commit db761dab3d7f38bf1d9e09cdfd5033f4c33529b7
parent 9ddceb6211619d0e9e9e8bb2fb8a6426c4290b9c
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Tue, 12 Nov 2024 07:45:37 +0100
change to chacha20 ietf
Diffstat:
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/draft-schanzen-cake.xml b/draft-schanzen-cake.xml
@@ -26,6 +26,7 @@
<!ENTITY RFC8174 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8174.xml">
<!ENTITY RFC8244 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8244.xml">
<!ENTITY RFC8324 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8324.xml">
+<!ENTITY RFC8439 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8439.xml">
<!ENTITY RFC8446 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8446.xml">
<!ENTITY RFC8499 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8499.xml">
<!ENTITY RFC9106 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.9106.xml">
@@ -122,6 +123,7 @@
<dt>IHTS</dt> <dd>Initiator Handshake Secret Key</dd>
<dt>RHTS</dt> <dd>Receiver Handshake Secret Key</dd>
<dt>Foo...Bar</dt> <dd>means the transcript of received/send messages from Foo until Bar</dd>
+ <dt>Enc/Dec</dt> <dd>This refers to <xref target="RFC8439"/>, the ChaCha20-Poly1305 Authenticated Encryption with Associated Data (AEAD) construction.</dd>
</dl>
</section>
<section anchor="notation" numbered="true" toc="default">
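Review bot: The added Enc/Dec entry names the AEAD construction but does not define the functions themselves, so a reader cannot tell from the terminology list which inputs Enc and Dec take. Suggest listing the arguments (key, nonce, associated data, plaintext or ciphertext), saying what is passed as associated data, and stating that Dec fails when the tag does not verify. The wording could also match the sibling entries, which are short definitions rather than full sentences starting with "This refers to".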
@@ -221,7 +223,7 @@ MS | |
</ol>
<t>
pk<sub>I</sub> and <tt>ServicesInfo</tt> are encrypted using the early secret ETS
- using XChaCha20-Poly1305 (citation to IETF RFC).
+ using ChaCha20-Poly1305 <xref target="RFC8439"/>.
<!-- FIXME: Discuss IV. We may be able to use data from HKDF-Expand for that -->
</t>
<t>
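Review bot: The FIXME comment left as context directly below the changed line ("Discuss IV. We may be able to use data from HKDF-Expand for that") is now out of step with this commit, which adds a paragraph that takes the nonce from the HKDF-Expand output. Suggest removing the FIXME here and instead pointing this sentence at the key schedule text, so the ETS encryption step says where its nonce comes from.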
@@ -311,6 +313,13 @@ ss_I -> HKDF-Extract = Master Secret (MS)
= RATS
]]></artwork>
</figure>
+ <t>
+ SHA-512 is used as the underlying hash function for HKDF.
+ Since we only require 32 byte encryption keys, the remaining
+ 32 byte output of the HKDF-Expand is used as nonce.
+ For each re-use of the key this nonce <bcp14>MUST</bcp14> be
+ incremented.
+ </t>
</section>
<section anchor="wire_formats" numbered="true" toc="default">
<name>Wire Formats</name>
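Review bot: The added paragraph uses the "remaining 32 byte output of the HKDF-Expand" as the nonce, but the ChaCha20-Poly1305 AEAD in RFC 8439 takes a 96-bit (12-byte) nonce, so the text needs to say which 12 bytes of that output are used. The MUST on incrementing is also underspecified: suggest defining the byte order of the increment, the step, and what an implementation does when the value wraps, and stating that HKDF-Expand is called with an output length of 64 bytes so that "remaining" is unambiguous.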
@@ -360,7 +369,7 @@ ss_I -> HKDF-Extract = Master Secret (MS)
<li>(ss<sub>R</sub>,c<sub>R</sub>) <- Encaps(pk<sub>R</sub>)</li>
</ol>
<t>
- The pk<sub>I</sub> and <tt>ServiceInfo</tt> are encrypted using XChaCha20-Poly1305 (citation to IETF RFC).
+ The pk<sub>I</sub> and <tt>ServiceInfo</tt> are encrypted using ChaCha20-Poly1305 <xref target="RFC8439"/>.
<!-- FIXME: Discuss IV. We may be able to use data from HKDF-Expand for that -->
</t>
</section>
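Review bot: The changed line writes <tt>ServiceInfo</tt>, while the otherwise identical sentence in the earlier hunk writes <tt>ServicesInfo</tt>; one of the two spellings should be used throughout. The FIXME about the IV is kept here as well and should be resolved the same way as in the earlier occurrence, ideally by stating the encryption rule once and referencing it from both places.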
@@ -420,6 +429,9 @@ ss_I -> HKDF-Extract = Master Secret (MS)
Rekey
</t>
<t>
+ We must discuss EdDSA vs X25519 KEM usage. Maybe see Communicator draft for this.
+ </t>
+ <t>
We must discuss ChaCha20 vs XChaCha20.
For XChaCha20 (currently implemented) we can use fresh nonces when the key is re-used.
With ChaCha20, we should increment the nonce.
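Review bot: The unchanged discussion text below the added paragraph still says XChaCha20 is "currently implemented" and that "We must discuss ChaCha20 vs XChaCha20", which conflicts with the rest of this commit switching the draft to ChaCha20-Poly1305. It also says the nonce "should" be incremented, while the new key schedule paragraph makes that a MUST. Suggest updating or removing this open item in the same commit, recording the decision and its reason. The new EdDSA vs X25519 item would be easier to follow up with a reference target for the "Communicator draft" it mentions.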
@@ -465,6 +477,7 @@ ss_I -> HKDF-Extract = Master Secret (MS)
<name>Normative References</name>
&RFC2119;
&RFC8174;
+ &RFC8439;
&RFC8446;
&RFC9180;