Diffstat (limited to 'draft-schanzen-gns.xml')
-rw-r--r-- | draft-schanzen-gns.xml | 56 |
1 files changed, 41 insertions, 15 deletions
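--- a/draft-schanzen-gns.xml
+++ b/draft-schanzen-gns.xml
@@ -15,6 +15,7 @@
 <!ENTITY RFC6781 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6781.xml">
 <!ENTITY RFC6895 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6895.xml">
 <!ENTITY RFC6979 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6979.xml">
+<!ENTITY RFC7539 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7539.xml">
 <!ENTITY RFC7748 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7748.xml">
 <!ENTITY RFC8032 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8032.xml">
 <!ENTITY RFC8126 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8126.xml">
@@ -733,20 +734,18 @@ S := r + SHA512(R, zk', M) * a' mod L
 SB == R + SHA512(R, zk', M) * A'
 ]]></artwork>
 <t>
-<!-- FIXME: here we SHOULD consider standardizing AES-GCM
-instead. Please review this choice when implementing
-EDKEY support! -->
-The S-Encrypt() and S-Decrypt() functions use AES in galois
-counter mode as defined in <xref target="GCM" /> (GCM-AES-256):
+The S-Encrypt() and S-Decrypt() functions use ChaCha20
+as defined in <xref target="RFC7539" />
+(ChaCha20-Poly1305):
 </t>
 <artwork name="" type="" align="left" alt=""><![CDATA[
-RDATA := GCM-AES-256(K, IV, BDATA)
-BDATA := GCM-AES-256(K, IV, RDATA) = CIPHERTEXT | GCM_TAG
+RDATA := ChaCha20(K, IV, BDATA)
+BDATA := ChaCha20(K, IV, RDATA) = CIPHERTEXT | TAG
 ]]></artwork>
 <t>
-The result of the GCM encryption function is the encrypted
-ciphertext concatenated with the 128-bit GCM authentication
-tag "GCM_TAG".
+The result of the ChaCha20 encryption function is the encrypted
+ciphertext concatenated with the 128-bit authentication
+tag "TAG".
 Accordingly, the length of BDATA equals the length of the
 RDATA plus the 16 octets of the authentication tag.
 </t>
@@ -758,17 +757,43 @@ BDATA := GCM-AES-256(K, IV, RDATA) = CIPHERTEXT | GCM_TAG
 PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk)
 PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk)
 K := HKDF-Expand (PRK_k, label, 256 / 8);
-IV := HKDF-Expand (PRK_n, label, 96 / 8)
+NONCE := HKDF-Expand (PRK_n, label, 32 / 8)
 ]]></artwork>
 <t>
 HKDF is a hash-based key derivation function as defined in
 <xref target="RFC5869" />. Specifically, HMAC-SHA512 is used for the
 extraction phase and HMAC-SHA256 for the expansion phase.
 The output keying material is 32 octets (256 bits) for the symmetric
-key and 12 octets (96 bits) for the IV.
-The symmetric key "K" is a 256-bit AES <xref target="RFC3826" /> key.
+key and 4 octets (32 bits) for the NONCE.
+The symmetric key "K" is a 256-bit ChaCha20
+<xref target="RFC7539" /> key.
 No additional authenticated data (AAD) is used.
 </t>
+<t>
+The nonce is combined with a 64-bit initialization vector and a
+32-bit block counter.
+The block counter begins with the value of 1, and it is incremented
+to generate subsequent portions of the key stream.
+The block counter is a 32-bit integer value treated as a 32-bit
+little-endian integer.
+The initialization vector is the expiration time of the
+resource record block in network byte order.
+The resulting counter ("IV") wire format is as follows:
+</t>
+<figure anchor="figure_hkdf_ivs_edkey">
+<artwork name="" type="" align="left" alt=""><![CDATA[
+0 8 16 24 32
++-----+-----+-----+-----+
+| NONCE |
++-----+-----+-----+-----+
+| EXPIRATION |
+| |
++-----+-----+-----+-----+
+| BLOCK COUNTER |
++-----+-----+-----+-----+
+]]></artwork>
+</figure>
+
 </section>
 
 <section anchor="gnsrecords_gns2dns" numbered="true" toc="default">
@@ -2207,6 +2232,7 @@ cae1789d
 &RFC6781;
 &RFC6895;
 &RFC6979;
+&RFC7539;
 &RFC7748;
 &RFC8032;
 &RFC8126;
@@ -2301,7 +2327,7 @@ cae1789d
 </abstract>
 </front>
 </reference>
-<reference anchor="GCM" target="https://doi.org/10.6028/NIST.SP.800-38D">
+<!-- <reference anchor="GCM" target="https://doi.org/10.6028/NIST.SP.800-38D">
 <front>
 <title>Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC</title>
 <author initials="M." surname="Dworkin" fullname="Morris Dworkin">
@@ -2315,7 +2341,7 @@ cae1789d
 </t>
 </abstract>
 </front>
-</reference>
+</reference>-->
 <reference anchor="CrockfordB32" target="https://www.crockford.com/base32.html">
 <front>
 <title>Base32</title>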
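Review bot: In the -733 hunk the artwork defines S-Encrypt as `ChaCha20(K, IV, RDATA)` yet its output ends in a 128-bit `TAG`, and only the parenthetical mentions ChaCha20-Poly1305; bare ChaCha20 yields no tag, so the artwork should name the AEAD from RFC 7539, e.g. `BDATA := AEAD_CHACHA20_POLY1305(K, IV, RDATA) = CIPHERTEXT | TAG`. The figure added in the -758 hunk puts BLOCK COUNTER after NONCE and EXPIRATION and calls the whole 128 bits the "IV", whereas RFC 7539 places the 32-bit counter ahead of the 96-bit nonce in the cipher state and has the AEAD manage it internally (counter 0 for the Poly1305 key, 1 for the first ciphertext block); defining the 96-bit nonce as `NONCE | EXPIRATION` and leaving the counter out of the wire format would keep implementations that call a library AEAD interoperable. Because K and NONCE depend only on zk and label, EXPIRATION is the only input that varies per block, so unless a section outside this diff already says so, the text should require that a block with changed RDATA never reuses an expiration time under the same zone key and label, since a repeated key/nonce pair voids both confidentiality and the authentication tag. The HKDF salts `"gns-aes-ctx-key"` and `"gns-aes-ctx-iv"` are unchanged context lines and may deserve a short comment explaining why the AES naming is retained now that the cipher is ChaCha20.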