From 9e3f0e8ccb47e145428ae8bcdbdcdf77d42a0261 Mon Sep 17 00:00:00 2001
From: akwizgran <michael@briarproject.org>
Date: Wed, 10 Apr 2019 12:02:23 +0000
Subject: [PATCH] Update BTP.md

---
 protocols/BTP.md | 46 +++++++++++++++++++++++-----------------------
 1 file changed, 23 insertions(+), 23 deletions(-)

diff --git a/protocols/BTP.md b/protocols/BTP.md
index 02fa42a..a8832ed 100644
--- a/protocols/BTP.md
+++ b/protocols/BTP.md
@@ -136,8 +136,6 @@ These modes are intended to be complementary. Static mode can be used to bootstr
 
 The establishment of root keys and timestamps is not handled by BTP itself. BTP is designed to be used with a separate key agreement protocol that securely establishes the initial state.
 
-If two peers wish to communicate across more than one transport, they must establish a separate root key for each transport to ensure they do not reuse keys.
-
 ### 2.2 Key Derivation Function
 
 BTP uses a **key derivation function** to derive temporary keys from the root key. The key derivation function is based on PRF(k, m):
@@ -158,33 +156,35 @@ In dynamic mode, BTP achieves forward secrecy by periodically rotating and delet
 
 ##### Initial Keys
 
-Each peer derives four initial keys from the root key. Alice derives her initial keys as follows:
+The peers derive temporary keys for each transport over which they want to communicate. Each transport is uniquely identified by an ASCII string known to both peers (for example, "org.briarproject.bramble.bluetooth" for Bluetooth).
+
+For each transport, each peer derives four initial keys from the root key. Alice derives her initial keys as follows:
 
-- outgoing\_tag\_key := KDF(root\_key, "org.briarproject.bramble.transport/ALICE\_TAG\_KEY")
+- outgoing\_tag\_key := KDF(root\_key, "org.briarproject.bramble.transport/ALICE\_TAG\_KEY", transport\_id)
 
-- outgoing\_header\_key := KDF(root\_key, "org.briarproject.bramble.transports/ALICE\_HEADER\_KEY")
+- outgoing\_header\_key := KDF(root\_key, "org.briarproject.bramble.transports/ALICE\_HEADER\_KEY", transport\_id)
 
-- incoming\_tag\_key := KDF(root\_key, "org.briarproject.bramble.transport/BOB\_TAG\_KEY")
+- incoming\_tag\_key := KDF(root\_key, "org.briarproject.bramble.transport/BOB\_TAG\_KEY", transport\_id)
 
-- incoming\_header\_key := KDF(root\_key, "org.briarproject.bramble.transport/BOB\_HEADER\_KEY")
+- incoming\_header\_key := KDF(root\_key, "org.briarproject.bramble.transport/BOB\_HEADER\_KEY", transport\_id)
 
 Bob derives his initial keys as follows:
 
-- outgoing\_tag\_key := KDF(root\_key, "org.briarproject.bramble.transport/BOB\_TAG\_KEY")
+- outgoing\_tag\_key := KDF(root\_key, "org.briarproject.bramble.transport/BOB\_TAG\_KEY", transport\_id)
 
-- outgoing\_header\_key := KDF(root\_key, "org.briarproject.bramble.transport/BOB\_HEADER\_KEY")
+- outgoing\_header\_key := KDF(root\_key, "org.briarproject.bramble.transport/BOB\_HEADER\_KEY", transport\_id)
 
-- incoming\_tag\_key := KDF(root\_key, "org.briarproject.bramble.transport/ALICE\_TAG\_KEY")
+- incoming\_tag\_key := KDF(root\_key, "org.briarproject.bramble.transport/ALICE\_TAG\_KEY", transport\_id)
 
-- incoming\_header\_key := KDF(root\_key, "org.briarproject.bramble.transport/ALICE\_HEADER\_KEY")
+- incoming\_header\_key := KDF(root\_key, "org.briarproject.bramble.transport/ALICE\_HEADER\_KEY", transport\_id)
 
-Thus Alice's outgoing keys are Bob's incoming keys and vice versa.
+Thus Alice's outgoing keys for each transport are the same as Bob's incoming keys, and vice versa.
 
 After deriving the initial keys, both peers must delete the root key.
 
-The initial keys are used as the temporary keys for the period preceding the period containing the timestamp T.
+The initial keys are used as the temporary keys for period P - 1, where period P contains the timestamp T.
 
-The purpose of the timestamp is to save the cost of rotating keys from period zero up to the current period. If it is not possible or convenient to agree a timestamp T along with the root key then T can be hard-coded to some value that is certain to be in the past according to both peers' clocks, at the cost of some extra key rotations.
+The purpose of the timestamp is to save the cost of rotating keys from period zero to the current period. If it is not possible or convenient to agree a timestamp T along with the root key then T can be hard-coded to some value that is certain to be in the past according to both peers' clocks, at the cost of some extra key rotations.
 
 ##### Key Rotation
 
@@ -206,25 +206,25 @@ In static mode, BTP does not provide forward secrecy. The temporary keys for any
 
 Alice derives her temporary keys for each time period P as follows:
 
-- outgoing\_tag\_key := KDF(root\_key, "org.briarproject.bramble.transport/ALICE\_STATIC\_TAG\_KEY", int\_64(P))
+- outgoing\_tag\_key := KDF(root\_key, "org.briarproject.bramble.transport/ALICE\_STATIC\_TAG\_KEY", transport\_id, int\_64(P))
 
-- outgoing\_header\_key := KDF(root\_key, "org.briarproject.bramble.transport/ALICE\_STATIC\_HEADER\_KEY", int\_64(P))
+- outgoing\_header\_key := KDF(root\_key, "org.briarproject.bramble.transport/ALICE\_STATIC\_HEADER\_KEY", transport\_id, int\_64(P))
 
-- incoming\_tag\_key := KDF(root\_key, "org.briarproject.bramble.transport/BOB\_STATIC\_TAG\_KEY", int\_64(P))
+- incoming\_tag\_key := KDF(root\_key, "org.briarproject.bramble.transport/BOB\_STATIC\_TAG\_KEY", transport\_id, int\_64(P))
 
-- incoming\_header\_key := KDF(root\_key, "org.briarproject.bramble.transport/BOB\_STATIC\_HEADER\_KEY", int\_64(P))
+- incoming\_header\_key := KDF(root\_key, "org.briarproject.bramble.transport/BOB\_STATIC\_HEADER\_KEY", transport\_id, int\_64(P))
 
 Bob derives his temporary keys as follows:
 
-- outgoing\_tag\_key := KDF(root\_key, "org.briarproject.bramble.transport/BOB\_STATIC\_TAG\_KEY", int\_64(P))
+- outgoing\_tag\_key := KDF(root\_key, "org.briarproject.bramble.transport/BOB\_STATIC\_TAG\_KEY", transport\_id, int\_64(P))
 
-- outgoing\_header\_key := KDF(root\_key, "org.briarproject.bramble.transport/BOB\_STATIC\_HEADER\_KEY", int\_64(P))
+- outgoing\_header\_key := KDF(root\_key, "org.briarproject.bramble.transport/BOB\_STATIC\_HEADER\_KEY", transport\_id, int\_64(P))
 
-- incoming\_tag\_key := KDF(root\_key, "org.briarproject.bramble.transport/ALICE\_STATIC\_TAG\_KEY", int\_64(P))
+- incoming\_tag\_key := KDF(root\_key, "org.briarproject.bramble.transport/ALICE\_STATIC\_TAG\_KEY", transport\_id, int\_64(P))
 
-- incoming\_header\_key := KDF(root\_key, "org.briarproject.bramble.transport/ALICE\_STATIC\_HEADER\_KEY", int\_64(P))
+- incoming\_header\_key := KDF(root\_key, "org.briarproject.bramble.transport/ALICE\_STATIC\_HEADER\_KEY", transport\_id, int\_64(P))
 
-Thus Alice's outgoing keys are Bob's incoming keys and vice versa.
+Thus Alice's outgoing keys for each transport are the same as Bob's incoming keys, and vice versa.
 
 The outgoing keys for period P can be deleted at the end of period P, and the incoming keys for period P can be deleted at the end of period P + 1, but this is not required for security.
 
-- 
GitLab