Kaladaran/briar
0
0
Fork 0
mirror of https://code.briarproject.org/briar/briar.git synced 2026-03-09 06:58:18 +01:00
Code Issues Projects Releases Wiki Activity

akwizgran created page: BTP

akwizgran
2015-03-16 17:11:37 +00:00
parent 7d90972f98
commit c9037afe46
1 changed files with 20 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
BTP.markdown

@@ -1,10 +1,21 @@
BTP is a transport layer security protocol for delay-tolerant networks. It provides confidentiality, authenticity, integrity, forward secrecy and protocol obfuscation for simplex byte streams. It can operate over any transport that can deliver a stream of bytes from a sender to a recipient on a best-effort basis. A memory card strapped to a carrier pigeon is one example of such a transport. BTP is a transport layer security protocol for delay-tolerant networks. It provides confidentiality, authenticity, integrity, forward secrecy and protocol obfuscation for simplex byte streams. It can operate over any transport that can deliver a stream of bytes from a sender to a recipient on a best-effort basis. A memory card strapped to a carrier pigeon is one example of such a transport. When operating over a duplex transport such as TCP, BTP treats each duplex connection as two independent simplex streams.
When operating over a duplex transport such as TCP, BTP treats each duplex connection as two independent simplex streams.
The underlying transport is not required to provide any security properties. We assume the adversary can read, modify, delete and insert traffic on the underlying transport at will. The underlying transport is not required to provide any security properties. We assume the adversary can read, modify, delete and insert traffic on the underlying transport at will.
### Requirements ### Notation
We use *||* to denote concatenation, double quotes to denote a UTF-8 string, *int(b, x)* to denote *x* represented as a *b*-bit two's complement big-endian integer, *len(m)* to denote the length of *m* in bytes, and *pack(m)* as shorthand for *int(64, len(m)) || m*.
### Crypto primitives
BTP uses the following cryptographic primitives:
* A pseudorandom function, *r = MAC(k, m)*, where *r* is *mac_len* bytes long
* An authenticated cipher, *c = ENC(k, n, m)* and *m = DEC(k, n, c)*, where *n* is a 24-byte nonce and *c* is *auth_len* bytes longer than *m*
All keys are *key_len* bytes long. For simplicity we require that *mac_len == keylen*.
### Initial state
Before two devices can communicate using BTP they must establish the following state: Before two devices can communicate using BTP they must establish the following state:
@@ -16,20 +27,9 @@ Before two devices can communicate using BTP they must establish the following s
How this state is established is outside the scope of BTP. The devices must establish a separate *S* for each transport over which they wish to communicate, and *T* must be in the past according to both devices' clocks. The device for which *A* is true is referred to as Alice, and the device for which *A* is false is referred to as Bob. How this state is established is outside the scope of BTP. The devices must establish a separate *S* for each transport over which they wish to communicate, and *T* must be in the past according to both devices' clocks. The device for which *A* is true is referred to as Alice, and the device for which *A* is false is referred to as Bob.
### Crypto primitives
BTP uses the following cryptographic primitives:
* A pseudorandom function, *r = MAC(k, m)*, where *r* is *maclen* bytes
* An authenticated cipher, *c = ENC(k, n, m)* and *m = DEC(k, n, c)*, where *n* is a 24-byte nonce and *c* is *authlen* bytes longer than *m*
All keys are *keylen* bytes. For simplicity we require that *maclen == keylen*.
We use *||* to denote concatenation, double quotes to denote a UTF-8 string, *int(b, x)* to denote *x* represented as a *b*-bit two's complement big-endian integer, *len(m)* to denote the length of *m* in bytes, and *pack(m)* as shorthand for *int(64, len(m)) || m*.
### Key derivation ### Key derivation
BTP's key derivation function is based on a pseudorandom function, similar to the counter mode KDF from NIST SP 800-108. The KDF always produces *keylen* bytes of output, so we can omit the counter and output length arguments. BTP's key derivation function is based on a pseudorandom function, similar to the counter mode KDF from NIST SP 800-108. The KDF always produces *key_len* bytes of output, so we can omit the counter and output length arguments.
The key derivation function takes an input key *k*, a label *p*, and zero or more additional arguments *a_1* to *a_n*, and returns an output key. The label describes the purpose of the output key, and the additional arguments vary according to the purpose. The key derivation function takes an input key *k*, a label *p*, and zero or more additional arguments *a_1* to *a_n*, and returns an output key. The label describes the purpose of the output key, and the additional arguments vary according to the purpose.
@@ -42,8 +42,10 @@ Each device derives four initial keys from *S*:
*alice_tag = KDF(*S*, "ALICE_TAG")* *alice_tag = KDF(*S*, "ALICE_TAG")*
*bob_tag = KDF(*S*, "BOB_TAG")* *bob_tag = KDF(*S*, "BOB_TAG")*
Alice sets *out_cipher = alice_cipher*, *in_cipher = bob_cipher*, *out_tag = alice_tag*, *in_tag = bob_tag*. Bob sets *out_cipher = bob_cipher*, *in_cipher = alice_cipher*, *out_tag = bob_tag*, *in_tag = alice_tag*. Alice sets *out_cipher = alice_cipher*, *in_cipher = bob_cipher*, *out_tag = alice_tag*, and *in_tag = bob_tag*.
Bob sets *out_cipher = bob_cipher*, *in_cipher = alice_cipher*, *out_tag = bob_tag*, and *in_tag = alice_tag*.
### Key rotation ### Key rotation
BTP achieves forward secrecy by rotating keys periodically. The key rotation function is deterministic, so the devices have matching keys in each rotation period. BTP achieves forward secrecy by rotating keys periodically. The key rotation function is deterministic, so the devices always have matching keys.