author | Martin Schanzenbach <schanzen@gnunet.org> | 2022-02-04 16:44:19 +0100 |
---|---|---|
committer | Martin Schanzenbach <schanzen@gnunet.org> | 2022-02-04 16:44:19 +0100 |
commit | 6a39c87f29c77328cf016908a290d9ea379ae4af (patch) | |
tree | 228cff805fd90c345d3b90f19158425dbf3bd1ad | |
parent | 84069e53addee337aedad320eb8c5d02b5a702c3 (diff) | |
download | lsd0001-6a39c87f29c77328cf016908a290d9ea379ae4af.tar.gz lsd0001-6a39c87f29c77328cf016908a290d9ea379ae4af.zip |
draft senc
-rw-r--r-- | draft-schanzen-gns.xml | 37 |
1 files changed, 28 insertions, 9 deletions
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml index dfdde70..26d0d70 100644 --- a/draft-schanzen-gns.xml +++ b/draft-schanzen-gns.xml | |||
@@ -87,6 +87,7 @@ | |||
87 | GNS is a decentralized and censorship-resistant name | 87 | GNS is a decentralized and censorship-resistant name |
88 | system that provides a privacy-enhancing alternative to the Domain | 88 | system that provides a privacy-enhancing alternative to the Domain |
89 | Name System (DNS). | 89 | Name System (DNS). |
90 | <!-- GNS is more. it is also extensible and more flexible --> | ||
90 | </t> | 91 | </t> |
91 | <t> | 92 | <t> |
92 | This document defines the normative wire format of resource records, | 93 | This document defines the normative wire format of resource records, |
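Review bot: new line 90 leaves an XML comment ("GNS is more. it is also extensible and more flexible") inside the abstract of a standards draft; xml2rfc drops it from the rendered output, so it only survives as an untracked TODO in the source. Either turn it into a real sentence of the abstract now or move the reminder out of the draft before it is submitted.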
@@ -118,7 +119,7 @@ | |||
118 | and integrity of information on the Internet. | 119 | and integrity of information on the Internet. |
119 | </t> | 120 | </t> |
120 | <t> | 121 | <t> |
121 | DNS was not designed with security as a goal. This makes it very | 122 | DNS was not designed with security in mind. This makes it very |
122 | vulnerable, especially to attackers that have the technical capabilities | 123 | vulnerable, especially to attackers that have the technical capabilities |
123 | of an entire nation state at their disposal. | 124 | of an entire nation state at their disposal. |
124 | While a wider discussion of this issue is out of scope for this document, | 125 | While a wider discussion of this issue is out of scope for this document, |
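Review bot: line 123 still reads "attackers that have the technical capabilities", which should be "attackers who have" or simply "attackers with the technical capabilities"; since the sentence on line 122 is being reworded anyway, "very vulnerable" is also vague for the opening of the security motivation and would be stronger if it named the threat the paragraph has in mind (tampering with or censoring name resolution) rather than leaving it to the out-of-scope discussion mentioned on line 125.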
@@ -228,7 +229,12 @@ | |||
228 | <dt>Blinded Zone Key</dt> | 229 | <dt>Blinded Zone Key</dt> |
229 | <dd> | 230 | <dd> |
230 | A blinded zone key is derived from the zone key and a label. | 231 | A blinded zone key is derived from the zone key and a label. |
231 | The zone key and the blinded zone key are unlinkable without knowing the label. | 232 | The zone key and the blinded zone key are unlinkable without knowledge of the label. |
233 | </dd> | ||
234 | <dt>Zone Key Derivation Function</dt> | ||
235 | <dd> | ||
236 | The zone key derivation function (ZKDF) blinds a key using a label. | ||
237 | There are different functions for public and private keys, respectively. | ||
232 | </dd> | 238 | </dd> |
233 | <dt>Zone Owner</dt> | 239 | <dt>Zone Owner</dt> |
234 | <dd> | 240 | <dd> |
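Review bot: the new ZKDF definition (lines 234-237) says there are "different functions for public and private keys, respectively" but never names them, and the "respectively" has nothing to pair with. The draft later defines ZKDF-Private(d,label) -> d' and ZKDF-Public(zk,label) -> zk', so say so here, e.g. "ZKDF-Public blinds the public zone key zk and ZKDF-Private blinds the corresponding private key d", and since the draft also signs with the blinded private key d' (Sign(d',message)), the definition should state the relation the two derivations have to preserve: a signature made with d' must verify under zk'. Without that sentence a reader cannot tell why two functions are needed at all.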
@@ -352,7 +358,7 @@ | |||
352 | <dl> | 358 | <dl> |
353 | <dt>KeyGen() -> d, zk</dt> | 359 | <dt>KeyGen() -> d, zk</dt> |
354 | <dd> | 360 | <dd> |
355 | is a function to generate a fresh private key d and | 361 | is a function to generate a new private key d and |
356 | the corresponding public zone key zk. | 362 | the corresponding public zone key zk. |
357 | </dd> | 363 | </dd> |
358 | <dt>ZKDF-Private(d,label) -> d'</dt> | 364 | <dt>ZKDF-Private(d,label) -> d'</dt> |
@@ -368,22 +374,22 @@ | |||
368 | is a zone key derivation function which blinds a zone key zk | 374 | is a zone key derivation function which blinds a zone key zk |
369 | using a label. zk and zk' must be unlinkable. Furthermore, | 375 | using a label. zk and zk' must be unlinkable. Furthermore, |
370 | blinding zk with different values for the label must result | 376 | blinding zk with different values for the label must result |
371 | in unlinkable zk' values. | 377 | in different, unlinkable zk' values. |
372 | </dd> | 378 | </dd> |
373 | <dt>S-Encrypt(zk,label,nonce,expiration,message) -> ciphertext</dt> | 379 | <dt>S-Encrypt(zk,label,expiration,message) -> ciphertext</dt> |
374 | <dd> | 380 | <dd> |
375 | is a symmetric encryption function which encrypts the record | 381 | is a symmetric encryption function which encrypts the record |
376 | data based on key material derived from the zone key, | 382 | data based on key material derived from the zone key, |
377 | a label, a nonce and an expiration. | 383 | a label, and an expiration timestamp. |
378 | In order to leverage performance-enhancing caching features of certain | 384 | In order to leverage performance-enhancing caching features of certain |
379 | underlying storages, in particular DHTs, a deterministic encryption | 385 | underlying storages, in particular DHTs, a deterministic encryption |
380 | scheme is recommended. | 386 | scheme is recommended. |
381 | </dd> | 387 | </dd> |
382 | <dt>S-Decrypt(zk,label,nonce,expiration,ciphertext) -> message</dt> | 388 | <dt>S-Decrypt(zk,label,expiration,ciphertext) -> message</dt> |
383 | <dd> | 389 | <dd> |
384 | is a symmetric decryption function which decrypts the encrypted record | 390 | is a symmetric decryption function which decrypts the encrypted record |
385 | data based on key material derived from the zone key, | 391 | data based on key material derived from the zone key, |
386 | a label, a nonce and an expiration. | 392 | a label, and an expiration timestamp. |
387 | </dd> | 393 | </dd> |
388 | <dt>Sign(d,message) -> signature, Sign(d',message) -> signature</dt> | 394 | <dt>Sign(d,message) -> signature, Sign(d',message) -> signature</dt> |
389 | <dd> | 395 | <dd> |
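Review bot: removing nonce from the S-Encrypt/S-Decrypt signatures (lines 379 and 388) turns it into an internal derivation, but the descriptions on lines 381-383 and 390-392 no longer say where it comes from or what the caller has to guarantee. Since all key material is now a function of zk, label and expiration alone, the text should say that the nonce is derived from zk and label and that the scheme is therefore deterministic in (zk, label, expiration): the "deterministic encryption scheme is recommended" wording on lines 384-386 is then not a recommendation but a property of the interface, and the matching obligation, that a zone never encrypts two different messages under the same label and expiration, belongs here or in the security considerations. Minor: "underlying storages" on line 385 should be "underlying storage" or "storage backends".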
@@ -508,7 +514,7 @@ zTLD := zkl[126..129].zkl[63..125].zkl[0..62] | |||
508 | published. | 514 | published. |
509 | This message MUST be signed using the private key. | 515 | This message MUST be signed using the private key. |
510 | The revocation message is broadcast to the network. | 516 | The revocation message is broadcast to the network. |
511 | The specification of the broadcast mechanism is out of scope of this | 517 | The specification of the broadcast mechanism is out of scope for this |
512 | document. | 518 | document. |
513 | A possible broadcast mechanism for efficient flooding in a distributed | 519 | A possible broadcast mechanism for efficient flooding in a distributed |
514 | network is implemented in <xref target="GNUnet"/>. | 520 | network is implemented in <xref target="GNUnet"/>. |
@@ -1047,6 +1053,19 @@ NONCE := HKDF-Expand (PRK_n, label, 32 / 8) | |||
1047 | ]]></artwork> | 1053 | ]]></artwork> |
1048 | </figure> | 1054 | </figure> |
1049 | <t>The Block Counter Wire Format.</t> | 1055 | <t>The Block Counter Wire Format.</t> |
1056 | <figure anchor="figure_senc_pkey"> | ||
1057 | <artwork name="" type="" align="left" alt=""><![CDATA[ | ||
1058 | S-Encrypt(zk,label,expiration,message): | ||
1059 | PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk) | ||
1060 | PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk) | ||
1061 | K := HKDF-Expand (PRK_k, label, 256 / 8); | ||
1062 | NONCE := HKDF-Expand (PRK_n, label, 32 / 8) | ||
1063 | IV := NONCE | expiration | 0x0000000000000001 | ||
1064 | CIPHERTEXT := CTR-AES256(K, IV, DATA) | ||
1065 | DATA := CTR-AES256(K, IV, CIPHERTEXT) | ||
1066 | ]]></artwork> | ||
1067 | </figure> | ||
1068 | <t>The PKEY S-Encrypt Procedure.</t> | ||
1050 | </section> | 1069 | </section> |
1051 | <section anchor="gnsrecords_edkey" numbered="true" toc="default"> | 1070 | <section anchor="gnsrecords_edkey" numbered="true" toc="default"> |
1052 | <name>EDKEY</name> | 1071 | <name>EDKEY</name> |
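Review bot: the IV on line 1063 does not fit an AES-CTR counter block: NONCE is 32 / 8 = 4 bytes (line 1062) and the literal 0x0000000000000001 is 8 bytes, which leaves only 4 bytes for the expiration inside the 16-byte block and cannot hold a 64-bit timestamp. If the "Block Counter Wire Format" figure directly above defines a 32-bit counter, the literal should be 0x00000001; in any case the widths of all three IV fields need to be stated next to the figure. Related and more serious: K and NONCE depend only on zk and label, and the counter starts at the same value every time, so two different plaintexts encrypted under the same (zk, label, expiration) are XORed with the same CTR keystream; a sentence saying that a zone MUST NOT publish two distinct record sets with the same label and expiration timestamp belongs beside this figure. Finally, the figure is captioned as the S-Encrypt procedure but line 1065 is the S-Decrypt direction, and the input is called DATA on line 1064 while the signature on line 1058 calls it message; either split the figure into S-Encrypt and S-Decrypt or name both in the caption, align the parameter names, and drop the stray trailing semicolon on line 1061.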