
Commit fa600b4

committed
Clarify spec.
1 parent ebd9b73 commit fa600b4

File tree

1 file changed

+33
-4
lines changed


README.md

Lines changed: 33 additions & 4 deletions
@@ -24,12 +24,18 @@ is converted to an x25519 key using the algorithm as implemented by libsodium.
2424
NOTE: while it is likely ok to reuse the key for singing and diffie hellman it is strongly advised
2525
not to reuse the key for other protocols like VRF or threshold signatures.
2626

27-
## Handshake session
27+
## Crypto algorithms
2828

2929
Using xoodyak (a finalist in the on-going NIST light weight crypto competition), the following
3030
sequence of operations are performed for deriving the 0rtt-key, 1rtt-key and next-1rtt-key. For
3131
fast authenticated encryption a chacha8poly1305 cipher is used.
3232

33+
## Session
34+
35+
The initial packet contains the ephemeral client public key, the encrypted client static public key
36+
and the encrypted client transport parameters. After the initial packet 0-rtt packets can be sent
37+
using the `initiator-0rtt-key` without having to wait for a response from the server.
38+
3339
```
3440
Initial:
3541
| Cyclist({}, {}, {})
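Review bot: the lead-in that now sits under the renamed `## Crypto algorithms` heading still says "the following sequence of operations are performed for deriving the 0rtt-key, 1rtt-key and next-1rtt-key", but with the new `## Session` heading inserted before the derivations that sequence is no longer "following" in the same section; either move that sentence down to introduce the Session derivations or reword it to refer to the Session section. The new Session paragraph also says 0-rtt packets "can be sent using the `initiator-0rtt-key` without having to wait for a response from the server" without stating the usual 0-RTT caveats: until the server's ephemeral key is mixed in during the handshake, the 0-rtt keys have no forward secrecy, and 0-rtt packets can be replayed, so the spec should say which data may be sent under that key (quic-tls spells this out for 0-RTT). Nits in the unchanged context: "singing" should be "signing", "diffie hellman" should be "Diffie-Hellman", and "on-going NIST light weight crypto competition" reads better as "the ongoing NIST lightweight cryptography competition" with "Xoodyak" capitalized.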
@@ -46,7 +52,13 @@ c | Encrypt(client_transport_parameters)
4652
t | Squeeze(16)
4753
| initiator-0rtt-key = SqueezeKey(32)
4854
| responder-0rtt-key = SqueezeKey(32)
49-
...
55+
```
56+
57+
After receiving an initial packet the server produces a handshake packet containing the encrypted
58+
server ephemeral public key and the encrypted server transport parameters. After the handshake
59+
packet 1-rtt packets can be sent. Once all 0-rtt packets have been acked the keys are discarded.
60+
61+
```
5062
Handshake:
5163
c | Encrypt(e)
5264
| Absorb(ee)
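Review bot: "Once all 0-rtt packets have been acked the keys are discarded" is ambiguous about which keys; it should say "the 0-rtt keys", since the 1-rtt keys derived in the same section must survive. It is also one-sided: it says when the initiator drops `initiator-0rtt-key` but not when the responder stops accepting packets under it, which matters because a responder that keeps the 0-rtt key alive indefinitely extends the window in which replayed initial/0-rtt traffic is accepted; state the responder's rule too (quic-tls lets the server discard 0-RTT keys once it has received a 1-RTT packet, possibly retaining them briefly for reordering). Suggest: "Once all 0-rtt packets have been acked the initiator discards the 0-rtt keys; the responder discards them after receiving the first 1-rtt packet."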
@@ -55,8 +67,13 @@ c | Encrypt(server_transport_parameters)
5567
t | Squeeze(16)
5668
| initiator-1rtt-key = SqueezeKey(32)
5769
| responder-1rtt-key = SqueezeKey(32)
58-
...
59-
Data:
70+
```
71+
72+
During the transport session the 1-rtt keys might need to be rotated. This happens when approaching
73+
`u64::MAX` sent packets or if requested by the other party. See the quic spec for details.
74+
75+
```
76+
Key rotation:
6077
| Ratchet()
6178
| initiator-next-1rtt-key = SqueezeKey(32)
6279
| responder-next-1rtt-key = SqueezeKey(32)
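Review bot: "This happens when approaching `u64::MAX` sent packets" cannot be the rotation trigger, since QUIC packet numbers are limited to 2^62-1 (RFC 9000 §12.3) and the binding bound in quic-tls is the AEAD confidentiality limit (2^62 packets for ChaCha20-Poly1305) together with a separate integrity limit on failed decryptions (2^36 for ChaCha20-Poly1305, RFC 9001 §6.6); state the bound in those terms. "See the quic spec for details" should point at the key update procedure in quic-tls (RFC 9001 §6), which is where the rules on who may initiate an update, how long old keys are retained and how the key phase bit is handled live. Since the cipher here is chacha8poly1305 rather than the 20-round variant quic-tls analyses, the text should also say whether the same limits are assumed to carry over.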
@@ -69,6 +86,18 @@ valid `quinn-noise` version.
6986

7087
- [0] https://github.com/quicwg/base-drafts/wiki/QUIC-Versions
7188

89+
## Header protection
90+
91+
Header protection/obfuscation serves to prevent middle boxes from reading the header. Modification
92+
is not possible since the header is passed as associated data to the cipher. The idea is that if
93+
the header changes in a future quic version, middle boxes may drop the packets because they can't
94+
read the header. But header protection/obfuscation only makes it harder not impossible. Due to
95+
being questionable if it serves it's purpose it was decided that no header obfuscation is applied.
96+
97+
## Retry mechanism
98+
99+
The retry mechanism is identical to what is specified in the quic-tls spec.
100+
72101
## License
73102

74103
MIT OR Apache-2.0
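Review bot: the header protection rationale only weighs ossification and the fact that "the header is passed as associated data to the cipher", but it omits what is actually given up by not protecting the header: quic-tls header protection exists to keep the Packet Number field confidential from on-path elements (RFC 9001 §5.4), so with no obfuscation an observer sees every packet number in the clear and can count packets and spot gaps; the section should say that this is an accepted trade-off and why. "it's purpose" should be "its purpose", and "only makes it harder not impossible" needs a comma before "not". For the Retry section, "identical to what is specified in the quic-tls spec" should say whether that includes the Retry Integrity Tag, which quic-tls computes with AES-128-GCM under a fixed key (RFC 9001 §5.8); a design built on Xoodyak and chacha8poly1305 presumably does not want to pull in AES-GCM just for that, so the spec should either confirm that it does or define its own tag computation.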
