-
Notifications
You must be signed in to change notification settings - Fork 78
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Whitepaper proof read #68
Comments
The root cause of most of these issues is assuming knowledge of the WireGuard whitepaper1. This is an oversight; if we assume the reader knows the WireGuard whitepaper, we should say so and we shouldn't require users to read the WG whitepaper in the first place. The other thing to know is that Rosenpass is structured like WireGuard -- it is designed to act like a VPN protocol but in practice we just use it to send a key to WireGuard; this leads to some oddities like the present but barely-used live transport data feature.
That actually was a deliberate decision. These variables are implied by the naming scheme; maybe we should make it more obvious that they are defined but unused.
On the contrary; it is used to enter the live transport session; Rosenpass does not implement live transport sessions but this is still needed to send the See Rosenpass Whitepaper Fig. 4 instructions ICI7 and ICR7.
They are not assigned; both peers can be initiator and responder at the same time; such a situation results in two handshakes being executed at the same time. This is actually necessary to avoid denial of service attacks on the protocol level since without having executed the handshake neither party can be sure the other is legitimate. This is tricky to get right; the current rust implementation has a race condition due to this; I need to spend some time figuring out how to fix this. Footnotes |
thanks for the very detailed explanations 😃 I've seen that you already updated the figures of the whitepaper. I have two questions about the changes in Figure 2:
Thanks a lot :) |
Should we maybe rename those as well in the figure? |
Hi @stv0g |
Oh you are right. Sorry, I was confused by GitHubs image-diffing feature.. |
I think we should! @Mullana Its not urgent at all :) |
Hi @koraa, I added a little status section to the description of this ticket so we can track the progress. There is another thing, which should probably be added to the whitepaper: Endianess of biscuit counterIt is currently not defined but is essential for a working implementation. |
@stv0g Thank you! Everything is currently in little endian. And wonderful idea to add the status section. |
Figure 4: Wrong cipher-text variableIn Figure 4, Step IHR5 it should probably say |
@koraa Sorry for all the spam here. These are just peer-review comments about the whitepaper. Nothing critical or urgent. I just want to keep track of my comments so we can improve the next version of the white paper 😃 Section 2.4.1: Better naming for session/index tableSection 2.4.1 mentions a global table for keeping track of ongoing session:
I am wondering where this naming comes from. I think something like |
This comment was marked as off-topic.
This comment was marked as off-topic.
load_biscuit: Inverted assertions for replay detectionThe pseudo code for assert(pt.biscuit_no ≤ peer.biscuit_used); Shouldnt it be the opposite? E.g.: assert(pt.biscuit_no > peer.biscuit_used); The number in the biscuit must be larger than any previously seen number. Step ICR5 of Figure 4 actually makes the correct assertion. Edit: Looking at the implementation, the assertions seem to be correct. It works with them as in the whitepaper. However, I will need to put in some more effort to understand this. I guess its related to the replay vs. retransmission detection. |
Figure 3: Wrong PRF labels for session encryption keysThe whitepaper uses the following PRF labels for deriving the session encryption keys:
However, the Rust implementation uses:
See: Line 43 in b29720b
|
Section 2.3: Wrong protocol identifierThe whitepaper uses the following string as the protocol identifier
However, the Rust implementation uses: Line 10 in b29720b
|
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
Section 2.1.1: Wrong hash function?Section 2.1.1 says:
However the Rust implementation used BLAKE2b: Line 218 in b29720b
|
Section 2.1.1: Describe non-standard HMAC-Blake2 variantI fallen into the trap to assume that the key of the inner Blake2 hash-function for the HMAC calculation will be set to zero like Wireguard is doing it: However, Rosenpass seems to take another approach and uses the Lines 251 to 266 in b29720b
The white paper does not motivate why this is done. I would argue that the HMAC implementation of Rosenpass is not following RFC 2104 as referenced in 1. Interestingly, also Jason Donenfeld is arguing that HMAC-Blake2s is not that useful? https://lore.kernel.org/lkml/20220111181037.632969-2-Jason@zx2c4.com/ Footnotes
|
Figure 3 / Section 2.5: Wrong order of mixing in
|
self.mix(pk)?.mix(shk.secret())?.mix(ct) | |
} |
Figure 2: Wrong field ordering in RespHello messageThe white paper defines the order as follows:
The Rust code implements it as
Note that 5. and 6. are swapped: Lines 255 to 268 in b29720b
|
The entire situation surrounding HMAC is a mess…I'll tell you some time in detail; it's better as an anecdote than as a technical comment. Right now the assumption is that rosenpass does the same thing WireGuard does; although I haven't consulted the WireGuard source code myself. I'll do a deep dive when I apply your comments to check this. Good catch! |
Hi @koraa, do you mind if I split up this issue into multipLe issues for addressing, discussing each individual inconsistency? |
I kind of like having it in one issue, I'd wait until this commit settles and then address all issues in one go xD. |
Section 2.4.3: Mismatching biscuit key epochThe white paper says:
The Rust implementation uses an epoch of 5 minutes: Line 114 in 397a776
|
Section 2.1.4 / 2.1.5: Add references to exact versions of KEM specifications which are used by RosenpassCurrently, the whitepaper does not say which version of Classic McEliece nor Kyber is used. In the case of Classic McElience, the Rust implementation of Rosenpass currently uses liboqs which implements and older version of the KEM (Round 3) while the latest version of the KEM is specified by the NIST PQC round 4 submission. I assume that there are also different version of Kyber in existance. So we should be more precise in saying which version of the KEMs must be used. |
Figure 3: Indicate when responder/initiator are authenticatedI think Figure 3 would be a great place to show from which step onwards responder/initiators are authenticated. This is currently only visualized in Figure 1 in which we are lacking the implementation details. |
Some nits from @wucke13 and @emilenglerFrom #108
|
@Mullana I am adding some TODOs for you in the issue description; please give me some time to finalize the changes I am making before actually starting on any of these TODOs |
Issue: #68 (#68 (comment)) pk, shk, ct -> pk, ct, shk
Issue: #68 (#68 (comment)) pk, shk, ct -> pk, ct, shk
I've started to work on a Golang implementation of the Rosenpass key exchange1.
While implementing it, I stumbled over some confusing parts in the whitepaper:
Variables / message fields
mac
,cookie
,ini_enc
&res_enc
Figure 3 shows the output variables
mac
andcookie
which apparently should be included in a message envelope (Figure 2).But I find no mention about use of the
mac
andcookie
variable elsewhere in the whitepaper.Apart from the
osk
two more output variables are generated after the completion of the handshake:ini_enc
&res_enc
What is their purpose?
Message types: Data & CookieReply
Figure 2 shows these two message types. But they are nowhere described or used?
Live session state
Section 2.4.4 covers some variables which are not described and used in the handshake?
Enter live helper
What is the purpose of the
enter_live
helper function mentioned in section 2.5?It appears also not to be used?
How are the roles of initiator / responder assigned?
WireGuard has no designated server/client as both sides are treated equal.
How does Rosenpass decide which side initiates the key exchange?
Status
Footnotes
https://github.com/stv0g/go-rosenpass ↩
The text was updated successfully, but these errors were encountered: