@@ -136,8 +136,6 @@ These modes are intended to be complementary. Static mode can be used to bootstr
...
@@ -136,8 +136,6 @@ These modes are intended to be complementary. Static mode can be used to bootstr
The establishment of root keys and timestamps is not handled by BTP itself. BTP is designed to be used with a separate key agreement protocol that securely establishes the initial state.
The establishment of root keys and timestamps is not handled by BTP itself. BTP is designed to be used with a separate key agreement protocol that securely establishes the initial state.
If two peers wish to communicate across more than one transport, they must establish a separate root key for each transport to ensure they do not reuse keys.
### 2.2 Key Derivation Function
### 2.2 Key Derivation Function
BTP uses a **key derivation function** to derive temporary keys from the root key. The key derivation function is based on PRF(k, m):
BTP uses a **key derivation function** to derive temporary keys from the root key. The key derivation function is based on PRF(k, m):
...
@@ -158,33 +156,35 @@ In dynamic mode, BTP achieves forward secrecy by periodically rotating and delet
...
@@ -158,33 +156,35 @@ In dynamic mode, BTP achieves forward secrecy by periodically rotating and delet
##### Initial Keys
##### Initial Keys
Each peer derives four initial keys from the root key. Alice derives her initial keys as follows:
The peers derive temporary keys for each transport over which they want to communicate. Each transport is uniquely identified by an ASCII string known to both peers (for example, "org.briarproject.bramble.bluetooth" for Bluetooth).
For each transport, each peer derives four initial keys from the root key. Alice derives her initial keys as follows:
Thus Alice's outgoing keys are Bob's incoming keys and vice versa.
Thus Alice's outgoing keys for each transport are the same as Bob's incoming keys, and vice versa.
After deriving the initial keys, both peers must delete the root key.
After deriving the initial keys, both peers must delete the root key.
The initial keys are used as the temporary keys for the period preceding the period containing the timestamp T.
The initial keys are used as the temporary keys for period P - 1, where period P contains the timestamp T.
The purpose of the timestamp is to save the cost of rotating keys from period zero up to the current period. If it is not possible or convenient to agree a timestamp T along with the root key then T can be hard-coded to some value that is certain to be in the past according to both peers' clocks, at the cost of some extra key rotations.
The purpose of the timestamp is to save the cost of rotating keys from period zero to the current period. If it is not possible or convenient to agree a timestamp T along with the root key then T can be hard-coded to some value that is certain to be in the past according to both peers' clocks, at the cost of some extra key rotations.
##### Key Rotation
##### Key Rotation
...
@@ -206,25 +206,25 @@ In static mode, BTP does not provide forward secrecy. The temporary keys for any
...
@@ -206,25 +206,25 @@ In static mode, BTP does not provide forward secrecy. The temporary keys for any
Alice derives her temporary keys for each time period P as follows:
Alice derives her temporary keys for each time period P as follows:
Thus Alice's outgoing keys are Bob's incoming keys and vice versa.
Thus Alice's outgoing keys for each transport are the same as Bob's incoming keys, and vice versa.
The outgoing keys for period P can be deleted at the end of period P, and the incoming keys for period P can be deleted at the end of period P + 1, but this is not required for security.
The outgoing keys for period P can be deleted at the end of period P, and the incoming keys for period P can be deleted at the end of period P + 1, but this is not required for security.
