Prop 123: EncLS2 typos and cleanups
@@ -506,7 +506,7 @@ SIG
|
|||||||
TODO
|
TODO
|
||||||
|
|
||||||
DH
|
DH
|
||||||
Curve25519 public key agreement system. Private keys of 32 bytes, public keys of 32
|
X25519 public key agreement system. Private keys of 32 bytes, public keys of 32
|
||||||
bytes, produces outputs of 32 bytes. DH_PUBKEY_LEN = 32. It has the following
|
bytes, produces outputs of 32 bytes. DH_PUBKEY_LEN = 32. It has the following
|
||||||
functions:
|
functions:
|
||||||
|
|
||||||
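Review bot: In the DH entry, the new wording "X25519 public key agreement system" names the function but gives no reference for it. Cite the specification you mean next to the key and output sizes (RFC 7748 defines X25519) so that DH_PUBKEY_LEN = 32 has a normative source. The SIG entry just above still reads TODO; since this is a cleanup pass, either fill it in or note explicitly what is pending.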
@@ -635,7 +635,7 @@ Flags
|
|||||||
|
|
||||||
Bits 7-4: Unused, set to 0 for future compatibility
|
Bits 7-4: Unused, set to 0 for future compatibility
|
||||||
|
|
||||||
X25519 client auth data
|
DH client auth data
|
||||||
Present if flag bit 0 is set to 1 and flag bits 3-1 are set to 0.
|
Present if flag bit 0 is set to 1 and flag bits 3-1 are set to 0.
|
||||||
|
|
||||||
ephemeralPublicKey
|
ephemeralPublicKey
|
||||||
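Review bot: The renamed label "DH client auth data" no longer says which scheme it is, while the presence condition on the next line still identifies the scheme only by value ("flag bits 3-1 are set to 0"). Suggest tying the two together in that sentence, for example by stating that a value of 0 in bits 3-1 selects DH client authorization, so a reader of the Flags section does not have to infer the mapping from the label.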
@@ -888,14 +888,14 @@ client generates and sends to the server via a secure out-of-band mechanism.
|
|||||||
|
|
||||||
There are two current alternatives for implementing per-client authorization:
|
There are two current alternatives for implementing per-client authorization:
|
||||||
|
|
||||||
X25519 client authorization
|
DH client authorization
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
Each client generates an X25519 keypair ``[csk_i, cpk_i]``, and sends the public key
|
Each client generates a DH keypair ``[csk_i, cpk_i]``, and sends the public key ``cpk_i``
|
||||||
``cpk_i`` to the server.
|
to the server.
|
||||||
|
|
||||||
Server processing
|
Server processing
|
||||||
^^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^^
|
||||||
The server generates a new ``authCookie`` and an ephemeral X25519 keypair:
|
The server generates a new ``authCookie`` and an ephemeral DH keypair:
|
||||||
|
|
||||||
.. raw:: html
|
.. raw:: html
|
||||||
|
|
||||||
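Review bot: In "Each client generates a DH keypair" and "an ephemeral DH keypair", the generic term leaves the primitive unstated, and "DH" on its own can be read as finite-field Diffie-Hellman. Suggest pointing once, at the top of this subsection, to the DH definition earlier in the document (for example "DH as defined above") so the heading and both sentences resolve to the same scheme.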
@@ -1015,15 +1015,16 @@ been added or revoked.
|
|||||||
A server MAY choose to hide the number of clients that are subscribed by inserting random
|
A server MAY choose to hide the number of clients that are subscribed by inserting random
|
||||||
entries into the list of authorization data.
|
entries into the list of authorization data.
|
||||||
|
|
||||||
Advantages of PSK client authorization
|
Advantages of DH client authorization
|
||||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
- Security of the scheme is not solely dependent on the out-of-band exchange of client key
|
- Security of the scheme is not solely dependent on the out-of-band exchange of client key
|
||||||
material. The client's private key never needs to leave their device, and so an
|
material. The client's private key never needs to leave their device, and so an
|
||||||
adversary that is able to intercept the out-of-band exchange, but cannot break X25519,
|
adversary that is able to intercept the out-of-band exchange, but cannot break the DH
|
||||||
cannot decrypt the encrypted LS2, or determine how long the client is given access.
|
algorithm, cannot decrypt the encrypted LS2, or determine how long the client is given
|
||||||
|
access.
|
||||||
|
|
||||||
Downsides of X25519 client authorization
|
Downsides of DH client authorization
|
||||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
- Requires N + 1 DH operations on the server side for N clients.
|
- Requires N + 1 DH operations on the server side for N clients.
|
||||||
- Requires one DH operation on the client side.
|
- Requires one DH operation on the client side.
|
||||||
|
|
||||||
|
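Review bot: In the advantages bullet, "an adversary that is able to intercept the out-of-band exchange" only covers an adversary who reads cpk_i. One who can replace cpk_i in transit with a key of their own would become the party the server authorizes, without breaking the DH algorithm. Suggest wording this as passive interception and stating that the exchange still needs integrity, even though it no longer needs confidentiality.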