lbt/I2P_Website
1
0
Fork 0
forked from I2P_Developers/i2p.www
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

prop 123 updates

Browse Source
This commit is contained in:
zzz
2019-02-04 13:56:03 +00:00
parent 0a3a6238df
commit 3715ab6cb5
2 changed files with 130 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
i2p2www/spec/common-structures.rst
View File

@@ -3,7 +3,7 @@ Common structures Specification
===============================
.. meta::
:category: Design
:lastupdated: January 2019
:lastupdated: February 2019
:accuratefor: 0.9.38
.. contents::
@@ -410,16 +410,17 @@ The defined Signing Public Key types are:
Type Type Code Total Public Key Length Since Usage
====================== =========== ======================= ====== =====
DSA_SHA1 0 128 0.9.12 Legacy Router Identities and Destinations, never explicitly set
ECDSA_SHA256_P256 1 64 0.9.12 Recent Destinations
ECDSA_SHA384_P384 2 96 0.9.12 Sometimes used for Destinations
ECDSA_SHA512_P521 3 132 0.9.12 Sometimes used for Destinations
ECDSA_SHA256_P256 1 64 0.9.12 Older Destinations
ECDSA_SHA384_P384 2 96 0.9.12 Rarely if ever used for Destinations
ECDSA_SHA512_P521 3 132 0.9.12 Rarely if ever used for Destinations
RSA_SHA256_2048 4 256 0.9.12 Offline only; never used in Key Certificates for Router Identities or Destinations
RSA_SHA384_3072 5 384 0.9.12 Offline only; never used in Key Certificates for Router Identities or Destinations
RSA_SHA512_4096 6 512 0.9.12 Offline only; never used in Key Certificates for Router Identities or Destinations
EdDSA_SHA512_Ed25519 7 32 0.9.15 Recent Router Identities and Destinations
EdDSA_SHA512_Ed25519ph 8 32 0.9.25 Offline only; never used in Key Certificates for Router Identities or Destinations
reserved 9 Reserved, see proposal 134
reserved 10 Reserved, see proposal 134
reserved (GOST) 9 64 Reserved, see proposal 134
reserved (GOST) 10 128 Reserved, see proposal 134
reserved (RedDSA) 11 32 Reserved, see proposal 123
reserved 65280-65534 Reserved for experimental use
reserved 65535 Reserved for future expansion
====================== =========== ======================= ====== =====

174
i2p2www/spec/proposals/123-new-netdb-entries.rst
View File

@@ -5,7 +5,7 @@ New netDB Entries
:author: zzz, str4d, orignal
:created: 2016-01-16
:thread: http://zzz.i2p/topics/2051
:lastupdated: 2019-02-03
:lastupdated: 2019-02-04
:status: Open
:supercedes: 110, 120, 121, 122
@@ -509,19 +509,18 @@ SIG
It must also support the following key blinding operations:
BLIND_PRIVKEY(privkey, blind)
Blinds a private key.
Blinding is roughly as specified in Tor's rend-spec-v3 appendices A.1 and A.2.
TODO
GENERATE_ALPHA(data, secret)
Generate alpha for those who know the data and an optional secret.
The result must be identically distributed as the private keys.
BLIND_PUBKEY(pubkey, blind)
Blinds a public key, such that for a given keypair (privkey, pubkey) the
following relationship holds::
BLIND_PRIVKEY(privkey, alpha)
Blinds a private key, using a secret alpha.
BLIND_PUBKEY(pubkey, blind) == DERIVE_PUBLIC(BLIND_PRIVKEY(privkey, blind))
BLIND_PUBKEY(pubkey, alpha)
Blinds a public key, using a secret alpha.
For a given keypair (privkey, pubkey) the following relationship holds::
Blinding is roughly as specified in Tor's rend-spec-v3 appendices A.1 and A.2.
TODO
BLIND_PUBKEY(pubkey, alpha) == DERIVE_PUBLIC(BLIND_PRIVKEY(privkey, alpha))
DH
X25519 public key agreement system. Private keys of 32 bytes, public keys of 32
@@ -534,7 +533,7 @@ DH
DERIVE_PUBLIC(privkey)
Returns the public key corresponding to the given private key.
AGREE(privkey, pubkey)
DH(privkey, pubkey)
Generates a shared secret from the given private and public keys.
HKDF(salt, ikm, info, n)
@@ -717,65 +716,140 @@ Blinding Key Derivation
We use the following scheme for key blinding, based on Ed25519
and ZCash RedDSA [ZCASH]_.
The RedDSA signatures are over the Ed25519 curve, using SHA-512 for the hash.
We do not use Tor's rend-spec-v3.txt appendix A.2 [TOR-REND-SPEC-V3]_,
which has similar design goals, because its blinded public keys
may be off the prime-order subgroup, with unknown security implications.
The RedDSA signatures are over the Ed25519 curve, using SHA-512 for the hash.
Goals
~~~~~
- Signing public key in unblinded destination must be Ed25519 (sig type 7); no other sig types are supported
- If the signing public key is offline, the transient signing public key must also be Ed25519
- Blinding is computationally simple
- Use existing cryptographic primitives
- Blinded public keys cannot be unblinded
- Blinded public keys must be on the Ed25519 curve and prime-order subgroup
- Must know the full destination to derive the blinded public key
- Optionally provide for an additional secret required to derive the blinded public key
Issues
``````
- How to do this with offline/transient keys?
The blinded key would be generated from the transient key, but those fetching
the leaseset don't know the transient key, because it's in the leaseset.
- Do we need to use sig type 11 for RedDSA, or use type 7 for it?
- Is RedDSA really compatible with Ed25519? Is T the only change?
- Should we call it Red25519?
Definitions
~~~~~~~~~~~
B
The Ed25519 base point as in [ED25519-REFS]_
G
The Ed25519 generator as in [ED25519-REFS]_
DERIVE_PUBLIC(a)
Convert a private key to public, as in Ed25519 (mulitply by G)
alpha
A 32-byte random number known to those who know the destination.
GENERATE_ALPHA(destination, date, secret)
Generate alpha for the current date, for those who know the destination and the secret.
The result must be identically distributed as Ed25519 private keys.
a
The unblinded 32-byte EdDSA signing private key used to sign the destination
A
The unblinded 32-byte EdDSA signing public key in the destination,
= DERIVE_PUBLIC(a), as in Ed25519
a'
The blinded 32-byte EdDSA signing private key used to sign the encrypted leaseset
This is a valid EdDSA private key.
A'
The blinded 32-byte EdDSA signing public key in the Destination,
may be generated with DERIVE_PUBLIC(a'), or from A and alpha.
This is a valid EdDSA public key, on the curve and on the prime-order subgroup.
LEOS2IP(x)
Flip the order of the input bytes to little-endian
H*(x)
32 bytes = (LEOS2IP(SHA512(x))) mod B, same as in Ed25519 hash-and-reduce
Blinding Calculations
~~~~~~~~~~~~~~~~~~~~~
::
Let B be the ed25519 base point as in [ED25519-REFS]:
B = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
46316835694926478169428394003475163141307993866256225615783033603165251855960)
GENERATE_ALPHA(destination, date, secret), for all parties:
secret is optional, else zero-length
personalization = 12 bytes "i2pblinding1"
datestring = YYYYMMDD from the current date UTC
alpha = SHA256(personalization || SHA256(destination) || datestring || secret)
"clamp" the hash to make a valid Ed25519 little-endian private key:
alpha[0] &= 248;
alpha[31] &= 63;
alpha[31] |= 64;
Assume B has prime order l, so lB=0. Let a master keypair be written as
(a,A), where a is the private key and A is the public key (A=aB).
BLIND_PRIVKEY(), for the owner of the leaseset:
alpha = GENERATE_ALPHA(destination, date, secret)
Take the destination's signing private key a
blinded signing private key = a' = BLIND_PRIVKEY(a, alpha) = (a + alpha) mod B
blinded signing public key = A' = DERIVE_PUBLIC(a')
To derive the key for a nonce N and an optional secret s, compute the
blinding factor like this:
BLIND_PUBKEY(), for those retrieving the leaseset:
alpha = GENERATE_ALPHA(destination, date, secret)
Take the destination's signing public key A
blinded public key = A' = BLIND_PUBKEY(A, alpha) = A + DERIVE_PUBLIC(alpha)
h = H(BLIND_STRING | A | s | B | N)
BLIND_STRING = "Derive temporary signing key" | INT_1(0)
N = "key-blind" | INT_8(period-number) | INT_8(period_length)
B = "(1511[...]2202, 4631[...]5960)"
Both methods of calculating A' yield the same result, as required.
then clamp the blinding factor 'h' according to the ed25519 spec:
h[0] &= 248;
h[31] &= 63;
h[31] |= 64;
and do the key derivation as follows:
Signing
~~~~~~~
private key for the period:
The unblinded leaseset is signed by the unblinded Ed25519 signing private key
and verified with the unblinded Ed25519 signing public key (sig type 7) as usual.
a' = h a mod l
RH' = SHA-512(RH_BLIND_STRING | RH)[:32]
RH_BLIND_STRING = "Derive temporary signing key hash input"
If the signing public key is offline,
the unblinded leaseset is signed by the unblinded transient Ed25519 signing private key
and verified with the unblinded Ed25519 transient signing public key (sig type 7) as usual.
public key for the period:
For signing of the encrypted leaseset, we use RedDSA [ZCASH]_
to sign and verify with blinded keys.
The RedDSA signatures are over the Ed25519 curve, using SHA-512 for the hash.
A' = h A = (ha)B
RedDSA is the same as standard Ed25519 except for the addition of
an 80-byte random byte sequence T that is included in the signature calculation.
This is compatible with standard Ed25519.
Generating a signature of M: given a deterministic random-looking r
(see EdDSA paper), take R=rB, S=r+hash(R,A',M)ah mod l. Send signature
(R,S) and public key A'.
Verifying the signature: Check whether SB = R+hash(R,A',M)A'.
Sign/Verify Calculations
~~~~~~~~~~~~~~~~~~~~~~~~
(If the signature is valid,
SB = (r + hash(R,A',M)ah)B
= rB + (hash(R,A',M)ah)B
= R + hash(R,A',M)A' )
::
This boils down to regular Ed25519 with key pair (a', A').
Signing:
T = 80 random bytes
r = H*(T || a || message)
(rest is the same as in Ed25519)
See [KEYBLIND-REFS]_ for an extensive discussion on this scheme and
possible alternatives. Also, see [KEYBLIND-PROOF]_ for a security
proof of this scheme.
Verification:
Same as for Ed25519
@@ -940,7 +1014,7 @@ Then for each authorized client, the server encrypts ``authCookie`` to its publi
.. raw:: html
{% highlight lang='text' %}
sharedSecret = AGREE(esk, cpk_i)
sharedSecret = DH(esk, cpk_i)
authInput = sharedSecret || cpk_i || subcredential || publishedTimestamp
okm = HKDF(epk, authInput, "ELS2_XCA", 52)
clientKey_i = okm[0:31]
@@ -960,7 +1034,7 @@ encryption key ``clientKey_i``, and encryption IV ``clientIV_i``:
.. raw:: html
{% highlight lang='text' %}
sharedSecret = AGREE(csk_i, epk)
sharedSecret = DH(csk_i, epk)
authInput = sharedSecret || cpk_i || subcredential || publishedTimestamp
okm = HKDF(epk, authInput, "ELS2_XCA", 52)
clientKey_i = okm[0:31]
@@ -1075,8 +1149,6 @@ Downsides of PSK client authorization
Issues
``````
- Blinding spec TODO
- Use AES instead of ChaCha20?
- If we care about speed, we could use keyed-BLAKE2b instead. It has an output