lsd0001

LSD0001: GNU Name System

commit 7653d417abc4f30906c252484b003229156ab857
parent 5bd96ee1fb7a9c7338ee6756a50d9d5e5a690c24
Author: Martin Schanzenbach <mschanzenbach@posteo.de>
Date:   Mon,  5 Oct 2020 14:51:32 +0200

gcm

Diffstat:
M draft-schanzen-gns.xml | 63 +++++++++++++++++++++++++++++++--------------------------------
1 file changed, 31 insertions(+), 32 deletions(-)

diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml @@ -552,7 +552,7 @@ NONCE := HKDF-Expand (PRK_n, label, 32 / 8) extraction phase and HMAC-SHA256 for the expansion phase. The output keying material is 32 octets (256 bits) for the symmetric key and 4 octets (32 bits) for the nonce. - The symmetric key "K" is a 256-bit AES <xref target="RFC3826" /> key: + The symmetric key "K" is a 256-bit AES <xref target="RFC3826" /> key. </t> <t> The nonce is combined with a 64-bit initialization vector and a @@ -722,13 +722,19 @@ SB == R + SHA512(R, zk', M) * A' <!-- FIXME: here we SHOULD consider standardizing AES-GCM instead. Please review this choice when implementing EDKEY support! --> - The S-Encrypt() and S-Decrypt() functions use AES in counter mode - as defined in <xref target="MODES" /> (CTR-AES-256): + The S-Encrypt() and S-Decrypt() functions use AES in galois + counter mode as defined in <xref target="GCM" /> (GCM-AES-256): </t> <artwork name="" type="" align="left" alt=""><![CDATA[ -RDATA := CTR-AES256(K, IV, BDATA) -BDATA := CTR-AES256(K, IV, RDATA) - ]]></artwork> +RDATA := GCM-AES-256(K, IV, BDATA) +BDATA := C|T = GCM-AES-256(K, IV, RDATA) + ]]></artwork> + <t> + The result of the GCM encryption function is the encrypted + ciphertext "C" concatenated with the GCM authentication tag "T". + Accordingly, the length of BDATA equals the legnth of the + RDATA plus the length of the GCM authentication tag. + </t> <t> The key "K" and counter "IV" are derived from the record "label" and the zone key "zk" as follows: 
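Review bot: the new S-Decrypt() line `RDATA := GCM-AES-256(K, IV, BDATA)` does not say what an implementation must do when the GCM tag "T" does not verify; switching from CTR to GCM only buys authentication if the text next to the new "The result of the GCM encryption function ..." paragraph states that decryption MUST fail and the record block MUST be discarded on a tag mismatch. The same paragraph should also say explicitly that no additional authenticated data is passed, since the calls shown take only K, IV and the data. Two smaller points in this hunk: the FIXME comment directly above ("here we SHOULD consider standardizing AES-GCM instead") is now obsolete and should be removed, and the prose should read "Galois/Counter Mode" (matching the title of the new GCM reference) and "length" rather than "galois counter mode" and "legnth".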
@@ -737,39 +743,16 @@ BDATA := CTR-AES256(K, IV, RDATA) PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk) PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk) K := HKDF-Expand (PRK_k, label, 256 / 8); -NONCE := HKDF-Expand (PRK_n, label, 32 / 8) +IV := HKDF-Expand (PRK_n, label, 16 / 8) ]]></artwork> <t> HKDF is a hash-based key derivation function as defined in <xref target="RFC5869" />. Specifically, HMAC-SHA512 is used for the extraction phase and HMAC-SHA256 for the expansion phase. The output keying material is 32 octets (256 bits) for the symmetric - key and 4 octets (32 bits) for the nonce. - The symmetric key "K" is a 256-bit AES <xref target="RFC3826" /> key: - </t> - <t> - The nonce is combined with a 64-bit initialization vector and a - 32-bit block counter as defined in <xref target="RFC3686" />. - The block counter begins with the value of 1, and it is incremented - to generate subsequent portions of the key stream. - The block counter is a 32-bit integer value in network byte order. - The initialization vector is the expiration time of the - resource record block in network byte order. - The resulting counter ("IV") wire format is as follows: + key and 16 octets (128 bits) for the IV. + The symmetric key "K" is a 256-bit AES <xref target="RFC3826" /> key. </t> - <figure anchor="figure_hkdf_ivs_edkey"> - <artwork name="" type="" align="left" alt=""><![CDATA[ -0 8 16 24 32 -+-----+-----+-----+-----+ -| NONCE | -+-----+-----+-----+-----+ -| EXPIRATION | -| | -+-----+-----+-----+-----+ -| BLOCK COUNTER | -+-----+-----+-----+-----+ - ]]></artwork> - </figure> </section> <section anchor="gnsrecords_gns2dns" numbered="true" toc="default"> 
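Review bot: `IV := HKDF-Expand (PRK_n, label, 16 / 8)` produces 2 octets, but the prose a few lines below says the IV is "16 octets (128 bits)"; the replaced line used `32 / 8` for the 4-octet nonce, so this one should be `128 / 8` (or `96 / 8` with the prose changed to 12 octets, which is the IV length SP 800-38D recommends for GCM). The bigger issue is that the removed paragraph fed the block's expiration time into the CTR IV, so two blocks published for the same label under the same zone key got different counter values, whereas the new K and IV depend only on zk and the label. Every re-publication of a record under the same label (new RDATA, new expiration) therefore encrypts under the same (K, IV) pair, and nonce reuse under a single key is a well-known failure mode of GCM that loses both the confidentiality of the data and the integrity guarantee of the tag. The derivation should mix the expiration time or another per-block value into the IV (or into the HKDF "label" input) before this change lands. While the artwork is being touched, the stray semicolon at the end of `K := HKDF-Expand (PRK_k, label, 256 / 8);` could be dropped for consistency with the other lines.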
@@ -2282,6 +2265,22 @@ ee83f0cc79c4c5ea </abstract> </front> </reference> + <reference anchor="GCM" target="https://doi.org/10.6028/NIST.SP.800-38D"> + <front> + <title>Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC</title> + <author initials="M." surname="Dworkin" fullname="Morris Dworkin"> + <organization>NIST</organization> + </author> + + <date year="2007" month="November"/> + <abstract> + <t> + This Recommendation specifies the Galois/Counter Mode (GCM), an algorithm for authenticated encryption with associated data, and its specialization, GMAC, for generating a message authentication code (MAC) on data that is not encrypted. GCM and GMAC are modes of operation for an underlying approved symmetric key block cipher. + </t> + </abstract> + </front> + </reference> + <reference anchor="ed25519" target="http://link.springer.com/chapter/10.1007/978-3-642-23951-9_9"> <front> <title>High-Speed High-Security Signatures</title>
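Review bot: the added reference has a stray blank line between `</author>` and `<date year="2007" month="November"/>` that the neighbouring reference entries do not have; otherwise the entry is consistent with the cited document (NIST SP 800-38D, Dworkin, November 2007, DOI 10.6028/NIST.SP.800-38D).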