diff --git a/BTP.markdown b/BTP.markdown index 40f2e9b..344a86e 100644 --- a/BTP.markdown +++ b/BTP.markdown 
@@ -1,10 +1,21 @@ -BTP is a transport layer security protocol for delay-tolerant networks. It provides confidentiality, authenticity, integrity, forward secrecy and protocol obfuscation for simplex byte streams. It can operate over any transport that can deliver a stream of bytes from a sender to a recipient on a best-effort basis. A memory card strapped to a carrier pigeon is one example of such a transport. - -When operating over a duplex transport such as TCP, BTP treats each duplex connection as two independent simplex streams. +BTP is a transport layer security protocol for delay-tolerant networks. It provides confidentiality, authenticity, integrity, forward secrecy and protocol obfuscation for simplex byte streams. It can operate over any transport that can deliver a stream of bytes from a sender to a recipient on a best-effort basis. A memory card strapped to a carrier pigeon is one example of such a transport. When operating over a duplex transport such as TCP, BTP treats each duplex connection as two independent simplex streams. The underlying transport is not required to provide any security properties. We assume the adversary can read, modify, delete and insert traffic on the underlying transport at will. -### Requirements +### Notation + +We use *||* to denote concatenation, double quotes to denote a UTF-8 string, *int(b, x)* to denote *x* represented as a *b*-bit two's complement big-endian integer, *len(m)* to denote the length of *m* in bytes, and *pack(m)* as shorthand for *int(64, len(m)) || m*. + +### Crypto primitives + +BTP uses the following cryptographic primitives: + +* A pseudorandom function, *r = MAC(k, m)*, where *r* is *mac_len* bytes long +* An authenticated cipher, *c = ENC(k, n, m)* and *m = DEC(k, n, c)*, where *n* is a 24-byte nonce and *c* is *auth_len* bytes longer than *m* + +All keys are *key_len* bytes long. For simplicity we require that *mac_len == keylen*. 
+ +### Initial state Before two devices can communicate using BTP they must establish the following state: @@ -16,20 +27,9 @@ Before two devices can communicate using BTP they must establish the following s How this state is established is outside the scope of BTP. The devices must establish a separate *S* for each transport over which they wish to communicate, and *T* must be in the past according to both devices' clocks. The device for which *A* is true is referred to as Alice, and the device for which *A* is false is referred to as Bob. -### Crypto primitives - -BTP uses the following cryptographic primitives: - -* A pseudorandom function, *r = MAC(k, m)*, where *r* is *maclen* bytes -* An authenticated cipher, *c = ENC(k, n, m)* and *m = DEC(k, n, c)*, where *n* is a 24-byte nonce and *c* is *authlen* bytes longer than *m* - -All keys are *keylen* bytes. For simplicity we require that *maclen == keylen*. - -We use *||* to denote concatenation, double quotes to denote a UTF-8 string, *int(b, x)* to denote *x* represented as a *b*-bit two's complement big-endian integer, *len(m)* to denote the length of *m* in bytes, and *pack(m)* as shorthand for *int(64, len(m)) || m*. - ### Key derivation -BTP's key derivation function is based on a pseudorandom function, similar to the counter mode KDF from NIST SP 800-108. The KDF always produces *keylen* bytes of output, so we can omit the counter and output length arguments. +BTP's key derivation function is based on a pseudorandom function, similar to the counter mode KDF from NIST SP 800-108. The KDF always produces *key_len* bytes of output, so we can omit the counter and output length arguments. The key derivation function takes an input key *k*, a label *p*, and zero or more additional arguments *a_1* to *a_n*, and returns an output key. The label describes the purpose of the output key, and the additional arguments vary according to the purpose. 
@@ -42,8 +42,10 @@ Each device derives four initial keys from *S*: *alice_tag = KDF(*S*, "ALICE_TAG")* *bob_tag = KDF(*S*, "BOB_TAG")* -Alice sets *out_cipher = alice_cipher*, *in_cipher = bob_cipher*, *out_tag = alice_tag*, *in_tag = bob_tag*. Bob sets *out_cipher = bob_cipher*, *in_cipher = alice_cipher*, *out_tag = bob_tag*, *in_tag = alice_tag*. +Alice sets *out_cipher = alice_cipher*, *in_cipher = bob_cipher*, *out_tag = alice_tag*, and *in_tag = bob_tag*. + +Bob sets *out_cipher = bob_cipher*, *in_cipher = alice_cipher*, *out_tag = bob_tag*, and *in_tag = alice_tag*. ### Key rotation -BTP achieves forward secrecy by rotating keys periodically. The key rotation function is deterministic, so the devices have matching keys in each rotation period. \ No newline at end of file +BTP achieves forward secrecy by rotating keys periodically. The key rotation function is deterministic, so the devices always have matching keys.
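Review bot: in the first hunk (@@ -1,10 +1,21 @@), the last added line of the Crypto primitives section still reads *mac_len == keylen*, while every other identifier in that section was renamed to the underscore form (*mac_len*, *auth_len*, *key_len*). Change it to *mac_len == key_len* so the requirement refers to the symbol that "All keys are *key_len* bytes long" defines. As written, a reader can take *keylen* for a separate, undefined quantity.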
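Review bot: in the second hunk (@@ -16,20 +27,9 @@), the Key derivation sentence "The KDF always produces *key_len* bytes of output, so we can omit the counter and output length arguments" appears to rely on the *mac_len == key_len* requirement, which after this move is stated two sections earlier under Crypto primitives. Suggest referring to it here, for example "Since *mac_len == key_len* (see Crypto primitives), the KDF always produces *key_len* bytes of output", so the departure from the NIST SP 800-108 counter mode construction is justified at the point where it is made.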
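Review bot: in the third hunk (@@ -42,8 +42,10 @@), the rewritten Key rotation sentence replaces "have matching keys in each rotation period" with "always have matching keys", which drops the qualifier that the match holds per rotation period. The sentence before it says keys are rotated periodically, so what a deterministic rotation function gives the two devices is the same keys for the same period. Suggest keeping "in each rotation period", or wording it as "matching keys for any given rotation period", unless a later section establishes the stronger claim.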