diff --git a/papers/graphics/rosenpass-wp-hashing-tree-rgb.pdf b/papers/graphics/rosenpass-wp-hashing-tree-rgb.pdf
new file mode 100644
index 0000000..553ec7c
Binary files /dev/null and b/papers/graphics/rosenpass-wp-hashing-tree-rgb.pdf differ
diff --git a/papers/graphics/rosenpass-wp-hashing-tree-rgb.svg b/papers/graphics/rosenpass-wp-hashing-tree-rgb.svg
new file mode 100644
index 0000000..7228f23
--- /dev/null
+++ b/papers/graphics/rosenpass-wp-hashing-tree-rgb.svg
@@ -0,0 +1,2341 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + hash function + + + application + + + + + chaining key + + + + + + + + + "string constant" + + + + + + + + + + output + + + + + + + + + + + + + + + + + + + pseudo-random label + + + + + + + + + + + + + + + + input variable + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 0 + + + + + + + + + + + RespHello + + + + + + + + + + + state from InitHello + + + + + encaps spki + + + + + encaps epki + + + + + encrypt auth + + + + + + + + sidr + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + epki + + + + + + + + + + + + + + + + + epti + + + + + + + + + + + + + + + + + + + + + + + + + + scti + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + sidi + + + + + + + + + + + + + + + + + + + + + + + + + + ecti + + + + + + + + + + + + + + + + + + + + + + + + + + spki + + + + + + + + + + + + + + + + + + + + + + + + + + spti + + + + + + + + + + + + + + + + + + + + + + + + + + + + + InitHello + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + sidi + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + 
+ + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + epki + + + + + + + + + + spkr + + + + + + + + + + spki + + + + + + + + + sctr + + + + + + + + + psk + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + sptr + + + + + + + + + + + spkr + + + + + + + + + + PROTOCOL + + + + + + + + + + + + Global Domains + + + + + + + + + + + + + + + + + + "user" + + + + + + + + + + "mix" + + + + + + + + + + "rosenpass.eu" + + + + + + + + + + "wireguard psk" + + + + + + + + + + "key chaining init" + + + + + + + + + + + + mix + + + + + + + + + + + + + + + + "handshake encryption" + + + + + + + + "initiator session encryption" + + + + + + + + "responder session encryption" + + + + + + + + + + + + + + "mac" + + + + + "cookie" + + + + + "peer_id" + + + + + "key chaining extract" + + + + + MAC_WIRE_DATA + + + + + COOKIE_WIRE_DATA + + + spki + + + spkr + + + + + + + + + + + + + + + + + + + + + + + + + + + + + encrypt auth + + + + + + + + + + + + + + + + + + + + + + + encaps spkr + + + + + encrypt ltk + + + + + encrypt auth + + + + + AEAD::enc(pidi) + + + + + store_biscuit() + + + + + AEAD::enc(empty()) + + + + + AEAD::enc(empty()) + + + + + AEAD::enc(empty()) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + data + + + + + pidi + + + + + key + + + + + ck + + + + + key + + + + + key + + + + + key + + + + + pidiC + + + + + biscuit + + + + + auth + + + + + auth + + + + + ct + + + + + + + + + + + InitConf + + + + + 
+ + + + + + + + + + + + state from RespHello + + + + + osk + + + + + ini_enc + + + + + res_enc + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + mac + + + + + + + + + + + + + + + + + + + + + cookie + + + + + + + + + + + + + + + + + + + + pidi   pidr + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + pidi + + + + + pidi + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + osk + + + + + osk + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + hs_enc + + + + + + + + + + + + + + + + + + hs_enc + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + hs_enc + + + + + hs_enc + + + + + hs_enc + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ini_enc + + + + + ini_enc + + + + + + + + + + + + + + + + res_enc + + + + + res_enc + + + + + + + + + + sidi + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + sidr + + + + + + + + + + + + + + + diff --git a/papers/graphics/rosenpass-wp-hashing-tree.pdf b/papers/graphics/rosenpass-wp-hashing-tree.pdf new file mode 100644 index 0000000..0507572 Binary files /dev/null and b/papers/graphics/rosenpass-wp-hashing-tree.pdf differ 
diff --git a/papers/graphics/rosenpass-wp-hashing-tree.png b/papers/graphics/rosenpass-wp-hashing-tree.png
new file mode 100644
index 0000000..ca7777a
Binary files /dev/null and b/papers/graphics/rosenpass-wp-hashing-tree.png differ
diff --git a/papers/graphics/rosenpass-wp-hashing-tree.svg b/papers/graphics/rosenpass-wp-hashing-tree.svg
new file mode 100644
index 0000000..e241d0f
--- /dev/null
+++ b/papers/graphics/rosenpass-wp-hashing-tree.svg
@@ -0,0 +1,2534 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + hash function + + + application + + + + + chaining key + + + + + + + + + "string constant" + + + + + + + + + + output + + + + + + + + + + + + + + + + + + + pseudo-random label + + + + + + + + + + + + + + + + input variable + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 0 + + + + + + + + + + + RespHello + + + + + + + + + + + state from InitHello + + + + + encaps spki + + + + + encaps epki + + + + + encrypt auth + + + + + + + + sidr + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + epki + + + + + + + + + + + + + + + + + epti + + + + + + + + + + + + + + + + + + + + + + + + + + scti + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + sidi + + + + + + + + + + + + + + + + + + + + + + + + + + ecti + + + + + + + + + + + + + + + + + + + + + + + + + + spki + + + + + + + + + + + + + + + + + + + + + + + + + + spti + + + + + + + + + + + + + + + + + + + + + + + + + + + + + InitHello + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + sidi + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + + + 
mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + epki + + + + + + + + + + spkr + + + + + + + + + + spki + + + + + + + + + sctr + + + + + + + + + psk + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + sptr + + + + + + + + + + + spkr + + + + + + + + + + PROTOCOL + + + + + + + + + + + + Global Domains + + + + + + + + + + + + + + + + + + + + + + + + "user" + + + + + + + + + + "mix" + + + + + + + + + + "rosenpass.eu" + + + + + + + + + + "wireguard psk" + + + + + + + + + + "key chaining init" + + + + + + + + + + + + mix + + + + + + + + + + + + + + + + "handshake encryption" + + + + + + + + "initiator session encryption" + + + + + + + + "responder session encryption" + + + + + + + + + + + + + + + + + + + + + + + "mac" + + + + + spkt + + + + + "cookie" + + + + + "biscuit additional data" + + + + + "peer id" + + + + + "key chaining extract" + + + + + MAC_WIRE_DATA + + + + + COOKIE_WIRE_DATA + + + + + spkr + + + + + sidi + + + + + sidr + + + spki + + + spkr + + + + + + + + + + + + + + + + + + + + + + + + + + + + + encrypt auth + + + + + + + + + + + + + + + + + + + + + + + encaps spkr + + + + + encrypt ltk + + + + + encrypt auth + + + + + AEAD::enc(pidi) + + + + + store_biscuit() + + + + + AEAD::enc(empty()) + + + + + AEAD::enc(empty()) + + + + + 
AEAD::enc(empty()) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + data + + + + + pidi + + + + + key + + + + + ck + + + + + key + + + + + key + + + + + key + + + + + pidiC + + + + + biscuit + + + + + auth + + + + + auth + + + + + ct + + + + + + + + + + + InitConf + + + + + + + + + + + + + + + + + state from RespHello + + + + + osk + + + + + ini_enc + + + + + res_enc + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + mac + + + + + + + + + + + + + + + + + + + + + cookie + + + + + + + + + + + + + + + + + + + + biscuit_ad + + + + + + + + + + + + + + + + + + + pidi    pidr + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + pidi + + + + + pidi + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + mix + + + + + + + + + + + + + + + + + + + osk + + + + + osk + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + hs_enc + + + + + + + + + + + + + + + + + + hs_enc + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + hs_enc + + + + + hs_enc + + + + + hs_enc + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ini_enc + 
+ + + + ini_enc + + + + + + + + + + + + + + + + res_enc + + + + + res_enc + + + + + + + + + + sidi + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + sidr + + + + + + + + + + + + + + + diff --git a/papers/graphics/rosenpass-wp-key-exchange-protocol-rgb.pdf b/papers/graphics/rosenpass-wp-key-exchange-protocol-rgb.pdf new file mode 100644 index 0000000..3a16207 Binary files /dev/null and b/papers/graphics/rosenpass-wp-key-exchange-protocol-rgb.pdf differ diff --git a/papers/graphics/rosenpass-wp-key-exchange-protocol-rgb.svg b/papers/graphics/rosenpass-wp-key-exchange-protocol-rgb.svg new file mode 100644 index 0000000..4e3ed23 --- /dev/null +++ b/papers/graphics/rosenpass-wp-key-exchange-protocol-rgb.svg @@ -0,0 +1,191 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + InitHello + + + + + + + + + + + + + + + + + + InitConf + + + + + Biscuit + + + + + + + + + + + + + + + + + + + + + + + + + + + RespHello + + + + + Biscuit + + + + + + + + + + + + + + + EmptyData + + + + + + + + + + + + responder + + + authentication + + + initiator + authentication, + + + forward secrecy + + + acknowledges + + + InitConf + + + OSK handed + + + to WireGuard + + + + + Initiator State + + + + + Responder State + + + + + Initiator + + + + + Responder + + + + + + + + + + + + + + + + + handshake + + + + + live phase + + + + + + + + + + + + + + + + diff --git a/papers/graphics/rosenpass-wp-key-exchange-protocol.pdf b/papers/graphics/rosenpass-wp-key-exchange-protocol.pdf new file mode 100644 index 0000000..e793bb3 Binary files /dev/null and b/papers/graphics/rosenpass-wp-key-exchange-protocol.pdf differ diff --git a/papers/graphics/rosenpass-wp-key-exchange-protocol.png b/papers/graphics/rosenpass-wp-key-exchange-protocol.png new file mode 100644 index 0000000..6c5b3af Binary files /dev/null and b/papers/graphics/rosenpass-wp-key-exchange-protocol.png differ 
diff --git a/papers/graphics/rosenpass-wp-key-exchange-protocol.svg b/papers/graphics/rosenpass-wp-key-exchange-protocol.svg new file mode 100644 index 0000000..3a3d271 --- /dev/null +++ b/papers/graphics/rosenpass-wp-key-exchange-protocol.svg @@ -0,0 +1,194 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + InitHello + + + + + + + + + + + + + + + + + + InitConf + + + + + Biscuit + + + + + + + + + + + + + + + + + + + + + + + + + + + RespHello + + + + + Biscuit + + + + + + + + + + + + + + + EmptyData + + + + + + + + + + + + responder + + + authentication + + + initiator + authentication, + + + forward secrecy + + + acknowledges + + + InitConf + + + OSK handed + + + to WireGuard + + + + + Initiator State + + + + + Responder State + + + + + Initiator + + + + + Responder + + + + + + + + + + + + + + + + + handshake + + + + + live phase + + + + + + + + + + + + + + + + diff --git a/papers/graphics/rosenpass-wp-message-handling-code-rgb.pdf b/papers/graphics/rosenpass-wp-message-handling-code-rgb.pdf new file mode 100644 index 0000000..43ecdb5 Binary files /dev/null and b/papers/graphics/rosenpass-wp-message-handling-code-rgb.pdf differ diff --git a/papers/graphics/rosenpass-wp-message-handling-code-rgb.svg b/papers/graphics/rosenpass-wp-message-handling-code-rgb.svg new file mode 100644 index 0000000..101ff23 --- /dev/null +++ b/papers/graphics/rosenpass-wp-message-handling-code-rgb.svg 
@@ -0,0 +1,1009 @@ + + + + + + + + + + + + + + + + + + + + + + Responder Code + + + + + Comments + + + + + Initiator Code + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Action + + + + + + Action + + + + + + Action + + + + + + Action + + + + + + Action + + + + + + Action + + + + + Variables + + + + + Variables + + + + + Variables + + + + + Variables + + + + + Variables + + + + + Variables + + + + + Comment + + + + + Comment + + + + + Comment + + + + + Line + + + + + Line + + + + + Line + + + + + Line + + + + + Line + + + + + Line + + + + + ck + + + + + ck + + + + + + lhash("chaining key init", spkr) + + + + + sidi + + + + + + random_session_id(); + + + + + eski, epki + + + + + + EKEM::keygen(); + + + + + mix(sidi, epki); + + + + + sctr + + + + + sctr + + + + + + encaps_and_mix<SKEM>(spkr); + + + + + pidiC + + + + + pidiC + + + + + + encrypt_and_mix(pidi); + + + + + mix(spki, psk); + + + + + auth + + + + + + encrypt_and_mix(empty()) + + + + + ck + + + + + + lhash("chaining key init", spkr) + + + + + mix(sidi, epki) + + + + + decaps_and_mix<SKEM>(sskr, spkr, ct1) + + + + + spki, psk + + + + + + lookup_peer(decrypt_and_mix(pidi_crypt)) + + + + + mix(spki, psk); + + + + + decrypt_and_mix(auth) + + + + + Initialize the chaining key, for domain separation. + + + + + The session id is used to associate packets with the handshake state. + + + + + Generate new ephemeral keys for forward secrecy. + + + Sidi and epki are included in InitHello, so we mix them into the chaining key to + + + prevent tampering. + + + Key encapsulation using the responder public key. Mixes the public key, shared + + + key and ciphertext into the chaining key and authenticates the responder. + + + + + Tell the responder who the initiator is by transmitting the peer id. 
+ + + Ensure the responder has the correct peer information. Mixing PSK also + + + provides a static, symmetric key exchange with epki & sptr serving as nonces. + + + + + Add a message authentication code ensuring both participants share the state. + + + + + Responder generates a session id. + + + + + Initiator needs to look up their session state using the session id they generated. + + + + + Protect both session ids against tampering. + + + + + Key encapsulation using the ephemeral key; provides forward secrecy. + + + Key encapsulation using the initiator static key; authenticates the initiator + + + (and provides redundant secrecy if kyber where broken). + + + The responder transmits their state to the initiator in an encrypted container + + + to avoid having to store state. + + + + + Authentication code. + + + + + IHI1 + + + + + RHI1 + + + + + ICI1 + + + + + IHR1 + + + + + RHR1 + + + + + ICR1 + + + + + IHI4 + + + + + RHI4 + + + + + ICI4 + + + + + IHR4 + + + + + RHR4 + + + + + ICR4 + + + + + IHI5 + + + + + RHI5 + + + + + ICI5 + + + + + IHR5 + + + + + RHR5 + + + + + ICR5 + + + + + IHI2 + + + + + RHI2 + + + + + ICI2 + + + + + RHR2 + + + + + ICR2 + + + + + IHI6 + + + + + RHI6 + + + + + ICI6 + + + + + IHR6 + + + + + RHR6 + + + + + ICR6 + + + + + IHI3 + + + + + RHI3 + + + + + ICI3 + + + + + RHR3 + + + + + ICR3 + + + + + IHI7 + + + + + RHI7 + + + + + ICI7 + + + + + IHR7 + + + + + RHR7 + + + + + ICR7 + + + + + IHI8 + + + + + IHR8 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + lookup_session(sidi); + + + + + mix(sidr, sidi); + + + + + decaps_and_mix<EKEM>(eski, epki, ecti); + + + + + decaps_and_mix<SKEM>(sski, spki, scti); + + + + + mix(biscuit) + + + + + decrypt_and_mix(auth) + + + + + + random_session_id() + + + + + sidr + + + + + mix(sidr, sidi); + + + + + + encaps_and_mix<EKEM>(epki); + + + + + ecti + + + + + + encaps_and_mix<SKEM>(spki); + + + + + scti + + + + + + store_biscuit(); + + + + + biscuit + + + + + + encrypt_and_mix(empty()); + + + + + 
auth + + + + + mix(sidi, sidr); + + + + + auth + + + + + + encrypt_and_mix(empty); + + + + + enter_live(); + + + + + biscu it_no + + + + + + load_biscuit(biscuit); + + + + + encrypt_and_mix(empty()); + + + + + mix(sidi, sidr); + + + + + decrypt_and_mix(auth); + + + + + assert(biscuit_no > biscuit_used); + + + + + biscuit_used + + + + + + biscuit_no; + + + + + enter_live(); + + + + + Responder loads their biscuit. This restores the state from after RHR6. + + + + + Responder recalculates RHR7, since this step was performed after biscuit encoding. + + + + + Protect session ids against tampering. + + + + + + + + + + + + + Authentication code certifies that both participants have the same final chaining key. + + + + + Biscuit replay attack detection. + + + + + Biscuit replay attack detection. + + + + + Generate the transmission keys, classic wireguard key. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + InitHello { sidi, epki, sctr, pidiC, auth } + + + + + RespHello { sidr, sidi, ecti, scti, biscuit, auth } + + + + + InitConf { sidi, sidr, biscuit, auth } + + + + + + + + + + + + + + + + + + + + + + + 1 + + + + + 4 + + + + + 5 + + + + + 2 + + + + + 3 + + + + + 6 + + + + diff --git a/papers/graphics/rosenpass-wp-message-handling-code.pdf b/papers/graphics/rosenpass-wp-message-handling-code.pdf new file mode 100644 index 0000000..e9d93fc Binary files /dev/null and b/papers/graphics/rosenpass-wp-message-handling-code.pdf differ diff --git a/papers/graphics/rosenpass-wp-message-handling-code.png b/papers/graphics/rosenpass-wp-message-handling-code.png new file mode 100644 index 0000000..82b7f5c Binary files /dev/null and b/papers/graphics/rosenpass-wp-message-handling-code.png differ diff --git a/papers/graphics/rosenpass-wp-message-handling-code.svg b/papers/graphics/rosenpass-wp-message-handling-code.svg new file mode 100644 index 0000000..b4c8398 --- /dev/null +++ b/papers/graphics/rosenpass-wp-message-handling-code.svg 
@@ -0,0 +1,1004 @@ + + + + + + + + + + + + + + + + + + + + + + + + + Responder Code + + + + + Comments + + + + + Initiator Code + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Action + + + + + + Action + + + + + + Action + + + + + + Action + + + + + + Action + + + + + + Action + + + + + Variables + + + + + Variables + + + + + Variables + + + + + Variables + + + + + Variables + + + + + Variables + + + + + Comment + + + + + Comment + + + + + Comment + + + + + Line + + + + + Line + + + + + Line + + + + + Line + + + + + Line + + + + + Line + + + + + ck + + + + + ck + + + + + + lhash("chaining key init", spkr) + + + + + sidi + + + + + + random_session_id(); + + + + + eski, epki + + + + + + EKEM::keygen(); + + + + + mix(sidi, epki); + + + + + sctr + + + + + + encaps_and_mix<SKEM>(spkr); + + + + + pidiC + + + + + + encrypt_and_mix(pidi); + + + + + mix(spki, psk); + + + + + auth + + + + + + encrypt_and_mix(empty()) + + + + + ck + + + + + + lhash("chaining key init", spkr) + + + + + mix(sidi, epki) + + + + + decaps_and_mix<SKEM>(sskr, spkr, ct1) + + + + + spki, psk + + + + + + lookup_peer(decrypt_and_mix(pidiC)) + + + + + mix(spki, psk); + + + + + decrypt_and_mix(auth) + + + + + Initialize the chaining key, and bind to the responder’s public key. + + + + + The session ID is used to associate packets with the handshake state. + + + + + Generate fresh ephemeral keys, for forward secrecy. + + + InitHello includes sidi and epki as part of the protocol transcript, and so we + + + mix them into the chaining key to prevent tampering. + + + Key encapsulation using the responder’s public key. Mixes public key, shared + + + secret, and ciphertext into the chaining key, and authenticates the responder. + + + + + Tell the responder who the initiator is by transmitting the peer ID. 
+ + + Ensure the responder has the correct view on spki. Mix in the PSK as optional + + + static symmetric key, with epki and spkr serving as nonces. + + + Add a message authentication code to ensure both participants agree on the + + + session state and protocol transcript at this point. + + + + + Responder generates a session ID. + + + + + Initiator looks up their session state using the session ID they generated. + + + + + Mix both session IDs as part of the protocol transcript. + + + + + Key encapsulation using the ephemeral key, to provide forward secrecy. + + + Key encapsulation using the initiator’s static key, to authenticate the + + + + + + + initiator, and non-forward-secret confidentiality. + + + The responder transmits their state to the initiator in an encrypted container + + + to avoid having to store state. + + + + + Add a message authentication code for the same reason as above. + + + + + IHI1 + + + + + RHI1 + + + + + ICI1 + + + + + IHR1 + + + + + RHR1 + + + + + ICR1 + + + + + IHI4 + + + + + RHI4 + + + + + ICI4 + + + + + IHR4 + + + + + RHR4 + + + + + ICR4 + + + + + IHI5 + + + + + RHI5 + + + + + ICI5 + + + + + IHR5 + + + + + RHR5 + + + + + ICR5 + + + + + IHI2 + + + + + RHI2 + + + + + ICI2 + + + + + RHR2 + + + + + ICR2 + + + + + IHI6 + + + + + RHI6 + + + + + ICI6 + + + + + IHR6 + + + + + RHR6 + + + + + ICR6 + + + + + IHI3 + + + + + RHI3 + + + + + ICI3 + + + + + RHR3 + + + + + ICR3 + + + + + IHI7 + + + + + RHI7 + + + + + ICI7 + + + + + IHR7 + + + + + RHR7 + + + + + ICR7 + + + + + IHI8 + + + + + IHR8 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + lookup_session(sidi); + + + + + mix(sidr, sidi); + + + + + decaps_and_mix<EKEM>(eski, epki, ecti); + + + + + decaps_and_mix<SKEM>(sski, spki, scti); + + + + + mix(biscuit) + + + + + decrypt_and_mix(auth) + + + + + + random_session_id() + + + + + sidr + + + + + mix(sidr, sidi); + + + + + + encaps_and_mix<EKEM>(epki); + + + + + ecti + + + + + + encaps_and_mix<SKEM>(spki); + + + + + scti + + + + 
+ + store_biscuit(); + + + + + biscuit + + + + + + encrypt_and_mix(empty()); + + + + + auth + + + + + mix(sidi, sidr); + + + + + auth + + + + + + encrypt_and_mix(empty); + + + + + enter_live(); + + + + + biscuit_no + + + + + + load_biscuit(biscuit); + + + + + encrypt_and_mix(empty()); + + + + + mix(sidi, sidr); + + + + + decrypt_and_mix(auth); + + + + + assert(biscuit_no > biscuit_used); + + + + + biscuit_used + + + + + + biscuit_no; + + + + + enter_live(); + + + + + Responder loads their biscuit. This restores the state from after RHR6. + + + + + Responder recomputes RHR7, since this step was performed after biscuit encoding. + + + + + Mix both session IDs as part of the protocol transcript. + + + Message authentication code for the same reason as above, which in particular + + + + + + + ensures that both participants agree on the final chaining key. + + + + + Biscuit replay detection. + + + + + Biscuit replay detection. + + + + + Derive the transmission keys, and the output shared key for use as WireGuard’s PSK. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + InitHello { sidi, epki, sctr, pidiC, auth } + + + + + RespHello { sidr, sidi, ecti, scti, biscuit, auth } + + + + + InitConf { sidi, sidr, biscuit, auth } + + + + + + + + + + + + + + + + + + + + + + + 1 + + + + + 4 + + + + + 5 + + + + + 2 + + + + + 3 + + + + + 6 + + + + diff --git a/papers/graphics/rosenpass-wp-message-types-rgb.pdf b/papers/graphics/rosenpass-wp-message-types-rgb.pdf new file mode 100644 index 0000000..ea9e7c3 Binary files /dev/null and b/papers/graphics/rosenpass-wp-message-types-rgb.pdf differ diff --git a/papers/graphics/rosenpass-wp-message-types-rgb.svg b/papers/graphics/rosenpass-wp-message-types-rgb.svg new file mode 100644 index 0000000..87d0fa8 --- /dev/null +++ b/papers/graphics/rosenpass-wp-message-types-rgb.svg 
@@ -0,0 +1,393 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + type + reserved + payload + mac + + + cookie + + + 1 + 3 + n + 16 + 6 + + + envelope  n + 36 + + + Envelope + + + bytes + + + + + + + + + + + MAC_WIRE_DATA + + + + + COOKIE_WIRE_DATA + + + + + + + + + + + + InitHello + + + type=0x81 + + + sidi + epki + sctr + peerid + auth + + + 4 + 800 + 188 + 32 + 16 = + 48 + 16 + payload  1056 + + + + envelope  1092 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + RespHello + + + type=0x82 + + + sidr + sidi + ecti + scti + biscuit + + + auth + + + 4 + 4 + 768 + 188 + 76 + 24 + 16 = + 116 + 16 + payload  1096 + + + + envelope  1132 + + + + + data + + + + + nonce + + + + + auth code + + + + + + + + + + + + EmptyData + + + type=0x84 + + + sidx + ctr + + + auth + + + 4 + 8 + 16 + payload  28 + + + + envelope  64 + + + + + + + + + + + + CookieReply + + + type=0x86 + + + sidx + nonce + + + cookie + + + 4 + 24 + 16 + 16 = + 32 + payload  60 + + + + envelope  96 + + + + + + + + + + + + + + + + + + + + + + + + + + + + InitConf + + + type=0x83 + + + sidi + sidr + biscuit + + + auth + + + 4 + 4 + 76 + 24 + 16 = + 116 + 16 + payload  140 + + + + envelope  176 + + + + + + + + + + + + Data + + + type=0x85 + + + sidx + ctr + + + data + + + 4 + 8 + variable + + 16 + payload + variable + + 28 + + envelope + variable + + + + 64 + + + + + + + + + + + + + + biscuit + + + 32 + 12 + 32 + biscuit  76 + + nonce  100 + + + + auth code  116 + + + + + + peerid + no + + + ck + + + + diff --git a/papers/graphics/rosenpass-wp-message-types.pdf b/papers/graphics/rosenpass-wp-message-types.pdf new file mode 100644 index 0000000..3423351 Binary files /dev/null and b/papers/graphics/rosenpass-wp-message-types.pdf differ 
diff --git a/papers/graphics/rosenpass-wp-message-types.png b/papers/graphics/rosenpass-wp-message-types.png
new file mode 100644
index 0000000..04fbe27
Binary files /dev/null and b/papers/graphics/rosenpass-wp-message-types.png differ
diff --git a/papers/graphics/rosenpass-wp-message-types.svg b/papers/graphics/rosenpass-wp-message-types.svg
new file mode 100644
index 0000000..0199599
--- /dev/null
+++ b/papers/graphics/rosenpass-wp-message-types.svg
@@ -0,0 +1,402 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + type + reserved + payload + mac + + + cookie + + + 1 + 3 + n + 16 + 16 + + + envelope  n + 36 + + + Envelope + + + bytes + + + + + + + + + + + MAC_WIRE_DATA + + + + + COOKIE_WIRE_DATA + + + + + + + + + + + + InitHello + + + type=0x81 + + + sidi + epki + sctr + pidiC + auth + + + 4 + 800 + 188 + 32 + 16 = + 48 + 16 + payload  1056 + + + + envelope  1092 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + RespHello + + + type=0x82 + + + sidr + sidi + ecti + scti + biscuit + + + auth + + + 4 + 4 + 768 + 188 + 76 + 24 + 16 = + 116 + 16 + payload  1096 + + + + envelope  1132 + + + + + data + + + + + nonce + + + + + auth code + + + + + + + + + + + + EmptyData + + + type=0x84 + + + sid + ctr + + + auth + + + 4 + 8 + 16 + payload  28 + + + + envelope  64 + + + + + + + + + + + + CookieReply + + + type=0x86 + + + type(0x86) + reserved + sid + nonce + + + cookie + + + 1 + 3 + 4 + 24 + 16 + 16 = + 32 + + + payload  64 + + + + + + + + + + + + + + + + + + + + + + + + + + + + InitConf + + + type=0x83 + + + sidi + sidr + biscuit + + + auth + + + 4 + 4 + 76 + 24 + 16 = + 116 + 16 + payload  140 + + + + envelope  176 + + + + + + + + + + + + Data + + + type=0x85 + + + sid + ctr + + + data + + + 4 + 8 + variable + + 16 + payload + variable + + 28 + + envelope + variable + + + + 64 + + + + + + + + + + + + + + biscuit + + + 32 + 12 + 32 + biscuit  76 + + nonce  100 + + + + auth code  116 + + + + + + pidi + biscuit_no + + + ck + + + + diff --git a/papers/prftree.d2 b/papers/prftree.d2 new file mode 100644 index 0000000..0ee5fc0 --- /dev/null +++ b/papers/prftree.d2 
@@ -0,0 +1,218 @@
+root: 0 { shape: text }
+PROTOCOL: "PROTOCOL" { shape: text }
+
+protocol_comment: 'PROTOCOL = "rosenpass 1 rosenpass.eu aead=chachapoly1305 dprf=blake2s ekem=lightsaber skem=mceliece460896 xaead=xchachapoly1305"' { shape: text}
+
+ck_init: '"chaining key init"' { shape: text }
+ck_ext: '"chaining key extract"' { shape: text }
+
+mac: '"mac"' { shape: text }
+mac_param: MAC_WIRE_DATA { shape: text }
+cookie: '"cookie"' { shape: text }
+cookie_param: COOKIE_WIRE_DATA { shape: text }
+peer_id: '"peer_id"' { shape: text }
+peer_id_p1: spkm { shape: text}
+peer_id_p2: spkt { shape: text}
+
+root -> PROTOCOL
+
+PROTOCOL -> mac -> mac_param
+PROTOCOL -> cookie -> cookie_param
+PROTOCOL -> peer_id -> peer_id_p1 -> peer_id_p2
+PROTOCOL -> ck_init
+PROTOCOL -> ck_ext
+
+mix: '"mix"' { shape: text }
+user: '"user"' { shape: text }
+rp_eu: '"rosenpass.eu"' { shape: text }
+wg_psk: '"wireguard psk"' { shape: text }
+hs_enc: '"handshake encryption"' { shape: text }
+ini_enc: '"initiator session encryption"' { shape: text }
+res_enc: '"responder session encryption"' { shape: text }
+
+ck_ext -> mix
+ck_ext -> user -> rp_eu -> wg_psk
+ck_ext -> hs_enc
+ck_ext -> ini_enc
+ck_ext -> res_enc
+
+# ck_init -> InitHello.start
+
+InitHello {
+ start -> d0 \
+ -> m1 -> d1 \
+ -> m2 -> d2
+
+ d2 -> encaps_spkr.m1
+ encaps_spkr.d3 -> encrypt_ltk.m1
+ encaps_spkr.d3 -> encrypt_ltk.key
+ encrypt_ltk.d1 -> encrypt_auth.m1
+ encrypt_ltk.d1 -> encrypt_auth.key
+
+ m1: "mix" { shape: text }
+ m2: "mix" { shape: text }
+
+ start: '"chaining key init"' { shape: text }
+ d0: "spkr" { shape: circle }
+ d1: "sidi" { shape: circle }
+ d2: "epki" { shape: circle }
+
+ encaps_spkr {
+ m1 -> d1 \
+ -> m2 -> d2 \
+ -> m3 -> d3 \
+
+ m1: "mix" { shape: text }
+ m2: "mix" { shape: text }
+ m3: "mix" { shape: text }
+
+ d1: "spkr" { shape: circle }
+ d2: "sctr" { shape: circle }
+ d3: "sptr" { shape: circle }
+ }
+
+ encrypt_ltk {
+ m1 -> d1
+
+ encrypt: 'Aead::enc(peer_id(spkr, spki))'
+ key -> encrypt: {
+ target-arrowhead.label: key
+ }
+ data -> encrypt: {
+ target-arrowhead.label: data
+ }
+ encrypt -> d1: {
+ source-arrowhead.label: output
+ }
+
+ m1: "mix" { shape: text }
+ key: '"handshake encryption"' { shape: text }
+ data: 'ref from "peer id" branch after spkt' { shape: text }
+ d1: "ct" { shape: diamond }
+ }
+
+ encrypt_auth {
+ m1 -> d1
+
+ encrypt: 'Aead::enc(empty())'
+ key -> encrypt: {
+ target-arrowhead.label: key
+ }
+ encrypt -> d1: {
+ source-arrowhead.label: output
+ }
+
+ m1: "mix" { shape: text }
+ key: '"handshake encryption"' { shape: text }
+ d1: "ct" { shape: diamond }
+ }
+}
+
+RespHello {
+ start -> d0 -> m1 -> d1
+ d1 -> encaps_epki.m1
+ encaps_epki.d3 -> encaps_spki.m1
+ encaps_spki.d3 -> m2 -> d2
+ d2 -> encrypt_auth.m1
+
+ store_biscuit -> d2
+ "pidi" -> store_biscuit {
+ target-arrowhead.label: "field=peerid"
+ }
+ encaps_spki.d3 -> store_biscuit {
+ target-arrowhead.label: "field=ck"
+ }
+
+
+ m1: "mix" { shape: text }
+ m2: "mix" { shape: text }
+
+ start: '(state from InitHello)' { shape: text }
+ d0: "sidr" { shape: circle }
+ d1: "sidi" { shape: circle }
+ d2: "biscuit" { shape: diamond }
+
+ store_biscuit: "store_biscuit()"
+
+ encaps_epki {
+ m1 -> d1 \
+ -> m2 -> d2 \
+ -> m3 -> d3 \
+
+ m1: "mix" { shape: text }
+ m2: "mix" { shape: text }
+ m3: "mix" { shape: text }
+
+ d1: "epki" { shape: circle }
+ d2: "ecti" { shape: circle }
+ d3: "epti" { shape: circle }
+ }
+
+ encaps_spki {
+ m1 -> d1 \
+ -> m2 -> d2 \
+ -> m3 -> d3 \
+
+ m1: "mix" { shape: text }
+ m2: "mix" { shape: text }
+ m3: "mix" { shape: text }
+
+ d1: "spki" { shape: circle }
+ d2: "scti" { shape: circle }
+ d3: "spti" { shape: circle }
+ }
+
+ encrypt_auth {
+ m1 -> d1
+
+ encrypt: 'Aead::enc(empty())'
+ key -> encrypt: {
+ target-arrowhead.label: key
+ }
+ encrypt -> d1: {
+ source-arrowhead.label: output
+ }
+
+ m1: "mix" { shape: text }
+ key: '"handshake encryption"' { shape: text }
+ d1: "ct" { shape: diamond }
+ }
+}
+
+InitConf {
+ start -> d0 -> m1 -> d1 -> encrypt_auth.m1
+
+ encrypt_auth.d1 -> ol1 -> o1
+ encrypt_auth.d1 -> ol2 -> o2
+ encrypt_auth.d1 -> ol3 -> o3
+
+ m1: "mix" { shape: text }
+
+ start: '(state from RespHello)' { shape: text }
+ d0: "sidi" { shape: circle }
+ d1: "sidr" { shape: circle }
+
+ ol1: '"wireguard psk"' { shape: text }
+ ol2: '"initiator session encryption"' { shape: text }
+ ol3: '"responder session encryption"' { shape: text}
+ o2: "" { shape: page }
+ o1: "" { shape: step }
+ o2: "" { shape: step }
+ o3: "" { shape: step }
+
+ encrypt_auth {
+ m1 -> d1
+
+ encrypt: 'Aead::enc(empty())'
+ key -> encrypt: {
+ target-arrowhead.label: key
+ }
+ encrypt -> d1: {
+ source-arrowhead.label: output
+ }
+
+ m1: "mix" { shape: text }
+ key: '"handshake encryption"' { shape: text }
+ d1: "ct" { shape: diamond }
+ }
+}
diff --git a/papers/prftree.svg b/papers/prftree.svg
new file mode 100644
index 0000000..1f55670
--- /dev/null
+++ b/papers/prftree.svg
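Review bot: The `protocol_comment` label names `ekem=lightsaber`, but the wire sizes in `papers/sequencing.d2` from this same commit (`epki: 800`, `ecti: 768`) match the Kyber-512 public-key and ciphertext sizes rather than LightSaber's, so the figure for the domain-separation root seems to name a different ephemeral KEM than the message layout assumes. Every label in this tree hangs under PROTOCOL, so the string shown here should be compared with the constant the implementation actually hashes and corrected if it is stale. Separately, in `InitConf` the key `o2` is declared twice (`o2: "" { shape: page }` and then `o2: "" { shape: step }`); the first looks like a leftover and can be dropped. The three `encaps_*` blocks also end their edge chain with a dangling `\` before a blank line (`-> m3 -> d3 \`), which should lose the trailing backslash.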
@@ -0,0 +1,823 @@ + +0PROTOCOLPROTOCOL = "rosenpass 1 rosenpass.eu aead=chachapoly1305 dprf=blake2s ekem=lightsaber skem=mceliece460896 xaead=xchachapoly1305""chaining key init""chaining key extract""mac"MAC_WIRE_DATA"cookie"COOKIE_WIRE_DATA"peer_id"spkmspkt"mix""user""rosenpass.eu""wireguard psk""handshake encryption""initiator session encryption""responder session encryption"InitHelloRespHelloInitConfmixmix"chaining key init"spkrsidiepkiencaps_spkrencrypt_ltkencrypt_authmixmix(state from InitHello)sidrsidibiscuitstore_biscuit()encaps_epkiencaps_spkiencrypt_authmix(state from RespHello)sidisidr"wireguard psk""initiator session encryption""responder session encryption"encrypt_authpidimixmixmixspkrsctrsptrAead::enc(peer_id(spkr, spki))mix"handshake encryption"ref from "peer id" branch after spktctAead::enc(empty())mix"handshake encryption"ctmixmixmixepkiectieptimixmixmixspkisctisptiAead::enc(empty())mix"handshake encryption"ctAead::enc(empty())mix"handshake encryption"ct keydataoutputkeyoutputfield=peeridfield=ckkeyoutputkeyoutput + + + diff --git a/papers/sequencing.d2 b/papers/sequencing.d2 new file mode 100644 index 0000000..5f19b6b --- /dev/null +++ b/papers/sequencing.d2 
@@ -0,0 +1,81 @@
+Protocol: {
+ shape: sequence_diagram
+ ini: "Initiator"
+ res: "Responder"
+ ini -> res: "InitHello"
+ res -> ini: "RespHello"
+ ini -> res: "InitConf"
+ res -> ini: "EmptyData"
+}
+
+Envelope: "Envelope" {
+ shape: class
+ type: "1"
+ '': 3
+ payload: variable
+ mac: 16
+ cookie: 16
+}
+
+Envelope.payload -> InitHello
+InitHello: "InitHello (type=0x81)" {
+ shape: class
+ sidi: 4
+ epki: 800
+ sctr: 188
+ peerid: 32 + 16 = 48
+ auth: 16
+}
+
+Envelope.payload -> RespHello
+RespHello: "RespHello (type=0x82)" {
+ shape: class
+ sidr: 4
+ sidi: 4
+ ecti: 768
+ scti: 188
+ biscuit: 76 + 24 + 16 = 116
+ auth: 16
+}
+
+Envelope.payload -> InitConf
+InitConf: "InitConf (type=0x83)" {
+ shape: class
+ sidi: 4
+ sidr: 4
+ biscuit: 76 + 24 +16 = 116
+ auth: 16
+}
+
+Envelope.payload -> EmptyData
+EmptyData: "EmptyData (type=0x84)" {
+ shape: class
+ sidx: 4
+ ctr: 8
+ auth: 16
+}
+
+Envelope.payload -> Data
+Data: "Data (type=0x85)" {
+ shape: class
+ sidx: 4
+ ctr: 8
+ data: variable + 16
+}
+
+Envelope.payload -> CookieReply
+CookieReply: "CookieReply (type=0x86)" {
+ shape: class
+ sidx: 4
+ nonce: 24
+ cookie: 16 + 16 = 32
+}
+
+RespHello.biscuit -> Biscuit
+InitConf.biscuit -> Biscuit
+Biscuit: "Biscuit" {
+ shape: class
+ peerid: 32
+ no: 12
+ ck: 32
+}
diff --git a/papers/sequencing.svg b/papers/sequencing.svg
new file mode 100644
index 0000000..090d70b
--- /dev/null
+++ b/papers/sequencing.svg
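Review bot: `CookieReply` is attached with `Envelope.payload -> CookieReply` and lists only `sidx: 4`, `nonce: 24` and `cookie: 16 + 16 = 32` (60 bytes), whereas the message-types figure added in the same commit appears to give CookieReply its own `type(0x86)` and `reserved` fields, a 64-byte total, and no separate mac/cookie trailer. Someone sizing buffers or writing a parser from this diagram would compute a different length and expect an envelope MAC on cookie replies, so the two figures should agree. If the 64-byte layout is the intended one, add `type: 1` and a 3-byte reserved row to `CookieReply` and drop the `Envelope.payload -> CookieReply` edge. The session-id field is also called `sidx` here but `sid` in the other figure, and the reserved envelope field is keyed by an empty string (`'': 3`), which would read better as `reserved: 3`.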
@@ -0,0 +1,133 @@ + +ProtocolEnvelope+ +type +1+ + +3+ +payload +variable+ +mac +16+ +cookie +16InitHello (type=0x81)+ +sidi +4+ +epki +800+ +sctr +188+ +peerid +32 + 16 = 48+ +auth +16RespHello (type=0x82)+ +sidr +4+ +sidi +4+ +ecti +768+ +scti +188+ +biscuit +76 + 24 + 16 = 116+ +auth +16InitConf (type=0x83)+ +sidi +4+ +sidr +4+ +biscuit +76 + 24 +16 = 116+ +auth +16EmptyData (type=0x84)+ +sidx +4+ +ctr +8+ +auth +16Data (type=0x85)+ +sidx +4+ +ctr +8+ +data +variable + 16CookieReply (type=0x86)+ +sidx +4+ +nonce +24+ +cookie +16 + 16 = 32Biscuit+ +peerid +32+ +no +12+ +ck +32InitiatorResponder InitHelloRespHelloInitConfEmptyData + + + + + +