From e05b093608f7af0192c3727538ccab7647b916c8 Mon Sep 17 00:00:00 2001 From: Martin Schanzenbach Date: Tue, 21 Dec 2021 16:25:51 +0100 Subject: move revocation --- draft-schanzen-gns.xml | 483 +++++++++++++++++++++++++------------------------ 1 file changed, 242 insertions(+), 241 deletions(-) diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml index ff6e2b2..641894b 100644 --- a/draft-schanzen-gns.xml +++ b/draft-schanzen-gns.xml @@ -1309,6 +1309,248 @@ q := SHA512 (HDKD-Public(zk, label)) +
+ Zone Revocation + + Whenever a recursive resolver encounters a new GNS zone, it MUST + check against the local revocation list whether the respective + zone key has been revoked. If the zone key was revoked, the + resolution MUST fail with an empty result set. + + + In order to revoke a zone key, a signed revocation object MUST be + published. + This object MUST be signed using the private zone key. + The revocation object is flooded in the overlay network. To prevent + flooding attacks, the revocation message MUST contain a proof of work + (PoW). + The revocation message including the PoW MAY be calculated + ahead of time to support timely revocation. + + + For all occurences below, "Argon2id" is the Password-based Key + Derivation Function as defined in . For the + PoW calculations the algorithm is instantiated with the + following parameters: + +
+
S
+
The salt. Fixed 16-byte string: "GnsRevocationPow".
+
t
+
Number of iterations: 3
+
m
+
Memory size in KiB: 1024
+
T
+
Output length of hash in bytes: 64
+
p
+
Parallelization parameter: 1
+
v
+
Algorithm version: 0x13
+
y
+
Algorithm type (Argon2id): 2
+
X
Unused
+
K
Unused
+
+ + illustrates the wire format + of the message string "P" on which the PoW is calculated. + +
+ +
+ The Wire Format of the PoW Message String. +
+
POW
+
+ A 64-bit solution to the PoW. In network byte order. +
+
TIMESTAMP
+
+ denotes the absolute 64-bit date when the revocation was computed. + In microseconds since midnight (0 hour), January 1, 1970 in network + byte order. +
+
PUBLIC KEY
+
+ is the 256-bit public key zk of the zone which is being revoked and + the key to be used to verify SIGNATURE. The + wire format of this value is defined in , + Section 5.1.5. +
+
+ + Traditionally, PoW schemes require to find a POW such that + at least D leading zeroes are found in the hash result. + D is then referred to as the difficulty of the PoW. + In order to reduce the variance in time it takes to calculate the + PoW, we require that a number Z different PoWs must be + found that on average have D leading zeroes. + + + The resulting proofs may then published and disseminated. The concrete + dissemination and publication methods are out of scope of this + document. Given an average difficulty of D, the proofs have an + expiration time of EPOCH. With each additional bit difficulty, the + lifetime of the proof is prolonged for another EPOCH. + Consequently, by calculating a more difficult PoW, the lifetime of the + proof can be increased on demand by the zone owner. + + + The parameters are defined as follows: + +
+
Z
+
The number of PoWs required is fixed at 32.
+
D
+
The difficulty is fixed at 22.
+
EPOCH
+
A single epoch is fixed at 365 days.
+
+ + The revocation message wire format is illustrated in + . + +
+ +
+ The Revocation Message Wire Format. +
+
TIMESTAMP
+
+ denotes the absolute 64-bit date when the revocation was computed. + In microseconds since midnight (0 hour), January 1, 1970 in network + byte order. This is the same value as the timestamp used in the + individual PoW calculations. +
+
TTL
+
+ denotes the relative 64-bit time to live of of the record in + microseconds also in network byte order. This field is informational + for a verifier. The verifier may discard revocation if the TTL + indicates that it is already expired. However, the actual TTL of the + revocation must be determined by examining the leading zeros in the + proof of work calculation. +
+
POW_i
+
+ The values calculated as part of the PoW, in network byte order. + Each POW_i MUST be unique in the set of POW values. + To facilitate fast verification + of uniqueness, the POW values must be given in strictly + monotonically increasing order in the message. +
+
ZONE TYPE
+
+ The 32-bit zone type corresponding to the zone public key. +
+
ZONE PUBLIC KEY
+
+ is the public key zk of the zone which is being revoked and + the key to be used to verify SIGNATURE. +
+
SIGNATURE
+
+ A signature over a timestamp and the public zone zk of the zone + which is revoked and corresponds to the key used in the PoW. + The signature is created using the Sign() function of + the cryptosystem of the zone and the private zone key + (see ). +
+
+ + The signature over the public key covers a 32-bit pseudo header + conceptually prefixed to the public key. The pseudo header includes + the key length and signature purpose. The wire format is illustrated + in . + +
+ +
+ The Wire Format of the Revocation Data for Signing. +
+
SIZE
+
+ A 32-bit value containing the length of the signed data in bytes + in network byte order. +
+
PURPOSE
+
+ A 32-bit signature purpose flag. This field MUST be 3 (in network + byte order). +
+
ZONE TYPE
+
+ The 32-bit zone type corresponding to the zone public key. +
+
ZONE PUBLIC KEY / TIMESTAMP
+
Both values as defined in the revocation data object above.
+
+ + In order to verify a revocation the following steps must be taken, + in order: + +
    +
  1. The current time MUST be between TIMESTAMP and + TIMESTAMP+TTL.
  2. +
  3. The signature MUST match the public key.
  4. +
  5. The set of POW values MUST NOT contain duplicates.
  6. +
  7. The average number of leading zeroes resulting from the provided + POW values D' MUST be greater than D.
  8. +
  9. The validation period (TTL) of the revocation is calculated as + (D'-D) * EPOCH * 1.1. The EPOCH is extended by + 10% in order to deal with unsynchronized clocks. + The TTL added on top of the TIMESTAMP yields the + expiration date.
  10. +
+
+
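Review bot: the verification steps at the end of this hunk contradict the lifetime rule stated earlier in it. Step 7 requires the average difficulty D' to be strictly greater than D and step 9 computes the validity period as "(D'-D) * EPOCH * 1.1", yet the prose above says "Given an average difficulty of D, the proofs have an expiration time of EPOCH" and "With each additional bit difficulty, the lifetime of the proof is prolonged for another EPOCH", which implies that D' = D is acceptable and that the period is (D'-D+1) * EPOCH. Pick one: either relax step 7 to "greater than or equal to D" and use (D'-D+1) in step 9, or reword the prose so that D is a minimum that by itself yields no lifetime. Two smaller points in the same list: step 1 checks the current time against TIMESTAMP+TTL before the TTL has been derived in step 9, while the TTL field in the message format is declared "informational for a verifier", so step 1 should either be moved after step 9 and use the derived value or state that it is only a pre-filter on the carried TTL; and step 5 checks only for duplicate POW_i values although the message format says they "must be given in strictly monotonically increasing order", so the verifier should reject a message whose POW values are not strictly increasing, which subsumes the duplicate check and is the whole reason for the ordering requirement. The 10% extension of EPOCH only tolerates skew on the expiry side; a verifier whose clock is behind the issuer's rejects a fresh revocation at step 1 because the current time is before TIMESTAMP, so the lower bound needs a tolerance as well. Minor wording: "occurences" should be "occurrences", "time to live of of the record" has a doubled "of", "The resulting proofs may then published" is missing "be", and the pseudo header described as "a 32-bit pseudo header" actually consists of three 32-bit fields (SIZE, PURPOSE, ZONE TYPE), while the PoW message string fixes the key at "256-bit" even though the revocation message carries a ZONE TYPE to select the key format.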
Name Resolution @@ -1666,247 +1908,6 @@ NICK: john (Supplemental)
-
- Zone Revocation - - Whenever a recursive resolver encounters a new GNS zone, it MUST - check against the local revocation list whether the respective - zone key has been revoked. If the zone key was revoked, the - resolution MUST fail with an empty result set. - - - In order to revoke a zone key, a signed revocation object MUST be - published. - This object MUST be signed using the private zone key. - The revocation object is flooded in the overlay network. To prevent - flooding attacks, the revocation message MUST contain a proof of work - (PoW). - The revocation message including the PoW MAY be calculated - ahead of time to support timely revocation. - - - For all occurences below, "Argon2id" is the Password-based Key - Derivation Function as defined in . For the - PoW calculations the algorithm is instantiated with the - following parameters: - -
-
S
-
The salt. Fixed 16-byte string: "GnsRevocationPow".
-
t
-
Number of iterations: 3
-
m
-
Memory size in KiB: 1024
-
T
-
Output length of hash in bytes: 64
-
p
-
Parallelization parameter: 1
-
v
-
Algorithm version: 0x13
-
y
-
Algorithm type (Argon2id): 2
-
X
Unused
-
K
Unused
-
- - illustrates the wire format - of the message string "P" on which the PoW is calculated. - -
- -
- The Wire Format of the PoW Message String. -
-
POW
-
- A 64-bit solution to the PoW. In network byte order. -
-
TIMESTAMP
-
- denotes the absolute 64-bit date when the revocation was computed. - In microseconds since midnight (0 hour), January 1, 1970 in network - byte order. -
-
PUBLIC KEY
-
- is the 256-bit public key zk of the zone which is being revoked and - the key to be used to verify SIGNATURE. The - wire format of this value is defined in , - Section 5.1.5. -
-
- - Traditionally, PoW schemes require to find a POW such that - at least D leading zeroes are found in the hash result. - D is then referred to as the difficulty of the PoW. - In order to reduce the variance in time it takes to calculate the - PoW, we require that a number Z different PoWs must be - found that on average have D leading zeroes. - - - The resulting proofs may then published and disseminated. The concrete - dissemination and publication methods are out of scope of this - document. Given an average difficulty of D, the proofs have an - expiration time of EPOCH. With each additional bit difficulty, the - lifetime of the proof is prolonged for another EPOCH. - Consequently, by calculating a more difficult PoW, the lifetime of the - proof can be increased on demand by the zone owner. - - - The parameters are defined as follows: - -
-
Z
-
The number of PoWs required is fixed at 32.
-
D
-
The difficulty is fixed at 22.
-
EPOCH
-
A single epoch is fixed at 365 days.
-
- - The revocation message wire format is illustrated in - . - -
- -
- The Revocation Message Wire Format. -
-
TIMESTAMP
-
- denotes the absolute 64-bit date when the revocation was computed. - In microseconds since midnight (0 hour), January 1, 1970 in network - byte order. This is the same value as the timestamp used in the - individual PoW calculations. -
-
TTL
-
- denotes the relative 64-bit time to live of of the record in - microseconds also in network byte order. This field is informational - for a verifier. The verifier may discard revocation if the TTL - indicates that it is already expired. However, the actual TTL of the - revocation must be determined by examining the leading zeros in the - proof of work calculation. -
-
POW_i
-
- The values calculated as part of the PoW, in network byte order. - Each POW_i MUST be unique in the set of POW values. - To facilitate fast verification - of uniqueness, the POW values must be given in strictly - monotonically increasing order in the message. -
-
ZONE TYPE
-
- The 32-bit zone type corresponding to the zone public key. -
-
ZONE PUBLIC KEY
-
- is the public key zk of the zone which is being revoked and - the key to be used to verify SIGNATURE. -
-
SIGNATURE
-
- A signature over a timestamp and the public zone zk of the zone - which is revoked and corresponds to the key used in the PoW. - The signature is created using the Sign() function of - the cryptosystem of the zone and the private zone key - (see ). -
-
- - The signature over the public key covers a 32-bit pseudo header - conceptually prefixed to the public key. The pseudo header includes - the key length and signature purpose. The wire format is illustrated - in . - -
- -
- The Wire Format of the Revocation Data for Signing. -
-
SIZE
-
- A 32-bit value containing the length of the signed data in bytes - in network byte order. -
-
PURPOSE
-
- A 32-bit signature purpose flag. This field MUST be 3 (in network - byte order). -
-
ZONE TYPE
-
- The 32-bit zone type corresponding to the zone public key. -
-
ZONE PUBLIC KEY / TIMESTAMP
-
Both values as defined in the revocation data object above.
-
- - In order to verify a revocation the following steps must be taken, - in order: - -
    -
  1. The current time MUST be between TIMESTAMP and - TIMESTAMP+TTL.
  2. -
  3. The signature MUST match the public key.
  4. -
  5. The set of POW values MUST NOT contain duplicates.
  6. -
  7. The average number of leading zeroes resulting from the provided - POW values D' MUST be greater than D.
  8. -
  9. The validation period (TTL) of the revocation is calculated as - (D'-D) * EPOCH * 1.1. The EPOCH is extended by - 10% in order to deal with unsynchronized clocks. - The TTL added on top of the TIMESTAMP yields the - expiration date.
  10. -
-
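Review bot: this hunk removes the Zone Revocation section verbatim, identical to the block the first hunk inserts before Name Resolution, so the change is a pure relocation and the problems in the moved text (the mismatch between "an average difficulty of D" giving one EPOCH and step 9's "(D'-D) * EPOCH" term, the TTL used in step 1 before it is derived in step 9, the missing strict-ordering check on POW_i, "occurences", "of of") travel with it unchanged; fix them in the new location in this same change rather than leaving them to a follow-up. Since the section now precedes Name Resolution instead of following it, also confirm that every xref into the revocation section and its three figures still resolves after the move; the targets are blank in this rendering ("illustrated in ."), so that cannot be checked from the diff alone.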
Internationalization and Character Encoding -- cgit v1.2.3