Skip to content
Snippets Groups Projects
Commit 226ed192 authored by Nico's avatar Nico
Browse files

Update BHP spec to version 0.1

parent b5485392
No related branches found
No related tags found
1 merge request!8Update BHP spec to version 0.1
Hide whitespace changes
Inline Side-by-side
Showing
with 9 additions and 5 deletions
protocols/BHP.md
+ 9
5
View file @ 226ed192
# Bramble Handshake Protocol, version 0
# Bramble Handshake Protocol, version 0.1
## 1 Introduction
......@@ -68,14 +68,18 @@ The peers exchange a series of **records** over the transport connection. Each r
The maximum length of the payload is 48 KiB.
The current version of the protocol is 0, which has two record types:
The current version of the protocol is 0.1, which has three record types:
**0: EPHEMERAL\_PUBLIC\_KEY** - The payload consists of the sender's ephemeral public key.
**1: PROOF\_OF\_OWNERSHIP** - The payload consists of a message authentication code proving ownership of the sender's long-term and ephemeral public keys and binding them to the recipient's long-term and ephemeral public keys.
**2: MINOR\_VERSION** - The payload consists of a single byte giving the sender's protocol minor version, which must be non-zero.
A peer should reject any record with an unsupported protocol version and ignore any record with a supported protocol version but an unrecognised record type. This allows new record types to be added without breaking compatibility.
A peer must abort the protocol when no minor version is received from its remote peer, since the initial version 0 of BHP is vulnerable to attacks on forward secrecy.
### 2.2 Protocol Steps
The protocol has four steps:
......@@ -89,13 +93,13 @@ The protocol has four steps:
Alice calculates three "raw" shared secrets as follows:
- raw\_static = DH(pri\_long\_term\_a, pub\_long\_term\_b)
- raw\_ephemeral = DH(pri\_ephemeral\_a, pub\_ephemeral\_b)
- raw\_static\_ephemeral = DH(pri\_long\_term\_a, pub\_ephemeral\_b)
- raw\_ephemeral\_static = DH(pri\_ephemeral\_a, pub\_long\_term\_b)
Bob calculates three "raw" shared secrets as follows:
- raw\_static = DH(pri\_long\_term\_b, pub\_long\_term\_a)
- raw\_ephemeral = DH(pri\_ephemeral\_b, pub\_ephemeral\_a)
- raw\_static\_ephemeral = DH(pri\_ephemeral\_b, pub\_long\_term\_a)
- raw\_ephemeral\_static = DH(pri\_long\_term\_b, pub\_ephemeral\_a)
......@@ -103,7 +107,7 @@ Bob calculates three "raw" shared secrets as follows:
If the adversary did not intercept the prior exchange of long-term public keys and has not modified the EPHEMERAL\_PUBLIC\_KEY records then both peers will calculate the same shared secrets. The peers then derive a "cooked" shared secret known as the **ephemeral master key**, which incorporates both peers' long-term and ephemeral public keys:
- ephemeral\_master\_key = HASH("org.briarproject.bramble.handshake/MASTER\_KEY", raw\_static, raw\_static\_ephemeral, raw\_ephemeral\_static, pub\_long\_term\_a, pub\_long\_term\_b, pub\_ephemeral\_a, pub\_ephemeral\_b)
- ephemeral\_master\_key = HASH("org.briarproject.bramble.handshake/MASTER\_KEY", raw\_ephemeral, raw\_static\_ephemeral, raw\_ephemeral\_static, pub\_long\_term\_a, pub\_long\_term\_b, pub\_ephemeral\_a, pub\_ephemeral\_b)
The peers must then delete their ephemeral private keys and the raw shared secrets, allowing the calling application to use the master key for forward secret communication if required.
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment