jmg
/
lora-irrigation
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Implement a secure ICS protocol targeting LoRa Node151 microcontroller for controlling irrigation.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
25 Commits
4 Branches
18 MiB
 
 
 
 
 
 
Tree: df2aac27e6
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'df2aac27e6'
${ noResults }
lora-irrigation/strobe/www/examples/aead/index.html

103 lines
7.1 KiB
Raw Blame History 

  1. <html>

  2. <head>

  3.     <title>Strobe protocol framework</title>

  4.     <link rel="stylesheet" type="text/css" href="/style.css"/>

  5. </head>

  6. <body>

  7.     <h1><a href="/"><span class="sc">Strobe</span> protocol framework</a></h1>

  8.     <div id="nav">

  9.         <a href="/">overview</a>

  10.         <a href="/specs/">specification</a>

  11.         <a class="here" href="/examples/">example protocols</a>

  12.         <a href="/code/">code</a>

  13.         <a href="/papers/">papers</a>

  14.     </div>

  15. 

  16.     <h2>Protocol examples: AEAD</h2>

  17.     

  18.     <h2>Table of Contents</h2>

  19.     <div class="toc">

  20.         <h2><a href="#version">Version</a></h2>

  21.         <h2><a href="#goals">Goals</a></h2>

  22.         <h2><a href="#sep">Domain separation string</a></h2>

  23.         <h2><a href="#seq">Sequence of operations</a></h2>

  24.         <h2><a href="#sec">Security requirements</a></h2>

  25.         <h3><a href="#sec.capacity">Capacity</a></h3>

  26.         <h3><a href="#sec.entropy">Key entropy</a></h3>

  27.         <h3><a href="#sec.unique">Uniqueness</a></h3>

  28.         <h2><a href="#claim">Security claim</a></h2>

  29.         <h2><a href="#comp">Composition</a></h2>

  30.     </div>

  31.     

  32.     <h2 id="version">Version</h2>

  33.     <p>This is version 1 of the AEAD example protocol.</p>

  34.     

  35.     <h2 id="goals">Goals</h2>

  36.     <p>This protocol transmits any number of authenticated plaintext data and any number of encrypted messages.

  37.         It authenticates them with any positive number of keys, which in most use cases will be one.

  38.     </p>

  39.     <p>

  40.         Several of the operations may be either untransmitted, transmitted without framing information, or

  41.         transmitted with framing information.  These are written as <code>meta-AD/CLR</code> and <code>AD/CLR</code>

  42.         operations.  The protocol is secure with any combination of transmitted and untransmitted information

  43.         in any order.  If the recipient uses a different combination of transmitting and not transmitting, then

  44.         the message will fail to decrypt correctly (that is, the MAC check will fail with high probability).

  45.     </p>

  46.     

  47.     <h2 id="sep">Domain separation string</h2>

  48.     <p>The domain separation string for this protocol is <code>"<a href="https://strobe.sourceforge.io/examples/aead">https://strobe.sourceforge.io/examples/aead</a>"</code>.</p>

  49.     

  50.     <h2 id="seq">Sequence of operations</h2>

  51.     <p>The protocol consists of the following operations:</p>

  52.     <ul><li>One or more <code>KEY</code> operations, with the <code>SYM_KEY = 0x01</code> tag: <pre>(meta-AD(0x01); KEY(key))+</pre></li>

  53.     <li>Zero or more <code>VERSION</code> operations, with the <code>VERSION = 0x21</code> tag and exactly 2 length bytes.  This protocol specification is version 0x01:

  54.         <pre>(meta-AD/CLR(0x21 0x01 0x00); AD/CLR(0x01))+</pre>

  55.     </li>

  56.     <li>Zero or more <code>NONCE</code> operations, with the <code>NONCE = 0x04</code> tag and any number of length bytes.

  57.         Also, zero or more <code>AUTH_DATA</code> operations, with the <code>AUTH_DATA = 0x05</code> tag and any number of length bytes.  The <code>AUTH_DATA</code> operations may be mixed in arbitrary order with the nonce(s): <pre>( meta-AD/CLR(0x05 .. length); AD/CLR(ad)

  58. | meta-AD/CLR(0x04 .. length); AD/CLR(nonce)

  59. )*</pre>

  60.         If the metadata for an AD or nonce is transmitted, then the AD or nonce must also be transmitted.</li>

  61.     <li>Zero or more <code>APP_CIPHERTEXT</code> operations, with the <code>APP_CIPHERTEXT = 0x03</code> tag and any number of length bytes: <pre>(meta-AD/CLR(0x03 .. length); ENC(data))*</pre></li>

  62.     <li>Exactly one <code>MAC</code> operation, with the <code>MAC = 0x06</code> tag and exactly 2 length bytes:

  63.         <pre>meta-AD/CLR(0x06, length low, length high); MAC()</pre>

  64.         The MAC must be at least 8 bytes (64 bits) long, but 128 bytes is recommended.

  65.     </li>

  66.     </ul>

  67.     

  68.     <h2 id="sec">Security requirements</h2>

  69.     <h3 id="sec.capacity">Capacity</h3>

  70.     <p>The capacity of the sponge must be at least 2<var>&lambda;</var> bits, where <var>&lambda;</var> is the desired security level.  For 128-bit security, the capacity must be 32 bytes (256 bits) or more.

  71.     </p>

  72.     <h3 id="sec.entropy">Key entropy</h3>

  73.     <p>The keys must be drawn from a set which is hard to guess.  We recommend one key which is uniformly random and 32 bytes (256 bits) long, but 16 bytes (128 bits) is acceptable for most use cases.  The keys must be kept secret from the adversary.  If the adversary can guess the keys, then all security will be lost.</p>

  74.     <h3 id="sec.unique">Uniqueness</h3>

  75.     <p>The (keys,version,nonces,auth_datas) tuple must be unique.  Otherwise, an adversary can learn the encrypted messages, but still can't forge MACs.  <b>This construction is not nonce-misuse resistant.</b></p>

  76.     

  77.     <h2 id="claim">Security claim</h2>

  78.     <p>If the security requirements are observed, then the system is IND-CCA2 secure.  This means that an adversary cannot distinguish between encrypted messages that have the same length.  The adversary can learn the length of the message.  If a tuple of messages is sent, then the adversary can learn the length of the messages if and only if the length framing is sent.  Furthermore, the adversary cannot forge MACs, except by random chance (i.e. with probability 256<sup>-MAC length</sup>).

  79.     </p>

  80.     <p>The adversary can gain an advantage by collecting data (possibly across multiple encrypted messages) and by doing computation.  The advantage is <var>&epsilon;</var> &lt; (<var>N</var>/2<sup><var>&lambda;</var></sup>)<sup>2</sup>, where <var>N</var> is the number of times the adversary calls <var>F</var>, plus the number of times someone else calls <var>F</var> and the adversary collects the results.

  81.     </p>

  82.     <p>The adversary can also break all security by guessing the keys, which will happen after <var>N</var> work with probability <var>N</var><var>D</var>/2<sup><var>K</var></sup>, where <var>D</var> is the number of encrypted messages with different keys but the same (nonces,ADs) that the adversary can collect, and <var>K</var> is the min-entorpy of the key space.

  83.     </p>

  84.     

  85.     <h2 id="comp">Composition</h2>

  86.     <p>This protocol may be composed before or after any number of other protocols, using an operation

  87.         <pre>meta-AD/CLR(0x00 .. length); AD/CLR(<var>sep</var>)</pre>, where <var>sep</var>

  88.         is the domain separation string <code>"https://strobe.sourceforge.io/examples/aead"</code>.

  89.         Larger protocols may instead assign other (e.g., shorter) separation strings, or omit them

  90.         if the use of this protocol is clear from context.

  91.         When running a second instance of this protocol following the first, this operation may be omitted.

  92.     </p>

  93.     <p>If a previous protocol has set one or more keys, then the <code>KEY</code> component of this may be omitted.

  94.         It will then rely on the security of the previously-set keys.

  95.     </p>

  96.     <p>

  97.         If in a previous protocol, this party has sent messages (or absorbed AD) which it knows is unique, then

  98.         this satisfies the (keys,version,nonces,auth_datas) uniqueness requirement.  Messages sent by the other party

  99.         also satisfy this.  But because it is often hard to tell if the other party's messages have been replayed,

  100.         applications SHOULD NOT rely on this.

  101.     </p>

  102.     

  103. </body>