Internet-Draft | The GNU Taler Protocol | March 2024 |
Gütschow | Expires 29 September 2024 | [Page] |
[ TBW ]¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 29 September 2024.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
[ TBW ]¶
Beware that this document is still work-in-progress and may contain errors. Use at your own risk!¶
The Hashed Key Derivation Function (HKDF) used in Taler is an instantiation of [RFC5869]
with two different hash functions for the Extract and Expand step as suggested in [HKDF].
HMAC-SHA512 (HMAC [RFC2104] instantiated with SHA-512, cf. Section 3.1.2) is used for HKDF-Extract
.
HMAC-SHA256 (HMAC [RFC2104] instantiated with SHA-256, cf. Section 3.1.1) is used for HKDF-Expand
.¶
HKDF(salt, IKM, info, L) -> OKM Inputs: salt optional salt value (a non-secret random value); if not provided, it is set to a string of 64 zeros. IKM input keying material info optional context and application specific information (can be a zero-length string) L length of output keying material in octets (<= 255*32 = 8160) Output: OKM output keying material (of L octets)¶
The output OKM is calculated as follows:¶
PRK = HKDF-Extract(salt, IKM) with Hash = SHA-512, HashLen = 64 OKM = HKDF-Expand(PRK, info, L) with Hash = SHA-256, HashLen = 32¶
Based on the HKDF defined in Section 3.2.1, this function returns an OKM that is smaller than a given big number N.¶
HKDF-Mod(N, salt, IKM, info) -> OKM Inputs: N big number; Nbits denotes the length of N in bits salt optional salt value (a non-secret random value); if not provided, it is set to a string of 64 zeros. IKM input keying material info optional context and application specific information (can be a zero-length string) Output: OKM output keying material (smaller than N)¶
The output OKM is calculated as follows:¶
Nlen = ceil(Nbits / 8) while true: counter = 0 c = 2 least significant octets of counter in network-byte order x = HKDF(salt, IKM, info | c, NLen) reset all but lower Nbits bits in x if x < N: OKM = x break counter += 1¶
[ TBD ]¶
None.¶
[ TBD ]¶
This work was supported in part by the German Federal Ministry of Education and Research (BMBF) within the project Concrete Contracts.¶