Proposal for a Group Key Renewal Algorithm

#--- Establish the network group connection

Assign each port a binding to one machine

Request 802.1X authentication and ask for the machine's certificate

Check its validity against the private Certificate Authority (CA)

[optional] Check the certificate content for the expected MAC address, IP address and port binding

[optional] Check the software release and code signature recorded in the certificate, for malware detection

Authentication result: accept or reject on the 802.1X port-based response (NAC)

#--- PKI CA or group master: master key renewal algorithm (precomputed for the next renewal)

Initialise the group SHA-256 hash with a random number.

Hash in a session number and a timestamp (date/hour), plus other parameters if needed…

Over all valid/activated ports:

Calculate a SHA-256 hash of all certificate signatures, in port order

Hash in the total number of machines involved in the group; the result is the master key

Store the master key secret in a private, protected area

#--- Method 1 - ChaCha20-Poly1305 cipher

Create a salt as a random 32-byte number

Create a nonce as a random 12-byte number # a 12-byte nonce is the TLS (IETF) variant

Generate the secret key SK with scrypt(Master_key, Salt, key_len = 32, N = 2**17, r = 8, p = 1)

# Create a cipher object to encrypt data

Create a new ChaCha20-Poly1305 cipher object using SK and the nonce

# The ChaCha20 counter is incremented with the packet number (initialised from the nonce)

For each packet:

Encrypt and digest the plaintext data with the cipher object

Send the packet and increment the packet number

If the packet number wraps around: use a new (SK, Nonce)

#--- Method 2 - AES-128-GCM cipher

Create a salt as a random 32-byte number

Create a nonce as a random 16-byte number for GCM # IV/nonce

Generate the secret key SK with scrypt(Master_key, Salt, key_len = 16, N = 2**17, r = 8, p = 1)

# Create a cipher object to encrypt data

Create a new AES cipher object in MODE_GCM using SK and the nonce

# AES-GCM increments the packet number from the starting IV/nonce

For each packet:

Encrypt the plaintext data with the cipher object (GCM mode)

Send the packet and increment the packet number

If the packet number wraps around: use a new (SK, Nonce)
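An added Python example, not part of this proposal, covering the master key chain above and the (SK, Nonce) handling shared by Method 1 and Method 2: scrypt with the page's r = 8, p = 1, and a per-packet nonce formed as base nonce XOR packet number (the TLS 1.3 construction) with a forced rekey before the packet number wraps, so no nonce is ever reused under one key. Assumed here: the 64-bit packet-number width, the byte encodings of the hashed fields, and that the AEAD itself (ChaCha20-Poly1305 or AES-128-GCM) is invoked by a library of your choice with the (SK, nonce) pair this code returns.

```python
import hashlib
import secrets
import struct

# Constructed sample input (not real signatures): signature bytes of the
# certificate presented on each switch port, keyed by port number.
CERT_SIGS_BY_PORT = {3: b"sig-port-3", 1: b"sig-port-1", 2: b"sig-port-2"}

def master_key(cert_sigs_by_port, session_number, timestamp, seed):
    """SHA-256 chain: random seed, session number, timestamp, the port-ordered
    hash of all certificate signatures, then the number of machines."""
    h = hashlib.sha256(seed)
    h.update(struct.pack(">Q", session_number) + timestamp.encode())
    sigs = hashlib.sha256()
    for port in sorted(cert_sigs_by_port):   # port order, so every node agrees
        sigs.update(struct.pack(">I", port) + cert_sigs_by_port[port])
    h.update(sigs.digest() + struct.pack(">I", len(cert_sigs_by_port)))
    return h.digest()

def session_key(mk, salt, key_len, n=2**17):
    """scrypt(Master_key, Salt) with r=8, p=1 as on the page; n is a parameter
    only so a test can use a cheaper cost than the page's 2**17."""
    return hashlib.scrypt(mk, salt=salt, n=n, r=8, p=1, dklen=key_len,
                          maxmem=512 * 1024 * 1024)

class GroupChannel:
    """Holds one (SK, Nonce) epoch. Per-packet nonce = base nonce XOR packet
    number (the TLS 1.3 construction), so no nonce repeats under one key;
    when the packet number would wrap, a fresh salt, SK and nonce are made."""
    def __init__(self, mk, nonce_len, key_len, max_packets=2**64, n=2**17):
        self.mk, self.nonce_len, self.key_len = mk, nonce_len, key_len
        self.max_packets, self.n, self.epochs = max_packets, n, 0
        self._new_epoch()

    def _new_epoch(self):
        self.salt = secrets.token_bytes(32)              # 32-byte random salt
        self.base_nonce = secrets.token_bytes(self.nonce_len)
        self.sk = session_key(self.mk, self.salt, self.key_len, self.n)
        self.packet_number, self.epochs = 0, self.epochs + 1

    def next_packet_params(self):
        """(SK, nonce) for the next packet; rekeys first if the counter wraps."""
        if self.packet_number >= self.max_packets:
            self._new_epoch()
        pn = self.packet_number.to_bytes(self.nonce_len, "big")
        nonce = bytes(a ^ b for a, b in zip(self.base_nonce, pn))
        self.packet_number += 1
        return self.sk, nonce
```

Use nonce_len 12 and key_len 32 for Method 1, nonce_len 16 and key_len 16 for Method 2; max_packets can be set lower than the counter width to match a per-cipher usage limit.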