@@ -9,117 +9,6 @@ If you are not yet familiar with the concepts of quantum-safe security, Post Qua
99(PQC) or Quantum Key Distribution (QKD), it is helpful to first read the introduction:
1010[ what is DSKE and what problem does it solve?] ( what-is-dske-and-what-problem-does-it-solve.md ) .
1111
12- ## High-level overview
13-
14- We start with a high-level overview of how the protocol works.
15- Our goal is try to avoid losing the forest for the trees later on when we dive into the details.
16- We gloss over many important details and we use some terminology without defining it; these
17- details and definitions will be filled in in the remainder of the chapter.
18-
19- We have a network consisting of network nodes.
20- These nodes are connected to each other using a normal IP network (i.e. using routers and switches).
21-
22- Some of these nodes want to exchange encrypted traffic with each other, and for this reason they
23- need to agree on encryption keys.
24- We refer to these nodes as DSKE client nodes, or simply clients.
25- The clients are running the DSKE protocol as the key establishment protocol.
26-
27- The DSKE protocol relies heavily on using very large blocks of Pre-Shared Random Data (PSRD).
28- Before two nodes can establish keys, they first need to exchange blocks of PSRD.
29- The exchange of PSRD uses what we refer to as a secure out-of-band mechanism.
30- Think, for example, of using armed guards to exchange tamper-proof disks full of random data,
31- where the disks are destroyed after the same block of PSRD is delivered to each of a pair of nodes.
32-
33- Imagine, for now, that two clients Carol and Celia have exchanged blocks of PSRD.
34- This means that Carol and Celia both have a identical copies of the PSRD blocks, and no-one else
35- knows what these blocks of PSRD are.
36-
37- Carol and Celia can now agree on a Carol-Celia encryption key using a public
38- conversation.
39- For example, Carol could announce that she will use bytes numbers 100 through 228 of PSRD block
40- number 123 as the key.
41- We refer to this as the meta-data for the encryption key.
42- Since Celia has a copy of PSRD block 123, she can extract bytes 100 through 228 and find the
43- same encryption key.
44- But no-one else knows the contents of PSRD block 123, so no-one else can determine what the
45- Carol-Celia encryption key is.
46-
47- Carol and Celia need to make sure that they are really talking to each other and not to some
48- imposter.
49- In other words, Carol and Celia need to authenticate each other.
50- The clients authenticate messages by extracting an authentication key from the PSRD.
51- The sender (say Carol) allocates the authentication key and uses it to sign the message.
52- Carol sends the meta-data for the authentication key (but not the key value), the signature, and
53- the message itself to the receiver (say Celia).
54- Celia uses the received key meta-data to extract the authentication key value from her copy of the
55- PSRD and uses it to validate the received signature.
56-
57- The scheme that we have described thus far becomes impractical if we have a very large number of
58- clients.
59- Each client would have to pro-actively and a-priori exchange PSRD with each of the other clients
60- on the network that it could potentially wish to communicate with at some point in the future.
61-
62- For this reason, we introduce a second type of node that we refer to as a DSKE security hub,
63- or simply hub for short.
64-
65- Instead of establishing a key directly between a pair of clients, we use the hubs as trusted relay
66- nodes.
67- The clients do not establish PSRD with directly with each other;
68- instead, the clients establish PSRD with the hubs.
69-
70- As an example, let's say we have two clients Carol and Celia, and one hub Hank.
71- And let's say Carol and Celia want to agree on a key.
72- First, Carol and Hank agree on a local Carol-Hank key using the mechanism described above.
73- Then, Celia and Hank agree on a local Celia-Hank key, also using the mechanism described above.
74- Finally, the end-to-end Carol-Celia key is established.
75- Carol allocates some random bytes as the end-to-end Carol-Celia key.
76- Carol sends the end-to-end Carol-Celia key to Hank, encrypting it using the local Carol-Hank key.
77- And then Hank forwards the end-to-end Carol-Celia key to Celia, encrypting it using the
78- local Celia-Hank key.
79-
80- Note that the end-to-end Carol-Celia key is decrypted and re-encrypted at Hank in this process.
81- In other words, for a brief moment, Hank knows what the end-to-end Carol-Celia key is.
82- We have to trust Hank not to abuse that knowledge or be hacked by an attacker to steal that
83- knowledge.
84- Because Hank needs to be trusted, Hank is called a Trusted Relay Node (TRN).
85-
86- Also, hub Hank becomes a Single Point of Failure (SPoF).
87- If hub Hank fails, the clients relying on Hank are enable to establish keys.
88-
89- To ameliorate both the problem of having to trust the hub node and the problem of the hub node
90- being a single point of failure, we introduce the concept of using multiple hub nodes in
91- parallel.
92- This is where the "Distributed" in "Distributed Symmetric Key Establishment" comes from.
93-
94- To understand how using multiple hubs works, we fist need to understand
95- [ Shamir's Secret Sharing (SSS)] ( https://en.wikipedia.org/wiki/Shamir%27s_secret_sharing )
96- algorithm.
97-
98- Shamir's secret sharing allows us to split the end-to-end Carol-Celia key into some number (_ n_ )
99- of parts.
100- Here, _ n_ is the number of hubs that we will use in parallel to relay the key.
101- Each part is called a share of the key.
102- The original key can be reconstructed if you have at least _ k_ out of the original _ n_ shares
103- (were _ k_ is some number smaller than _ n_ ).
104- If you have fewer than _ k_ shares, no information about the secret can be extracted.
105-
106- We use Shamir's secret sharing as follows.
107- After Carol allocates the end-to-end Carol-Celia key, she splits the key up into _ n_ shares.
108- She then relays each of these _ n_ shares to Celia using a different hub.
109- Thus, she uses _ n_ hubs in parallel to relay each of the _ n_ shares.
110-
111- This solves both the trusting problem and the single point of failure problem.
112-
113- Each hub only has knowledge of a single share of the end-to-end key.
114- It would require _ k_ hubs to conspire with each other (or _ k_ hubs to be hacked)
115- for the hubs or the attacker to reconstruct the end-to-end key.
116- As long as fewer than _ k_ shares are leaked, no information whatsoever about the end-to-end key
117- is leaker.
118-
119- Also, if some of the hubs fail, the end-to-end key establishment can still complete successfully.
120- The protocol continues to work as long as at least _ k_ hubs remain (i.e. as longs as no more than
121- _ n_ - _ k_ nodes fail).
122-
12312## Inspiration
12413
12514Our DSKE implementation is inspired by:
@@ -260,6 +149,117 @@ These lines are not intended to represent single-hop point-to-point physical con
260149Instead they represent potentially multi-hop IP connectivity between the network nodes; each link
261150may contain multiple switch or router hops.
262151
152+ ## High-level overview
153+
154+ We start with a high-level overview of how the protocol works.
155+ Our goal is try to avoid losing the forest for the trees later on when we dive into the details.
156+ We gloss over many important details and we use some terminology without defining it; these
157+ details and definitions will be filled in in the remainder of the chapter.
158+
159+ We have a network consisting of network nodes.
160+ These nodes are connected to each other using a normal IP network (i.e. using routers and switches).
161+
162+ Some of these nodes want to exchange encrypted traffic with each other, and for this reason they
163+ need to agree on encryption keys.
164+ We refer to these nodes as DSKE client nodes, or simply clients.
165+ The clients are running the DSKE protocol as the key establishment protocol.
166+
167+ The DSKE protocol relies heavily on using very large blocks of Pre-Shared Random Data (PSRD).
168+ Before two nodes can establish keys, they first need to exchange blocks of PSRD.
169+ The exchange of PSRD uses what we refer to as a secure out-of-band mechanism.
170+ Think, for example, of using armed guards to exchange tamper-proof disks full of random data,
171+ where the disks are destroyed after the same block of PSRD is delivered to each of a pair of nodes.
172+
173+ Imagine, for now, that two clients Carol and Celia have exchanged blocks of PSRD.
174+ This means that Carol and Celia both have a identical copies of the PSRD blocks, and no-one else
175+ knows what these blocks of PSRD are.
176+
177+ Carol and Celia can now agree on a Carol-Celia encryption key using a public
178+ conversation.
179+ For example, Carol could announce that she will use bytes numbers 100 through 228 of PSRD block
180+ number 123 as the key.
181+ We refer to this as the meta-data for the encryption key.
182+ Since Celia has a copy of PSRD block 123, she can extract bytes 100 through 228 and find the
183+ same encryption key.
184+ But no-one else knows the contents of PSRD block 123, so no-one else can determine what the
185+ Carol-Celia encryption key is.
186+
187+ Carol and Celia need to make sure that they are really talking to each other and not to some
188+ imposter.
189+ In other words, Carol and Celia need to authenticate each other.
190+ The clients authenticate messages by extracting an authentication key from the PSRD.
191+ The sender (say Carol) allocates the authentication key and uses it to sign the message.
192+ Carol sends the meta-data for the authentication key (but not the key value), the signature, and
193+ the message itself to the receiver (say Celia).
194+ Celia uses the received key meta-data to extract the authentication key value from her copy of the
195+ PSRD and uses it to validate the received signature.
196+
197+ The scheme that we have described thus far becomes impractical if we have a very large number of
198+ clients.
199+ Each client would have to pro-actively and a-priori exchange PSRD with each of the other clients
200+ on the network that it could potentially wish to communicate with at some point in the future.
201+
202+ For this reason, we introduce a second type of node that we refer to as a DSKE security hub,
203+ or simply hub for short.
204+
205+ Instead of establishing a key directly between a pair of clients, we use the hubs as trusted relay
206+ nodes.
207+ The clients do not establish PSRD with directly with each other;
208+ instead, the clients establish PSRD with the hubs.
209+
210+ As an example, let's say we have two clients Carol and Celia, and one hub Hank.
211+ And let's say Carol and Celia want to agree on a key.
212+ First, Carol and Hank agree on a local Carol-Hank key using the mechanism described above.
213+ Then, Celia and Hank agree on a local Celia-Hank key, also using the mechanism described above.
214+ Finally, the end-to-end Carol-Celia key is established.
215+ Carol allocates some random bytes as the end-to-end Carol-Celia key.
216+ Carol sends the end-to-end Carol-Celia key to Hank, encrypting it using the local Carol-Hank key.
217+ And then Hank forwards the end-to-end Carol-Celia key to Celia, encrypting it using the
218+ local Celia-Hank key.
219+
220+ Note that the end-to-end Carol-Celia key is decrypted and re-encrypted at Hank in this process.
221+ In other words, for a brief moment, Hank knows what the end-to-end Carol-Celia key is.
222+ We have to trust Hank not to abuse that knowledge or be hacked by an attacker to steal that
223+ knowledge.
224+ Because Hank needs to be trusted, Hank is called a Trusted Relay Node (TRN).
225+
226+ Also, hub Hank becomes a Single Point of Failure (SPoF).
227+ If hub Hank fails, the clients relying on Hank are enable to establish keys.
228+
229+ To ameliorate both the problem of having to trust the hub node and the problem of the hub node
230+ being a single point of failure, we introduce the concept of using multiple hub nodes in
231+ parallel.
232+ This is where the "Distributed" in "Distributed Symmetric Key Establishment" comes from.
233+
234+ To understand how using multiple hubs works, we fist need to understand
235+ [ Shamir's Secret Sharing (SSS)] ( https://en.wikipedia.org/wiki/Shamir%27s_secret_sharing )
236+ algorithm.
237+
238+ Shamir's secret sharing allows us to split the end-to-end Carol-Celia key into some number (_ n_ )
239+ of parts.
240+ Here, _ n_ is the number of hubs that we will use in parallel to relay the key.
241+ Each part is called a share of the key.
242+ The original key can be reconstructed if you have at least _ k_ out of the original _ n_ shares
243+ (were _ k_ is some number smaller than _ n_ ).
244+ If you have fewer than _ k_ shares, no information about the secret can be extracted.
245+
246+ We use Shamir's secret sharing as follows.
247+ After Carol allocates the end-to-end Carol-Celia key, she splits the key up into _ n_ shares.
248+ She then relays each of these _ n_ shares to Celia using a different hub.
249+ Thus, she uses _ n_ hubs in parallel to relay each of the _ n_ shares.
250+
251+ This solves both the trusting problem and the single point of failure problem.
252+
253+ Each hub only has knowledge of a single share of the end-to-end key.
254+ It would require _ k_ hubs to conspire with each other (or _ k_ hubs to be hacked)
255+ for the hubs or the attacker to reconstruct the end-to-end key.
256+ As long as fewer than _ k_ shares are leaked, no information whatsoever about the end-to-end key
257+ is leaker.
258+
259+ Also, if some of the hubs fail, the end-to-end key establishment can still complete successfully.
260+ The protocol continues to work as long as at least _ k_ hubs remain (i.e. as longs as no more than
261+ _ n_ - _ k_ nodes fail).
262+
263263## Interfaces
264264
265265The topology contains the following software interfaces:
0 commit comments