Protocol Architecture
In order to use Bramble (Briar) for low-level and low-bandwidth transports (I am thinking beyond LoRa for now), Bramble lacks some properties:
- Frame segmentation (without having something like a visible SequenceNr)
- also acknowledge & re-transmit smaller segments
- Forward Error Correction (not needed for LoRa)
I think we can also save some space:
- I think we can save quite some bytes in the BTP header
- Message compression (Unixshox?; How big is the risk of this side-channel? - #14)
- Set a record-size limit on a per-transport-basis (#14)
- Are the tags too long? (Haven't thought this through)
- Can the Frame Key also be derived from the header and/or tag key (or a 3rd line of keys) without security implications? (?)
- Can we combine some MACs?
For increased security, I propose implementing:
- add random delays to packets
- use padding
- inject bogus packets
I am thinking about creating BTPv5 and BSPv1 (for low-level low-bandwidth transports) while keeping BTPv4 and BSPv0 for current transports. The most error-prone (and not yet fully thought through) aspect will be the new acknowledgement and retransmission method. There is a lot not completely thought through, but some ideas:
- cut the BTP stream into multiple frames, each starting with a Tag
- include the Frame Number in the KDF used for Tag generation
- allow FEC encodings like Reed-Solomon (encrypting the parity bytes with the stream cipher - not yet decided which key to use)
- the Tag will not be part of the FEC sadly - error in tag = wait for re-connection
- I am thinking about using the Tag as Nonce (and since the Tag is generated using a KDF, we can also use e.g. bytes 16-39 of the KDF output - so an attacker doesn't even know the nonce). This would be another way to solve briar/briar#329 (closed) - we wouldn't need to re-transmit the stream number here. On the other hand, I am also wondering if using two strands of Blake2b-KDF (tag key and header key) both originating from the same root key for the same key can lead to some complexity reduction attacks (something similar to meet-in-the-middle).
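As an added illustration of the frame layout sketched above (not code from the Briar project), the following Python derives a per-frame Tag and a hidden nonce from a tag key with keyed BLAKE2b (standing in for Bramble's Blake2b KDF), cuts a stream into frames that carry only the Tag and no visible sequence number, and reassembles them on the receiver by Tag recognition over a sliding window of expected frame numbers. The 16/24-byte split of the KDF output, the personalisation string, the window size and the BLAKE2b counter-mode keystream used in place of the real stream cipher are assumptions made here, not part of BTP or BSP.

```python
import hashlib

TAG_LEN, NONCE_LEN = 16, 24   # assumed split of a 40-byte KDF output: bytes 0-15 Tag, 16-39 nonce

def derive_frame_material(tag_key: bytes, stream_number: int, frame_number: int):
    """Keyed BLAKE2b over (stream number, frame number), standing in for the Blake2b KDF.
    Bytes 0-15 become the frame's visible Tag; bytes 16-39 are the nonce, never sent."""
    h = hashlib.blake2b(key=tag_key, digest_size=TAG_LEN + NONCE_LEN, person=b"bsp-frame")
    h.update(stream_number.to_bytes(8, "big") + frame_number.to_bytes(4, "big"))
    out = h.digest()
    return out[:TAG_LEN], out[TAG_LEN:]

def keystream_xor(frame_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: BLAKE2b keyed with the frame key, run in counter mode."""
    blocks = (len(data) + 63) // 64
    stream = b"".join(hashlib.blake2b(nonce + i.to_bytes(4, "big"), key=frame_key,
                                      digest_size=64).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def segment(tag_key, frame_key, stream_number, plaintext, max_payload):
    """Sender: cut the stream into frames of Tag || ciphertext; the frame number is only
    implicit in the Tag, so nothing on the wire reveals the sequence."""
    frames = []
    for n, off in enumerate(range(0, len(plaintext), max_payload)):
        tag, nonce = derive_frame_material(tag_key, stream_number, n)
        frames.append(tag + keystream_xor(frame_key, nonce, plaintext[off:off + max_payload]))
    return frames

def reassemble(tag_key, frame_key, stream_number, received, window=4):
    """Receiver: keep Tags ready for the next `window` frame numbers, recognise each frame by
    its Tag, decrypt with the matching hidden nonce and reorder. Returns (plaintext delivered
    in order, frames with unknown/corrupted Tags, number of frames delivered). A frame whose
    Tag was damaged is simply unrecognised, which is the 'error in tag' case noted above."""
    lookup = {}                                   # Tag -> (frame number, nonce)
    def expect(n):
        tag, nonce = derive_frame_material(tag_key, stream_number, n)
        lookup[tag] = (n, nonce)
    for n in range(window):
        expect(n)
    chunks, delivered, unplaced = {}, 0, 0
    for frame in received:
        hit = lookup.pop(frame[:TAG_LEN], None)
        if hit is None:                           # unknown, duplicate or corrupted Tag
            unplaced += 1
            continue
        n, nonce = hit
        chunks[n] = keystream_xor(frame_key, nonce, frame[TAG_LEN:])
        while delivered in chunks:                # slide the window over contiguous frames
            delivered += 1
            expect(delivered + window - 1)
    return b"".join(chunks[n] for n in range(delivered)), unplaced, delivered
```

Frames arriving more than `window` positions ahead of the first gap are dropped, so the window bounds both reordering tolerance and the number of Tags the receiver must keep precomputed.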
I am especially interested in your thoughts @akwizgran .
TODO: Think through how acknowledging & retransmission should work