akwizgran
2016-01-12 10:27:46 +00:00
parent 1a77f8513c
commit 6c0f9b1ec6

8
BTP.md

@@ -14,6 +14,7 @@ BTP uses the following cryptographic primitives:
* A message authentication code, MAC(k, m)
* An authenticated cipher, ENC(k, n, m) and DEC(k, n, m), where n is a nonce
* A random number generator, R(n), with an output length of n bytes. R(n) must be either a true random number generator or a cryptographically secure pseudo-random number generator.
We use MAC(k, m) to define a key derivation function:
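Review bot: In the primitives list, `n` carries two meanings in adjacent bullets: it is the nonce in ENC(k, n, m) and DEC(k, n, m), and the output length in R(n). Because the spec goes on to write R(NONCE_LEN), a reader can take the argument of R for a nonce rather than a byte count. Suggest giving the length parameter its own name, for example R(len) "with an output length of len bytes".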
@@ -96,6 +97,9 @@ To avoid reusing tags, which would allow the adversary to distinguish BTP traffi
The pseudo-random tag is followed by the stream header, which consists of a random initialisation vector followed by an ephemeral key encrypted and authenticated with the sender's outgoing header key, using the random IV as the nonce. The stream header is NONCE_LEN + KEY_LEN + AUTH_LEN bytes long. The ephemeral key is used for encrypting and authenticating the rest of the stream.
* `stream_iv = R(NONCE_LEN)`
* `stream_header = stream_iv || ENC(outgoing_header_key, stream_iv, ephemeral_key)`
### Frames
The remainder of the stream consists of one or more frames. Each frame has a fixed-length header and a variable-length body that may contain data, padding, neither or both. The frames are numbered from zero. A stream may not contain more than 2^63 frames.
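Review bot: The stream header bullets define stream_iv but not ephemeral_key, so `stream_header = stream_iv || ENC(outgoing_header_key, stream_iv, ephemeral_key)` uses a value whose generation is not stated in these lines. If the intent is that it comes from the same generator as the IV, suggest a bullet ahead of it along the lines of `ephemeral_key = R(KEY_LEN)`. It would also help to say that stream_iv is drawn fresh for every stream, since it is the nonce used with the outgoing header key and must not repeat under that key.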
@@ -107,9 +111,9 @@ The plaintext frame header is 4 bytes long, with the following format:
* Bit 16: Zero
* Bits 17-31: Length of the padding in bytes as a 15-bit integer
The plaintext frame body contains the data and padding. The total length of the data and padding must be less than 2^15 bytes. If any padding is present it must all be zeroes.
The plaintext frame body contains the data and padding. The total length of the data and padding must be less than 2^15 bytes.
The header and body are encrypted and authenticated separately using the ephemeral key and deterministic nonces, which are not sent.
The header and body are encrypted and authenticated separately using the ephemeral key and deterministic nonces, which are not sent. The encrypted and authenticated frame header is 4 + AUTH_LEN bytes long, while the encrypted and authenticated frame body is AUTH_LEN bytes longer than the data and padding.
The nonce for the frame header is NONCE_LEN bytes long, with the following format:
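Review bot: With "If any padding is present it must all be zeroes." dropped from the frame body paragraph, the text no longer says what the padding may contain or what a receiver does with it. Suggest stating the intended rule explicitly, for example that the receiver discards the padding without inspecting its contents, so that implementations do not diverge on whether non-zero padding is an error. The new sentence giving the encrypted header and body lengths reads fine as it stands.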