
[GNUnet-SVN] [taler-anastasis] branch master updated: small adjustments


From: gnunet
Subject: [GNUnet-SVN] [taler-anastasis] branch master updated: small adjustments to be discussed
Date: Sat, 28 Sep 2019 14:48:12 +0200

This is an automated email from the git hooks/post-receive script.

ds-meister pushed a commit to branch master
in repository anastasis.

The following commit(s) were added to refs/heads/master by this push:
     new c390497  small adjustments to be discussed
c390497 is described below

commit c390497282188990c90d3fb41950e29d8b54cdf4
Author: Dominik Meister <address@hidden>
AuthorDate: Sat Sep 28 14:48:05 2019 +0200

    small adjustments to be discussed
---
 src/api/crypto-anastasis.rst | 37 ++++++++++++++-----------------------
 1 file changed, 14 insertions(+), 23 deletions(-)

diff --git a/src/api/crypto-anastasis.rst b/src/api/crypto-anastasis.rst
index 85f7cbd..c9d65fd 100644
--- a/src/api/crypto-anastasis.rst
+++ b/src/api/crypto-anastasis.rst
@@ -39,24 +39,20 @@ depend on the cultural context, in this document we will 
simply refer to this
 information as the **user_identifier**.
 
 This user_identifier will be first hashed with SCrypt, to provide a **kdf_id**
-which will be used to derive other keys later.  The use of SCrypt is intended
+which will be used to derive other keys later. The Hash must also include the 
respective **server_salt**. This also ensures that the **kdf_id** is different 
on each server. The use of SCrypt and the respective server_salt is intended
 to make it difficult to brute-force **kdf_id** values and help protect user's
-privacy. However, we do not assume that the **user_identifier** or the
+privacy. Also this ensures that the kdf_ids on every server differs. However, 
we do not assume that the **user_identifier** or the
 **kdf_id** cannot be determined by an adversary performing a targeted attack,
 as a user's **user_identifier** is likely to always be known to state actors
 and may likely also be available to other actors.
 
-The kdf_id derivation also includes the Anastasis' server's **server_salt**,
-again to make it difficult to brute-force values as the computation would have
-to be done per Anastasis server.
-
-FIXME: What do we do if a user backs up their data using 3 different
+FIXME?: What do we do if a user backs up their data using 3 different
 Anastasis operators with 3 different salts? We must check that the
 kdf_id can differ between servers, and maybe then clarify that it is
 kdf_id^S (^S = per server), instead of one value for all servers!
 NOTE that api-anastasis in the introduction already explains that the
 server_salt should NOT be used to derive the **kdf_id**. So this is
-likely wrong.
+likely wrong.?
 
 
 .. code-block::
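Review bot: the added sentences contradict the FIXME retained a few lines further down in this same hunk, and that FIXME is left open rather than resolved. The new text makes the **server_salt** an input to the **kdf_id** hash ("The Hash must also include the respective **server_salt**"), while the kept note says "api-anastasis in the introduction already explains that the server_salt should NOT be used to derive the **kdf_id**"; appending "?" to "likely wrong." does not settle which of the two is the specification. Decide on one derivation and update both this passage and api-anastasis in the same commit, so the kdf_id definition is consistent across documents. Two smaller points on the same added lines: "This also ensures that the **kdf_id** is different on each server" and "Also this ensures that the kdf_ids on every server differs" say the same thing, so drop the second (it would also need "differ"), and the new lines end in trailing spaces.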
@@ -87,19 +83,15 @@ generate the corresponding public key.
 
 .. code-block::
 
-    ver_secret:= HKDF(kdf_id, salt_ver, keysize)
+    ver_secret:= HKDF(kdf_id, server_salt, keysize)
     eddsa_priv := eddsa_d_to_a(ver_secret)
     eddsa_pub := get_EdDSA_Pub(eddsa_priv)
 
-FIXME: ecdhe_d_to_a() needs to be specified.
-
 
 **HKDF()**: The HKDF-function uses to phases: First we use HMAC-SHA512 for the 
extraction phase, then HMAC-SHA256 is used for expansion phase.
 
 **kdf_id**: Hashed user_identifier.
 
-**salt_ver**: Salt for the derivation of the verficiation keys (FIXME: specify 
precise value used).  FIXME: isn't this supposed to be the server_salt?
-
 **key_size**: Size of the output, here 32 bytes.
 
 **ver_secret**: Derived key from the kdf_id, serves as intermediate step for 
the generation of the private key
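Review bot: "server_salt" now feeds two derivations without any domain separation, and its definition-list entry is missing. The new line "ver_secret:= HKDF(kdf_id, server_salt, keysize)" reuses the same salt the previous hunk adds to the kdf_id hash; if one server_salt is used both there and as the HKDF salt for the signing-key secret, give each derivation a distinct salt or HKDF info string (for example a fixed context label for the verification key) so that keys derived for different purposes cannot be confused with one another. Also, the "**salt_ver**" entry is deleted but no "**server_salt**" entry replaces it, so the code block now references an undefined parameter; and the line "FIXME: ecdhe_d_to_a() needs to be specified." is removed although the block still calls "eddsa_d_to_a(ver_secret)" without that conversion being specified anywhere in this hunk, so keep the FIXME (corrected to name eddsa_d_to_a) until the conversion is written down. While here: "uses to phases" should read "uses two phases", and the code says "keysize" while the list says "**key_size**".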
@@ -130,14 +122,13 @@ ephemeral ECDHE key is chosen at random before every 
encryption.
     ecdh_pub := get_ecdhe_pub(ecdh_priv)
     ecdhe_priv := ecdhe_create(PRNG)
     ecdhe_pub := get_ecdhe_pub(ecdhe_priv)
-    sym_key := ecdhe(ecdhe_priv, ecdh_pub) = ecdhe(ecdh_pub, ecdhe_priv)
+    dh_secret := ecdhe(ecdhe_priv, ecdh_pub) = ecdhe(ecdh_pub, ecdhe_priv)
+    iv:= Hash(dh_secret)
     enc_key:= HKDF(sym_key, salt_enc, keysize)
 
 **HKDF()**: The HKDF-function uses to phases: First we use HMAC-SHA512 for the 
extraction phase, then HMAC-SHA256 is used for expansion phase.
 
-**kdf_id**: Hashed user secret
-
-**salt_enc**: Salt for the derivation of the encryption Keys
+**kdf_id**: Hashed user_identifier
 
 **key_size**: Size of the output, here 32Byte
 
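Review bot: renaming "sym_key" to "dh_secret" leaves a dangling reference, and the salt for the encryption key is now undefined. The new line "dh_secret := ecdhe(ecdhe_priv, ecdh_pub) = ecdhe(ecdh_pub, ecdhe_priv)" is not followed through: the unchanged next line "enc_key:= HKDF(sym_key, salt_enc, keysize)" still reads "sym_key", which no longer exists, and should become "enc_key := HKDF(dh_secret, salt_enc, keysize)". At the same time the "**salt_enc**" definition is deleted while "salt_enc" remains in the code, so a reader cannot tell which salt value is used; either restore the entry with the concrete value or change the code. The "**kdf_id**: Hashed user_identifier" wording change is fine and matches the first hunk.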
@@ -145,13 +136,13 @@ ephemeral ECDHE key is chosen at random before every 
encryption.
 
 **ecdhe_d_to_a()**: Function which converts the enc_secret to a valid ECDH(E) 
private key.
 
-**sym_key**: Intermediate step for the generation of the symmetric key.
-
-FIXME: Maybe call it something else? "dh_secret" might be a good name.
+**dh_secret**: Intermediate step for the generation of the symmetric key.
 
 **enc_key**: Symmetric key which is later used to encrypt the documents with 
AES256-GCM.
+ 
+**iv**: IV which will be used for AES-GCM
 
-FIXME: You need to specify the salt, and you also need to derive an IV (from 
sym_key).
+**Hash** SHA512 Hash with an output of 64Byte.
 
 ----------------------------
 2. Key Usage
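Review bot: the new "**iv**" and "**Hash**" entries do not fit together, and the deleted FIXME is only half addressed. "**Hash**" is defined as SHA512 with a 64-byte output, but AES-GCM (named in the "**enc_key**" entry two lines above) takes a 96-bit nonce, so the "iv" entry must say how the 64 bytes become a 12-byte nonce (which bytes are kept); the cleaner option is to derive both enc_key and iv from dh_secret through HKDF with distinct info strings, so the nonce derivation is documented next to the key derivation instead of via a bare hash with an unspecified truncation. The removed line "FIXME: You need to specify the salt, and you also need to derive an IV (from sym_key)." is resolved only for the IV: "salt_enc" is still used in the code block above and is never specified, so the salt half of that FIXME should stay or be resolved. Minor: "**Hash** SHA512 Hash" lacks the colon the other entries use, and the added blank line carries a trailing space.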
@@ -166,9 +157,9 @@ the key_share of the user.
 Before every encryption an ephemeral ECDHE public key is generated.
 From this the symmetric key is computed as described above.
 We use AES256-GCM for the encryption of the recovery_document and
-key_share.
+key_share.   
 
-FIXME: This is underspecified.
+FIXME: This is underspecified. ( To be adjusted after Monday(Nonce))
 
 
 2.2 Signatures
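Review bot: the only changes in this hunk are trailing whitespace appended to "key_share." and a meeting reminder appended to the FIXME; neither belongs in the specification. Drop the trailing spaces, and replace "( To be adjusted after Monday(Nonce))" with what is actually underspecified so the FIXME is actionable: how the per-encryption nonce/IV is chosen and that it is never reused with the same key, whether any associated data is authenticated by AES256-GCM, and how the ephemeral ECDHE public key generated "before every encryption" reaches the decrypting party together with the ciphertext.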
