Newer
Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
# Bramble Rendezvous Protocol, version 0
## 1 Introduction
Bramble Rendezvous Protocol (BRP) is a discovery protocol for peer-to-peer networks. It enables two peers that have previously exchanged public keys to connect to each other. No other information, such as network addresses, needs to be exchanged in advance.
BRP is designed to operate over a wide range of connection-oriented transport protocols. The current version of BRP uses the Tor hidden service protocol as the transport. Future versions of BRP may support other transports.
### 1.1 Motivation
BRP enables two peers in a peer-to-peer network to connect to each other. In general terms this requires each peer to have some kind of network address at which the other peer can contact it.
Regardless of what kind of network address is used, there are risks associated with exchanging network addresses over an insecure channel where they may be seen by an adversary.
If an adversary knows a peer's network address, the adversary can connect to the address in order to track when the peer is online or carry out attacks such as flooding the peer with connection attempts.
To avoid exposing their network addresses, peers in BRP exchange public keys instead of network addresses. Two peers that have exchanged public keys can derive a shared secret that is not known to any other party, including an adversary who may have seen both public keys. The peers then derive network addresses from the shared secret and use these addresses for connecting to each other.
### 1.2 Adversary Model
We assume the adversary can read, modify, delete and insert traffic on all transports at will. We assume the adversary knows both peers' public keys but does not know the corresponding private keys.
If the adversary can modify the public keys exchanged by the peers then BRP does not prevent man-in-the-middle attacks. If the adversary can see but not modify the public keys then BRP prevents man-in-the-middle attacks.
### 1.3 Notation
- || denotes concatenation
- Double quotes denote an ASCII string
- len(x) denotes the length of x in bytes
- int\_n(x) denotes x represented as an unsigned, big-endian, n-bit integer
### 1.4 Cryptographic Primitives
BRP uses three cryptographic primitives:
1. **A cryptographic hash function**, H(m)
2. **A key agreement function**, DH(pri, pub), where pri is one party's private key and pub is the other party's public key
3. **A message authentication code**, MAC(k, m), which must be a pseudo-random function
4. **A stream cipher**, STREAM(k, len), which expands a key into a stream of pseudo-random bytes
We use H(m) to define a multi-argument hash function:
- HASH(x\_1, ..., x\_n) = H(int\_32(len(x\_1)) || x\_1 || ... || int\_32(len(x\_n)) || x\_n)
We use MAC(k, m) to define a key derivation function:
- KDF(k, x\_1, ..., x\_n) = MAC(k, int\_32(len(x\_1)) || x\_1 || ... || int\_32(len(x\_n)) || x\_n)
All hashes are HASH\_LEN bytes, all symmetric keys are KEY\_LEN bytes, and the output of MAC(k, m) is MAC\_LEN bytes. For simplicity we require that HASH\_LEN = KEY\_LEN = MAC\_LEN.
(*Note:* The current version of the protocol uses BLAKE2b as the hash function and keyed BLAKE2b as the message authentication code, both with an output length of 32 bytes. This gives HASH\_LEN = KEY\_LEN = MAC\_LEN = 32. The key agreement function is X25519. The stream cipher is Salsa20 with an all-zero nonce.)
### 1.5 Prerequisites
Before two peers can communicate using BRP they must exchange public keys. BRP does not specify how this should be done. Any synchronous or asynchronous communication channel can be used, subject to the caveat that if an adversary can modify the keys being exchanged then the adversary can carry out a man-in-the-middle attack.
## 2 The Rendezvous Protocol
### 2.1 Deriving the Rendezvous Key
After exchanging public keys, each peer decides whether it will take the role of **Alice** or **Bob**. The peers take roles according to the lexicographic order of their public keys, compared as byte strings. The peer with the earlier key plays the role of Alice, while the peer with the later key plays the role of Bob. The roles are identical apart from some key derivation constants.
Both peers calculate the "raw" shared secret as follows:
- Alice calculates raw\_secret = DH(pri\_a, pub\_b)
- Bob calculates raw\_secret = DH(pri\_b, pub\_a)
(*Note:* If a peer calculates an X25519 raw shared secret that is all zeroes, the peer must abort the protocol.)
If the adversary has not modified the public keys then both peers will calculate the same raw shared secret, which will be unknown to the adversary.
The peers then derive a "cooked" shared secret known as the **static master key**, which incorporates both peers' public keys:
- static\_master\_key = HASH("org.briarproject.bramble.transport/STATIC\_MASTER\_KEY", raw\_secret, pub\_a, pub\_b)
Next the peers derive a **rendezvous key** from the static master key:
- rendezvous\_key = KDF(static\_master\_key, "org.briarproject.bramble.rendezvous/RENDEZVOUS\_KEY", int\_8(protocol\_version))
The protocol version is 0 for the current version of BRP.
### 2.2 Creating Network Endpoints
Each peer uses the rendezvous key to create a **network endpoint** for each transport the peer supports. The peer derives a **stream key** for each transport from the rendezvous key. The peer uses the stream key to generate pseudo-random network addresses for its own endpoint and the other peer's endpoint. The other peer derives the same stream key and generates the same addresses, so the peers know the addresses of each other's endpoints.
- stream\_key = KDF(rendezvous\_key, "org.briarproject.bramble.rendezvous/KEY\_MATERIAL", transport\_id)
The only transport used by this version of BRP is the Tor hidden service protocol, which has the transport identifier "org.briarproject.bramble.tor".
#### 2.2.1 Network Endpoints for the Tor Hidden Service Protocol
Both peers derive 64 bytes of key material from the stream key:
- key\_material = STREAM(stream\_key, 64)
The first 32 bytes are Alice's seed and the last 32 bytes are Bob's seed. Each seed is used as the private key of an Ed25519 key pair, as described in RFC 8032 section 5.1.5. Each key pair is used as the master identity key pair of a Tor hidden service, as described in section 1.9 of the Tor Rendezvous Specification, Version 3. The hidden service address is derived from the public key, as described in section 6 of the same specification.
Each peer uses the identity key pair of its own hidden service to publish the hidden service and accept incoming connections, and at the same time uses the address of the other peer's hidden service to make outgoing connections.
### 2.3 Polling for Connections
Each peer keeps its network endpoints open and tries to connect to the other peer's endpoints once per minute for up to 48 hours. If a peer goes offline during this time, it reopens its endpoints and resumes trying to connect when it comes back online.
When BRP establishes an incoming or outgoing connection it passes the connection to the application layer. When the application layer determines that no further rendezvous connections are needed, it tells BRP to end the rendezvous. BRP closes its network endpoints and stops making outgoing connections.
If no connection is made within 48 hours of the initial key exchange, the rendezvous is considered to have failed. BRP notifies the application layer, closes its network endpoints and stops making outgoing connections.
### 2.4 Use of Rendezvous Connections
The application layer is responsible for deciding how to use any rendezvous connections created by BRP. BRP does not authenticate the remote peer, but it makes the static master key available to the application layer so other protocols can derive keys from it, for example to encrypt and authenticate communication with the remote peer over a rendezvous connection.