tapir sketch
parent
3785479f48
commit
06198bc6c4
66
src/tapir.md
|
@ -21,7 +21,13 @@ application.
|
|||
|
||||
## Primitives
|
||||
|
||||
### Privacy Pass
|
||||
### Identity
|
||||
|
||||
An ed25519 keypair, required for established a Tor v3 onion service
|
||||
and used to maintain a consistent cryptographic identity for a peer.
|
||||
|
||||
* InitializeIdentity - from a known, persistent keypair: \\(i,I\\)
|
||||
* InitializeEphemeralIdentity - from a random keypair: \\(i_e, I_e\\)
|
||||
|
||||
## Applications
|
||||
|
||||
|
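Review bot: The Identity bullets introduce \\(i,I\\) and \\(i_e, I_e\\) without saying which symbol of each pair is the private key and which is the public key. The Authentication App sketch further down uses the lowercase symbols as exponents and sends the uppercase ones over the connection, so one sentence here defining lowercase as private and uppercase as public would let that sketch be read on its own. In the same paragraph, "required for established a Tor v3 onion service" should read "required for establishing" (or "to establish"). The Privacy Pass heading directly above Identity has no body text in this region; a one-line description or an explicit TODO would make the gap intentional.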
@ -38,18 +44,74 @@ Initializes a [Merlin](https://merlin.cool)-based cryptographic transcript that
|
|||
|
||||
### Authentication App
|
||||
|
||||
**Dependencies:** Transcript App
|
||||
* **Dependencies**: Transcript App
|
||||
* **Capabilities Granted**: *AuthenticationCapability*
|
||||
* **Capabilities Required**: *None*
|
||||
|
||||
Engages in an ephemeral triple-diffie-hellman handshake to derive a unique,
|
||||
authenticated session key.
|
||||
|
||||
Each peer, given an open connection \\(C\\):
|
||||
|
||||
\\[ \\
|
||||
I = \mathrm{InitializeIdentity()} \\\\
|
||||
I_e = \mathrm{InitializeEphemeralIdentity()} \\\\
|
||||
\\\\
|
||||
I,I_e \rightarrow C \\\\
|
||||
P,P_e \leftarrow C \\\\
|
||||
\\\\
|
||||
k = \mathrm{KDF}({P_e}^{i} + {P}^{i_e} + {P_e}^{i_e}) \\\\
|
||||
c = \mathrm{E}(k, I) \\\\
|
||||
c \rightarrow C \\\\
|
||||
c_p \leftarrow C \\\\
|
||||
\mathrm{D}(k, c_p) \stackrel{?}{=} P \\\\
|
||||
\\]
|
||||
|
||||
The above represents a sketch protocol, in reality there are a few
|
||||
implementation details worth pointing out:
|
||||
|
||||
Once derived from the key deriviation function \\(\mathrm{KDF}\\\) the key
|
||||
\\(k\\) is set *on* the connection, meaning the authentication app doesn't
|
||||
do the encryption or decryption explicitly.
|
||||
|
||||
Also the concatenation of parts of the 3DH exchange is strictly ordered:
|
||||
|
||||
* DH of the Long term identity of the outbound connection by the ephemeral
|
||||
key of the inbound connection.
|
||||
* DH of the Long term identity of the inbound connection by the ephemeral
|
||||
key of the outbound connection.
|
||||
* DH of the two ephemeral identities of the inbound and outbound connections.
|
||||
|
||||
This strict ordering ensures both sides of the connection derive the *same*
|
||||
session key.
|
||||
|
||||
#### Asymmetry
|
||||
|
||||
The client connection is guaranteed to possess the long term identity of the
|
||||
server connection through the propreties of the underlying tor v3 onion
|
||||
connection.
|
||||
|
||||
As such if the server attempts to send a different long term identity to the
|
||||
client we can detect it and terminate the authentication protocol early.
|
||||
|
||||
|
||||
### Token App
|
||||
|
||||
**Dependencies:** Transcript App
|
||||
* **Capabilities Granted**: *HasTokensCapability*
|
||||
* **Capabilities Required**: *None* (implicitly guarded)
|
||||
|
||||
Allows the client to obtain signed, blinded tokens for use in another
|
||||
application.
|
||||
|
||||
While this application has no explicit requirement for any given capability,
|
||||
we expect it to be protected via a preceeding app in an `ApplicationChain` e.g.
|
||||
|
||||
powTokenApp := new(applications.ApplicationChain).
|
||||
ChainApplication(new(applications.ProofOfWorkApplication), applications.SuccessfulProofOfWorkCapability).
|
||||
ChainApplication(tokenApplication, applications.HasTokensCapability)
|
||||
|
||||
|
||||
#### Notes
|
||||
|
||||
* No direct testing (tested via integration tests and unit tests)
|
||||
|
|
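Review bot: The KDF line in the Authentication App sketch, `k = \mathrm{KDF}({P_e}^{i} + {P}^{i_e} + {P_e}^{i_e})`, is written from each peer's own point of view, so read literally the two peers feed the first two DH terms in opposite order, which contradicts the "strictly ordered" concatenation described just below it. Consider writing the formula in terms of the outbound and inbound roles used in that list, and using a concatenation operator rather than `+`, so the sketch and the ordering rule agree. Smaller points in the same hunk: `\\(\mathrm{KDF}\\\)` has one backslash too many before the closing parenthesis and will not close the inline math; "deriviation", "propreties" and "preceeding" are misspelled; the Token App still has the unbulleted `**Dependencies:** Transcript App` line while the Authentication App uses the bulleted form; and the Notes line "No direct testing (tested via integration tests and unit tests)" reads as self-contradictory, so say which tests cover the app and what "direct" excludes.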