... | ... | @@ -14,6 +14,7 @@ BTP uses the following cryptographic primitives: |
|
|
|
|
|
* A message authentication code, MAC(k, m)
|
|
|
* An authenticated cipher, ENC(k, n, m) and DEC(k, n, m), where n is a nonce
|
|
|
* A random number generator, R(n), with an output length of n bytes. R(n) must be either a true random number generator or a cryptographically secure pseudo-random number generator.
|
|
|
|
|
|
We use MAC(k, m) to define a key derivation function:
|
|
|
|
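Review bot: In the R(n) bullet, n is an output length in bytes, while the bullet directly above it uses n for the nonce in ENC(k, n, m) and DEC(k, n, m). Consider a different parameter name for the generator, for example R(len), so that later uses such as R(NONCE_LEN) cannot be misread as taking a nonce.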
... | ... | @@ -96,6 +97,9 @@ To avoid reusing tags, which would allow the adversary to distinguish BTP traffi |
|
|
|
|
|
The pseudo-random tag is followed by the stream header, which consists of a random initialisation vector followed by an ephemeral key encrypted and authenticated with the sender's outgoing header key, using the random IV as the nonce. The stream header is NONCE_LEN + KEY_LEN + AUTH_LEN bytes long. The ephemeral key is used for encrypting and authenticating the rest of the stream.
|
|
|
|
|
|
* `stream_iv = R(NONCE_LEN)`
|
|
|
* `stream_header = stream_iv || ENC(outgoing_header_key, stream_iv, ephemeral_key)`
|
|
|
|
|
|
### Frames
|
|
|
|
|
|
The remainder of the stream consists of one or more frames. Each frame has a fixed-length header and a variable-length body that may contain data, padding, neither or both. The frames are numbered from zero. A stream may not contain more than 2^63 frames.
|
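Review bot: The two formulas after the stream header paragraph define stream_iv but use ephemeral_key without defining it. Add a line saying how the ephemeral key is produced (if it is meant to be random, something like `ephemeral_key = R(KEY_LEN)`), so that every term in stream_header has a definition and the stated length of NONCE_LEN + KEY_LEN + AUTH_LEN can be checked against it.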
... | ... | @@ -107,9 +111,9 @@ The plaintext frame header is 4 bytes long, with the following format: |
|
|
* Bit 16: Zero
|
|
|
* Bits 17-31: Length of the padding in bytes as a 15-bit integer
|
|
|
|
|
|
The plaintext frame body contains the data and padding. The total length of the data and padding must be less than 2^15 bytes. If any padding is present it must all be zeroes.
|
|
|
The plaintext frame body contains the data and padding. The total length of the data and padding must be less than 2^15 bytes.
|
|
|
|
|
|
The header and body are encrypted and authenticated separately using the ephemeral key and deterministic nonces, which are not sent.
|
|
|
The header and body are encrypted and authenticated separately using the ephemeral key and deterministic nonces, which are not sent. The encrypted and authenticated frame header is 4 + AUTH_LEN bytes long, while the encrypted and authenticated frame body is AUTH_LEN bytes longer than the data and padding.
|
|
|
|
|
|
The nonce for the frame header is NONCE_LEN bytes long, with the following format:
|
|
|
|
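Review bot: The two versions of the frame body paragraph differ only in the sentence "If any padding is present it must all be zeroes", and the version without it leaves the padding content unspecified. State explicitly what a sender may put in the padding and whether a receiver must accept non-zero padding, otherwise implementations can disagree on whether a frame is valid. The lengths given in the header and body paragraph (4 + AUTH_LEN for the header, AUTH_LEN more than the data and padding for the body) read clearly as written.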
... | ... | |