From 8adc7bb41d62d1a73329af5055a8ed457fcc9fb7 Mon Sep 17 00:00:00 2001 From: zzz Date: Thu, 6 Dec 2018 15:10:58 +0000 Subject: [PATCH] proposal 123/144 updates --- .../spec/proposals/123-new-netdb-entries.rst | 7 +- .../144-ecies-x25519-aead-ratchet.rst | 83 +++++++++++++++---- 2 files changed, 72 insertions(+), 18 deletions(-) diff --git a/i2p2www/spec/proposals/123-new-netdb-entries.rst b/i2p2www/spec/proposals/123-new-netdb-entries.rst index 712eeab4..f6247a58 100644 --- a/i2p2www/spec/proposals/123-new-netdb-entries.rst +++ b/i2p2www/spec/proposals/123-new-netdb-entries.rst @@ -5,7 +5,7 @@ New netDB Entries :author: zzz, str4d, orignal :created: 2016-01-16 :thread: http://zzz.i2p/topics/2051 - :lastupdated: 2018-12-03 + :lastupdated: 2018-12-06 :status: Open :supercedes: 110, 120, 121, 122 @@ -62,7 +62,10 @@ Goals - All new types live in the same DHT space and same locations as existing leasesets, so that users may migrate from the old LS to LS2, or change among LS2, Meta, and Encrypted, - without changing their Destination. + without changing the Destination or hash. +- An existing Destination may be converted to use offline keys, + or back to online keys, without changing the Destination or hash. + Non-Goals / Out-of-scope ------------------------ diff --git a/i2p2www/spec/proposals/144-ecies-x25519-aead-ratchet.rst b/i2p2www/spec/proposals/144-ecies-x25519-aead-ratchet.rst index f8474d78..f5f0ff81 100644 --- a/i2p2www/spec/proposals/144-ecies-x25519-aead-ratchet.rst +++ b/i2p2www/spec/proposals/144-ecies-x25519-aead-ratchet.rst @@ -5,7 +5,7 @@ ECIES-X25519-AEAD-Ratchet :author: zzz :created: 2018-11-22 :thread: http://zzz.i2p/topics/2639 - :lastupdated: 2018-12-03 + :lastupdated: 2018-12-06 :status: Open .. contents:: @@ -421,6 +421,9 @@ Four message total (two each direction) For ECIES-X25519-AEAD-Ratchet ````````````````````````````` +TODO update this section after proposal is stable. + + Alice-Bob new session message: - 32 byte public key - 8 byte nonce @@ -463,6 +466,7 @@ Four message total (two each direction) Processing overhead estimate ---------------------------- +TODO update this section after proposal is stable. The following cryptographic operations are required by each party to initiate a new session and do the first ratchet: @@ -723,13 +727,25 @@ Encrypted: +----+----+----+----+----+----+----+----+ | | + + - | DH Ratchet Public Key | + | New Session Public Key | + + | | + + | | +----+----+----+----+----+----+----+----+ - | Nonce | + | | + + + + | ChaCha20 encrypted data | + + + + | | + + + + | | + + + + | | + +----+----+----+----+----+----+----+----+ + | Poly1305 Message Authentication Code | + + (MAC) + + | 16 bytes | +----+----+----+----+----+----+----+----+ | | + + @@ -746,16 +762,44 @@ Encrypted: Public Key :: 32 bytes, little endian, cleartext - Nonce :: 8 bytes, cleartext + encrypted data 1 :: 40 bytes - encrypted data :: Same size as plaintext data, Size varies + MAC 1 :: Poly1305 message authentication code, 16 bytes - MAC :: Poly1305 message authentication code, 16 bytes + encrypted data 2 :: Same size as plaintext data, Size varies + + MAC 2 :: Poly1305 message authentication code, 16 bytes {% endhighlight %} -Decrypted: +Decrypted data 1: + +.. raw:: html + + {% highlight lang='dataspec' %} ++----+----+----+----+----+----+----+----+ + | | + + + + | DH Ratchet Public Key | + + + + | | + + + + | | + +----+----+----+----+----+----+----+----+ + | Flags, IV, sequence number, TODO | + +----+----+----+----+----+----+----+----+ + + Public Key :: 32 bytes, little endian + + TODO :: 8 bytes + +{% endhighlight %} + + + + +Decrypted data 2: See AEAD section below. @@ -794,25 +838,28 @@ thus cutting the storage requirements in half. Notes ````` -This allows sending multiple new session messages with the same cleartext key, -which is less privacy but much more efficient, e.g. for a POST. -Send different nonces with each message. -Nonce should be generated randomly. +This allows sending multiple new session messages with the same initial ratchet key, +which is more efficient, e.g. for a POST. +These messages will have a different cleartext (new session) key but contain +the same ratchet key inside the first AEAD block. +New session keys are never reused. +This prevents external observers from identifying a POST sequence through +seeing duplicate cleartext keys. However, these messages may still be +identified as containing keys, unless we use Elligator2. +The first AEAD block will contain a sequence number and/or IV so the second block may +be decrypted correctly. Issues `````` -- Obfuscation of key? +- Obfuscation of cleartext key? We could do Elligator 2 but that's expensive. -- Do we need the nonce? Does it need to be 8 bytes? 4? +- Do we need a nonce? Does it need to be 8 bytes? 4? - IV is in the LS2 property? Alternative: Send a 16 byte IV instead of 8 byte nonce, and use a nonce of 0. -- Alternative: Encrypt the key and IV in a fixed-size AEAD block, - as in ElGamal. Then append a second AEAD block, as in ElGamal. - 1b) Existing session format @@ -1107,6 +1154,8 @@ we use session tags instead. By using a DH ratchet, we acheive forward secrecy, which was never implemented in ElGamal/AES+SessionTags. +Note: The new session public key is not part of the ratchet, its sole function +is to encrypt Alice's initial DH ratchet key. Message Numbers @@ -1242,6 +1291,8 @@ KDF: {% highlight lang='text' %} + TODO there's two AEAD blocks in the new session message, explain KDF for both + Inputs: 1) Root key (first time from where? see Signal section 3.3) 2) input_key_material