author | Martin Schanzenbach <schanzen@gnunet.org> | 2022-02-04 20:33:49 +0100 |
---|---|---|
committer | Martin Schanzenbach <schanzen@gnunet.org> | 2022-02-04 20:33:49 +0100 |
commit | c972b4c4f0d6fcbd2c3dd4aef66543da7b5d5c6e (patch) | |
tree | 20d7ea4385f3dc83e293e553795522c2b0beca79 | |
parent | 41437cd20299d6c7c6b90841e143e338bd8b5440 (diff) | |
download | lsd0001-c972b4c4f0d6fcbd2c3dd4aef66543da7b5d5c6e.tar.gz lsd0001-c972b4c4f0d6fcbd2c3dd4aef66543da7b5d5c6e.zip |
better procedure definitions
-rw-r--r-- | draft-schanzen-gns.xml | 170 |
1 files changed, 89 insertions, 81 deletions
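diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
index 640e135..c79feb7 100644
--- a/draft-schanzen-gns.xml
+++ b/draft-schanzen-gns.xml
@@ -977,19 +977,23 @@ zTLD := zkl[126..129].zkl[63..125].zkl[0..62]
 key blinding is calculated as follows for PKEY zones:
 </t>
 <artwork name="" type="" align="left" alt=""><![CDATA[
-zk := d * G
-PRK_h := HKDF-Extract ("key-derivation", zk)
-h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
-d' := (h * d) mod L
+ZKDF-Private(d,label):
+zk := d * G
+PRK_h := HKDF-Extract ("key-derivation", zk)
+h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
+d' := (h * d) mod L
+return d'
 ]]></artwork>
 <t>
 Equally, given a label, the output zk' of the ZKDF-Public(zk,label) function is
 calculated as follows for PKEY zones:
 </t>
 <artwork name="" type="" align="left" alt=""><![CDATA[
-PRK_h := HKDF-Extract ("key-derivation", zk)
-h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
-zk' := (h mod L) * zk
+ZKDF-Public(zk,label)
+PRK_h := HKDF-Extract ("key-derivation", zk)
+h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
+zk' := (h mod L) * zk
+return zk'
 ]]></artwork>
 <t>
 The PKEY cryptosystem uses a hash-based key derivation function (HKDF) as defined in
@@ -1010,28 +1014,41 @@ zk' := (h mod L) * zk
 The Sign() and Verify() functions
 for PKEY zones are implemented using 512-bit ECDSA deterministic
 signatures as specified in <xref target="RFC6979" />.
+The same functions can be used for derived keys.
 </t>
 <t>
 The S-Encrypt() and S-Decrypt() functions use AES in counter mode
 as defined in <xref target="MODES" /> (CTR-AES-256):
 </t>
-<artwork name="" type="" align="left" alt=""><![CDATA[
-CIPHERTEXT := CTR-AES256(K, IV, DATA)
-DATA := CTR-AES256(K, IV, CIPHERTEXT)
-]]></artwork>
+<figure anchor="figure_senc_pkey">
+<artwork name="" type="" align="left" alt=""><![CDATA[
+S-Encrypt(zk,label,expiration,plaintext):
+PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk)
+PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk)
+K := HKDF-Expand (PRK_k, label, 256 / 8)
+NONCE := HKDF-Expand (PRK_n, label, 32 / 8)
+IV := NONCE | expiration | 0x0000000000000001
+return CTR-AES256(K, IV, plaintext)
+]]></artwork>
+</figure>
+<t>The PKEY S-Encrypt Procedure.</t>
+<figure anchor="figure_sdec_pkey">
+<artwork name="" type="" align="left" alt=""><![CDATA[
+S-Decrypt(zk,label,expiration,ciphertext):
+PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk)
+PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk)
+K := HKDF-Expand (PRK_k, label, 256 / 8)
+NONCE := HKDF-Expand (PRK_n, label, 32 / 8)
+IV := NONCE | expiration | 0x0000000000000001
+return CTR-AES256(K, IV, ciphertext)
+]]></artwork>
+</figure>
+<t>The PKEY S-Decrypt Procedure.</t>
 <t>
 The key K and counter IV are derived from
-the record label and the zone key zk as follows:
-</t>
-<artwork name="" type="" align="left" alt=""><![CDATA[
-PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk)
-PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk)
-K := HKDF-Expand (PRK_k, label, 256 / 8);
-NONCE := HKDF-Expand (PRK_n, label, 32 / 8)
-]]></artwork>
-<t>
-HKDF is a hash-based key derivation function as defined in
-<xref target="RFC5869" />. Specifically, SHA-512 <xref target="RFC6234"/> is used for the
+the record label and the zone key zk using a hash-based key
+derivation function (HDKF) as defined in <xref target="RFC5869" />.
+SHA-512 <xref target="RFC6234"/> is used for the
 extraction phase and SHA-256 <xref target="RFC6234"/> for the expansion phase.
 The output keying material is 32 bytes (256 bits) for the symmetric
 key and 4 bytes (32 bits) for the nonce.
@@ -1062,31 +1079,6 @@ NONCE := HKDF-Expand (PRK_n, label, 32 / 8)
 ]]></artwork>
 </figure>
 <t>The Block Counter Wire Format.</t>
-<figure anchor="figure_senc_pkey">
-<artwork name="" type="" align="left" alt=""><![CDATA[
-S-Encrypt(zk,label,expiration,message):
-PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk)
-PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk)
-K := HKDF-Expand (PRK_k, label, 256 / 8);
-NONCE := HKDF-Expand (PRK_n, label, 32 / 8)
-IV := NONCE | expiration | 0x0000000000000001
-return CTR-AES256(K, IV, DATA)
-]]></artwork>
-</figure>
-<t>The PKEY S-Encrypt Procedure.</t>
-<figure anchor="figure_sdec_pkey">
-<artwork name="" type="" align="left" alt=""><![CDATA[
-S-Decrypt(zk,label,expiration,ciphertext):
-PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk)
-PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk)
-K := HKDF-Expand (PRK_k, label, 256 / 8);
-NONCE := HKDF-Expand (PRK_n, label, 32 / 8)
-IV := NONCE | expiration | 0x0000000000000001
-return CTR-AES256(K, IV, ciphertext)
-]]></artwork>
-</figure>
-<t>The PKEY S-Decrypt Procedure.</t>
-<!-- FIXME: Explicit precedures would be nicer Appendix?-->
 </section>
 <section anchor="gnsrecords_edkey" numbered="true" toc="default">
 <name>EDKEY</name>
@@ -1176,23 +1168,27 @@ S-Decrypt(zk,label,expiration,ciphertext):
 key blinding is calculated as follows for EDKEY zones:
 </t>
 <artwork name="" type="" align="left" alt=""><![CDATA[
-zk := a * G
-PRK_h := HKDF-Extract ("key-derivation", zk)
-h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
-h[31] &= 7
-a1 := a >> 3
-a2 := (h * a1) mod L
-a' = a2 << 3
+ZKDF-Private(d,label):
+zk := a * G
+PRK_h := HKDF-Extract ("key-derivation", zk)
+h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
+h[31] &= 7
+a1 := a >> 3
+a2 := (h * a1) mod L
+a' = a2 << 3
+return a'
 ]]></artwork>
 <t>
 Equally, given a label, the output of the ZKDF-Public function is
 calculated as follows for PKEY zones:
 </t>
 <artwork name="" type="" align="left" alt=""><![CDATA[
-PRK_h := HKDF-Extract ("key-derivation", zk)
-h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
-h[31] &= 7 // Implies h mod L == h
-zk' := h * zk
+ZKDF-Public(zk,label):
+PRK_h := HKDF-Extract ("key-derivation", zk)
+h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
+h[31] &= 7 // Implies h mod L == h
+zk' := h * zk
+return zk'
 ]]></artwork>
 <t>
 We note that implementers SHOULD employ a constant time scalar
@@ -1226,36 +1222,44 @@ zk' := h * zk
 co-factor are integer operations.
 </t>
 <t>
+The Sign(d,message) and Verify(zk,message,signature) procedures MUST
+be implemented as defined in <xref target="ed25519" />.
+</t>
+<t>
 Signatures for EDKEY zones using the derived private key a'
 are not compliant with <xref target="ed25519" />.
 As the corresponding private key to the derived private scalar a'
 is not known, it is not possible to deterministically derive the
 signature part R according to <xref target="ed25519" />.
 Instead, signatures MUST be generated as follows for any given
-message M:
+message and private zone key:
 A nonce is calculated from the highest 32 bytes of the
 expansion of the private key d and the blinding factor h.
-The nonce is then hashed with the message M to r.
+The nonce is then hashed with the message to r.
 This way, we include the full derivation path in the calculation
 of the R value of the signature, ensuring that it is never reused
 for two different derivation paths or messages.
 </t>
 <!-- Blinded key signatures need a different method signature
 FIXME Should we use a'
-nonce := SHA-256 (a')?
+nonce := SHA-256 (a')? Changed for now. Unclear if ok.
 -->
 <artwork name="" type="" align="left" alt=""><![CDATA[
-dh := SHA-512 (d)
-nonce := SHA-256 (dh[32..63] | h)
-r := SHA-512 (nonce | M)
-R := r * G
-S := r + SHA-512(R | zk' | M) * a' mod L
+Sign(d,message):
+dh := SHA-512 (d)
+nonce := SHA-256 (dh[32..63] | h)
+r := SHA-512 (nonce | message)
+R := r * G
+S := r + SHA-512(R | zk' | message) * a' mod L
+return (R,S)
 ]]></artwork>
 <t>
 A signature (R,S) is valid if the following holds:
 </t>
 <artwork name="" type="" align="left" alt=""><![CDATA[
-S * G == R + SHA-512(R, zk', M) * zk'
+Verify(zk',message,signature):
+(R,S) := signature
+return S * G == R + SHA-512(R, zk', message) * zk'
 ]]></artwork>
 <t>
 The S-Encrypt() and S-Decrypt() functions use XSalsa20
@@ -1263,8 +1267,19 @@ S * G == R + SHA-512(R, zk', M) * zk'
 (XSalsa20-Poly1305):
 </t>
 <artwork name="" type="" align="left" alt=""><![CDATA[
-CIPHERTEXT := XSalsa20-Poly1305(K, IV, DATA)
-DATA := XSalsa20-Poly1305(K, IV, CIPHERTEXT)
+S-Encrypt(zk,label,expiration,message):
+PRK_k := HKDF-Extract ("gns-xsalsa-ctx-key", zk)
+PRK_n := HKDF-Extract ("gns-xsalsa-ctx-iv", zk)
+K := HKDF-Expand (PRK_k, label, 256 / 8);
+NONCE := HKDF-Expand (PRK_n, label, 128 / 8)
+return XSalsa20-Poly1305(K, IV, message)
+
+S-Decrypt(zk,label,expiration,ciphertext):
+PRK_k := HKDF-Extract ("gns-xsalsa-ctx-key", zk)
+PRK_n := HKDF-Extract ("gns-xsalsa-ctx-iv", zk)
+K := HKDF-Expand (PRK_k, label, 256 / 8);
+NONCE := HKDF-Expand (PRK_n, label, 128 / 8)
+return XSalsa20-Poly1305(K, IV, ciphertext)
 ]]></artwork>
 <t>
 The result of the XSalsa20-Poly1305 encryption function is the encrypted
@@ -1275,17 +1290,10 @@ DATA := XSalsa20-Poly1305(K, IV, CIPHERTEXT)
 </t>
 <t>
 The key K and counter IV are derived from
-the record label and the zone key zk as follows:
-</t>
-<artwork name="" type="" align="left" alt=""><![CDATA[
-PRK_k := HKDF-Extract ("gns-xsalsa-ctx-key", zk)
-PRK_n := HKDF-Extract ("gns-xsalsa-ctx-iv", zk)
-K := HKDF-Expand (PRK_k, label, 256 / 8);
-NONCE := HKDF-Expand (PRK_n, label, 128 / 8)
-]]></artwork>
-<t>
-HKDF is a hash-based key derivation function as defined in
-<xref target="RFC5869" />. Specifically, SHA-512 <xref target="RFC6234"/> is used for the
+the record label and the zone key zk using a hash-based key
+derivation function (HKDF) as defined in
+<xref target="RFC5869" />.
+SHA-512 <xref target="RFC6234"/> is used for the
 extraction phase and SHA-256 <xref target="RFC6234"/> for the expansion phase.
 The output keying material is 32 bytes (256 bits) for the symmetric
 key and 16 bytes (128 bits) for the NONCE.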
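Review bot: In the new EDKEY S-Encrypt/S-Decrypt procedures (new lines 1270-1282) the value handed to XSalsa20-Poly1305 is `IV`, which is never defined in either procedure; the derived `NONCE` is the only candidate, and the `expiration` parameter is never used, unlike the PKEY variant where it is folded into the IV. XSalsa20 takes a 192-bit nonce while the derived NONCE is 128 bits, so I suspect the intent is to append the expiration as in the PKEY case, e.g. `return XSalsa20-Poly1305(K, NONCE | expiration, message)` — but the text as written does not say so, and an implementer cannot guess it; confirm against the reference implementation. Since this is an AEAD, S-Decrypt should also state that a Poly1305 tag failure MUST cause the block to be rejected rather than returning plaintext, and the trailing `;` on the two `K :=` lines should go, matching the cleanup done in the PKEY procedures. The same header/body mismatch appears in the EDKEY `ZKDF-Private(d,label)` (whose body uses `a`, never `d`) and in `Sign(d,message)` (whose body reads `h`, `a'` and `zk'` that are neither parameters nor derived inside the procedure).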