tapir sketch
parent
3785479f48
commit
06198bc6c4
66
src/tapir.md
|
@ -21,7 +21,13 @@ application.
|
||||||
|
|
||||||
## Primitives
|
## Primitives
|
||||||
|
|
||||||
### Privacy Pass
|
### Identity
|
||||||
|
|
||||||
|
An ed25519 keypair, required for established a Tor v3 onion service
|
||||||
|
and used to maintain a consistent cryptographic identity for a peer.
|
||||||
|
|
||||||
|
* InitializeIdentity - from a known, persistent keypair: \\(i,I\\)
|
||||||
|
* InitializeEphemeralIdentity - from a random keypair: \\(i_e, I_e\\)
|
||||||
|
|
||||||
## Applications
|
## Applications
|
||||||
|
|
||||||
|
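Review bot: The two bullets in the new Identity section introduce the pairs \\(i,I\\) and \\(i_e, I_e\\) without saying which element is the private key and which is the public key, although the Authentication App sketch depends on that distinction (lowercase values are used as exponents, uppercase values are sent over the connection). Suggest stating it in the bullets, for example "private key \\(i\\), public key \\(I\\)". In the added paragraph, "required for established a Tor v3 onion service" should read "required for establishing". The "### Privacy Pass" heading is replaced rather than kept next to the new one; if Privacy Pass is still meant to be a primitive (the Token App text speaks of signed, blinded tokens), it should keep its own heading.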
@ -38,18 +44,74 @@ Initializes a [Merlin](https://merlin.cool)-based cryptographic transcript that
|
||||||
|
|
||||||
### Authentication App
|
### Authentication App
|
||||||
|
|
||||||
**Dependencies:** Transcript App
|
* **Dependencies**: Transcript App
|
||||||
|
* **Capabilities Granted**: *AuthenticationCapability*
|
||||||
|
* **Capabilities Required**: *None*
|
||||||
|
|
||||||
Engages in an ephemeral triple-diffie-hellman handshake to derive a unique,
|
Engages in an ephemeral triple-diffie-hellman handshake to derive a unique,
|
||||||
authenticated session key.
|
authenticated session key.
|
||||||
|
|
||||||
|
Each peer, given an open connection \\(C\\):
|
||||||
|
|
||||||
|
\\[ \\
|
||||||
|
I = \mathrm{InitializeIdentity()} \\\\
|
||||||
|
I_e = \mathrm{InitializeEphemeralIdentity()} \\\\
|
||||||
|
\\\\
|
||||||
|
I,I_e \rightarrow C \\\\
|
||||||
|
P,P_e \leftarrow C \\\\
|
||||||
|
\\\\
|
||||||
|
k = \mathrm{KDF}({P_e}^{i} + {P}^{i_e} + {P_e}^{i_e}) \\\\
|
||||||
|
c = \mathrm{E}(k, I) \\\\
|
||||||
|
c \rightarrow C \\\\
|
||||||
|
c_p \leftarrow C \\\\
|
||||||
|
\mathrm{D}(k, c_p) \stackrel{?}{=} P \\\\
|
||||||
|
\\]
|
||||||
|
|
||||||
|
The above represents a sketch protocol, in reality there are a few
|
||||||
|
implementation details worth pointing out:
|
||||||
|
|
||||||
|
Once derived from the key deriviation function \\(\mathrm{KDF}\\\) the key
|
||||||
|
\\(k\\) is set *on* the connection, meaning the authentication app doesn't
|
||||||
|
do the encryption or decryption explicitly.
|
||||||
|
|
||||||
|
Also the concatenation of parts of the 3DH exchange is strictly ordered:
|
||||||
|
|
||||||
|
* DH of the Long term identity of the outbound connection by the ephemeral
|
||||||
|
key of the inbound connection.
|
||||||
|
* DH of the Long term identity of the inbound connection by the ephemeral
|
||||||
|
key of the outbound connection.
|
||||||
|
* DH of the two ephemeral identities of the inbound and outbound connections.
|
||||||
|
|
||||||
|
This strict ordering ensures both sides of the connection derive the *same*
|
||||||
|
session key.
|
||||||
|
|
||||||
|
#### Asymmetry
|
||||||
|
|
||||||
|
The client connection is guaranteed to possess the long term identity of the
|
||||||
|
server connection through the propreties of the underlying tor v3 onion
|
||||||
|
connection.
|
||||||
|
|
||||||
|
As such if the server attempts to send a different long term identity to the
|
||||||
|
client we can detect it and terminate the authentication protocol early.
|
||||||
|
|
||||||
|
|
||||||
### Token App
|
### Token App
|
||||||
|
|
||||||
**Dependencies:** Transcript App
|
**Dependencies:** Transcript App
|
||||||
|
* **Capabilities Granted**: *HasTokensCapability*
|
||||||
|
* **Capabilities Required**: *None* (implicitly guarded)
|
||||||
|
|
||||||
Allows the client to obtain signed, blinded tokens for use in another
|
Allows the client to obtain signed, blinded tokens for use in another
|
||||||
application.
|
application.
|
||||||
|
|
||||||
|
While this application has no explicit requirement for any given capability,
|
||||||
|
we expect it to be protected via a preceeding app in an `ApplicationChain` e.g.
|
||||||
|
|
||||||
|
powTokenApp := new(applications.ApplicationChain).
|
||||||
|
ChainApplication(new(applications.ProofOfWorkApplication), applications.SuccessfulProofOfWorkCapability).
|
||||||
|
ChainApplication(tokenApplication, applications.HasTokensCapability)
|
||||||
|
|
||||||
|
|
||||||
#### Notes
|
#### Notes
|
||||||
|
|
||||||
* No direct testing (tested via integration tests and unit tests)
|
* No direct testing (tested via integration tests and unit tests)
|
||||||
|
|
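Review bot: The key derivation line `k = \mathrm{KDF}({P_e}^{i} + {P}^{i_e} + {P_e}^{i_e})` is written from each peer's own point of view, so its first two terms come out in opposite order on the two sides of the connection, which conflicts with the strict ordering required by the bullet list a few lines later. If `+` is meant as concatenation, write it as concatenation and express the three terms by outbound/inbound role rather than "mine/peer's", so the formula and the ordered list agree. In the Asymmetry section, state where in the sequence the client compares the received \\(P\\) with the identity of the onion service; the text says the protocol terminates early but the sketch has no step for it. Smaller points: `\\(\mathrm{KDF}\\\)` has one backslash too many before the closing parenthesis; "deriviation", "propreties" and "preceeding" are misspelled; and the Token App keeps `**Dependencies:** Transcript App` as a bare bold line while the Authentication App converts it to a bullet, so the two new capability bullets there follow a non-list line.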