mirror of
https://code.briarproject.org/briar/briar.git
synced 2026-03-07 22:18:18 +01:00
akwizgran created page: BTP
@@ -17,7 +17,7 @@ BTP uses the following cryptographic primitives:
|
||||
|
||||
All keys are key_len bytes and all nonces are nonce_len bytes. The output of MAC(k, m) is mac_len bytes, and the output of ENC(k, n, m) is auth_len bytes longer than m. For simplicity we require that mac_len == key_len.
|
||||
|
||||
> Implementation note: The current version of BTP uses HMAC-SHA-256 as the pseudo-random function and AES-256-GCM as the authenticated cipher. The next version will use BLAKE2s as the pseudo-random function and XSalsa20-Poly1305 as the authenticated cipher. In both cases, key_len == 32, mac_len == 32, nonce_len == 24, and auth_len == 16.
|
||||
> Implementation note: The previous version of BTP used HMAC-SHA-256 as the pseudo-random function and AES-256-GCM as the authenticated cipher. The next version will use BLAKE2s as the pseudo-random function and XSalsa20-Poly1305 as the authenticated cipher. In both cases, key_len == 32, mac_len == 32, nonce_len == 24, and auth_len == 16.
|
||||
|
||||
### Initial state
|
||||
|
||||
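Review bot: In the reworded implementation note, the primitives of the version this page specifies are no longer stated: the text now names only what the "previous version" used and what the "next version" will use, so "In both cases" has no clear referent for the current one. Suggest saying explicitly which pseudo-random function and authenticated cipher the current version uses, or identifying the versions by number. Since nonce_len == 24 is claimed for AES-256-GCM as well, it would also help to note how a 24-byte nonce is used with GCM, whose usual nonce length is 12 bytes.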
@@ -62,7 +62,7 @@ The initial keys derived from S are the keys for period P. The keys for each sub
|
||||
* next_in_tag = KDF(in_tag, "ROTATE_INCOMING_TAG_KEY", int64(i))
|
||||
* next_in_cipher = KDF(in_cipher, "ROTATE_INCOMING_CIPHER_KEY", int64(i))
|
||||
|
||||
If the sender starts sending a stream at time t according to the sender's clock, the recipient may start receiving it at any time between t - D and t + D + L according to the recipient's clock. Therefore each device must retain the incoming keys for the previous, current and next rotation periods, along with the outgoing keys for the current rotation period. Keys are erased when they are no longer needed.
|
||||
If the sender starts sending a stream at time t according to the sender's clock, the recipient may start receiving the stream at any time between t - D and t + D + L according to the recipient's clock. Therefore each device must retain the incoming keys for the previous, current and next rotation periods, along with the outgoing keys for the current rotation period. Keys are erased when they are no longer needed.
|
||||
|
||||
### Tags
|
||||
|
||||
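Review bot: The closing sentence of the changed paragraph, "Keys are erased when they are no longer needed", does not say when that point is reached. This matters to an implementer because the incoming keys retained for three rotation periods determine how long a captured stream remains decryptable. Suggest stating the erasure point in terms of the rotation period (which period's keys are dropped at each rotation), and making explicit the relation between the rotation period length and D and L that the "Therefore" relies on, if it is not stated just above this hunk.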
@@ -111,3 +111,5 @@ The nonce for the frame body is nonce_len bytes long with the following format:
|
||||
* Bit 0: Header flag, set to zero
|
||||
* Bits 1-63: Frame number as a big-endian integer
|
||||
* Remaining bits: Zero
|
||||
|
||||
> Implementation note: The final frame flag allows the recipient to detect the end of the stream without reading to EOF, which is not possible for all transports on all platforms.
|
||||
|
||||
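Review bot: The added note refers to "the final frame flag", but the list directly above it describes the frame body nonce, whose only flag is the header flag, so at this position the reader cannot tell which field is meant. Suggest moving the note next to the definition of the final frame flag. It would also help to state whether the flag is covered by the frame's authentication, since detecting the end of the stream only protects against truncation if the flag cannot be forged or stripped.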