author | Mikolai Gütschow <mikolai.guetschow@tu-dresden.de> | 2024-03-28 16:52:40 +0100 |
---|---|---|
committer | Mikolai Gütschow <mikolai.guetschow@tu-dresden.de> | 2024-03-28 16:52:40 +0100 |
commit | 267fb8ebe469a235205c834b9a36166c16b0c6c1 (patch) | |
tree | 4e67e9818f6262c58f1f147eed2d6b355ea0b48a /draft-guetschow-taler-protocol.xml | |
parent | eea4a515ece86fa181e89758d5153fea769edec5 (diff) | |
Diffstat (limited to 'draft-guetschow-taler-protocol.xml')
-rw-r--r-- | draft-guetschow-taler-protocol.xml | 238 |
1 files changed, 222 insertions, 16 deletions
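--- a/draft-guetschow-taler-protocol.xml
+++ b/draft-guetschow-taler-protocol.xml
@@ -38,7 +38,7 @@
 <abstract>
 
 
-<?line 37?>
+<?line 41?>
 
 <t>[ TBW ]</t>
 
@@ -53,12 +53,131 @@
 <middle>
 
 
-<?line 41?>
+<?line 45?>
 
 <section anchor="introduction"><name>Introduction</name>
 
 <t>[ TBW ]</t>
 
+<t>Beware that this document is still work-in-progress and may contain errors.
+Use at your own risk!</t>
+
+</section>
+<section anchor="notation"><name>Notation</name>
+
+<t><list style="symbols">
+<t><spanx style="verb">a | b</spanx> denotes the concatenation of a with b</t>
+</list></t>
+
+</section>
+<section anchor="cryptographic-primitives"><name>Cryptographic Primitives</name>
+
+<section anchor="cryptographic-hash-functions"><name>Cryptographic Hash Functions</name>
+
+<section anchor="sha256"><name>SHA-256</name>
+
+<t>Taler uses SHA-256 as defined in Section 5.1 of <xref target="RFC6234"></xref>.</t>
+
+</section>
+<section anchor="sha512"><name>SHA-512</name>
+
+<t>Taler uses SHA-512 as defined in Section 5.2 of <xref target="RFC6234"></xref>.</t>
+
+</section>
+<section anchor="sha512-trunc"><name>Truncated SHA-512</name>
+
+</section>
+</section>
+<section anchor="key-derivation-functions"><name>Key Derivation Functions</name>
+
+<section anchor="hkdf"><name>HKDF</name>
+
+<t>The Hashed Key Derivation Function (HKDF) used in Taler is an instantiation of <xref target="RFC5869"></xref>
+with two different hash functions for the Extract and Expand step as suggested in <xref target="HKDF"></xref>.
+HMAC-SHA512 (HMAC <xref target="RFC2104"></xref> instantiated with SHA-512, cf. <xref target="sha512"/>) is used for <spanx style="verb">HKDF-Extract</spanx>.
+HMAC-SHA256 (HMAC <xref target="RFC2104"></xref> instantiated with SHA-256, cf. <xref target="sha256"/>) is used for <spanx style="verb">HKDF-Expand</spanx>.</t>
+
+<figure><artwork><![CDATA[
+HKDF(salt, IKM, info, L) -> OKM
+
+Inputs:
+salt optional salt value (a non-secret random value);
+if not provided, it is set to a string of 64 zeros.
+IKM input keying material
+info optional context and application specific information
+(can be a zero-length string)
+L length of output keying material in octets
+(<= 255*32 = 8160)
+
+Output:
+OKM output keying material (of L octets)
+]]></artwork></figure>
+
+<t>The output OKM is calculated as follows:</t>
+
+<figure><artwork><![CDATA[
+PRK = HKDF-Extract(salt, IKM) with Hash = SHA-512, HashLen = 64
+OKM = HKDF-Expand(PRK, info, L) with Hash = SHA-256, HashLen = 32
+]]></artwork></figure>
+
+</section>
+<section anchor="hkdf-mod"><name>HKDF-Mod</name>
+
+<t>Based on the HKDF defined in <xref target="hkdf"/>, this function returns an OKM that is smaller than a given big number N.</t>
+
+<figure><artwork><![CDATA[
+HKDF-Mod(N, salt, IKM, info) -> OKM
+
+Inputs:
+N big number; Nbits denotes the length of N in bits
+salt optional salt value (a non-secret random value);
+if not provided, it is set to a string of 64 zeros.
+IKM input keying material
+info optional context and application specific information
+(can be a zero-length string)
+
+Output:
+OKM output keying material (smaller than N)
+]]></artwork></figure>
+
+<t>The output OKM is calculated as follows:</t>
+
+<figure><artwork><![CDATA[
+Nlen = ceil(Nbits / 8)
+while true:
+counter = 0
+c = 2 least significant octets of counter in network-byte order
+x = HKDF(salt, IKM, info | c, NLen)
+reset all but lower Nbits bits in x
+if x < N:
+OKM = x
+break
+counter += 1
+]]></artwork></figure>
+
+</section>
+</section>
+<section anchor="non-blind-signatures"><name>Non-Blind Signatures</name>
+
+<section anchor="ed25519"><name>Ed25519</name>
+
+</section>
+</section>
+<section anchor="blind-signatures"><name>Blind Signatures</name>
+
+<section anchor="fdh-rsa"><name>FDH-RSA</name>
+
+</section>
+<section anchor="clause-schnorr"><name>Clause-Schnorr</name>
+
+</section>
+</section>
+</section>
+<section anchor="the-taler-crypto-protocol"><name>The Taler Crypto Protocol</name>
+
+<section anchor="withdrawal"><name>Withdrawal</name>
+
+</section>
 </section>
 <section anchor="security-considerations"><name>Security Considerations</name>
 
@@ -77,10 +196,74 @@
 <back>
 
 
+<references title='Normative References' anchor="sec-normative-references">
+
+
+
+<reference anchor="RFC2104">
+<front>
+<title>HMAC: Keyed-Hashing for Message Authentication</title>
+<author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/>
+<author fullname="M. Bellare" initials="M." surname="Bellare"/>
+<author fullname="R. Canetti" initials="R." surname="Canetti"/>
+<date month="February" year="1997"/>
+<abstract>
+<t>This document describes HMAC, a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative cryptographic hash function, e.g., MD5, SHA-1, in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function. This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind</t>
+</abstract>
+</front>
+<seriesInfo name="RFC" value="2104"/>
+<seriesInfo name="DOI" value="10.17487/RFC2104"/>
+</reference>
+
+<reference anchor="RFC5869">
+<front>
+<title>HMAC-based Extract-and-Expand Key Derivation Function (HKDF)</title>
+<author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/>
+<author fullname="P. Eronen" initials="P." surname="Eronen"/>
+<date month="May" year="2010"/>
+<abstract>
+<t>This document specifies a simple Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF), which can be used as a building block in various protocols and applications. The key derivation function (KDF) is intended to support a wide range of applications and requirements, and is conservative in its use of cryptographic hash functions. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
+</abstract>
+</front>
+<seriesInfo name="RFC" value="5869"/>
+<seriesInfo name="DOI" value="10.17487/RFC5869"/>
+</reference>
+
+<reference anchor="RFC6234">
+<front>
+<title>US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)</title>
+<author fullname="D. Eastlake 3rd" initials="D." surname="Eastlake 3rd"/>
+<author fullname="T. Hansen" initials="T." surname="Hansen"/>
+<date month="May" year="2011"/>
+<abstract>
+<t>Federal Information Processing Standard, FIPS</t>
+</abstract>
+</front>
+<seriesInfo name="RFC" value="6234"/>
+<seriesInfo name="DOI" value="10.17487/RFC6234"/>
+</reference>
+
+<reference anchor="HKDF">
+<front>
+<title>Cryptographic Extraction and Key Derivation: The HKDF Scheme</title>
+<author fullname="Hugo Krawczyk" initials="H." surname="Krawczyk">
+<organization/>
+</author>
+<date year="2010"/>
+</front>
+<seriesInfo name="Advances in Cryptology – CRYPTO 2010" value="pp. 631-648"/>
+<seriesInfo name="DOI" value="10.1007/978-3-642-14623-7_34"/>
+<seriesInfo name="ISBN" value="["9783642146220", "9783642146237"]"/>
+<refcontent>Springer Berlin Heidelberg</refcontent></reference>
+
+
+
+
+</references>
 
 
 
-<?line 57?>
+<?line 160?>
 
 <section anchor="change-log"><name>Change log</name>
 
@@ -98,19 +281,42 @@ Education and Research (BMBF) within the project Concrete Contracts.</t>
 </back>
 
 <!-- ##markdown-source:
-H4sIAAAAAAAAA22TzW7UMBDH736K0XKBg7NpkZAaCYm2SwuHVgi24kA5eO3Z
-xKxjR/ZkVwH1zbjxYoydQrWCS+SMfzPznw9LKcW+gZdCkCWHDSzWHcL17R2s
-lcMIH2KgoINbCBO0Vz0TJqotyXZESroLB0kZlMMjKLQibEOcGrB+G4SwQ2yA
-4pjotK7P6lNxCHHXxjAOmTA4IH88iUQRVX9s2+HEtGkEgISSp5x0nAYKbVRD
-NxUDapW6chrU1LNnEuIZ7NGP2PABIOIQGuiIhtQsl62lqvWjR6pCbJcumZql
-VWxeFtpxCYmeeAb+wy+FUCN1IbI8yckB5v7c2F1wysL1r59zh8odOzawvlvB
-KmLi4uDO2z3GZGmCsIU16s4HF9qp0GqzibjPDn/4Ys49Qhb2Dl3fBUff2VDB
-SV0uNYdqjnAdDOtZyfqkfnX2aBk95dlcY+yVn5Nhr6xroJ91V38n+4ZGaeZw
-lUEhfGAfYtUNT5Vn+/QnpJSsmdUoTULcf4H1xWe4/zpf9NYYh3ki7zl5MKMm
-G/wRli8/oR5jbsdl8MkajCpj6ZFbFY5DnN+e/0PcBo/VnGyj9C5zl53yLQJ3
-NP+d650PB4emnbfjR+PHfoMRzevFVrmEi4ejPOvOJsiLCgeVII3DECKh4eXk
-DYsEmwkov5PSRbjCrMXx5L3lHuSBirdcZpEHyhv4iAlV1B08v7i5uHoBB0sd
-x8ox+OF8Q025Jh2RMB9KH1MlfgM5XuVzngMAAA==
+H4sIAAAAAAAAA+1X23LbNhB9x1dsnRepNWVJvsRm6k59jT225YwvkwfH00Ak
+RKKCAA4IWlZc58v61h/rLkBJli8zbZ+bycggsNjrOctlFEXsLoZVxpx0SsSw
+dJUL+Ni7hiuuhIVP1jiTGLXEUpNoPkKJ1PKBi7JKuDLJzThyJBgVtSBLuBOZ
+sZMYpB4YxmRhY3C2Kl233d5qd9nY2GFmTVWQRCoKgT/asdJZwUeLe0MxQek0
+ZgAReDt+ldhJ4UxmeZFP/IZIeJn7VcEnI7xZMvYO7oSuRIwLACsKE0PuXFHG
+KyuZdK1MV1q4lrHZiirTNrrWwu0VL60whNLN5VHgFfkVxnjlcmPRvQiNA4T8
+nMmhUVzCx7/+DBnyZ3gxhqvrfdi3osTg4FrLO2FL6SZgBnAlklwbZbKJl+b9
+vhV3dGEq77cpRwIdOxJqlBvlvuFGCzptf5igqnhBPDEp+rMftTvtja16p9KO
+avNR2BHXwZgYcaliGAW/W7PK/uqqKA3qWqlgTBu849BrqsfF4V63016rl+ub
+G1v1cqO76nePTvYP0fj5cavTxv/t9ytb7zej1WhjrRt11lAqev/b6hriA1Ey
+08tYFEUYPcbFE8fYlxu42v0MX27DwUimqRJU22MMw6RV4qTRC2K7YsytAJdz
+hz+yBMRtRZAAXJdOKgUEwEhqgmyG4ZXAdQojPsHsaMelBmGtsWWLXZcCUM3E
+VBbMWIOV5fAHst4zjgfLEXzl8Af0vwJmySBs0KggRUQD7YWovBzG0uXQp8t7
+c/TKBAkmR5KCJ8g+PzxCWMNhpX2YXuAdXB7tRN31DXh4V+YcF4+MBapWJVqf
+nnIMXAykFikSCi6F1wDrrQ55c1OX6bY1V7ne6QaVuHipkk7fUtl9TeWVrXwK
+0hfKI0dHjz7aEzGBfWHlXUjUs0gJQXgtH6YD8gjzSvlAlW9cgwbdaJLX3sUQ
+g6T64mPpuHZyVpGbGrW3zFfGjQ2kcjAQlqCSU94HU28AAerLenDvYenxcnBf
+0J/SiYIyU1ZZhj0jGL4hPzATR2c7exHGT+E36MFbJdrcPnEI73gX6kQtQzJo
+wcNDXYrHJkXgQyI3vpLqqHbk69wE1fyfmUDJJyYIQG+YoPjQAvv+/TujrUbJ
+lVuG45OzZd/al+G0CdEvcH5yxtixLipXxqFLoRz4nldQ/rgKO3dcVQIaHLTR
+USkSKxxYtGFG4aj5wd+e/5MDFHWANL2TqUjRaiAx3nMGKYVNQuqMirmxBt+E
+NUhZuoce1grIKcCXCIlhi0HIcMXCycAsukjcF/ehtrwolEwCVMpCJHKAXJz1
+KaOf+dlIEGB9bBXeiUgJnWGug3dNL3s6Fa3P0GVTuVecI/SYxGEDfm7j523o
+rq//uNqFbdjsbLSbjJ17FSHn59OY39DbQJOnteqmL6knVC1NtzGzCVdJpTxc
+OKFeKTPGmnrxTxcnaPkp+uZ4aAZ0+W61PccxPZ/im24b68PIxOw+QauBGp8A
+6bkGD9O5htVucHraF6Izk2Kz5wRarBKx07eLJx3q4cF3jsfl8B6Y0hlnAVdZ
+7bsCOeXfFASrEVfUL/BZYykzbMlYVZmBrkZ93O89oQJZb/SW4RkjXqdDb1rD
+ubIP0OtLVy68M+bQ6JH3dP4/m16w6d+BfqGmvf+E+57y+EuEVI1QtBXYbLJx
+LpWgsVbE88EKLW1DPYzhqos15aWDUmaagsZeXDOQsjy9gbXGwdLPJP2JQ9ds
+6sdcgPuaMM8bL84byTL0kBihu+AMg0XESKGPMaHvhFbvqv9BA/esRsA9/Ay9
+eJbxQMr72TMOnXy4EM9P29CZMg/HHh3tKhzQ4RJD4kgjUb+qD1JsTp0tL/W6
+xOH+UXRxuRMe9hTH1010STOvtTQUUVHC+zpMQLMPD6/yMzYH/OwYc3qk0aOy
+NDfv4csZsWx5PTT4MXDfj4E4Ie70dl5IYASiFWbJPk+GfhxDbGRIP5PR004y
+1GasRJqFz4iHODBWpNtLA65KsfS4YOeKWgsVD8Z+CigKY+spoODWQX/iyR3G
+bTgU5IvCTwQtEdE0+bMDnGIDOYgsF1hLbpMcGrtnu4ehLcrQ35C5v+PQRTER
+2wUtfCNGov4NMZRdgccNAAA=
 
 -->
 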
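Review bot: In the HKDF-Mod pseudocode, `counter = 0` sits inside `while true:`, so the counter is reset on every pass and the same `x` is derived again; whenever the first candidate is not below N, the loop as written never terminates. Initialising once before the loop, `counter = 0` followed by `while true:`, gives the rejection-sampling behaviour the surrounding text describes. The same artwork assigns `Nlen` but passes `NLen` to HKDF, and the default salt "a string of 64 zeros" in both Inputs lists would be less ambiguous as "64 zero octets" if that is what is meant. Since `c` is only the 2 least significant octets of the counter, a sentence on the expected number of iterations would also help implementers confirm that wrap-around is not a practical concern.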