
Rosenpass Protocol Version 2 #136

Closed
wants to merge 20 commits into from

Conversation

koraa (Member) commented Oct 2, 2023

TODOs (Karolin):


Blockers:


Todo Marei (please do not work on those yet):

  • Make sure the "References" section appears in the toc
  • "Version history" chapter should not get its own number
  • Move Fig1 to front page, page 2 shared between TOC and Fig 2?
  • The list in "Cryptographic building blocks" might need some work to look decent. Maybe the acronym on the left, name of the scheme right and flushed right ref to the spec, Version of the scheme, description?

Todo Mullana (please do not work on these yet):

  • Add an abort_initiator_handshake() call as ICR8 in the protocol steps graphic

  • Figure 2: Add a note to the bottom saying "All numeric values are in little-endian format"

  • Figure 3: Add short codes from Fig 4; IHI1/IHR1 etc

  • Figure 3: Add a note pointing people to fig 4 for details about security levels achieved and for the code to use this tree

  • Figure 3: Introduce a special symbol for the mix, then value sequence and maybe a "zoomed in" explanation.

  • Figure 4: Get rid of semicolons

  • Figure 4: ct1 with sctr in IHR5

  • Figure 4: Add a step RHI8 to erase the ephemeral secret keys

    | Initiator line | Initiator code | Responder line | Responder code | Comment |
    |---|---|---|---|---|
    | RHI8 | erase(eski) | RHR8 | | Erase the ephemeral secret key to achieve forward secrecy. Implementations may defer execution of RHR8 until completion of the handshake (after ICI7) before transmission of InitConf. |
  • Figure 4: Add a box with a table indicating when security properties are reached:

    | Property | Reached after | Comment |
    |---|---|---|
    | Secrecy | IHI5/IHR5 | Based on sskr/spkr (the responder's static key pair) |
    | Responder authentication | RHI7 | Responder authentication is reached after the initiator processes the complete RespHello message. The crucial step is proving that the responder was able to decapsulate the secret encrypted with their static public key (IHR5). This confirmation is produced by the responder in RHR7 and checked in RHI7. |
    | Initiator authentication | ICR5 | This works similar to responder authentication. In RHI5 the initiator decapsulates a secret with their static secret key; they provide a confirmation in ICI4, this confirmation is checked in ICI5. Final confirmation is achieved after biscuit replay detection in ICI5. |
    | Forward secrecy | RHI8 | The initiator generates a fresh ephemeral keypair before the handshake; the responder encapsulates a random secret in RHR4 and the initiator decapsulates it in RHI4. Forward secrecy is achieved after the ephemeral secret key is securely erased in RHR8. |

/cc @stv0g

Fixes: #68
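The forward-secrecy row above, and the commit further down that moves the erasure of `eski` to before InitConf is transmitted, both hinge on one implementation detail: once RespHello has been processed, the ephemeral secret must be wiped, and retransmission of InitConf must work from a cached message rather than from the key. The following is an added illustration in Rust, not Rosenpass's own code: `EphemeralSecret`, `Initiator`, `process_resp_hello` and `retransmit_init_conf` are names chosen here, and the XOR "decapsulation" and the confirmation tag are stand-ins for the real KEM and key-derivation steps.

```rust
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};

/// Stand-in for the initiator's ephemeral secret key `eski` (illustrative type,
/// not Rosenpass's). The bytes are overwritten with zeros on `erase()` and again
/// on drop, so the secret cannot outlive the handshake step that needs it.
pub struct EphemeralSecret([u8; 32]);

impl EphemeralSecret {
    pub fn new(bytes: [u8; 32]) -> Self {
        EphemeralSecret(bytes)
    }

    /// Overwrite the key material. `write_volatile` plus a compiler fence keeps the
    /// optimiser from dropping a store to memory that is never read afterwards.
    pub fn erase(&mut self) {
        for b in self.0.iter_mut() {
            unsafe { ptr::write_volatile(b, 0) };
        }
        compiler_fence(Ordering::SeqCst);
    }

    pub fn is_zeroed(&self) -> bool {
        self.0.iter().all(|&b| b == 0)
    }
}

impl Drop for EphemeralSecret {
    fn drop(&mut self) {
        self.erase();
    }
}

#[derive(Debug, PartialEq)]
pub enum HandshakeError {
    /// RespHello arrived after `eski` was erased: abort, never reuse the key.
    EphemeralKeyErased,
    /// No InitConf has been built yet, so there is nothing to retransmit.
    NoInitConf,
}

/// Minimal model of the initiator state around RHI4..RHI8 (assumed structure).
pub struct Initiator {
    eski: Option<EphemeralSecret>,
    chaining_key: Option<[u8; 32]>,
    init_conf: Option<Vec<u8>>,
}

impl Initiator {
    pub fn new(eski: [u8; 32]) -> Self {
        Initiator { eski: Some(EphemeralSecret::new(eski)), chaining_key: None, init_conf: None }
    }

    /// Stand-in for the KEM decapsulation of RHI4; a real KEM replaces this XOR.
    fn decapsulate(eski: &EphemeralSecret, ct: &[u8; 32]) -> [u8; 32] {
        let mut shared = [0u8; 32];
        for i in 0..32 {
            shared[i] = eski.0[i] ^ ct[i];
        }
        shared
    }

    /// Process RespHello: derive the chaining key from `eski`, build InitConf,
    /// then erase `eski` (RHI8) before the caller transmits InitConf.
    pub fn process_resp_hello(&mut self, ct: &[u8; 32]) -> Result<Vec<u8>, HandshakeError> {
        let eski = self.eski.take().ok_or(HandshakeError::EphemeralKeyErased)?;
        let ck = Self::decapsulate(&eski, ct);
        // Stand-in for the InitConf confirmation derived from the chaining key.
        let conf: Vec<u8> = ck.iter().map(|b| b.wrapping_add(1)).collect();
        // RHI8: the ephemeral secret is wiped here, before InitConf leaves the host.
        drop(eski);
        self.chaining_key = Some(ck);
        self.init_conf = Some(conf.clone());
        Ok(conf)
    }

    /// Retransmission replays the cached InitConf; it never needs `eski` again,
    /// which is what allows the key to be erased before the first transmission.
    pub fn retransmit_init_conf(&self) -> Result<Vec<u8>, HandshakeError> {
        self.init_conf.clone().ok_or(HandshakeError::NoInitConf)
    }

    pub fn eski_erased(&self) -> bool {
        self.eski.is_none()
    }

    pub fn chaining_key(&self) -> Option<[u8; 32]> {
        self.chaining_key
    }
}

fn main() {
    // Constructed sample key and ciphertext; real values come from the KEM.
    let mut init = Initiator::new([0x11; 32]);
    let conf = init.process_resp_hello(&[0x22; 32]).expect("first RespHello");
    println!("eski erased before InitConf is sent: {}", init.eski_erased());
    println!("retransmit matches: {}", init.retransmit_init_conf().unwrap() == conf);
}
```

The point of `Option<EphemeralSecret>` plus `take()` is that the type system enforces the ordering the whitepaper now specifies: after RHI8 there is no code path that can touch `eski`, and a second RespHello for the same handshake is rejected rather than processed with a key that should no longer exist.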


# Version history

## Version 2 -- XXXX-XX-XX
Member:

Hmmm. These version numbers do not align with the git tags of this repository. Maybe we should include the git hashes of the whitepaper versions alongside?

Member Author:

It's a protocol version, not a source code version.

…d secrecy

This is a minor security fix: Before this change the specification left erasing the secret key to the implementation. The reference implementation did erase `eski` but only after receiving the responder confirmation package (EmptyData at the time) instructing the initiator to stop retransmission of the InitConf package. With this change, `eski` is erased before transmission of the InitConf package.
Fix a typo "key chaining extract" -> "chaining key extract"; "key chaining init" -> "chaining key init"
Issue: #68 (#68)

initiator handshake encryption -> initiator session encryption
responder handshake encryption -> responder session encryption
@koraa koraa changed the title feat(whitepaper): Clarify how protocol roles are determined and race … Rosenpass Protocol Version 2 Oct 3, 2023
Issue: #91 (#91)

Add version info to whitepaper

This uses an release candidate of liboqs and a patched version of the
oqs-sys rust crate. We should wait until a proper release is done.
@@ -228,6 +228,10 @@ Implementations must account for this possibility by aborting any ongoing initia

In practice these delays cause participants to take turns acting as initiator and acting as responder since the ten seconds difference is usually enough for the handshake with switched roles to complete before the old initiator's rekey timer goes to zero.

## Endianess
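Review bot: the new heading "## Endianess" is misspelled and should read "## Endianness". Since the discussion below identifies the biscuit counter as the multi-byte integer that is actually transmitted, and the TODO list for Figure 2 says all numeric values are little-endian, the section should name that counter explicitly and state the byte order so the whitepaper text and the figure agree.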
Member:

nit: It is spelled "Endianness"

Member:

Besides this, is this section even required? As far as I can tell, the protocol does not transmit any integers, but only single-byte integers or binary data.

Member Author (@koraa, Oct 3, 2023):

Feel free to use your push rights for spell correction, but do notify me please so I do not accidentally overwrite your commit.

> Besides this, is this section even required? As far as I can tell, the protocol does not transmit any integers, but only single-byte integers or binary data.

There is the biscuit counter…

@koraa koraa closed this Nov 5, 2023
@koraa koraa deleted the karo/whitepaper-fixes branch November 5, 2023 19:51
Successfully merging this pull request may close these issues.

Whitepaper proof read