author | Martin Schanzenbach <mschanzenbach@posteo.de> | 2020-10-05 14:51:32 +0200 |
---|---|---|
committer | Martin Schanzenbach <mschanzenbach@posteo.de> | 2020-10-05 14:51:32 +0200 |
commit | 7653d417abc4f30906c252484b003229156ab857 (patch) | |
tree | 22a64623855175dcd5aa343d8714fe7762cfc013 | |
parent | 5bd96ee1fb7a9c7338ee6756a50d9d5e5a690c24 (diff) | |
download | lsd0001-7653d417abc4f30906c252484b003229156ab857.tar.gz lsd0001-7653d417abc4f30906c252484b003229156ab857.zip |
gcm
-rw-r--r-- | draft-schanzen-gns.xml | 63 |
1 files changed, 31 insertions, 32 deletions
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml index 3ef601b..7f89014 100644 --- a/draft-schanzen-gns.xml +++ b/draft-schanzen-gns.xml | |||
@@ -552,7 +552,7 @@ NONCE := HKDF-Expand (PRK_n, label, 32 / 8) | |||
552 | extraction phase and HMAC-SHA256 for the expansion phase. | 552 | extraction phase and HMAC-SHA256 for the expansion phase. |
553 | The output keying material is 32 octets (256 bits) for the symmetric | 553 | The output keying material is 32 octets (256 bits) for the symmetric |
554 | key and 4 octets (32 bits) for the nonce. | 554 | key and 4 octets (32 bits) for the nonce. |
555 | The symmetric key "K" is a 256-bit AES <xref target="RFC3826" /> key: | 555 | The symmetric key "K" is a 256-bit AES <xref target="RFC3826" /> key. |
556 | </t> | 556 | </t> |
557 | <t> | 557 | <t> |
558 | The nonce is combined with a 64-bit initialization vector and a | 558 | The nonce is combined with a 64-bit initialization vector and a |
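Review bot: The only change in this hunk is the trailing colon of `The symmetric key "K" is a 256-bit AES <xref target="RFC3826" /> key:` (line 555) becoming a period, which is fine because the nonce text that follows sits in its own `<t>` (line 557 onward). Note, however, that this section keeps the 4-octet nonce (line 554) combined with a 64-bit initialization vector (line 558), i.e. it is not converted to GCM; the one-word commit message "gcm" does not say that only the EDKEY section switches modes, so the commit message should state that scope explicitly.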
@@ -722,13 +722,19 @@ SB == R + SHA512(R, zk', M) * A' | |||
722 | <!-- FIXME: here we SHOULD consider standardizing AES-GCM | 722 | <!-- FIXME: here we SHOULD consider standardizing AES-GCM |
723 | instead. Please review this choice when implementing | 723 | instead. Please review this choice when implementing |
724 | EDKEY support! --> | 724 | EDKEY support! --> |
725 | The S-Encrypt() and S-Decrypt() functions use AES in counter mode | 725 | The S-Encrypt() and S-Decrypt() functions use AES in galois |
726 | as defined in <xref target="MODES" /> (CTR-AES-256): | 726 | counter mode as defined in <xref target="GCM" /> (GCM-AES-256): |
727 | </t> | 727 | </t> |
728 | <artwork name="" type="" align="left" alt=""><![CDATA[ | 728 | <artwork name="" type="" align="left" alt=""><![CDATA[ |
729 | RDATA := CTR-AES256(K, IV, BDATA) | 729 | RDATA := GCM-AES-256(K, IV, BDATA) |
730 | BDATA := CTR-AES256(K, IV, RDATA) | 730 | BDATA := C|T = GCM-AES-256(K, IV, RDATA) |
731 | ]]></artwork> | 731 | ]]></artwork> |
732 | <t> | ||
733 | The result of the GCM encryption function is the encrypted | ||
734 | ciphertext "C" concatenated with the GCM authentication tag "T". | ||
735 | Accordingly, the length of BDATA equals the legnth of the | ||
736 | RDATA plus the length of the GCM authentication tag. | ||
737 | </t> | ||
732 | <t> | 738 | <t> |
733 | The key "K" and counter "IV" are derived from | 739 | The key "K" and counter "IV" are derived from |
734 | the record "label" and the zone key "zk" as follows: | 740 | the record "label" and the zone key "zk" as follows: |
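Review bot: The FIXME comment at lines 722-724 ("here we SHOULD consider standardizing AES-GCM instead. Please review this choice when implementing EDKEY support!") is now stale, since this very hunk adopts GCM-AES-256; remove it or rewrite it to record whatever open question remains. Also in this hunk: "legnth" at line 735 is a typo for "length"; the artwork uses the same name `GCM-AES-256(K, IV, ...)` for both directions although the prose names S-Encrypt() and S-Decrypt(), and the decryption line `RDATA := GCM-AES-256(K, IV, BDATA)` should state that the tag "T" is verified and that RDATA is rejected when verification fails; line 739 still calls "IV" a counter, which no longer fits GCM; and the associated data input of GCM (empty or otherwise) is not specified, which leaves the construction ambiguous for implementers.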
@@ -737,39 +743,16 @@ BDATA := CTR-AES256(K, IV, RDATA) | |||
737 | PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk) | 743 | PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk) |
738 | PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk) | 744 | PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk) |
739 | K := HKDF-Expand (PRK_k, label, 256 / 8); | 745 | K := HKDF-Expand (PRK_k, label, 256 / 8); |
740 | NONCE := HKDF-Expand (PRK_n, label, 32 / 8) | 746 | IV := HKDF-Expand (PRK_n, label, 16 / 8) |
741 | ]]></artwork> | 747 | ]]></artwork> |
742 | <t> | 748 | <t> |
743 | HKDF is a hash-based key derivation function as defined in | 749 | HKDF is a hash-based key derivation function as defined in |
744 | <xref target="RFC5869" />. Specifically, HMAC-SHA512 is used for the | 750 | <xref target="RFC5869" />. Specifically, HMAC-SHA512 is used for the |
745 | extraction phase and HMAC-SHA256 for the expansion phase. | 751 | extraction phase and HMAC-SHA256 for the expansion phase. |
746 | The output keying material is 32 octets (256 bits) for the symmetric | 752 | The output keying material is 32 octets (256 bits) for the symmetric |
747 | key and 4 octets (32 bits) for the nonce. | 753 | key and 16 octets (128 bits) for the IV. |
748 | The symmetric key "K" is a 256-bit AES <xref target="RFC3826" /> key: | 754 | The symmetric key "K" is a 256-bit AES <xref target="RFC3826" /> key. |
749 | </t> | ||
750 | <t> | ||
751 | The nonce is combined with a 64-bit initialization vector and a | ||
752 | 32-bit block counter as defined in <xref target="RFC3686" />. | ||
753 | The block counter begins with the value of 1, and it is incremented | ||
754 | to generate subsequent portions of the key stream. | ||
755 | The block counter is a 32-bit integer value in network byte order. | ||
756 | The initialization vector is the expiration time of the | ||
757 | resource record block in network byte order. | ||
758 | The resulting counter ("IV") wire format is as follows: | ||
759 | </t> | 755 | </t> |
760 | <figure anchor="figure_hkdf_ivs_edkey"> | ||
761 | <artwork name="" type="" align="left" alt=""><![CDATA[ | ||
762 | 0 8 16 24 32 | ||
763 | +-----+-----+-----+-----+ | ||
764 | | NONCE | | ||
765 | +-----+-----+-----+-----+ | ||
766 | | EXPIRATION | | ||
767 | | | | ||
768 | +-----+-----+-----+-----+ | ||
769 | | BLOCK COUNTER | | ||
770 | +-----+-----+-----+-----+ | ||
771 | ]]></artwork> | ||
772 | </figure> | ||
773 | </section> | 756 | </section> |
774 | 757 | ||
775 | <section anchor="gnsrecords_gns2dns" numbered="true" toc="default"> | 758 | <section anchor="gnsrecords_gns2dns" numbered="true" toc="default"> |
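Review bot: The removed text at lines 756-757 made the CTR IV depend on the expiration time of the resource record block, whereas the new `IV := HKDF-Expand (PRK_n, label, 16 / 8)` (line 746) depends only on zk and label, so two different record blocks published under the same label (for example after a record update) are encrypted under the identical (K, IV) pair; with GCM, nonce reuse under one key reveals the XOR of the plaintexts and compromises the authentication key behind the tag, so some per-block input (such as the expiration time that was used before) should still feed into the IV derivation, or the text should explain why reuse cannot occur. In addition, `16 / 8` evaluates to 2 octets, not the 16 octets (128 bits) that line 753 states; by analogy with `K := HKDF-Expand (PRK_k, label, 256 / 8)` it should read `128 / 8`. SP 800-38D recommends a 96-bit IV and processes other lengths through GHASH, so the 128-bit choice deserves a sentence of justification. The HKDF labels "gns-aes-ctx-key" and "gns-aes-ctx-iv" are unchanged from the CTR construction; confirm that reusing them for the GCM derivation is intended.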
@@ -2282,6 +2265,22 @@ ee83f0cc79c4c5ea | |||
2282 | </abstract> | 2265 | </abstract> |
2283 | </front> | 2266 | </front> |
2284 | </reference> | 2267 | </reference> |
2268 | <reference anchor="GCM" target="https://doi.org/10.6028/NIST.SP.800-38D"> | ||
2269 | <front> | ||
2270 | <title>Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC</title> | ||
2271 | <author initials="M." surname="Dworkin" fullname="Morris Dworkin"> | ||
2272 | <organization>NIST</organization> | ||
2273 | </author> | ||
2274 | |||
2275 | <date year="2007" month="November"/> | ||
2276 | <abstract> | ||
2277 | <t> | ||
2278 | This Recommendation specifies the Galois/Counter Mode (GCM), an algorithm for authenticated encryption with associated data, and its specialization, GMAC, for generating a message authentication code (MAC) on data that is not encrypted. GCM and GMAC are modes of operation for an underlying approved symmetric key block cipher. | ||
2279 | </t> | ||
2280 | </abstract> | ||
2281 | </front> | ||
2282 | </reference> | ||
2283 | |||
2285 | <reference anchor="ed25519" target="http://link.springer.com/chapter/10.1007/978-3-642-23951-9_9"> | 2284 | <reference anchor="ed25519" target="http://link.springer.com/chapter/10.1007/978-3-642-23951-9_9"> |
2286 | <front> | 2285 | <front> |
2287 | <title>High-Speed High-Security Signatures</title> | 2286 | <title>High-Speed High-Security Signatures</title> |
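Review bot: The new `<reference anchor="GCM">` block (lines 2268-2282) has an empty line 2274 between `</author>` and `<date>` and another empty line 2283 after `</reference>`, which the neighbouring references (for example "ed25519" from line 2284) do not have; drop both for consistency. The citation data (SP 800-38D, Dworkin, NIST, November 2007, DOI 10.6028/NIST.SP.800-38D) matches the publication. If the "MODES" reference formerly cited at line 726 is no longer cited anywhere after this change, it should be removed in the same commit.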