Ouroboros Flow Allocation Protocol: Difference between revisions
Jump to navigation
Jump to search
(→Header) |
|||
| Line 83: | Line 83: | ||
| 4. Sign header with client key | | | 4. Sign header with client key | | ||
| | | | | | ||
|-------- FLOW_REQ (OAP_HDR) ------------->| | |-------- FLOW_REQ (OAP_HDR) -------------> | | ||
| | | | | | ||
| | 5. Load server cert/key | | | 5. Load server cert/key | ||
| Line 93: | Line 93: | ||
| | 11. Sign with server key | | | 11. Sign with server key | ||
| | | | | | ||
|<------- FLOW_REPLY (OAP_HDR) ------------| | |<------- FLOW_REPLY (OAP_HDR) ------------ | | ||
| | | | | | ||
| 12. Verify server cert against CA | | | 12. Verify server cert against CA | | ||
Revision as of 09:21, 3 January 2026
This page is under construction
Header
OAP Header Structure ==================== 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + + | | + id (128 bits) + | Unique flow allocation ID | + + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + timestamp (64 bits) + | UTC nanoseconds since epoch | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ---+ | crt_len (16 bits) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | | | + + | | certificate (variable) | | + X.509 certificate, DER encoded + | | | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | eph_len (16 bits) | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | + + | | ephemeral_key (variable) | | Signed + public key, DER encoded + | Region | | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | data_len (16 bits) | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | + data (variable) + | | Piggybacked application data | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | sig_len (16 bits) | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ---+ | | + + | signature (variable) | + DSA signature over signed region + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Field Summary: +---------------+----------+----------------------------------------+ | Field | Size | Description | +---------------+----------+----------------------------------------+ | id | 16 bytes | Random 128-bit flow allocation ID | | timestamp | 8 bytes | UTC time in nanoseconds (replay prot.) | | crt_len | 2 bytes | Certificate length (0 = no auth) | | certificate | variable | X.509 cert signed by CA (DER encoded) | | eph_len | 2 bytes | Ephemeral key length (0 = no encrypt) | | ephemeral_key | variable | DHE public key | | data_len | 2 bytes | Application data length | | data | variable | Piggybacked app data (future use) | | sig_len | 2 bytes | Signature length (0 = unsigned) | | signature | variable | Signature | +---------------+----------+----------------------------------------+ Minimum header size: 16 + 8 + 2 + 2 + 2 + 2 = 32 bytes (no optional fields)
Operation
Client (IRMd) Server (IRMd)
| |
| 1. Load client cert/key |
| 2. Generate ephemeral keypair |
| 3. Build OAP_HDR (id, ts, crt, eph) |
| 4. Sign header with client key |
| |
|-------- FLOW_REQ (OAP_HDR) -------------> |
| |
| | 5. Load server cert/key
| | 6. Verify client cert against CA
| | 7. Verify client signature
| | 8. Generate ephemeral keypair
| | 9. Derive symmetric key (ECDHE)
| | 10. Build response OAP_HDR
| | 11. Sign with server key
| |
|<------- FLOW_REPLY (OAP_HDR) ------------ |
| |
| 12. Verify server cert against CA |
| 13. Verify server signature |
| 14. Derive symmetric key (ECDHE) |
| |
|===========================================|
| Encrypted data channel |
|===========================================|