Script updating gh-pages from ddf9800. [ci skip]

draft-ietf-sframe-enc.html

@@ -1986,10 +1986,10 @@ <h4 id="name-key-derivation">
   sframe_secret = HKDF-Extract("", base_key)
 
   sframe_key_label = "SFrame 1.0 Secret key " + KID + cipher_suite
-  sframe_key = HKDF-Expand(sframe_secret, info, AEAD.Nk)
+  sframe_key = HKDF-Expand(sframe_secret, sframe_key_label, AEAD.Nk)
 
   sframe_salt_label = "SFrame 1.0 Secret salt " + KID + cipher_suite
-  sframe_salt = HKDF-Expand(sframe_secret, info, AEAD.Nn)
+  sframe_salt = HKDF-Expand(sframe_secret, sframe_salt_label, AEAD.Nn)
 
   return sframe_key, sframe_salt
 </pre><a href="#section-4.4.2-2" class="pilcrow">¶</a>
@@ -2346,8 +2346,12 @@ <h4 id="name-aes-ctr-with-sha2">
 <div class="lang-pseudocode sourcecode" id="section-4.5.1-3">
 <pre>
 def derive_subkeys(sframe_key):
+  # The encryption key comprises the first Nka bytes
   enc_key = sframe_key[..Nka]
+
+  # The authentication key comprises Nh remaining bytes
   auth_key = sframe_key[Nka..]
+
   return enc_key, auth_key
 </pre><a href="#section-4.5.1-3" class="pilcrow">¶</a>
 </div>
@@ -3046,6 +3050,13 @@ <h3 id="name-header-value-uniqueness">
 the CTR field as a monotonic counter, incrementing for each plaintext that is
 encrypted. In addition to its simplicity, this scheme minimizes overhead by
 keeping CTR values as small as possible.<a href="#section-9.1-1" class="pilcrow">¶</a></p>
+<p id="section-9.1-2">In applications where an SFrame context might be written to persistent storage,
+this context needs to include the last used CTR value.  When the context is used
+later, the application should use the stored CTR value to determine the next CTR
+value to be used in an encryption operation, and then write the next CTR value
+back to storage before using the CTR value for encryption.  Storing the CTR
+value before usage (vs. after) helps ensure that a storage failure will not
+cause reuse of the same (<code>base_key</code>, KID, CTR) combination.<a href="#section-9.1-2" class="pilcrow">¶</a></p>
 </section>
 </div>
 <div id="key-management-framework">

draft-ietf-sframe-enc.txt

@@ -495,10 +495,10 @@ Alice |          (per-frame)         (per-packet)   |        |       |
      sframe_secret = HKDF-Extract("", base_key)
 
      sframe_key_label = "SFrame 1.0 Secret key " + KID + cipher_suite
-     sframe_key = HKDF-Expand(sframe_secret, info, AEAD.Nk)
+     sframe_key = HKDF-Expand(sframe_secret, sframe_key_label, AEAD.Nk)
 
      sframe_salt_label = "SFrame 1.0 Secret salt " + KID + cipher_suite
-     sframe_salt = HKDF-Expand(sframe_secret, info, AEAD.Nn)
+     sframe_salt = HKDF-Expand(sframe_secret, sframe_salt_label, AEAD.Nn)
 
      return sframe_key, sframe_salt
 
@@ -723,8 +723,12 @@ Alice |          (per-frame)         (per-packet)   |        |       |
    bytes.
 
    def derive_subkeys(sframe_key):
+     # The encryption key comprises the first Nka bytes
      enc_key = sframe_key[..Nka]
+
+     # The authentication key comprises Nh remaining bytes
      auth_key = sframe_key[Nka..]
+
      return enc_key, auth_key
 
    The AEAD encryption and decryption functions are then composed of
@@ -1197,6 +1201,15 @@ Alice |          (per-frame)         (per-packet)   |        |       |
    In addition to its simplicity, this scheme minimizes overhead by
    keeping CTR values as small as possible.
 
+   In applications where an SFrame context might be written to
+   persistent storage, this context needs to include the last used CTR
+   value.  When the context is used later, the application should use
+   the stored CTR value to determine the next CTR value to be used in an
+   encryption operation, and then write the next CTR value back to
+   storage before using the CTR value for encryption.  Storing the CTR
+   value before usage (vs. after) helps ensure that a storage failure
+   will not cause reuse of the same (base_key, KID, CTR) combination.
+
 9.2.  Key Management Framework
 
    It is up to the application to provision SFrame with a mapping of KID