diff --git a/src/tapir.md b/src/tapir.md index ea390c1..a773b8b 100644 --- a/src/tapir.md +++ b/src/tapir.md @@ -21,7 +21,13 @@ application. ## Primitives -### Privacy Pass +### Identity + +An ed25519 keypair, required for established a Tor v3 onion service +and used to maintain a consistent cryptographic identity for a peer. + +* InitializeIdentity - from a known, persistent keypair: \\(i,I\\) +* InitializeEphemeralIdentity - from a random keypair: \\(i_e, I_e\\) ## Applications 
@@ -38,18 +44,74 @@ Initializes a [Merlin](https://merlin.cool)-based cryptographic transcript that ### Authentication App -**Dependencies:** Transcript App +* **Dependencies**: Transcript App +* **Capabilities Granted**: *AuthenticationCapability* +* **Capabilities Required**: *None* Engages in an ephemeral triple-diffie-hellman handshake to derive a unique, authenticated session key. +Each peer, given an open connection \\(C\\): + +\\[ \\ +I = \mathrm{InitializeIdentity()} \\\\ +I_e = \mathrm{InitializeEphemeralIdentity()} \\\\ +\\\\ +I,I_e \rightarrow C \\\\ +P,P_e \leftarrow C \\\\ +\\\\ +k = \mathrm{KDF}({P_e}^{i} + {P}^{i_e} + {P_e}^{i_e}) \\\\ +c = \mathrm{E}(k, I) \\\\ +c \rightarrow C \\\\ +c_p \leftarrow C \\\\ +\mathrm{D}(k, c_p) \stackrel{?}{=} P \\\\ +\\] + +The above represents a sketch protocol, in reality there are a few + implementation details worth pointing out: + +Once derived from the key deriviation function \\(\mathrm{KDF}\\\) the key + \\(k\\) is set *on* the connection, meaning the authentication app doesn't + do the encryption or decryption explicitly. + +Also the concatenation of parts of the 3DH exchange is strictly ordered: + +* DH of the Long term identity of the outbound connection by the ephemeral + key of the inbound connection. +* DH of the Long term identity of the inbound connection by the ephemeral +key of the outbound connection. +* DH of the two ephemeral identities of the inbound and outbound connections. + +This strict ordering ensures both sides of the connection derive the *same* +session key. + +#### Asymmetry + +The client connection is guaranteed to possess the long term identity of the +server connection through the propreties of the underlying tor v3 onion + connection. + +As such if the server attempts to send a different long term identity to the +client we can detect it and terminate the authentication protocol early. 
+ + ### Token App **Dependencies:** Transcript App +* **Capabilities Granted**: *HasTokensCapability* +* **Capabilities Required**: *None* (implicitly guarded) Allows the client to obtain signed, blinded tokens for use in another application. +While this application has no explicit requirement for any given capability, +we expect it to be protected via a preceeding app in an `ApplicationChain` e.g. + + powTokenApp := new(applications.ApplicationChain). + ChainApplication(new(applications.ProofOfWorkApplication), applications.SuccessfulProofOfWorkCapability). + ChainApplication(tokenApplication, applications.HasTokensCapability) + + #### Notes * No direct testing (tested via integration tests and unit tests)
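Review bot: In the first hunk (the new Identity section under Primitives), the pairs \\(i,I\\) and \\(i_e, I_e\\) are introduced without saying which element is the private key and which is the public key, yet the Authentication App sketch depends on that distinction: \\(I, I_e\\) are sent on the connection and \\(i, i_e\\) appear only as exponents. Suggest one sentence defining lowercase as the private half and uppercase as the public half, if that is the intent. In the same section, "required for established" should read "required for establishing". The hunk also removes the "### Privacy Pass" heading with no replacement while the Token App still describes signed, blinded tokens, so either keep a Privacy Pass entry under Primitives or say where that primitive is documented.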
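Review bot: In the second hunk, the key derivation line `k = \mathrm{KDF}({P_e}^{i} + {P}^{i_e} + {P_e}^{i_e})` joins the three DH outputs with `+`, but the prose under it says the parts are concatenated in a strict order. `+` reads as commutative addition, under which ordering would not matter, and the formula lists the terms from each peer's own viewpoint rather than in the outbound/inbound order given in the bullets. Suggest an explicit concatenation operator (for example `\|`) and a note that the term order is fixed by connection direction, as the bullets describe. The Asymmetry section covers only the client checking the server's long term identity; a sentence on what the server can conclude from the \\(\mathrm{D}(k, c_p) \stackrel{?}{=} P\\) check, and what happens on failure, would complete it. Smaller points: the inline math `\\(\mathrm{KDF}\\\)` closes with three backslashes instead of two and will likely not render; "deriviation", "propreties" and "preceeding" are misspelled; "tor v3" should match the "Tor v3" capitalisation used in the Identity section; and in Token App the unchanged `**Dependencies:** Transcript App` line was not converted to the bullet form used for the Authentication App, so the new capability bullets follow a bare paragraph line.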