Skip to content
Snippets Groups Projects
Commit 623b8b29 authored by akwizgran's avatar akwizgran
Browse files

Merge branch '20-bhp-0-1' into 'master'

Update BHP spec to version 0.1

Closes #20

See merge request !8
parents b5485392 226ed192
Branches master
No related tags found
1 merge request!8Update BHP spec to version 0.1
# Bramble Handshake Protocol, version 0
# Bramble Handshake Protocol, version 0.1
## 1 Introduction
......@@ -68,14 +68,18 @@ The peers exchange a series of **records** over the transport connection. Each r
The maximum length of the payload is 48 KiB.
The current version of the protocol is 0, which has two record types:
The current version of the protocol is 0.1, which has three record types:
**0: EPHEMERAL\_PUBLIC\_KEY** - The payload consists of the sender's ephemeral public key.
**1: PROOF\_OF\_OWNERSHIP** - The payload consists of a message authentication code proving ownership of the sender's long-term and ephemeral public keys and binding them to the recipient's long-term and ephemeral public keys.
**2: MINOR\_VERSION** - The payload consists of a single byte giving the sender's protocol minor version, which must be non-zero.
A peer should reject any record with an unsupported protocol version and ignore any record with a supported protocol version but an unrecognised record type. This allows new record types to be added without breaking compatibility.
A peer must abort the protocol when no minor version is received from its remote peer, since the initial version 0 of BHP is vulnerable to attacks on forward secrecy.
### 2.2 Protocol Steps
The protocol has four steps:
......@@ -89,13 +93,13 @@ The protocol has four steps:
Alice calculates three "raw" shared secrets as follows:
- raw\_static = DH(pri\_long\_term\_a, pub\_long\_term\_b)
- raw\_ephemeral = DH(pri\_ephemeral\_a, pub\_ephemeral\_b)
- raw\_static\_ephemeral = DH(pri\_long\_term\_a, pub\_ephemeral\_b)
- raw\_ephemeral\_static = DH(pri\_ephemeral\_a, pub\_long\_term\_b)
Bob calculates three "raw" shared secrets as follows:
- raw\_static = DH(pri\_long\_term\_b, pub\_long\_term\_a)
- raw\_ephemeral = DH(pri\_ephemeral\_b, pub\_ephemeral\_a)
- raw\_static\_ephemeral = DH(pri\_ephemeral\_b, pub\_long\_term\_a)
- raw\_ephemeral\_static = DH(pri\_long\_term\_b, pub\_ephemeral\_a)
......@@ -103,7 +107,7 @@ Bob calculates three "raw" shared secrets as follows:
If the adversary did not intercept the prior exchange of long-term public keys and has not modified the EPHEMERAL\_PUBLIC\_KEY records then both peers will calculate the same shared secrets. The peers then derive a "cooked" shared secret known as the **ephemeral master key**, which incorporates both peers' long-term and ephemeral public keys:
- ephemeral\_master\_key = HASH("org.briarproject.bramble.handshake/MASTER\_KEY", raw\_static, raw\_static\_ephemeral, raw\_ephemeral\_static, pub\_long\_term\_a, pub\_long\_term\_b, pub\_ephemeral\_a, pub\_ephemeral\_b)
- ephemeral\_master\_key = HASH("org.briarproject.bramble.handshake/MASTER\_KEY", raw\_ephemeral, raw\_static\_ephemeral, raw\_ephemeral\_static, pub\_long\_term\_a, pub\_long\_term\_b, pub\_ephemeral\_a, pub\_ephemeral\_b)
The peers must then delete their ephemeral private keys and the raw shared secrets, allowing the calling application to use the master key for forward secret communication if required.
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment