From 388e1d23c04c2f6954d13d36ffc231611a3c6fa9 Mon Sep 17 00:00:00 2001 From: akwizgran <akwizgran@users.sourceforge.net> Date: Tue, 20 Sep 2016 15:42:49 +0100 Subject: [PATCH] Updated BTP spec to include stream number in stream header nonce. --- protocols/BTP.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/protocols/BTP.md b/protocols/BTP.md index 1fe9efa..75565f2 100644 --- a/protocols/BTP.md +++ b/protocols/BTP.md 
@@ -204,17 +204,21 @@ The tag for the i<sup>th</sup> stream from a given sender to a given recipient i ### 3.2 Stream Headers -The pseudo-random tag is followed by the stream header, which consists of a true random **initialisation vector (IV)** followed by a symmetric **ephemeral cipher key.** +The pseudo-random tag is followed by the stream header, which consists of a true random **initialisation vector (IV)** followed by a symmetric **ephemeral cipher key.** The IV is IV\_LEN bytes long, where IV\_LEN = NONCE\_LEN - 8. -The ephemeral cipher key is encrypted and authenticated with the sender's outgoing header key, using the random IV as the nonce. The ephemeral cipher key is used for encrypting and authenticating the rest of the stream. +The ephemeral cipher key is encrypted and authenticated with the sender's outgoing header key, using a nonce consisting of the stream number as a 64-bit integer followed by the IV. The ephemeral cipher key is used for encrypting and authenticating the rest of the stream. -The stream header is NONCE\_LEN + KEY\_LEN + AUTH\_LEN bytes long. +The stream header is IV\_LEN + KEY\_LEN + AUTH\_LEN bytes long. The stream header is composed as follows: -- stream\_iv = R(NONCE\_LEN) +- stream\_iv = R(IV\_LEN) -- stream\_header = stream\_iv || ENC(outgoing\_header\_key, stream\_iv, ephemeral\_cipher\_key) +- stream\_header\_nonce = int(stream\_number) || stream\_iv + +- stream\_header = stream\_iv || ENC(outgoing\_header\_key, stream\_header\_nonce, ephemeral\_cipher\_key) + +The random IV ensures that if a stream number is accidentally reused, the nonces will be different. IV\_LEN must be large enough to ensure that two random IVs are different with high probability. (*Note:* In the current version of the protocol, IV\_LEN = 16.) ### 3.3 Frames -- GitLab
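Review bot: the encoding of `int(stream_number)` in the new `stream_header_nonce = int(stream_number) || stream_iv` line is left unspecified. The added prose says only "the stream number as a 64-bit integer" and gives neither byte order nor signedness, yet sender and recipient must construct byte-identical nonces or the authenticated decryption of the ephemeral cipher key will fail. Suggest stating the convention explicitly in the same sentence, e.g. "the stream number encoded as an unsigned 64-bit big-endian integer" (or whatever convention `int()` already denotes elsewhere in BTP.md, with a cross-reference to that definition), and tying the `- 8` in `IV_LEN = NONCE_LEN - 8` to it, since that constant is correct only because the stream number occupies exactly 8 bytes of the nonce.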