commit f986376a5c49eb2b1e4ba4a9d632429a78b1c472
parent 7b7bce3f1a3ab5f2d14a605fde85b361062c19cd
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Tue, 15 Apr 2025 22:14:39 +0200
rework how transcript hash is worded
Diffstat:
1 file changed, 19 insertions(+), 17 deletions(-)
diff --git a/draft-schanzen-cake.xml b/draft-schanzen-cake.xml
@@ -129,9 +129,9 @@
<dt>ES:</dt> <dd>Early Secret Key</dd>
<dt>IHTS:</dt> <dd>Initiator Handshake Secret Key</dd>
<dt>RHTS:</dt> <dd>Receiver Handshake Secret Key</dd>
- <dt>Foo...Bar:</dt> <dd>means the transcript of received/send messages from Foo until Bar. Note that the transcript refers to what is seen on the wire (i.e. potentially encryption) but as shorthand, we only refer to the plaintext message.</dd>
- <dt>'{}'</dt> <dd>indicates encryption with a handshake traffic key and <xref target="RFC8439"/>, the ChaCha20-Poly1305 Authenticated Encryption with Associated Data (AEAD) construction.</dd>
- <dt>'[]'</dt> <dd>indicates encryption with an application traffic key and <xref target="RFC8439"/>, the ChaCha20-Poly1305 Authenticated Encryption with Associated Data (AEAD) construction.</dd>
+ <dt>TH(M):</dt> <dd>means the transcript hash of a concatenation of received/sent messages starting from the InitiatorHello until and including M. Note that the transcript refers to what is seen on the wire (i.e. potentially encryption). The hash function used is TBD (Blake2b?)</dd>
+ <dt>'{}K'</dt> <dd>indicates encryption with a handshake traffic key K and <xref target="RFC8439"/>, the ChaCha20-Poly1305 Authenticated Encryption with Associated Data (AEAD) construction.</dd>
+ <dt>'[]K'</dt> <dd>indicates encryption with an application traffic key K and <xref target="RFC8439"/>, the ChaCha20-Poly1305 Authenticated Encryption with Associated Data (AEAD) construction.</dd>
</dl>
</section>
<section anchor="rationale" numbered="true" toc="default">
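Review bot: The TH(M) entry leaves the hash function as "TBD (Blake2b?)" inside the terminology list, so every later TH(...) in the key schedule is undefined until that is settled; track it as an explicit open issue or name the function here. In the same entry, "potentially encryption" should read "potentially encrypted", and the '{}K' and '[]K' terms lack the trailing colon that the other dt entries (ES:, IHTS:, TH(M):) carry.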
@@ -192,8 +192,7 @@ ES,ETS | |
| c_R |
| r_I |
| H(pk_R) |
- | {pk_I} |
- | {ServicesInfo} |
+ | {pk_I,ServicesInfo}ETS |
+---------------------------------------------->|
| | pk_I
| | ES,ETS
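Review bot: Replacing `{pk_I}` and `{ServicesInfo}` with `{pk_I,ServicesInfo}ETS` turns two encrypted elements into one encrypted tuple, which reads as a change to the message layout and not only to notation. The commit message mentions only the transcript hash wording; mention the merge there or split it into its own commit, and check that the text describing the InitiatorHello fields matches the single tuple.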
@@ -205,9 +204,9 @@ ES,ETS | |
| ReceiverHello: |
| c_e |
| r_R |
- | {ServicesInfo,c_I} |
- | {ReceiverFinished} |
- | *[Application Payload] |
+ | {ServicesInfo,c_I}RHTS |
+ | {ReceiverFinished}RHTS |
+ | *[Application Payload]RATS |
|<----------------------------------------------+
dES | |
(d)HS | |
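Review bot: `{ServicesInfo,c_I}RHTS` and `{ReceiverFinished}RHTS` are two separate ciphertexts under the same key RHTS within one ReceiverHello, and the '{}K' notation names only the key. ChaCha20-Poly1305 needs a distinct nonce for each encryption under one key, and the lines shown here do not say how the nonce for each of the two is chosen; add that to the notation entry or to the message description. The payload key is also written RATS here while the key schedule calls it RATS_0.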
@@ -215,8 +214,8 @@ MS | |
[I,R]HTS | |
[I,R]ATS | |
| InitiatorDone: |
- | {InitiatorFinished} |
- | *[Application Payload] |
+ | {InitiatorFinished}IHTS |
+ | *[Application Payload]IATS |
+---------------------------------------------->|
| | IATS
| |
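Review bot: With the new suffix notation, the unchanged left-column lines `[I,R]HTS` and `[I,R]ATS` now look like "I,R encrypted under HTS/ATS", because '[]K' is defined as encryption with an application traffic key K. Spell them out as IHTS,RHTS and IATS,RATS so that the brackets in this figure only ever mean encryption. As in ReceiverHello, the payload key IATS here is IATS_0 in the key schedule.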
@@ -317,7 +316,8 @@ MS | |
v
ss_R -> HKDF-Extract = Early Secret (ES)
|
- +-----> HKDF-Expand(., "early data", InitiatorHello*)
+ +-----> HKDF-Expand(., "early data",
+ | TH(H(pk_R)))
| = Early Transport Secret (ETS)
|
v
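Review bot: `TH(H(pk_R))` passes a field of the InitiatorHello to TH, while the TH(M) definition speaks of "messages ... until and including M". Reword the definition to say "message part" (as the paragraph after the key schedule figure already does), otherwise this can be read as a hash over H(pk_R) alone and not over the fields that precede it on the wire.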
@@ -327,11 +327,11 @@ ss_R -> HKDF-Extract = Early Secret (ES)
ss_e -> HKDF-Extract = Handshake Secret (HS)
|
+-----> HKDF-Expand(., "i hs traffic",
- | InitiatorHello...ReceiverHello)
+ | TH(r_R))
| = IHTS
|
+-----> HKDF-Expand(., "r hs traffic",
- | InitiatorHello...ReceiverHello)
+ | RH(r_R))
| = RHTS
v
HKDF-Expand(., "derived", "") = derived Handshake Secret (dHS)
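Review bot: The RHTS branch uses `RH(r_R))` where the IHTS branch uses `TH(r_R))`; RH is not defined in the notation list and looks like a typo for TH. If both handshake secrets are meant to bind the same transcript, as the removed lines did with InitiatorHello...ReceiverHello, change it to `TH(r_R))`.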
@@ -340,18 +340,20 @@ ss_e -> HKDF-Extract = Handshake Secret (HS)
ss_I -> HKDF-Extract = Master Secret (MS)
|
+-----> HKDF-Expand(., "i ap traffic",
- | InitiatorHello...InitiatorDone)
+ | TH({InitiatorFinished}))
| = IATS_0
|
+-----> HKDF-Expand(., "r ap traffic",
- InitiatorHello...ReceiverHello)
+ TH({ReceiverFinished}))
= RATS_0
]]></artwork>
</figure>
<t>
- In general the transcripts are part of the HKDF-Expand calls.
- The transcript is defined as the messages sent (or to be sent) and received on the wire
+ In general the transcript hashes are part of the HKDF-Expand calls.
+ The transcript hash is defined as the hash over the message parts sent (or to be sent) and received on the wire
up until that point.
+ </t>
+ <t>
IMPORTANT: The ETS is derived using the transcript of InitiatorHello*.
This transcript can, for obvious reasons, not yet include the encrypted tuple that
is part of the InitiatorHello.
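Review bot: The IMPORTANT paragraph still says the ETS is derived "using the transcript of InitiatorHello*", but the figure now uses `TH(H(pk_R))` and the starred notation no longer appears in it; update the paragraph to the new term. In the figure, `TH({InitiatorFinished})` and `TH({ReceiverFinished})` use braces without the key suffix introduced in this commit; write `{InitiatorFinished}IHTS` and `{ReceiverFinished}RHTS` to match the message diagram. RATS_0 previously covered InitiatorHello...ReceiverHello, so also confirm that ending at `{ReceiverFinished}` covers the same span.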