mirror of
https://code.briarproject.org/briar/briar.git
synced 2026-03-07 05:58:18 +01:00
akwizgran created page: BSP
20
BTP.markdown
@@ -43,11 +43,11 @@ KDF(k, x_1, ..., x_n) == MAC(k, pack(x_1) || ... || pack(x_n))
|
||||
Each device derives four initial keys from S:
|
||||
|
||||
* atk = KDF(S, "ALICE_TAG_KEY")
|
||||
* ack = KDF(S, "ALICE_CIPHER_KEY")
|
||||
* ahk = KDF(S, "ALICE_HEADER_KEY")
|
||||
* btk = KDF(S, "BOB_TAG_KEY")
|
||||
* bck = KDF(S, "BOB_CIPHER_KEY")
|
||||
* bhk = KDF(S, "BOB_HEADER_KEY")
|
||||
|
||||
Alice initialises her outgoing tag and cipher keys otk = atk and ock = ack, and her incoming tag and cipher keys itk = btk and ick = bck. Bob initialises his outgoing tag and cipher keys otk = btk and ock = bck, and his incoming tag and cipher keys itk = atk and ick = ack. Thus Alice's outgoing keys are Bob's incoming keys and vice versa. Both devices then erase S.
|
||||
Alice initialises her outgoing tag and header keys otk = atk and ohk = ahk, and her incoming tag and header keys itk = btk and ihk = bhk. Bob initialises his outgoing tag and header keys otk = btk and ohk = bhk, and his incoming tag and header keys itk = atk and ihk = ahk. Thus Alice's outgoing keys are Bob's incoming keys and vice versa. Both devices then erase S.
|
||||
|
||||
### Key rotation
|
||||
|
||||
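Review bot: The change of KDF labels in the key list, from "ALICE_CIPHER_KEY" and "BOB_CIPHER_KEY" to "ALICE_HEADER_KEY" and "BOB_HEADER_KEY", is not called out as affecting interoperability. The label is an input to KDF(S, ...), so ahk and bhk are different values from ack and bck for the same S, and two devices following different revisions of this page would agree on the tag keys but not on the key used for the stream header. Suggest stating next to the list whether this revision is meant to be compatible with the previous one, or that it is not.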
@@ -57,16 +57,16 @@ The length of each rotation period is R = D + L seconds. Rotation periods are al
|
||||
|
||||
The initial keys derived from S are the keys for period P. The keys for each subsequent period i are derived from the previous period's keys as follows:
|
||||
|
||||
* next_otk = KDF(otk, "ROTATE_OUTGOING_TAG_KEY", int(i))
|
||||
* next_ock = KDF(ock, "ROTATE_OUTGOING_CIPHER_KEY", int(i))
|
||||
* next_itk = KDF(itk, "ROTATE_INCOMING_TAG_KEY", int(i))
|
||||
* next_ick = KDF(ick, "ROTATE_INCOMING_CIPHER_KEY", int(i))
|
||||
* next_otk = KDF(otk, "ROTATE_TAG_KEY", int(i))
|
||||
* next_ock = KDF(ock, "ROTATE_HEADER_KEY", int(i))
|
||||
* next_itk = KDF(itk, "ROTATE_TAG_KEY", int(i))
|
||||
* next_ick = KDF(ick, "ROTATE_HEADER_KEY", int(i))
|
||||
|
||||
If the sender starts sending a stream at time t according to the sender's clock, the recipient may start receiving the stream at any time between t - D and t + D + L according to the recipient's clock. Therefore each device must retain the incoming keys for the previous, current and next rotation periods, along with the outgoing keys for the current rotation period. Keys are erased when they are no longer needed.
|
||||
|
||||
### Tags
|
||||
|
||||
Each stream starts with a pseudo-random tag, which is tag_len bytes long. The recipient calculates the tag in advance and uses it to recognise which sender the stream comes from and which incoming cipher key should be used.
|
||||
Each stream starts with a pseudo-random tag, which is tag_len bytes long. The recipient calculates the tag in advance and uses it to recognise which sender the stream comes from and which incoming header key should be used.
|
||||
|
||||
The tag for the i^th stream from the sender to the recipient in a given rotation period is the first tag_len bytes of MAC(k, int(i)), where k is the sender's outgoing tag key. We require that mac_len >= tag_len. Streams are counted starting from zero in each rotation period.
|
||||
|
||||
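Review bot: The two rotation lines that use the "ROTATE_HEADER_KEY" label still carry the old variable names, next_ock = KDF(ock, ...) and next_ick = KDF(ick, ...), while the initialisation paragraph in the previous hunk now defines ohk and ihk and no longer defines ock or ick. As written, the header keys are never rotated and the rotated values come from keys the page no longer introduces. Suggest next_ohk = KDF(ohk, "ROTATE_HEADER_KEY", int(i)) and next_ihk = KDF(ihk, "ROTATE_HEADER_KEY", int(i)). Dropping OUTGOING and INCOMING from the labels looks right, since one side's outgoing key has to rotate to the same value as the other side's incoming key.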
@@ -87,7 +87,7 @@ To avoid reusing tags, which would allow the adversary to distinguish BTP traffi
|
||||
|
||||
### Stream header
|
||||
|
||||
The pseudo-random tag is followed by the stream header, which consists of a random nonce and an ephemeral cipher key encrypted and authenticated with the sender's outgoing cipher key and the nonce. The stream header is nonce_len + key_len + auth_len bytes long. The ephemeral cipher key is used for encrypting and authenticating the rest of the stream.
|
||||
The pseudo-random tag is followed by the stream header, which consists of a random nonce and an ephemeral key encrypted and authenticated with the sender's outgoing header key and the nonce. The stream header is nonce_len + key_len + auth_len bytes long. The ephemeral key is used for encrypting and authenticating the rest of the stream.
|
||||
|
||||
### Frames
|
||||
|
||||
@@ -102,7 +102,7 @@ The plaintext frame header is 4 bytes long with the following format:
|
||||
|
||||
The plaintext frame body contains the data and padding. The total length of the data and padding must be less than 2^15 bytes. If any padding is present it must all be zeroes.
|
||||
|
||||
The header and body are encrypted and authenticated separately using the ephemeral cipher key and deterministic nonces, which are not sent.
|
||||
The header and body are encrypted and authenticated separately using the ephemeral key and deterministic nonces, which are not sent.
|
||||
|
||||
The nonce for the frame header is nonce_len bytes long with the following format:
|
||||
|
||||
|
||||