Skip to content

Commit 0b2bed2

Browse files
committed
Move high-level overview down to below figure
1 parent a99362f commit 0b2bed2

1 file changed

Lines changed: 111 additions & 111 deletions

File tree

docs/protocol-guide.md

Lines changed: 111 additions & 111 deletions
Original file line numberDiff line numberDiff line change
@@ -9,117 +9,6 @@ If you are not yet familiar with the concepts of quantum-safe security, Post Qua
99
(PQC) or Quantum Key Distribution (QKD), it is helpful to first read the introduction:
1010
[what is DSKE and what problem does it solve?](what-is-dske-and-what-problem-does-it-solve.md).
1111

12-
## High-level overview
13-
14-
We start with a high-level overview of how the protocol works.
15-
Our goal is try to avoid losing the forest for the trees later on when we dive into the details.
16-
We gloss over many important details and we use some terminology without defining it; these
17-
details and definitions will be filled in in the remainder of the chapter.
18-
19-
We have a network consisting of network nodes.
20-
These nodes are connected to each other using a normal IP network (i.e. using routers and switches).
21-
22-
Some of these nodes want to exchange encrypted traffic with each other, and for this reason they
23-
need to agree on encryption keys.
24-
We refer to these nodes as DSKE client nodes, or simply clients.
25-
The clients are running the DSKE protocol as the key establishment protocol.
26-
27-
The DSKE protocol relies heavily on using very large blocks of Pre-Shared Random Data (PSRD).
28-
Before two nodes can establish keys, they first need to exchange blocks of PSRD.
29-
The exchange of PSRD uses what we refer to as a secure out-of-band mechanism.
30-
Think, for example, of using armed guards to exchange tamper-proof disks full of random data,
31-
where the disks are destroyed after the same block of PSRD is delivered to each of a pair of nodes.
32-
33-
Imagine, for now, that two clients Carol and Celia have exchanged blocks of PSRD.
34-
This means that Carol and Celia both have a identical copies of the PSRD blocks, and no-one else
35-
knows what these blocks of PSRD are.
36-
37-
Carol and Celia can now agree on a Carol-Celia encryption key using a public
38-
conversation.
39-
For example, Carol could announce that she will use bytes numbers 100 through 228 of PSRD block
40-
number 123 as the key.
41-
We refer to this as the meta-data for the encryption key.
42-
Since Celia has a copy of PSRD block 123, she can extract bytes 100 through 228 and find the
43-
same encryption key.
44-
But no-one else knows the contents of PSRD block 123, so no-one else can determine what the
45-
Carol-Celia encryption key is.
46-
47-
Carol and Celia need to make sure that they are really talking to each other and not to some
48-
imposter.
49-
In other words, Carol and Celia need to authenticate each other.
50-
The clients authenticate messages by extracting an authentication key from the PSRD.
51-
The sender (say Carol) allocates the authentication key and uses it to sign the message.
52-
Carol sends the meta-data for the authentication key (but not the key value), the signature, and
53-
the message itself to the receiver (say Celia).
54-
Celia uses the received key meta-data to extract the authentication key value from her copy of the
55-
PSRD and uses it to validate the received signature.
56-
57-
The scheme that we have described thus far becomes impractical if we have a very large number of
58-
clients.
59-
Each client would have to pro-actively and a-priori exchange PSRD with each of the other clients
60-
on the network that it could potentially wish to communicate with at some point in the future.
61-
62-
For this reason, we introduce a second type of node that we refer to as a DSKE security hub,
63-
or simply hub for short.
64-
65-
Instead of establishing a key directly between a pair of clients, we use the hubs as trusted relay
66-
nodes.
67-
The clients do not establish PSRD with directly with each other;
68-
instead, the clients establish PSRD with the hubs.
69-
70-
As an example, let's say we have two clients Carol and Celia, and one hub Hank.
71-
And let's say Carol and Celia want to agree on a key.
72-
First, Carol and Hank agree on a local Carol-Hank key using the mechanism described above.
73-
Then, Celia and Hank agree on a local Celia-Hank key, also using the mechanism described above.
74-
Finally, the end-to-end Carol-Celia key is established.
75-
Carol allocates some random bytes as the end-to-end Carol-Celia key.
76-
Carol sends the end-to-end Carol-Celia key to Hank, encrypting it using the local Carol-Hank key.
77-
And then Hank forwards the end-to-end Carol-Celia key to Celia, encrypting it using the
78-
local Celia-Hank key.
79-
80-
Note that the end-to-end Carol-Celia key is decrypted and re-encrypted at Hank in this process.
81-
In other words, for a brief moment, Hank knows what the end-to-end Carol-Celia key is.
82-
We have to trust Hank not to abuse that knowledge or be hacked by an attacker to steal that
83-
knowledge.
84-
Because Hank needs to be trusted, Hank is called a Trusted Relay Node (TRN).
85-
86-
Also, hub Hank becomes a Single Point of Failure (SPoF).
87-
If hub Hank fails, the clients relying on Hank are enable to establish keys.
88-
89-
To ameliorate both the problem of having to trust the hub node and the problem of the hub node
90-
being a single point of failure, we introduce the concept of using multiple hub nodes in
91-
parallel.
92-
This is where the "Distributed" in "Distributed Symmetric Key Establishment" comes from.
93-
94-
To understand how using multiple hubs works, we fist need to understand
95-
[Shamir's Secret Sharing (SSS)](https://en.wikipedia.org/wiki/Shamir%27s_secret_sharing)
96-
algorithm.
97-
98-
Shamir's secret sharing allows us to split the end-to-end Carol-Celia key into some number (_n_)
99-
of parts.
100-
Here, _n_ is the number of hubs that we will use in parallel to relay the key.
101-
Each part is called a share of the key.
102-
The original key can be reconstructed if you have at least _k_ out of the original _n_ shares
103-
(were _k_ is some number smaller than _n_).
104-
If you have fewer than _k_ shares, no information about the secret can be extracted.
105-
106-
We use Shamir's secret sharing as follows.
107-
After Carol allocates the end-to-end Carol-Celia key, she splits the key up into _n_ shares.
108-
She then relays each of these _n_ shares to Celia using a different hub.
109-
Thus, she uses _n_ hubs in parallel to relay each of the _n_ shares.
110-
111-
This solves both the trusting problem and the single point of failure problem.
112-
113-
Each hub only has knowledge of a single share of the end-to-end key.
114-
It would require _k_ hubs to conspire with each other (or _k_ hubs to be hacked)
115-
for the hubs or the attacker to reconstruct the end-to-end key.
116-
As long as fewer than _k_ shares are leaked, no information whatsoever about the end-to-end key
117-
is leaker.
118-
119-
Also, if some of the hubs fail, the end-to-end key establishment can still complete successfully.
120-
The protocol continues to work as long as at least _k_ hubs remain (i.e. as longs as no more than
121-
_n_ - _k_ nodes fail).
122-
12312
## Inspiration
12413

12514
Our DSKE implementation is inspired by:
@@ -260,6 +149,117 @@ These lines are not intended to represent single-hop point-to-point physical con
260149
Instead they represent potentially multi-hop IP connectivity between the network nodes; each link
261150
may contain multiple switch or router hops.
262151

152+
## High-level overview
153+
154+
We start with a high-level overview of how the protocol works.
155+
Our goal is try to avoid losing the forest for the trees later on when we dive into the details.
156+
We gloss over many important details and we use some terminology without defining it; these
157+
details and definitions will be filled in in the remainder of the chapter.
158+
159+
We have a network consisting of network nodes.
160+
These nodes are connected to each other using a normal IP network (i.e. using routers and switches).
161+
162+
Some of these nodes want to exchange encrypted traffic with each other, and for this reason they
163+
need to agree on encryption keys.
164+
We refer to these nodes as DSKE client nodes, or simply clients.
165+
The clients are running the DSKE protocol as the key establishment protocol.
166+
167+
The DSKE protocol relies heavily on using very large blocks of Pre-Shared Random Data (PSRD).
168+
Before two nodes can establish keys, they first need to exchange blocks of PSRD.
169+
The exchange of PSRD uses what we refer to as a secure out-of-band mechanism.
170+
Think, for example, of using armed guards to exchange tamper-proof disks full of random data,
171+
where the disks are destroyed after the same block of PSRD is delivered to each of a pair of nodes.
172+
173+
Imagine, for now, that two clients Carol and Celia have exchanged blocks of PSRD.
174+
This means that Carol and Celia both have a identical copies of the PSRD blocks, and no-one else
175+
knows what these blocks of PSRD are.
176+
177+
Carol and Celia can now agree on a Carol-Celia encryption key using a public
178+
conversation.
179+
For example, Carol could announce that she will use bytes numbers 100 through 228 of PSRD block
180+
number 123 as the key.
181+
We refer to this as the meta-data for the encryption key.
182+
Since Celia has a copy of PSRD block 123, she can extract bytes 100 through 228 and find the
183+
same encryption key.
184+
But no-one else knows the contents of PSRD block 123, so no-one else can determine what the
185+
Carol-Celia encryption key is.
186+
187+
Carol and Celia need to make sure that they are really talking to each other and not to some
188+
imposter.
189+
In other words, Carol and Celia need to authenticate each other.
190+
The clients authenticate messages by extracting an authentication key from the PSRD.
191+
The sender (say Carol) allocates the authentication key and uses it to sign the message.
192+
Carol sends the meta-data for the authentication key (but not the key value), the signature, and
193+
the message itself to the receiver (say Celia).
194+
Celia uses the received key meta-data to extract the authentication key value from her copy of the
195+
PSRD and uses it to validate the received signature.
196+
197+
The scheme that we have described thus far becomes impractical if we have a very large number of
198+
clients.
199+
Each client would have to pro-actively and a-priori exchange PSRD with each of the other clients
200+
on the network that it could potentially wish to communicate with at some point in the future.
201+
202+
For this reason, we introduce a second type of node that we refer to as a DSKE security hub,
203+
or simply hub for short.
204+
205+
Instead of establishing a key directly between a pair of clients, we use the hubs as trusted relay
206+
nodes.
207+
The clients do not establish PSRD with directly with each other;
208+
instead, the clients establish PSRD with the hubs.
209+
210+
As an example, let's say we have two clients Carol and Celia, and one hub Hank.
211+
And let's say Carol and Celia want to agree on a key.
212+
First, Carol and Hank agree on a local Carol-Hank key using the mechanism described above.
213+
Then, Celia and Hank agree on a local Celia-Hank key, also using the mechanism described above.
214+
Finally, the end-to-end Carol-Celia key is established.
215+
Carol allocates some random bytes as the end-to-end Carol-Celia key.
216+
Carol sends the end-to-end Carol-Celia key to Hank, encrypting it using the local Carol-Hank key.
217+
And then Hank forwards the end-to-end Carol-Celia key to Celia, encrypting it using the
218+
local Celia-Hank key.
219+
220+
Note that the end-to-end Carol-Celia key is decrypted and re-encrypted at Hank in this process.
221+
In other words, for a brief moment, Hank knows what the end-to-end Carol-Celia key is.
222+
We have to trust Hank not to abuse that knowledge or be hacked by an attacker to steal that
223+
knowledge.
224+
Because Hank needs to be trusted, Hank is called a Trusted Relay Node (TRN).
225+
226+
Also, hub Hank becomes a Single Point of Failure (SPoF).
227+
If hub Hank fails, the clients relying on Hank are enable to establish keys.
228+
229+
To ameliorate both the problem of having to trust the hub node and the problem of the hub node
230+
being a single point of failure, we introduce the concept of using multiple hub nodes in
231+
parallel.
232+
This is where the "Distributed" in "Distributed Symmetric Key Establishment" comes from.
233+
234+
To understand how using multiple hubs works, we fist need to understand
235+
[Shamir's Secret Sharing (SSS)](https://en.wikipedia.org/wiki/Shamir%27s_secret_sharing)
236+
algorithm.
237+
238+
Shamir's secret sharing allows us to split the end-to-end Carol-Celia key into some number (_n_)
239+
of parts.
240+
Here, _n_ is the number of hubs that we will use in parallel to relay the key.
241+
Each part is called a share of the key.
242+
The original key can be reconstructed if you have at least _k_ out of the original _n_ shares
243+
(were _k_ is some number smaller than _n_).
244+
If you have fewer than _k_ shares, no information about the secret can be extracted.
245+
246+
We use Shamir's secret sharing as follows.
247+
After Carol allocates the end-to-end Carol-Celia key, she splits the key up into _n_ shares.
248+
She then relays each of these _n_ shares to Celia using a different hub.
249+
Thus, she uses _n_ hubs in parallel to relay each of the _n_ shares.
250+
251+
This solves both the trusting problem and the single point of failure problem.
252+
253+
Each hub only has knowledge of a single share of the end-to-end key.
254+
It would require _k_ hubs to conspire with each other (or _k_ hubs to be hacked)
255+
for the hubs or the attacker to reconstruct the end-to-end key.
256+
As long as fewer than _k_ shares are leaked, no information whatsoever about the end-to-end key
257+
is leaker.
258+
259+
Also, if some of the hubs fail, the end-to-end key establishment can still complete successfully.
260+
The protocol continues to work as long as at least _k_ hubs remain (i.e. as longs as no more than
261+
_n_ - _k_ nodes fail).
262+
263263
## Interfaces
264264

265265
The topology contains the following software interfaces:

0 commit comments

Comments
 (0)