Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make Session Initialization Implicit #364

Merged
merged 12 commits into from
Oct 22, 2024
Merged

Make Session Initialization Implicit #364

merged 12 commits into from
Oct 22, 2024

Commits on Oct 21, 2024

  1. Make session initialization implicit 

    A session is now initialized by generating keys and sharing them out
of band. The semantics of the protocol are otherwise unchanged.

Because sessions are implicit the typestate is now called `Receiver`.
    @DanGould
    DanGould committed Oct 21, 2024
    Configuration menu
    Copy the full SHA
    8b80fcf View commit details
    Browse the repository at this point in the history

  2. Request with implicit initialization pattern

    @DanGould
    DanGould committed Oct 21, 2024
    Configuration menu
    Copy the full SHA
    4e7cd28 View commit details
    Browse the repository at this point in the history

  3. Separate hpke and ohttp v2 modules

    @DanGould
    DanGould committed Oct 21, 2024
    Configuration menu
    Copy the full SHA
    86e3781 View commit details
    Browse the repository at this point in the history

  4. Encrypt Message A with ephemeral key like Noise IK 

    Encrypting Message A with an ephemeral "encapsulation key" allows the sender
"reply key" corresponding to its subdirectory to be hidden from the directory.
    @DanGould
    DanGould committed Oct 21, 2024
    Configuration menu
    Copy the full SHA
    84bec83 View commit details
    Browse the repository at this point in the history

  5. Remove obsolete Sender keypair

    @DanGould
    DanGould committed Oct 21, 2024
    Configuration menu
    Copy the full SHA
    9b2635a View commit details
    Browse the repository at this point in the history

  6. Seek in hpke en/decryption instead of magic numbers

    @DanGould
    DanGould committed Oct 21, 2024
    Configuration menu
    Copy the full SHA
    affb88b View commit details
    Browse the repository at this point in the history

  7. Redact hpke secret key from Debug

    @DanGould
    DanGould committed Oct 21, 2024
    Configuration menu
    Copy the full SHA
    38d8777 View commit details
    Browse the repository at this point in the history

  8. make payloads uniform by removing sender auth key 

    Since the encapsulation keypair was ephemeral and not known to the
receiver, but used in the Auth pattern it was included as authenticated
associated data in the payload.

This means that encrypt_message_a and encrypt_message_b had
distinguishable bit patterns, the former starting with two uncompressed
curve points (one for the DHKEM and one for this auth key), whereas the
latter only had one (the DHKEM point).

Since the sender's first message establishes a reply key, that key could
be used in a second Auth HPKE setup after the Base setup, in order to
prove that the sender can decrypt the receiver's reply.  However,
incentives are for the sender to provide a valid point, and the reply
key is included in AEAD ciphertext, so this would add complexity without
meaningful improving security or incentive compatibility.
    @nothingmuch @DanGould
    nothingmuch authored and DanGould committed Oct 21, 2024
    Configuration menu
    Copy the full SHA
    3135d57 View commit details
    Browse the repository at this point in the history

  9. Define INFO_x msg as constant size array ref

    @DanGould
    DanGould committed Oct 21, 2024
    Configuration menu
    Copy the full SHA
    9c4880c View commit details
    Browse the repository at this point in the history

  10. Ellswift Encode public keys in hpke wire protocol

    @DanGould
    DanGould committed Oct 21, 2024
    Configuration menu
    Copy the full SHA
    69c7800 View commit details
    Browse the repository at this point in the history

  11. test HPKE encryption/decryption 

    The constants PADDED_PLAINTEXT_{A,B}_LENGTH now represent the maximum
payload size for the input, whereas before the message A constant
included the reply key size. This makes the PayloadTooLarge error
represent a maximum and actual size that correspond to the inputs to
encrypt_message_a and encrypt_message_b.
    @nothingmuch @DanGould
    nothingmuch authored and DanGould committed Oct 21, 2024
    Configuration menu
    Copy the full SHA
    5d83737 View commit details
    Browse the repository at this point in the history

  12. Adjust send documentation to use Sender

    @DanGould
    DanGould committed Oct 21, 2024
    Configuration menu
    Copy the full SHA
    96c0eb6 View commit details
    Browse the repository at this point in the history