On 04/07/15 21:50, Brian Warner wrote:
> The sender puts three items into each message: (some details omitted for
> brevity, SecretBox/Box are from NaCl)
>
> 1: "CIDToken": HKDF(key=CIDKey+seqnum)
> 2: "CIDBox": SecretBox(key=CIDKey, data=seqnum+rxpub+..)
> 3: encrypted message: Box(privkey=ephemeralpriv, pub=rxpub, data=msg)
>
> The recipient looks up the CIDToken against a pre-generated table of
> values created for the next-expected sequence number for each potential
> sender. In the best case, this is basically O(1), and identifies the
> sender (who either used the current pubkey, or the old one).
This is similar to what we do in Briar, with the following differences:
1. The recipient keeps a sliding window of CIDTokens ("tags" in Briar)
so they can be recognised out of order without trial decryption.
2. The CIDBox ("stream header" in Briar) contains a symmetric key for
decrypting and authenticating the remainder of the message ("stream" in
Briar). No asymmetric crypto is needed.
3. The remainder of the stream consists of one or more frames, each made
up of two secretboxes. The first secretbox is a fixed-length header
containing the length of the second secretbox, which is a
variable-length body containing data and/or padding. The header also
contains a flag to indicate the last frame in the stream.
https://code.briarproject.org/akwizgran/briar/wikis/BTP
Cheers,
Michael
_______________________________________________
Messaging mailing list
https://moderncrypto.org/mailman/listinfo/messaging
