Merge branch '20-bhp-0-1' into 'master'

Update BHP spec to version 0.1 Closes #20 See merge request !8

Merge branch '20-bhp-0-1' into 'master'
Update BHP spec to version 0.1 Closes #20 See merge request !8
623b8b29 · akwizgran · b5485392 · 226ed192 · 623b8b29
Commit 623b8b29 authored 1 month ago by akwizgran
--- a/protocols/BHP.md
+++ b/protocols/BHP.md
-# Bramble Handshake Protocol, version 0
+# Bramble Handshake Protocol, version 0.1

 ## 1 Introduction

@@ -68,14 +68,18 @@ The peers exchange a series of **records** over the transport connection. Each r

 The maximum length of the payload is 48 KiB.

-The current version of the protocol is 0, which has two record types:
+The current version of the protocol is 0.1, which has three record types:

 **0: EPHEMERAL\_PUBLIC\_KEY** - The payload consists of the sender's ephemeral public key.

 **1: PROOF\_OF\_OWNERSHIP** - The payload consists of a message authentication code proving ownership of the sender's long-term and ephemeral public keys and binding them to the recipient's long-term and ephemeral public keys.

+**2: MINOR\_VERSION** - The payload consists of a single byte giving the sender's protocol minor version, which must be non-zero.
+
 A peer should reject any record with an unsupported protocol version and ignore any record with a supported protocol version but an unrecognised record type. This allows new record types to be added without breaking compatibility.

+A peer must abort the protocol when no minor version is received from its remote peer, since the initial version 0 of BHP is vulnerable to attacks on forward secrecy.
+
 ### 2.2 Protocol Steps

 The protocol has four steps:
@@ -89,13 +93,13 @@ The protocol has four steps:

 Alice calculates three "raw" shared secrets as follows:

- raw\_static = DH(pri\_long\_term\_a, pub\_long\_term\_b)
+- raw\_ephemeral = DH(pri\_ephemeral\_a, pub\_ephemeral\_b)
 - raw\_static\_ephemeral = DH(pri\_long\_term\_a, pub\_ephemeral\_b)
 - raw\_ephemeral\_static = DH(pri\_ephemeral\_a, pub\_long\_term\_b)

 Bob calculates three "raw" shared secrets as follows:

- raw\_static = DH(pri\_long\_term\_b, pub\_long\_term\_a)
+- raw\_ephemeral = DH(pri\_ephemeral\_b, pub\_ephemeral\_a)
 - raw\_static\_ephemeral = DH(pri\_ephemeral\_b, pub\_long\_term\_a)
 - raw\_ephemeral\_static = DH(pri\_long\_term\_b, pub\_ephemeral\_a)

@@ -103,7 +107,7 @@ Bob calculates three "raw" shared secrets as follows:

 If the adversary did not intercept the prior exchange of long-term public keys and has not modified the EPHEMERAL\_PUBLIC\_KEY records then both peers will calculate the same shared secrets. The peers then derive a "cooked" shared secret known as the **ephemeral master key**, which incorporates both peers' long-term and ephemeral public keys:

- ephemeral\_master\_key = HASH("org.briarproject.bramble.handshake/MASTER\_KEY", raw\_static, raw\_static\_ephemeral, raw\_ephemeral\_static, pub\_long\_term\_a, pub\_long\_term\_b, pub\_ephemeral\_a, pub\_ephemeral\_b)
+- ephemeral\_master\_key = HASH("org.briarproject.bramble.handshake/MASTER\_KEY", raw\_ephemeral, raw\_static\_ephemeral, raw\_ephemeral\_static, pub\_long\_term\_a, pub\_long\_term\_b, pub\_ephemeral\_a, pub\_ephemeral\_b)

 The peers must then delete their ephemeral private keys and the raw shared secrets, allowing the calling application to use the master key for forward secret communication if required.