Diffstat (limited to 'draft-schanzen-gns.xml')
-rw-r--r-- | draft-schanzen-gns.xml | 97 |
1 files changed, 27 insertions, 70 deletions
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml index 10ba55a..a57ca8f 100644 --- a/draft-schanzen-gns.xml +++ b/draft-schanzen-gns.xml | |||
@@ -1,4 +1,4 @@ | |||
1 | <?xml version='1.0' encoding='utf-8'?> | 1 | <?xml version='1.0' encoding='utf-8'? |
2 | <!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent" [ | 2 | <!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent" [ |
3 | <!ENTITY RFC1034 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1034.xml"> | 3 | <!ENTITY RFC1034 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1034.xml"> |
4 | <!ENTITY RFC1035 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1035.xml"> | 4 | <!ENTITY RFC1035 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1035.xml"> |
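Review bot: Line 1 on the new side is shown as "<?xml version='1.0' encoding='utf-8'?" without the closing ">", and it is the only changed line in this hunk. If the file really lost that character, the XML declaration is malformed and the draft will not parse. If the change is only whitespace or a line ending, suggest dropping it from this commit so the diff carries just the ZKDF rename.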
@@ -281,8 +281,7 @@ | |||
281 | </dd> | 281 | </dd> |
282 | <dt>Zone Key Derivation Function</dt> | 282 | <dt>Zone Key Derivation Function</dt> |
283 | <dd> | 283 | <dd> |
284 | The zone key derivation function (ZKDF) blinds a key using a label. | 284 | The zone key derivation function (ZKDF) blinds a zone key using a label. |
285 | There are different functions for public and private keys, respectively. | ||
286 | </dd> | 285 | </dd> |
287 | <dt>Zone Owner</dt> | 286 | <dt>Zone Owner</dt> |
288 | <dd> | 287 | <dd> |
@@ -453,15 +452,7 @@ | |||
453 | is a function to generate a new private key d and | 452 | is a function to generate a new private key d and |
454 | the corresponding public zone key zk. | 453 | the corresponding public zone key zk. |
455 | </dd> | 454 | </dd> |
456 | <dt>ZKDF-Private(d,label) -> d'</dt> | 455 | <dt>ZKDF(zk,label) -> zk'</dt> |
457 | <dd> | ||
458 | is a zone key derivation function which blinds a private key d | ||
459 | using label, resulting in another private key which | ||
460 | can be used to create cryptographic signatures. | ||
461 | GNS only requires a signature to be created directly with | ||
462 | d to sign a revocation message for the zone key zk. | ||
463 | </dd> | ||
464 | <dt>ZKDF-Public(zk,label) -> zk'</dt> | ||
465 | <dd> | 456 | <dd> |
466 | is a zone key derivation function which blinds a zone key zk | 457 | is a zone key derivation function which blinds a zone key zk |
467 | using a label. zk and zk' must be unlinkable. Furthermore, | 458 | using a label. zk and zk' must be unlinkable. Furthermore, |
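Review bot: Removing the ZKDF-Private entry (old lines 456-463) also drops the statement that GNS only requires a signature created directly with d to sign a revocation message for zk, and no visible hunk re-adds it. Suggest moving that sentence to the Sign() or SignDerived() entry so the distinction between signing with d and signing with the derived d' stays documented.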
@@ -502,7 +493,7 @@ | |||
502 | <dt>SignDerived(d,label,message) -> signature</dt> | 493 | <dt>SignDerived(d,label,message) -> signature</dt> |
503 | <dd> | 494 | <dd> |
504 | is a function to sign a message (typically encrypted record data) that | 495 | is a function to sign a message (typically encrypted record data) that |
505 | can be verified using the derived zone key zk' := ZKDF-Public(zk,label). | 496 | can be verified using the derived zone key zk' := ZKDF(zk,label). |
506 | In order to leverage performance-enhancing caching features of certain | 497 | In order to leverage performance-enhancing caching features of certain |
507 | underlying storages, in particular DHTs, a deterministic signature | 498 | underlying storages, in particular DHTs, a deterministic signature |
508 | scheme is recommended. | 499 | scheme is recommended. |
@@ -510,7 +501,7 @@ | |||
510 | <dt>VerifyDerived(zk,label,message,signature) -> boolean</dt> | 501 | <dt>VerifyDerived(zk,label,message,signature) -> boolean</dt> |
511 | <dd> | 502 | <dd> |
512 | is function to verify the signature using the derived zone key | 503 | is function to verify the signature using the derived zone key |
513 | zk' := ZKDF-Public(zk,label). | 504 | zk' := ZKDF(zk,label). |
514 | The function returns a boolean value of "TRUE" if the signature is valid, | 505 | The function returns a boolean value of "TRUE" if the signature is valid, |
515 | and otherwise "FALSE". | 506 | and otherwise "FALSE". |
516 | </dd> | 507 | </dd> |
@@ -1068,25 +1059,11 @@ zTLD[126..129].zTLD[63..125].zTLD[0..62] | |||
1068 | The zone type and zone key of a PKEY are 4 + 32 bytes in length. This means that | 1059 | The zone type and zone key of a PKEY are 4 + 32 bytes in length. This means that |
1069 | a zTLD will always fit into a single label and does | 1060 | a zTLD will always fit into a single label and does |
1070 | not need any further conversion. | 1061 | not need any further conversion. |
1071 | </t> | 1062 | Given a label, the output zk' of the ZKDF(zk,label) function is |
1072 | <t> | ||
1073 | Given a label, the output d' of the ZKDF-Private(d,label) function for zone | ||
1074 | key blinding is calculated as follows for PKEY zones: | ||
1075 | </t> | ||
1076 | <artwork name="" type="" align="left" alt=""><![CDATA[ | ||
1077 | ZKDF-Private(d,label): | ||
1078 | zk := d * G | ||
1079 | PRK_h := HKDF-Extract ("key-derivation", zk) | ||
1080 | h := HKDF-Expand (PRK_h, label || "gns", 512 / 8) | ||
1081 | d' := (h * d) mod L | ||
1082 | return d' | ||
1083 | ]]></artwork> | ||
1084 | <t> | ||
1085 | Equally, given a label, the output zk' of the ZKDF-Public(zk,label) function is | ||
1086 | calculated as follows for PKEY zones: | 1063 | calculated as follows for PKEY zones: |
1087 | </t> | 1064 | </t> |
1088 | <artwork name="" type="" align="left" alt=""><![CDATA[ | 1065 | <artwork name="" type="" align="left" alt=""><![CDATA[ |
1089 | ZKDF-Public(zk,label): | 1066 | ZKDF(zk,label): |
1090 | PRK_h := HKDF-Extract ("key-derivation", zk) | 1067 | PRK_h := HKDF-Extract ("key-derivation", zk) |
1091 | h := HKDF-Expand (PRK_h, label || "gns", 512 / 8) | 1068 | h := HKDF-Expand (PRK_h, label || "gns", 512 / 8) |
1092 | zk' := (h mod L) * zk | 1069 | zk' := (h mod L) * zk |
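Review bot: Dropping the "</t>" and "<t>" at old lines 1071-1072 merges the ZKDF sentence into the paragraph about zTLD label length, so new lines 1059-1064 form one paragraph covering two unrelated topics. Suggest keeping the paragraph break before "Given a label, the output zk' of the ZKDF(zk,label) function is", so the artwork that follows has its own lead-in paragraph.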
@@ -1113,7 +1090,10 @@ ZKDF-Public(zk,label): | |||
1113 | </t> | 1090 | </t> |
1114 | <artwork name="" type="" align="left" alt=""><![CDATA[ | 1091 | <artwork name="" type="" align="left" alt=""><![CDATA[ |
1115 | SignDerived(d,label,message): | 1092 | SignDerived(d,label,message): |
1116 | d' := ZKDF-Private(d,label) | 1093 | zk := d * G |
1094 | PRK_h := HKDF-Extract ("key-derivation", zk) | ||
1095 | h := HKDF-Expand (PRK_h, label || "gns", 512 / 8) | ||
1096 | d' := (h * d) mod L | ||
1117 | return Sign(d',message) | 1097 | return Sign(d',message) |
1118 | ]]></artwork> | 1098 | ]]></artwork> |
1119 | <t> | 1099 | <t> |
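Review bot: The PRK_h and h lines added at new 1094-1095 duplicate the ones in ZKDF(zk,label), and the two blocks write the reduction differently: ZKDF has "zk' := (h mod L) * zk" while this block has "d' := (h * d) mod L". Suggest a comment here stating that h must be the same value as in ZKDF so that d' * G == zk', or a single named step for computing h that both blocks reference, so a later edit cannot change one copy only.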
@@ -1121,7 +1101,7 @@ SignDerived(d,label,message): | |||
1121 | </t> | 1101 | </t> |
1122 | <artwork name="" type="" align="left" alt=""><![CDATA[ | 1102 | <artwork name="" type="" align="left" alt=""><![CDATA[ |
1123 | VerifyDerived(zk,label,message,signature): | 1103 | VerifyDerived(zk,label,message,signature): |
1124 | zk' := ZKDF-Public(zk,label) | 1104 | zk' := ZKDF(zk,label) |
1125 | return Verify(zk',message,signature) | 1105 | return Verify(zk',message,signature) |
1126 | ]]></artwork> | 1106 | ]]></artwork> |
1127 | <t> | 1107 | <t> |
@@ -1265,37 +1245,11 @@ S-Decrypt(zk,label,expiration,ciphertext): | |||
1265 | <t> | 1245 | <t> |
1266 | The "EDKEY" ZKDF instantiation is based on <xref target="Tor224"/>. | 1246 | The "EDKEY" ZKDF instantiation is based on <xref target="Tor224"/>. |
1267 | The calculation of a is defined in Section 5.1.5 of <xref target="RFC8032" />. | 1247 | The calculation of a is defined in Section 5.1.5 of <xref target="RFC8032" />. |
1268 | Given a label, the output of the ZKDF-Private function for zone | 1248 | Given a label, the output of the ZKDF function is |
1269 | key blinding is calculated as follows: | ||
1270 | </t> | ||
1271 | <artwork name="" type="" align="left" alt=""><![CDATA[ | ||
1272 | ZKDF-Private(d,label): | ||
1273 | /* EdDSA clamping */ | ||
1274 | dh := SHA-512 (d) | ||
1275 | a := dh[0..31] | ||
1276 | a[0] &= 248 | ||
1277 | a[31] &= 127 | ||
1278 | a[31] |= 64 | ||
1279 | /* Calculate zk corresponding to d */ | ||
1280 | zk := a * G | ||
1281 | |||
1282 | /* Calculate the blinding factor h */ | ||
1283 | PRK_h := HKDF-Extract ("key-derivation", zk) | ||
1284 | h := HKDF-Expand (PRK_h, label || "gns", 512 / 8) | ||
1285 | /* Ensure that h == h mod L */ | ||
1286 | h[31] &= 7 | ||
1287 | |||
1288 | a1 := a >> 3 | ||
1289 | a2 := (h * a1) mod L | ||
1290 | d' := a2 << 3 | ||
1291 | return d' | ||
1292 | ]]></artwork> | ||
1293 | <t> | ||
1294 | Equally, given a label, the output of the ZKDF-Public function is | ||
1295 | calculated as follows: | 1249 | calculated as follows: |
1296 | </t> | 1250 | </t> |
1297 | <artwork name="" type="" align="left" alt=""><![CDATA[ | 1251 | <artwork name="" type="" align="left" alt=""><![CDATA[ |
1298 | ZKDF-Public(zk,label): | 1252 | ZKDF(zk,label): |
1299 | /* Calculate the blinding factor */ | 1253 | /* Calculate the blinding factor */ |
1300 | PRK_h := HKDF-Extract ("key-derivation", zk) | 1254 | PRK_h := HKDF-Extract ("key-derivation", zk) |
1301 | h := HKDF-Expand (PRK_h, label || "gns", 512 / 8) | 1255 | h := HKDF-Expand (PRK_h, label || "gns", 512 / 8) |
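Review bot: The context sentence at new line 1247, "The calculation of a is defined in Section 5.1.5 of RFC8032", now leads into ZKDF(zk,label), which takes zk and label; the only block in this hunk that computed a was the removed ZKDF-Private. Suggest moving that sentence next to the EDKEY SignDerived artwork, where a is still used (a1 := a >> 3), so the reference sits beside the code it explains.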
@@ -1339,9 +1293,9 @@ ZKDF-Public(zk,label): | |||
1339 | be implemented as defined in <xref target="RFC8032" />. | 1293 | be implemented as defined in <xref target="RFC8032" />. |
1340 | </t> | 1294 | </t> |
1341 | <t> | 1295 | <t> |
1342 | Signatures for EDKEY zones using the derived private scalar d' | 1296 | Signatures for EDKEY zones use a derived private scalar d' |
1343 | are not compliant with <xref target="RFC8032" />. | 1297 | which is not compliant with <xref target="RFC8032" />. |
1344 | As the corresponding private key to the derived private scalar d' | 1298 | As the corresponding private key to the derived private scalar |
1345 | is not known, it is not possible to deterministically derive the | 1299 | is not known, it is not possible to deterministically derive the |
1346 | signature part R according to <xref target="RFC8032" />. | 1300 | signature part R according to <xref target="RFC8032" />. |
1347 | Instead, signatures <bcp14>MUST</bcp14> be generated as follows for any given | 1301 | Instead, signatures <bcp14>MUST</bcp14> be generated as follows for any given |
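Review bot: The rewording at new lines 1296-1297 changes what is described as non-compliant. The old text said the signatures are not compliant with RFC8032; in the new text "which is not compliant" attaches to the derived private scalar d'. If the intent is unchanged, suggest "Signatures for EDKEY zones use a derived private scalar d' and are therefore not compliant with RFC8032". New line 1298 also drops the d' after "derived private scalar"; keeping the symbol makes the reference unambiguous.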
@@ -1368,9 +1322,13 @@ SignDerived(d,label,message): | |||
1368 | /* Calculate blinding factor */ | 1322 | /* Calculate blinding factor */ |
1369 | PRK_h := HKDF-Extract ("key-derivation", zk) | 1323 | PRK_h := HKDF-Extract ("key-derivation", zk) |
1370 | h := HKDF-Expand (PRK_h, label || "gns", 512 / 8) | 1324 | h := HKDF-Expand (PRK_h, label || "gns", 512 / 8) |
1325 | /* Ensure that h == h mod L */ | ||
1326 | h[31] &= 7 | ||
1371 | 1327 | ||
1372 | d' := ZKDF-Private(d,label) | ||
1373 | zk' := h * zk | 1328 | zk' := h * zk |
1329 | a1 := a >> 3 | ||
1330 | a2 := (h * a1) mod L | ||
1331 | d' := a2 << 3 | ||
1374 | nonce := SHA-256 (dh[32..63] || h) | 1332 | nonce := SHA-256 (dh[32..63] || h) |
1375 | r := SHA-512 (nonce || message) | 1333 | r := SHA-512 (nonce || message) |
1376 | R := r * G | 1334 | R := r * G |
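Review bot: Inlining the mask at new line 1326 places "h[31] &= 7" before "zk' := h * zk" and before "nonce := SHA-256 (dh[32..63] || h)", so both now use the masked h. On the old side the mask appeared only inside ZKDF-Private and these two lines used h as it came out of HKDF-Expand. That is a behaviour change in a commit that otherwise reads as a rename: the deterministic R changes, so existing test vectors need regenerating, and the commit message should say so. Separately, the comment "Ensure that h == h mod L" does not match what is visible: h is 512 / 8 = 64 bytes and only byte 31 is masked. Suggest stating whether h is truncated to 32 bytes first, or writing the reduction explicitly as in the PKEY block.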
@@ -1382,7 +1340,7 @@ SignDerived(d,label,message): | |||
1382 | </t> | 1340 | </t> |
1383 | <artwork name="" type="" align="left" alt=""><![CDATA[ | 1341 | <artwork name="" type="" align="left" alt=""><![CDATA[ |
1384 | VerifyDerived(zk,label,message,signature): | 1342 | VerifyDerived(zk,label,message,signature): |
1385 | zk' := ZKDF-Public(zk,label) | 1343 | zk' := ZKDF(zk,label) |
1386 | (R,S) := signature | 1344 | (R,S) := signature |
1387 | return S * G == R + SHA-512(R, zk', message) * zk' | 1345 | return S * G == R + SHA-512(R, zk', message) * zk' |
1388 | ]]></artwork> | 1346 | ]]></artwork> |
@@ -1779,7 +1737,7 @@ GET(key) -> value | |||
1779 | Given a label, the storage key q is derived as follows: | 1737 | Given a label, the storage key q is derived as follows: |
1780 | </t> | 1738 | </t> |
1781 | <artwork name="" type="" align="left" alt=""><![CDATA[ | 1739 | <artwork name="" type="" align="left" alt=""><![CDATA[ |
1782 | q := SHA-512 (ZKDF-Public(zk, label)) | 1740 | q := SHA-512 (ZKDF(zk, label)) |
1783 | ]]></artwork> | 1741 | ]]></artwork> |
1784 | <dl> | 1742 | <dl> |
1785 | <dt>label</dt> | 1743 | <dt>label</dt> |
@@ -1851,7 +1809,7 @@ q := SHA-512 (ZKDF-Public(zk, label)) | |||
1851 | </dd> | 1809 | </dd> |
1852 | <dt>ZONE KEY</dt> | 1810 | <dt>ZONE KEY</dt> |
1853 | <dd> | 1811 | <dd> |
1854 | is the blinded zone key "ZKDF-Public(zk, label)" | 1812 | is the blinded zone key "ZKDF(zk, label)" |
1855 | to be used to verify SIGNATURE. | 1813 | to be used to verify SIGNATURE. |
1856 | The length and format of the public key depends on the ztype. | 1814 | The length and format of the public key depends on the ztype. |
1857 | </dd> | 1815 | </dd> |
@@ -1860,9 +1818,8 @@ q := SHA-512 (ZKDF-Public(zk, label)) | |||
1860 | The signature is computed over the EXPIRATION and BDATA fields | 1818 | The signature is computed over the EXPIRATION and BDATA fields |
1861 | as detailed in <xref target="figure_rrsigwithpseudo"/>. | 1819 | as detailed in <xref target="figure_rrsigwithpseudo"/>. |
1862 | The length and format of the signature depends on the ztype. | 1820 | The length and format of the signature depends on the ztype. |
1863 | The signature is created using the Sign() function of | 1821 | The signature is created using the SignDerived() function of |
1864 | the cryptosystem of the zone and the derived private key | 1822 | the cryptosystem of the zone (see <xref target="zones" />). |
1865 | "ZKDF-Private(d, label)" (see <xref target="zones" />). | ||
1866 | </dd> | 1823 | </dd> |
1867 | <dt>EXPIRATION</dt> | 1824 | <dt>EXPIRATION</dt> |
1868 | <dd> | 1825 | <dd> |
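Review bot: The new SIGNATURE text at lines 1821-1822 names SignDerived() but no longer says which inputs it is called with; the old text named the derived private key "ZKDF-Private(d, label)" explicitly. Suggest writing it as "SignDerived(d, label, message)", with a note that label is the label of the record set and message is the data covered per the referenced figure, matching the way ZONE KEY is described as "ZKDF(zk, label)".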