author: Christian Grothoff <> 2019-10-10 09:44:58 +0200
committer: Christian Grothoff <> 2019-10-10 09:44:58 +0200
commit: 13c92ded5d3b023d29490ba6788c22f54bf79aa4 (patch)
parent: 06984c979da0b991889de19a21f20cef15fa7d27 (diff)
1 file changed, 18 insertions, 15 deletions
diff --git a/anastasis.rst b/anastasis.rst
index d4bb279..21c3698 100644
--- a/anastasis.rst
+++ b/anastasis.rst
@@ -238,13 +238,15 @@ Encryption
Before every encryption a 32-byte nonce is generated.
From this the symmetric key is computed as described above.
We use AES256-GCM for the encryption of the **recovery document** and
-the **key_share**.
+the **key_share**. To ensure that the key derivation for the encryption
+of the **recovery document** differs fundamentally from that of an
+individual **key share**, we use different salts ("erd" and "eks" respectively).
.. code-block:: tsref
- (iv0, key0) = HKDF(key_id, nonce0, keysize + ivsize)
+ (iv0, key0) = HKDF(key_id, nonce0, "erd", keysize + ivsize)
(encrypted_recovery_document, aes_gcm_tag) = AES256_GCM(recovery_document, key0, iv0)
- (iv_i, key_i) = HKDF(key_id, nonce_i, keysize + ivsize)
+ (iv_i, key_i) = HKDF(key_id, nonce_i, "eks", [optional data], keysize + ivsize)
(encrypted_key_share_i, aes_gcm_tag_i) = AES256_GCM(key_share_i, key_i, iv_i)
**encrypted_recovery_document**: The encrypted **recovery document** which contains the escrow methods, policies
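Review bot: The new `[optional data]` argument in the key_share HKDF line is positional and undefined, so implementations will not agree on whether it is concatenated to the salt, passed as the HKDF info parameter, or mixed into the input keying material; the text should state exactly which, and what value is used when no optional data is contributed (for example the empty string), otherwise the derivation is not deterministic across clients. Also consider stating that the "erd" and "eks" salts are the literal ASCII bytes, since the surrounding text elsewhere refers to the uppercase "ERD" and "EKS" strings.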
@@ -253,6 +255,8 @@ and the encrypted **core secret**.
**nonce0**: Nonce which is used to generate *key0* and *iv0* which are used for the encryption of the *recovery document*.
Nonce must contain the string "ERD".
+**optional data**: Key material that optionally is contributed from the authentication method to further obfuscate the key share from the escrow provider.
**encrypted_key_share_i**: The encrypted **key_share** which the escrow provider must release upon successful authentication.
Here, **i** must be a positive number used to iterate over the various **key shares** used for the various **escrow methods**
at the various providers.
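Review bot: The unchanged line "Nonce must contain the string "ERD"." now contradicts the new text in the Encryption section, which moves the domain separation from the nonce into the HKDF salt "erd"; either drop that sentence or rewrite it as "The HKDF salt must be the string "erd"" so that the two sections specify the same derivation. The new **optional data** entry should also say that this value is never transmitted to the escrow provider, since that is what makes it obfuscate the key share from the provider.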
@@ -750,24 +754,23 @@ charge per truth operation using GNU Taler.
interface EncryptedKeyShare {
// Nonce used to compute the decryption (iv,key) pair.
- nonce: byte[32];
+ nonce_i: byte[32];
// Authentication tag
- aes_gcm_tag: byte[32];
+ aes_gcm_tag_i: byte[16];
// Encrypted key-share in base32 encoding.
// After decryption, this yields a KeyShare_. Note that
// the KeyShare_ MUST be encoded as a fixed-size binary
// block (instead of in JSON encoding).
- // The nonce of the HKDF for the encryption of this
- // value must include the string "EKS" plus a positive number
- // which represents the key share method.
- // Depending on the method,
+ // HKDF for the key generation must include the
+ // string "eks" as salt.
+ // Depending on the meth od,
// the HKDF may additionally include
// bits from the response (i.e. some hash over the
// answer to the security question)
- encrypted_key_share: byte[];
+ encrypted_key_share_i: byte[];
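Review bot: Typo in the added comment: "meth od" should be "method". The comment "the HKDF may additionally include bits from the response" should reference the **optional data** term defined in the Encryption section by name so the two descriptions stay in sync. The tag size change `aes_gcm_tag_i: byte[16]` is correct for a 128-bit AES-GCM authentication tag, but the Encryption section should state the tag length as well, since the old 32-byte value was wrong and a reader of only that section would not see the correction.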
@@ -824,11 +827,11 @@ FIXME: details!
Security question (qa)
-Asks the user a security question.
-The user sends back a hash over the answer.
-If the hash value matches with the one the server is expecting, the server answers
-with the requested encrypted key share
-FIXME: details!
+Asks the user a security question. The user sends back a hash over the
+answer. If the hash value matches with the one the server is expecting, the
+server answers with the requested encrypted key share. A different hash
+function over the same security answer is used to provide **optional data**
+for the decryption of the (encrypted) **key share**.
Post-Indent (post)
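Review bot: "A different hash function over the same security answer" is not enough for interoperability: the text should name both hash functions (or the single function with two distinct domain-separation prefixes) and state that the second value is computed and kept only on the client, so that a provider holding the first hash cannot derive the **optional data** and thereby the key share. Without that, the "FIXME: details!" this hunk removes has not really been resolved.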