From ff84721aed10764197ba00cc096709b5fc7edf40 Mon Sep 17 00:00:00 2001 From: akwizgran Date: Mon, 16 Mar 2015 16:04:17 +0000 Subject: [PATCH] akwizgran created page: BTP --- BTP.markdown | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/BTP.markdown b/BTP.markdown index 4facf67..1a96bb0 100644 --- a/BTP.markdown +++ b/BTP.markdown @@ -4,8 +4,7 @@ When operating over a duplex transport such as TCP, BTP treats each duplex conne The underlying transport is not required to provide any security properties. We assume the adversary can read, modify, delete and insert traffic on the underlying transport at will. -Requirements -============ +### Requirements Before two devices can communicate using BTP they must establish the following state: 
@@ -14,24 +13,27 @@ Before two devices can communicate using BTP they must establish the following s * The maximum expected difference between the devices' clocks, *D* * The maximum expected latency of the transport, *L* -How this state is established is outside the scope of BTP. *S* may be established using a key agreement protocol, while *E*, *D* and *L* may be hard-coded. The devices must establish a separate *S* for each transport over which they wish to communicate. This may be done by deriving several shared secrets from an initial shared secret established using a key agreement protocol. +How this state is established is outside the scope of BTP. The devices must establish a separate *S* for each transport over which they wish to communicate, and *E* must be in the past according to both devices' clocks. -*E* must be in the past according to both devices' clocks. This may be achieved by using a hard-coded value such as the Unix epoch, or by exchanging timestamps during the key agreement protocol and using the lesser timestamp as the epoch. - -Crypto primitives -================= +### Crypto primitives BTP uses the following cryptographic primitives: -* A hash function, *HASH(m)* -* A symmetric message authentication function, *MAC(k,m)* -* A symmetric authenticated cipher, *ENC(k,n,m)* and *DEC(k,n,m)*, where *n* is a nonce +* A symmetric message authentication function, *MAC(k, m)* +* A symmetric authenticated cipher, *c = ENC(k, n, m)* and *m = DEC(k, n, c)*, where *n* is a nonce -The output of *HASH* is *hashlen* bytes, the output of *MAC* is *maclen* bytes, and the output of *ENC(k,n,m)* is *authlen* bytes longer than the input. All keys are *keylen* bytes and all nonces are 24 bytes. +The output of *MAC* is *maclen* bytes. The output of *ENC(k, n, m)* is *authlen* bytes longer than *m*. All keys are *keylen* bytes and all nonces are 24 bytes. For simplicity we require that *maclen == keylen*. 
-We use *||* to denote concatenation, *int64(x)* to denote *x* represented as a two's complement 64-bit big-endian integer, *len(m)* to denote the length of *m* in bytes, and *lenprefix(m)* as shorthand for *int64(len(m))||m*. +We use || to denote concatenation, *int(b, x)* to denote *x* represented as a *b*-bit two's complement big-endian integer, *len(m)* to denote the length of *m* in bytes, and *pack(m)* as shorthand for *int(64, len(m))* || *m*. -Key rotation -============ +### Key derivation + +BTP's key derivation function (KDF) is based on a message authentication function used as a pseudo-random function (PRF). This is similar to the "KDF in Counter Mode" from NIST SP 800-108. Since we require that *maclen* == *keylen*, the output of the MAC can be used directly as the output of the KDF, and we don't need to pass the output length or counter, both of which are fixed, to the MAC. + +The key derivation function takes an input key *k*, a label *p*, and zero or more additional arguments *a_1* to *a_n*, and returns an output key. The label describes the purpose of the output key and is used to distinguish between different uses of the KDF. The additional arguments vary according to the purpose. + +*KDF(k, p, a_1, ..., a_n) = MAC(k, pack(p)* || *pack(a_1)* || ... || *pack(a_n))* + +### Key rotation BTP achieves forward secrecy by rotating keys periodically. The sender and recipient use the same deterministic function to rotate their keys, so they arrive at the same keys in each rotation period. \ No newline at end of file
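Review bot: In the first hunk (@@ -4,8 +4,7), replacing the setext heading "Requirements" / "============" with "### Requirements" changes the heading from level 1 to level 3, not only its syntax. If the demotion is intended, check that the page has a level 1 or level 2 heading above it so the outline does not skip levels. If only the syntax was meant to change, "# Requirements" keeps the original level. The same applies to "### Crypto primitives" and "### Key rotation" in the second hunk, which replace "=" underlined headings in the same way.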
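Review bot: In the second hunk (@@ -14,24 +13,27), the new KDF definition leaves the encoding of its arguments unspecified. pack(m) is defined through len(m), so it applies only to byte strings, yet the text says only that the additional arguments "vary according to the purpose". Both devices must feed byte-identical input to MAC to arrive at the same output key, so state that p and each a_i are byte strings and that any integer-valued argument is first encoded with int(b, x) at a fixed, named width. Two smaller points in the same hunk. MAC(k, m) is now both the message authentication function and the PRF behind the KDF, and the label p separates KDF uses from each other but not from plain message authentication, so it is worth stating that a key used as KDF input is never also used to authenticate messages. The hunk also removes HASH and hashlen along with the guidance on choosing E (the Unix epoch, or the lesser of the exchanged timestamps): check the rest of the page for leftover references to HASH, and consider keeping one sentence on how E can meet the requirement that it "must be in the past according to both devices' clocks".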