gcm

author: Martin Schanzenbach <mschanzenbach@posteo.de> 2020-10-05 14:51:32 +0200
committer: Martin Schanzenbach <mschanzenbach@posteo.de> 2020-10-05 14:51:32 +0200
commit: 7653d417abc4f30906c252484b003229156ab857 (patch)
tree: 22a64623855175dcd5aa343d8714fe7762cfc013
parent: 5bd96ee1fb7a9c7338ee6756a50d9d5e5a690c24 (diff)
download: lsd0001-7653d417abc4f30906c252484b003229156ab857.tar.gz
lsd0001-7653d417abc4f30906c252484b003229156ab857.zip
1 files changed, 31 insertions, 32 deletions
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
index 3ef601b..7f89014 100644
--- a/draft-schanzen-gns.xml
+++ b/draft-schanzen-gns.xml
@@ -552,7 +552,7 @@ NONCE := HKDF-Expand (PRK_n, label, 32 / 8)
         extraction phase and HMAC-SHA256 for the expansion phase.
         The output keying material is 32 octets (256 bits) for the symmetric
         key and 4 octets (32 bits) for the nonce.
-         The symmetric key "K" is a 256-bit AES <xref target="RFC3826" /> key:
+         The symmetric key "K" is a 256-bit AES <xref target="RFC3826" /> key.
       </t>
       <t>
         The nonce is combined with a 64-bit initialization vector and a
@@ -722,13 +722,19 @@ SB == R + SHA512(R, zk', M) * A'
           <!-- FIXME: here we SHOULD consider standardizing AES-GCM
                instead. Please review this choice when implementing
                EDKEY support! -->
-           The S-Encrypt() and S-Decrypt() functions use AES in counter mode
+           The S-Encrypt() and S-Decrypt() functions use AES in galois
-           as defined in <xref target="MODES" /> (CTR-AES-256):
+           counter mode as defined in <xref target="GCM" /> (GCM-AES-256):
         </t>
         <artwork name="" type="" align="left" alt=""><![CDATA[
-RDATA := CTR-AES256(K, IV, BDATA)
+RDATA := GCM-AES-256(K, IV, BDATA)
-BDATA := CTR-AES256(K, IV, RDATA)
+BDATA := C|T = GCM-AES-256(K, IV, RDATA)
-         ]]></artwork>
+           ]]></artwork>
+         <t>
+           The result of the GCM encryption function is the encrypted
+           ciphertext "C" concatenated with the GCM authentication tag "T".
+           Accordingly, the length of BDATA equals the legnth of the
+           RDATA plus the length of the GCM authentication tag.
+         </t>
         <t>
           The key "K" and counter "IV" are derived from
           the record "label" and the zone key "zk" as follows:
@@ -737,39 +743,16 @@ BDATA := CTR-AES256(K, IV, RDATA)
 PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk)
 PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk)
 K := HKDF-Expand (PRK_k, label, 256 / 8);
-NONCE := HKDF-Expand (PRK_n, label, 32 / 8)
+IV := HKDF-Expand (PRK_n, label, 16 / 8)
 ]]></artwork>
         <t>
           HKDF is a hash-based key derivation function as defined in
           <xref target="RFC5869" />. Specifically, HMAC-SHA512 is used for the
           extraction phase and HMAC-SHA256 for the expansion phase.
           The output keying material is 32 octets (256 bits) for the symmetric
-           key and 4 octets (32 bits) for the nonce.
+           key and 16 octets (128 bits) for the IV.
-           The symmetric key "K" is a 256-bit AES <xref target="RFC3826" /> key:
+           The symmetric key "K" is a 256-bit AES <xref target="RFC3826" /> key.
-         </t>
-         <t>
-           The nonce is combined with a 64-bit initialization vector and a
-           32-bit block counter as defined in <xref target="RFC3686" />.
-           The block counter begins with the value of 1, and it is incremented
-           to generate subsequent portions of the key stream.
-           The block counter is a 32-bit integer value in network byte order.
-           The initialization vector is the expiration time of the
-           resource record block in network byte order.
-           The resulting counter ("IV") wire format is as follows:
         </t>
-         <figure anchor="figure_hkdf_ivs_edkey">
-           <artwork name="" type="" align="left" alt=""><![CDATA[
-0     8     16    24    32
-+-----+-----+-----+-----+
-|         NONCE         |
-+-----+-----+-----+-----+
-|       EXPIRATION      |
-|                       |
-+-----+-----+-----+-----+
-|      BLOCK COUNTER    |
-+-----+-----+-----+-----+
-           ]]></artwork>
-         </figure>
       </section>
       <section anchor="gnsrecords_gns2dns" numbered="true" toc="default">
@@ -2282,6 +2265,22 @@ ee83f0cc79c4c5ea
           </abstract>
         </front>
       </reference>
+       <reference anchor="GCM" target="https://doi.org/10.6028/NIST.SP.800-38D">
+         <front>
+           <title>Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC</title>
+          <author initials="M." surname="Dworkin" fullname="Morris Dworkin">
+            <organization>NIST</organization>
+          </author>
+           <date year="2007" month="November"/>
+           <abstract>
+             <t>
+               This Recommendation specifies the Galois/Counter Mode (GCM), an algorithm for authenticated encryption with associated data, and its specialization, GMAC, for generating a message authentication code (MAC) on data that is not encrypted. GCM and GMAC are modes of operation for an underlying approved symmetric key block cipher.
+             </t>
+           </abstract>
+         </front>
+       </reference>
      <reference anchor="ed25519" target="http://link.springer.com/chapter/10.1007/978-3-642-23951-9_9">
         <front>
           <title>High-Speed High-Security Signatures</title>
author	Martin Schanzenbach <mschanzenbach@posteo.de>	2020-10-05 14:51:32 +0200
committer	Martin Schanzenbach <mschanzenbach@posteo.de>	2020-10-05 14:51:32 +0200
commit	7653d417abc4f30906c252484b003229156ab857 (patch)
tree	22a64623855175dcd5aa343d8714fe7762cfc013
parent	5bd96ee1fb7a9c7338ee6756a50d9d5e5a690c24 (diff)
download	lsd0001-7653d417abc4f30906c252484b003229156ab857.tar.gz lsd0001-7653d417abc4f30906c252484b003229156ab857.zip