diff options
-rw-r--r-- | draft-schanzen-gns.xml | 276 | ||||
-rw-r--r-- | ietf/secdispatch/gns.tex | 2 |
2 files changed, 180 insertions, 98 deletions
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml index a0edad4..ce0a183 100644 --- a/draft-schanzen-gns.xml +++ b/draft-schanzen-gns.xml | |||
@@ -133,43 +133,170 @@ | |||
133 | <section anchor="zones" numbered="true" toc="default"> | 133 | <section anchor="zones" numbered="true" toc="default"> |
134 | <name>Zones</name> | 134 | <name>Zones</name> |
135 | <t> | 135 | <t> |
136 | A zone in GNS is defined by a public/private ECDSA key pair (d,zk), | 136 | A GNS zone is established by creating a zone key pair. |
137 | where d is the private key and zk the corresponding public key. | 137 | GNS is extensible with respect to the cryptographic scheme used. |
138 | GNS employs the curve parameters of the twisted edwards representation | 138 | The two zone key schemes specified within this document are |
139 | of Curve25519 <xref target="RFC7748" /> (a.k.a. edwards25519) | 139 | called PKEY and EDKEY, respectively. |
140 | with the ECDSA scheme (<xref target="RFC6979" />). | ||
141 | In the following, we use the following naming convention for our | ||
142 | cryptographic primitives: | ||
143 | </t> | 140 | </t> |
144 | <dl> | 141 | <section anchor="zone_privacy" numbered="true" toc="default"> |
145 | <dt>d</dt> | 142 | <name>Privacy</name> |
146 | <dd> | 143 | <t> |
147 | is a 256-bit ECDSA private key. | 144 | In GNS, the contents of a zone are cryptographically signed before |
148 | In GNS, records are signed using a key derived from "d" as described in | 145 | publishing. Instead of the zone private key "d", the signature MUST |
149 | <xref target="publish" />. | 146 | be created using a blinded public/private key pair d' and zk'. |
150 | </dd> | 147 | This blinding is realized using a Hierarchical Deterministic Key |
151 | <dt>p</dt> | 148 | Derivation (HDKD) scheme. |
152 | <dd> | 149 | Such a scheme allows the zone owner to derivate a private d' and a |
153 | is the prime of edwards25519 as defined in <xref target="RFC7748" />, i.e. | 150 | resolver to derive the corresponding public key zk' in a deterministic |
154 | 2^255 - 19. | 151 | manner from the original public and private zone keys as well as a |
155 | </dd> | 152 | label. |
156 | <dt>B</dt> | 153 | </t> |
157 | <dd> | 154 | <t> |
158 | is the group generator (X(P),Y(P)) of edwards25519 as defined in | 155 | We define that for any type of zone key material the function |
159 | <xref target="RFC7748" />. | 156 | "HDKD-Private" must be defined as: |
160 | </dd> | 157 | </t> |
161 | <dt>L</dt> | 158 | <artwork name="" type="" align="left" alt=""><![CDATA[ |
162 | <dd> | 159 | HDKD-Private(d, label) -> d' |
163 | is the prime-order subgroup of edwards25519 in <xref target="RFC7748" />. | 160 | ]]></artwork> |
164 | </dd> | 161 | <t> |
165 | <dt>zk</dt> | 162 | where: |
166 | <dd> | 163 | </t> |
167 | is the ECDSA public key corresponding to d. It is defined in | 164 | <dl> |
168 | <xref target="RFC6979" /> as the curve point d*B where B is the group | 165 | <dt>d</dt> |
169 | generator of the elliptic curve. The public key is used to uniquely | 166 | <dd> |
170 | identify a GNS zone and is referred to as the "zone key". | 167 | Is the private zone key input. |
171 | </dd> | 168 | </dd> |
172 | </dl> | 169 | <dt>label</dt> |
170 | <dd> | ||
171 | Is the resource record label. | ||
172 | </dd> | ||
173 | <dt>d'</dt> | ||
174 | <dd> | ||
175 | Is the derived (blinded) private zone key. | ||
176 | </dd> | ||
177 | </dl> | ||
178 | <t> | ||
179 | Correspondingly, the function "HDKD-Public" must be defined as: | ||
180 | </t> | ||
181 | <artwork name="" type="" align="left" alt=""><![CDATA[ | ||
182 | HDKD-Public(zk, label) -> zk' | ||
183 | ]]></artwork> | ||
184 | <t> | ||
185 | where: | ||
186 | </t> | ||
187 | <dl> | ||
188 | <dt>zk</dt> | ||
189 | <dd> | ||
190 | Is the public zone key input. | ||
191 | </dd> | ||
192 | <dt>label</dt> | ||
193 | <dd> | ||
194 | Is the resource record label. | ||
195 | </dd> | ||
196 | <dt>d'</dt> | ||
197 | <dd> | ||
198 | Is the derived (blinded) public zone key. | ||
199 | </dd> | ||
200 | </dl> | ||
201 | </section> | ||
202 | <section anchor="zone_types" numbered="true" toc="default"> | ||
203 | <name>Zone Types</name> | ||
204 | <section anchor="zone_type_pkey" numbered="true" toc="default"> | ||
205 | <name>PKEY Zone</name> | ||
206 | <t> | ||
207 | A PKEY zone in GNS is defined by a public/private ECDSA key pair (d,zk), | ||
208 | where d is the private key and zk the corresponding public key. | ||
209 | GNS employs the curve parameters of the twisted edwards representation | ||
210 | of Curve25519 <xref target="RFC7748" /> (a.k.a. edwards25519) | ||
211 | with the ECDSA scheme (<xref target="RFC6979" />). | ||
212 | In the following, we use the following naming convention for our | ||
213 | cryptographic primitives: | ||
214 | </t> | ||
215 | <dl> | ||
216 | <dt>d</dt> | ||
217 | <dd> | ||
218 | is a 256-bit ECDSA private key. | ||
219 | </dd> | ||
220 | <dt>p</dt> | ||
221 | <dd> | ||
222 | is the prime of edwards25519 as defined in <xref target="RFC7748" />, i.e. | ||
223 | 2^255 - 19. | ||
224 | </dd> | ||
225 | <dt>B</dt> | ||
226 | <dd> | ||
227 | is the group generator (X(P),Y(P)) of edwards25519 as defined in | ||
228 | <xref target="RFC7748" />. | ||
229 | </dd> | ||
230 | <dt>L</dt> | ||
231 | <dd> | ||
232 | is the prime-order subgroup of edwards25519 in <xref target="RFC7748" />. | ||
233 | </dd> | ||
234 | <dt>zk</dt> | ||
235 | <dd> | ||
236 | is the ECDSA public key corresponding to d. It is defined in | ||
237 | <xref target="RFC6979" /> as the curve point d*B where B is the group | ||
238 | generator of the elliptic curve. The public key is used to uniquely | ||
239 | identify a GNS zone and is referred to as the "zone key". | ||
240 | </dd> | ||
241 | </dl> | ||
242 | <t> | ||
243 | Given a label, the output of the HDKD-Private function is | ||
244 | calculated as follows for PKEY zones: | ||
245 | </t> | ||
246 | <artwork name="" type="" align="left" alt=""><![CDATA[ | ||
247 | zk := d * B | ||
248 | PRK_h := HKDF-Extract ("key-derivation", zk) | ||
249 | h := HKDF-Expand (PRK_h, label | "gns", 512 / 8) | ||
250 | d' := h * d mod L | ||
251 | ]]></artwork> | ||
252 | <t> | ||
253 | Equally, given a label, the output of the HDKD-Public function is | ||
254 | calculated as follows for PKEY zones: | ||
255 | </t> | ||
256 | <artwork name="" type="" align="left" alt=""><![CDATA[ | ||
257 | PRK_h := HKDF-Extract ("key-derivation", zk) | ||
258 | h := HKDF-Expand (PRK_h, label | "gns", 512 / 8) | ||
259 | zk' := h mod L * zk | ||
260 | ]]></artwork> | ||
261 | <t> | ||
262 | We use a hash-based key derivation function (HKDF) as defined in | ||
263 | <xref target="RFC5869" />. We use HMAC-SHA512 for the extraction | ||
264 | phase and HMAC-SHA256 for the expansion phase. | ||
265 | </t> | ||
266 | <dl> | ||
267 | <dt>PRK_h</dt> | ||
268 | <dd> | ||
269 | is key material retrieved using an HKDF using the string | ||
270 | "key-derivation" as salt and the public zone key "zk" as initial | ||
271 | keying material. | ||
272 | </dd> | ||
273 | <dt>h</dt> | ||
274 | <dd> | ||
275 | is the 512-bit HKDF expansion result. The expansion info input is a | ||
276 | concatenation of the label and string "gns". | ||
277 | </dd> | ||
278 | <dt>d</dt> | ||
279 | <dd> | ||
280 | is the 256-bit private zone key as defined in <xref target="zone_type_pkey" />. | ||
281 | </dd> | ||
282 | <dt>label</dt> | ||
283 | <dd>is a UTF-8 string under which the resource records are published. | ||
284 | </dd> | ||
285 | <dt>L</dt> | ||
286 | <dd> | ||
287 | is the prime-order subgroup as defined in <xref target="zone_type_pkey" />. | ||
288 | </dd> | ||
289 | </dl> | ||
290 | <t> | ||
291 | We point out that the multiplication of "zk" with "h" is a point multiplication, | ||
292 | while the multiplication of "d" with "h" is a scalar multiplication. | ||
293 | </t> | ||
294 | </section> | ||
295 | <section anchor="zone_type_edkey" numbered="true" toc="default"> | ||
296 | <name>EDKEY Zone</name> | ||
297 | <t>TODO: Do the same as the above with a Schnorr variant</t> | ||
298 | </section> | ||
299 | </section> | ||
173 | </section> | 300 | </section> |
174 | <section anchor="rrecords" numbered="true" toc="default"> | 301 | <section anchor="rrecords" numbered="true" toc="default"> |
175 | <name>Resource Records</name> | 302 | <name>Resource Records</name> |
@@ -537,7 +664,6 @@ | |||
537 | </dl> | 664 | </dl> |
538 | </section> | 665 | </section> |
539 | </section> | 666 | </section> |
540 | |||
541 | <section anchor="publish" numbered="true" toc="default"> | 667 | <section anchor="publish" numbered="true" toc="default"> |
542 | <name>Publishing Records</name> | 668 | <name>Publishing Records</name> |
543 | <t> | 669 | <t> |
@@ -550,67 +676,28 @@ | |||
550 | label of the contained records. | 676 | label of the contained records. |
551 | </t> | 677 | </t> |
552 | <section anchor="blinding" numbered="true" toc="default"> | 678 | <section anchor="blinding" numbered="true" toc="default"> |
553 | <name>Key Derivations</name> | 679 | <name>DHT Key Derivations</name> |
554 | <t> | 680 | <t> |
555 | Given a label, the DHT key "q" is derived as follows: | 681 | Given a label, the DHT key "q" is derived as follows: |
556 | </t> | 682 | </t> |
557 | <artwork name="" type="" align="left" alt=""><![CDATA[ | 683 | <artwork name="" type="" align="left" alt=""><![CDATA[ |
558 | PRK_h := HKDF-Extract ("key-derivation", zk) | 684 | q := SHA512 (HDKD-Public(zk, label)) |
559 | h := HKDF-Expand (PRK_h, label | "gns", 512 / 8) | ||
560 | d_h := h * d mod L | ||
561 | zk_h := h mod L * zk | ||
562 | q := SHA512 (zk_h) | ||
563 | ]]></artwork> | 685 | ]]></artwork> |
564 | <t> | ||
565 | We use a hash-based key derivation function (HKDF) as defined in | ||
566 | <xref target="RFC5869" />. We use HMAC-SHA512 for the extraction | ||
567 | phase and HMAC-SHA256 for the expansion phase. | ||
568 | </t> | ||
569 | <dl> | 686 | <dl> |
570 | <dt>PRK_h</dt> | ||
571 | <dd> | ||
572 | is key material retrieved using an HKDF using the string | ||
573 | "key-derivation" as salt and the public zone key "zk" as initial | ||
574 | keying material. | ||
575 | </dd> | ||
576 | <dt>h</dt> | ||
577 | <dd> | ||
578 | is the 512-bit HKDF expansion result. The expansion info input is a | ||
579 | concatenation of the label and string "gns". | ||
580 | </dd> | ||
581 | <dt>d</dt> | ||
582 | <dd> | ||
583 | is the 256-bit private zone key as defined in <xref target="zones" />. | ||
584 | </dd> | ||
585 | <dt>label</dt> | 687 | <dt>label</dt> |
586 | <dd>is a UTF-8 string under which the resource records are published. | 688 | <dd>is a UTF-8 string under which the resource records are published. |
587 | </dd> | 689 | </dd> |
588 | <dt>d_h</dt> | 690 | <dt>zk</dt> |
589 | <dd> | ||
590 | is a 256-bit private key derived from the "d" using the | ||
591 | keying material "h". | ||
592 | </dd> | ||
593 | <dt>zk_h</dt> | ||
594 | <dd> | ||
595 | is a 256-bit public key derived from the zone key "zk" using the | ||
596 | keying material "h". | ||
597 | </dd> | ||
598 | <dt>L</dt> | ||
599 | <dd> | 691 | <dd> |
600 | is the prime-order subgroup as defined in <xref target="zones" />. | 692 | is the public zone key. |
601 | </dd> | 693 | </dd> |
602 | <dt>q</dt> | 694 | <dt>q</dt> |
603 | <dd> | 695 | <dd> |
604 | Is the 512-bit DHT key under which the resource records block is | 696 | Is the 512-bit DHT key under which the resource records block is |
605 | published. | 697 | published. |
606 | It is the SHA512 hash over the public key "zk_h" corresponding to the | 698 | It is the SHA512 hash over the derived public zone key. |
607 | derived private key "d_h". | ||
608 | </dd> | 699 | </dd> |
609 | </dl> | 700 | </dl> |
610 | <t> | ||
611 | We point out that the multiplication of "zk" with "h" is a point multiplication, | ||
612 | while the multiplication of "d" with "h" is a scalar multiplication. | ||
613 | </t> | ||
614 | </section> | 701 | </section> |
615 | <section anchor="wire" numbered="true" toc="default"> | 702 | <section anchor="wire" numbered="true" toc="default"> |
616 | <name>Resource Records Block</name> | 703 | <name>Resource Records Block</name> |
@@ -630,18 +717,16 @@ q := SHA512 (zk_h) | |||
630 | <artwork name="" type="" align="left" alt=""><![CDATA[ | 717 | <artwork name="" type="" align="left" alt=""><![CDATA[ |
631 | 0 8 16 24 32 40 48 56 | 718 | 0 8 16 24 32 40 48 56 |
632 | +-----+-----+-----+-----+-----+-----+-----+-----+ | 719 | +-----+-----+-----+-----+-----+-----+-----+-----+ |
720 | | ZONE TYPE | | ||
721 | +-----+-----+-----+-----+-----+-----+-----+-----+ | ||
633 | | SIGNATURE | | 722 | | SIGNATURE | |
634 | | | | 723 | / / |
635 | | | | 724 | / / |
636 | | | | ||
637 | | | | ||
638 | | | | ||
639 | | | | ||
640 | | | | 725 | | | |
641 | +-----+-----+-----+-----+-----+-----+-----+-----+ | 726 | +-----+-----+-----+-----+-----+-----+-----+-----+ |
642 | | PUBLIC KEY | | 727 | | PUBLIC KEY | |
643 | | | | 728 | / / |
644 | | | | 729 | / / |
645 | | | | 730 | | | |
646 | +-----+-----+-----+-----+-----+-----+-----+-----+ | 731 | +-----+-----+-----+-----+-----+-----+-----+-----+ |
647 | | SIZE | PURPOSE | | 732 | | SIZE | PURPOSE | |
@@ -658,17 +743,14 @@ q := SHA512 (zk_h) | |||
658 | <dl> | 743 | <dl> |
659 | <dt>SIGNATURE</dt> | 744 | <dt>SIGNATURE</dt> |
660 | <dd> | 745 | <dd> |
661 | A 512-bit ECDSA deterministic signature compliant with | 746 | The signature is computed over the data following |
662 | <xref target="RFC6979" />. The signature is computed over the data | 747 | the PUBLIC KEY field. |
663 | following the PUBLIC KEY field. | 748 | The signature is created using the derived private key "d'" (see |
664 | The signature is created using the derived private key "d_h" (see | 749 | <xref target="zone_types" />). |
665 | <xref target="publish" />). | ||
666 | </dd> | 750 | </dd> |
667 | <dt>PUBLIC KEY</dt> | 751 | <dt>PUBLIC KEY</dt> |
668 | <dd> | 752 | <dd> |
669 | is the 256-bit public key "zk_h" to be used to verify SIGNATURE. The | 753 | is the public key "zk'" to be used to verify SIGNATURE. |
670 | wire format of this value is defined in <xref target="RFC8032" />, | ||
671 | Section 5.1.5. | ||
672 | </dd> | 754 | </dd> |
673 | <dt>SIZE</dt> | 755 | <dt>SIZE</dt> |
674 | <dd> | 756 | <dd> |
diff --git a/ietf/secdispatch/gns.tex b/ietf/secdispatch/gns.tex index 00c9151..2f9269c 100644 --- a/ietf/secdispatch/gns.tex +++ b/ietf/secdispatch/gns.tex | |||
@@ -10,7 +10,7 @@ | |||
10 | \usepackage{multirow} | 10 | \usepackage{multirow} |
11 | \title{The GNU Name System\\\small{secdispatch -- IETF 108}\\\small{\url{https://datatracker.ietf.org/doc/draft-schanzen-gns/}}} | 11 | \title{The GNU Name System\\\small{secdispatch -- IETF 108}\\\small{\url{https://datatracker.ietf.org/doc/draft-schanzen-gns/}}} |
12 | \date{30/7/2020} | 12 | \date{30/7/2020} |
13 | \author{Martin Schanzenbach} | 13 | \author{Martin Schanzenbach\\Christian Grothoff\\Bernd Fix} |
14 | \institute{\hfill\large{GNUnet} \includegraphics[trim={0cm 1.5cm 0cm 0cm},clip,width=4em]{gnunet}} | 14 | \institute{\hfill\large{GNUnet} \includegraphics[trim={0cm 1.5cm 0cm 0cm},clip,width=4em]{gnunet}} |
15 | \begin{document} | 15 | \begin{document} |
16 | \metroset{block=fill,sectionpage=progressbar,numbering=counter} | 16 | \metroset{block=fill,sectionpage=progressbar,numbering=counter} |