Kaladaran/briar
0
0
Fork 0
mirror of https://code.briarproject.org/briar/briar.git synced 2026-03-04 20:48:18 +01:00
Code Issues Projects Releases Wiki Activity

akwizgran created page: BSP

akwizgran
2015-04-01 10:59:10 +00:00
parent 60c89b4daa
commit 852d662401
1 changed files with 9 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
BTP.markdown

@@ -38,14 +38,14 @@ The devices must also agree which of them will play the role of Alice and which
BTP's key derivation function is based on a message authentication code:
KDF(k, x_1, ..., x_n) == MAC(k, len(x_1) || x_1 || ... || len(x_n) || x_n)
* `KDF(k, x_1, ..., x_n) == MAC(k, len(x_1) || x_1 || ... || len(x_n) || x_n)`
Each device derives four initial keys from S:
* atk = KDF(S, "ALICE_TAG_KEY")
* ahk = KDF(S, "ALICE_HEADER_KEY")
* btk = KDF(S, "BOB_TAG_KEY")
* bhk = KDF(S, "BOB_HEADER_KEY")
* `atk = KDF(S, "ALICE_TAG_KEY")`
* `ahk = KDF(S, "ALICE_HEADER_KEY")`
* `btk = KDF(S, "BOB_TAG_KEY")`
* `bhk = KDF(S, "BOB_HEADER_KEY")`
Alice initialises her outgoing tag and header keys otk = atk and ohk = ahk, and her incoming tag and header keys itk = btk and ihk = bhk. Bob initialises his outgoing tag and header keys otk = btk and ohk = bhk, and his incoming tag and header keys itk = atk and ihk = ahk. Thus Alice's outgoing keys are Bob's incoming keys and vice versa. Both devices then erase S.
@@ -57,10 +57,10 @@ The length of each rotation period is R = D + L seconds. Rotation periods are al
The initial keys derived from S are the keys for period P - 1. The keys for the i^th rotation period are derived from the previous period's keys as follows:
* otk = KDF(otk, "ROTATE_TAG_KEY", int(i))
* ock = KDF(ock, "ROTATE_HEADER_KEY", int(i))
* itk = KDF(itk, "ROTATE_TAG_KEY", int(i))
* ick = KDF(ick, "ROTATE_HEADER_KEY", int(i))
* `otk = KDF(otk, "ROTATE_TAG_KEY", int(i))`
* `ock = KDF(ock, "ROTATE_HEADER_KEY", int(i))`
* `itk = KDF(itk, "ROTATE_TAG_KEY", int(i))`
* `ick = KDF(ick, "ROTATE_HEADER_KEY", int(i))`
If the sender starts sending a stream at time t according to the sender's clock, the recipient may start receiving the stream at any time between t - D and t + D + L according to the recipient's clock. Therefore each device must retain the incoming keys for the previous, current and next rotation periods, along with the outgoing keys for the current rotation period. Keys are erased when they are no longer needed.