Proposition for a group - Key Renewal Algorithm |
#--- Establish network group connection Affect each port binding a machine Request Authentication 802.1X + Ask machine’s Certificate Check their validity with the help of the Private Certificate Authority (CA) [optional] Check Certificate content for MAC, IP Address, correct binding [optional] Check Certificate program release and signing for malware detection Authentication - Valid or Reject on 802.1X Port based response (NAC)
#--- PKI-CA or group Master - master key renewal algorithm (precompute for next renewal) Initiate the group SHA256-Hash with a random number. Hash a Session number and a Timestamp (date/hour), others parameters if needed… On all valid/activated port: Calculate a SHA256-Hash of All Certificates signature - port ordered Hash the total machines involved in the group, the result produces the master key Store the Master-key secret in a private protected area |
#--- Method1 - Chacha20-Poly1305 cipher is used Create a Salt as a random number of 32 Bytes Create a Nonce as a random number of 12 Bytes # Nonce 12 Bytes is TLS Version Generate the secret-key SK with scrypt (Master_key, Salt, key_len = 32, N = 2**17, r = 8, p = 1)
# Create a cipher object to encrypt data Create a new cipher ChaCha20_Poly1305 object using the SK and Nonce # ChaCha20-Counter is incremented according to packed number (init from Nonce) For each packet: Encrypt and digest plaintext data with the cipher object Send Packet and increment packet Number if packet Number overlap: use new (SK, Nonce)
#--- Method2 - AES-128-GCM cipher used Create a Salt as a random number of 32 Bytes Create a Nonce as a random number of 16 Bytes for GCM # IV_Nonce Generate the secret-key SK with scrypt (Master_key, Salt, key_len = 16, N = 2**17, r = 8, p = 1)
# Create a cipher object to encrypt data Create a new AES cipher in MODE_GCM and the Nonce # AES-GCM increment packed number from the starting IV Nonce For each packet: Encrypt the plaintext data with the cipher object (GCM mode) Send Packet and increment packet Number if packet Number overlap: use new (SK, Nonce) |