> <- Decaps(sk<sub>e</sub>,c<sub>e</sub>) and ss<sub>I</sub> <- Decaps(sk<sub>I</sub>,c<sub>I</sub>).</li>
<li>RF <- Dec(RHTS, ReceiverFinished)</li>
+ <li>fk<sub>R</sub> <- HKDF-Expand(MS, "r finished", NULL)</li>
<li>assert HMAC(fk<sub>R</sub>, InitiatorHello...ReceiverKemCiphertext) == RF</li>
- <li>InitiatorFinished <- Enc(IHTS, IF)</li>
+ <li>Send InitiatorFinished</li>
</ol>
<t>
At this point we have a secure channel.
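Review bot: The first item of the new "I sends to R" list defines ReceiverHello <- (c<sub>R</sub>,r<sub>I</sub>), but the "R sends to I" list defines ReceiverHello again as (c<sub>e</sub>,r<sub>R</sub>), and the HMAC transcript starts at InitiatorHello, which is now never defined in this flow. The first one should presumably read InitiatorHello <- (c<sub>R</sub>,r<sub>I</sub>). In the "R sends to I" list the key is spelled RTHS in two items and RHTS in the third and in the Dec() step; if these are the same secret the spelling should be unified, since a reader will otherwise look for two keys in the key schedule. The new "Verify that the message type is TBD" step on R's side sits under a paragraph that introduces key generation ("are generated ... using:"), so it would read better as its own sentence before that list. Smaller wording points: "initiators's" should be "initiator's", and "the message received by R" should be "received from R". "Send InitiatorFinished" could carry an xref to the new initiator_finished section now that the computation has moved there.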
@@ -390,21 +391,27 @@ ss_I -> HKDF-Extract = Master Secret (MS)
]]></artwork>
</figure>
</section>
+ <section anchor="initiator_finished" numbered="true" toc="default">
+ <name>InitiatorFinished</name>
+ <t>
+ The InitiatorFinished:
+ </t>
+ <ol>
+ <li>fk<sub>I</sub> <- HKDF-Expand(MS, "i finished", NULL)</li>
+ <li>IF <- HMAC(fk<sub>I</sub>, InitiatorHello...ReceiverFinished)</li>
+ <li>InitiatorFinished <- Enc(IHTS, IF)</li>
+ </ol>
+ </section>
<section anchor="receiver_finished" numbered="true" toc="default">
<name>ReceiverFinished</name>
<t>
The ReceiverFinished:
</t>
- <figure anchor="figure_recvfinished" title="The Wire Format of the ReceiverFinished.">
- <artwork name="" type="" align="left" alt=""><![CDATA[
- 0 8 16 24 32 40 48 56
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | ReceiverFinished |
- | |
- | |
- +-----+-----+-----+-----+-----+-----+-----+-----+
- ]]></artwork>
- </figure>
+ <ol>
+ <li>fk<sub>R</sub> <- HKDF-Expand(MS, "r finished", NULL)</li>
+ <li>RF <- HMAC(fk<sub>R</sub>, InitiatorHello...ReceiverKemCiphertext)</li>
+ <li>ReceiverFinished <- Enc(RHTS, RF)</li>
+ </ol>
</section>
</section>
<section anchor="open" numbered="true" toc="default">
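Review bot: In both Finished sections the HMAC transcript range ends on a message name that the handshake flow does not define: ReceiverFinished covers "InitiatorHello...ReceiverKemCiphertext", while the flow lists the receiver's message contents as ReceiverHello, ServicesInfo and c<sub>I</sub>. For a transcript MAC the exact start and end of the covered bytes need to be unambiguous, so either name c<sub>I</sub> as ReceiverKemCiphertext in the flow or use the flow's names here, and state whether the covered messages are taken in their encrypted or plaintext form. Dropping the figure_recvfinished artwork also removes the only place that hinted at the field's size; a sentence giving the HMAC output length would replace it, and any remaining xref to figure_recvfinished needs removing. The intro lines "The InitiatorFinished:" and "The ReceiverFinished:" are incomplete sentences, for example "The InitiatorFinished message is computed as follows:". Since ReceiverFinished is sent first, placing its section before InitiatorFinished would match the message order.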