Skip to main content

Mathematical Mesh Part III : Data At Rest Encryption (DARE)
draft-hallambaker-mesh-dare-00

The information below is for an old version of the document.
Document Type
This is an older version of an Internet-Draft whose latest revision state is "Expired".
Author Phillip Hallam-Baker
Last updated 2019-02-25
RFC stream (None)
Formats
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date (None)
Responsible AD (None)
Send notices to (None)
draft-hallambaker-mesh-dare-00
Network Working Group                                    P. Hallam-Baker
Internet-Draft                                         February 25, 2019
Intended status: Informational
Expires: August 29, 2019

      Mathematical Mesh Part III : Data At Rest Encryption (DARE)
                     draft-hallambaker-mesh-dare-00

Abstract

   This document describes the Data At Rest Encryption (DARE) Message
   and Container syntax.

   The DARE Message syntax is used to digitally sign, digest,
   authenticate, or encrypt arbitrary message content.

   The DARE Container syntax describes an append-only sequence of data
   frames, each containing a DARE Message.  DARE Containers may support
   cryptographic integrity verification of the entire data container
   content by means of a Merkle tree.

   This document is also available online at
   http://mathmesh.com/Documents/draft-hallambaker-mesh-dare.html [1] .

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 29, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Hallam-Baker             Expires August 29, 2019                [Page 1]
Internet-Draft                DARE Message                 February 2019

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   4
     1.1.  Encryption and Integrity  . . . . . . . . . . . . . . . .   4
       1.1.1.  Key Exchange  . . . . . . . . . . . . . . . . . . . .   5
       1.1.2.  Data Erasure  . . . . . . . . . . . . . . . . . . . .   6
     1.2.  Signature . . . . . . . . . . . . . . . . . . . . . . . .   6
       1.2.1.  Signing Individual Plaintext Messages . . . . . . . .   7
       1.2.2.  Signing Individual Encrypted Messages . . . . . . . .   7
       1.2.3.  Signing Sequences of Messages . . . . . . . . . . . .   7
     1.3.  Container . . . . . . . . . . . . . . . . . . . . . . . .   8
       1.3.1.  Container Format  . . . . . . . . . . . . . . . . . .   8
       1.3.2.  Write . . . . . . . . . . . . . . . . . . . . . . . .   9
       1.3.3.  Encryption and Authentication . . . . . . . . . . . .   9
       1.3.4.  Integrity and Signature . . . . . . . . . . . . . . .  10
       1.3.5.  Redaction . . . . . . . . . . . . . . . . . . . . . .  10
       1.3.6.  Alternative approaches  . . . . . . . . . . . . . . .  11
       1.3.7.  Efficiency  . . . . . . . . . . . . . . . . . . . . .  11
   2.  Definitions . . . . . . . . . . . . . . . . . . . . . . . . .  12
     2.1.  Related Specifications  . . . . . . . . . . . . . . . . .  12
     2.2.  Requirements Language . . . . . . . . . . . . . . . . . .  13
     2.3.  Defined terms . . . . . . . . . . . . . . . . . . . . . .  13
   3.  DARE Message Architecture . . . . . . . . . . . . . . . . . .  14
     3.1.  Processing Considerations . . . . . . . . . . . . . . . .  15
     3.2.  Content Metadata and Annotations  . . . . . . . . . . . .  15
     3.3.  Encoded Data Sequence . . . . . . . . . . . . . . . . . .  16
     3.4.  Encryption and Integrity  . . . . . . . . . . . . . . . .  17
       3.4.1.  Key Exchange  . . . . . . . . . . . . . . . . . . . .  17
       3.4.2.  Key Identifiers . . . . . . . . . . . . . . . . . . .  18
       3.4.3.  Salt Derivation . . . . . . . . . . . . . . . . . . .  19
       3.4.4.  Key Derivation  . . . . . . . . . . . . . . . . . . .  19
     3.5.  Signature . . . . . . . . . . . . . . . . . . . . . . . .  20
     3.6.  Algorithms  . . . . . . . . . . . . . . . . . . . . . . .  20
       3.6.1.  Field: kwd  . . . . . . . . . . . . . . . . . . . . .  20
   4.  DARE Container Architecture . . . . . . . . . . . . . . . . .  21
     4.1.  Container Navigation  . . . . . . . . . . . . . . . . . .  21
       4.1.1.  Tree  . . . . . . . . . . . . . . . . . . . . . . . .  22
       4.1.2.  Position Index  . . . . . . . . . . . . . . . . . . .  22

Hallam-Baker             Expires August 29, 2019                [Page 2]
Internet-Draft                DARE Message                 February 2019

       4.1.3.  Metadata Index  . . . . . . . . . . . . . . . . . . .  22
     4.2.  Integrity Mechanisms  . . . . . . . . . . . . . . . . . .  22
       4.2.1.  Digest Chain calculation  . . . . . . . . . . . . . .  23
       4.2.2.  Binary Merkle tree calculation  . . . . . . . . . . .  23
       4.2.3.  Signature . . . . . . . . . . . . . . . . . . . . . .  23
   5.  DARE Message Schema . . . . . . . . . . . . . . . . . . . . .  24
     5.1.  Message Classes . . . . . . . . . . . . . . . . . . . . .  24
       5.1.1.  Structure: DareMessageSequence  . . . . . . . . . . .  24
     5.2.  Header and Trailer Classes  . . . . . . . . . . . . . . .  25
       5.2.1.  Structure: DareTrailer  . . . . . . . . . . . . . . .  25
       5.2.2.  Structure: DareHeader . . . . . . . . . . . . . . . .  25
     5.3.  Cryptographic Data  . . . . . . . . . . . . . . . . . . .  27
       5.3.1.  Structure: DareSigner . . . . . . . . . . . . . . . .  27
       5.3.2.  Structure: X509Certificate  . . . . . . . . . . . . .  27
       5.3.3.  Structure: DareSignature  . . . . . . . . . . . . . .  27
       5.3.4.  Structure: DareRecipient  . . . . . . . . . . . . . .  28
   6.  DARE Container Schema . . . . . . . . . . . . . . . . . . . .  28
     6.1.  Container Headers . . . . . . . . . . . . . . . . . . . .  28
       6.1.1.  Structure: ContainerEntry . . . . . . . . . . . . . .  28
       6.1.2.  Structure: ContainerHeaderFirst . . . . . . . . . . .  28
       6.1.3.  Structure: ContainerHeader  . . . . . . . . . . . . .  29
     6.2.  Content Metadata Structure  . . . . . . . . . . . . . . .  30
       6.2.1.  Structure: ContentMeta  . . . . . . . . . . . . . . .  30
     6.3.  Index Structures  . . . . . . . . . . . . . . . . . . . .  30
       6.3.1.  Structure: ContainerIndex . . . . . . . . . . . . . .  30
       6.3.2.  Structure: IndexPosition  . . . . . . . . . . . . . .  30
       6.3.3.  Structure: KeyValue . . . . . . . . . . . . . . . . .  31
       6.3.4.  Structure: IndexMeta  . . . . . . . . . . . . . . . .  31
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .  31
     7.1.  Encryption/Signature nesting  . . . . . . . . . . . . . .  31
     7.2.  Side channel  . . . . . . . . . . . . . . . . . . . . . .  31
     7.3.  Salt reuse  . . . . . . . . . . . . . . . . . . . . . . .  31
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  31
   9.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  31
   10. Appendix A: DARE Message Examples and Test Vectors  . . . . .  31
   11. Test Examples . . . . . . . . . . . . . . . . . . . . . . . .  31
     11.1.  Plaintext Message  . . . . . . . . . . . . . . . . . . .  32
     11.2.  Plaintext Message with EDS . . . . . . . . . . . . . . .  32
     11.3.  Encrypted Message  . . . . . . . . . . . . . . . . . . .  33
     11.4.  Signed Message . . . . . . . . . . . . . . . . . . . . .  34
     11.5.  Signed and Encrypted Message . . . . . . . . . . . . . .  35
   12. Appendix B: DARE Container Examples and Test Vectors  . . . .  36
     12.1.  Simple container . . . . . . . . . . . . . . . . . . . .  36
     12.2.  Payload and chain digests  . . . . . . . . . . . . . . .  37
     12.3.  Merkle Tree  . . . . . . . . . . . . . . . . . . . . . .  38
     12.4.  Signed container . . . . . . . . . . . . . . . . . . . .  40
     12.5.  Encrypted container  . . . . . . . . . . . . . . . . . .  41
   13. Appendix C: Previous Frame Function . . . . . . . . . . . . .  45

Hallam-Baker             Expires August 29, 2019                [Page 3]
Internet-Draft                DARE Message                 February 2019

   14. Appendix D: Outstanding Issues  . . . . . . . . . . . . . . .  45
   15. References  . . . . . . . . . . . . . . . . . . . . . . . . .  45
     15.1.  Normative References . . . . . . . . . . . . . . . . . .  45
     15.2.  Informative References . . . . . . . . . . . . . . . . .  47
     15.3.  URIs . . . . . . . . . . . . . . . . . . . . . . . . . .  47
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  47

1.  Introduction

   This document describes the Data At Rest Encryption (DARE) Message
   and Container Syntax.  The DARE Message syntax is used to digitally
   sign, digest, authenticate, or encrypt arbitrary message content.
   The DARE Container syntax describes an append-only sequence of data
   frames, each containing a DARE Message that supports efficient
   incremental signature and encryption.

   The DARE Message Syntax is based on a subset of the JSON Web
   Signature [RFC7515] and JSON Web Encryption [RFC7516] standards and
   shares many fields and semantics.  The processing model and data
   structures have been streamlined to remove alternative means of
   specifying the same content and to enable multiple data sequences to
   be signed and encrypted under a single master encryption key without
   compromise to security.

   A DARE Message consists of a Header, Payload and an optional Trailer.
   To enable single pass encoding and decoding, the Header contains all
   the information required to perform cryptographic processing of the
   Payload and authentication data (digest, MAC, signature values) MAY
   be deferred to the Trailer section.

   A DARE Container is an append-only log format consisting of a
   sequence of frames.  Cryptographic enhancements (signature,
   encryption) may be applied to individual frames or to sets of frames.
   Thus, a single key exchange may be used to provide a master key to
   encrypt multiple frames and a single signature may be used to
   authenticate all the frames in the container up to and including the
   frame in which the signature is presented.

   The DARE Message syntax may be used either as a standalone
   cryptographic message syntax or as a means of presenting a single
   DARE Container frame together with the complete cryptographic context
   required to verify the contents and decrypt them.

1.1.  Encryption and Integrity

   An important innovation in the DARE Message Syntax is the separation
   of key exchange and data encryption operations so that a Master Key
   (MK) established in a single exchange to be applied to multiple data

Hallam-Baker             Expires August 29, 2019                [Page 4]
Internet-Draft                DARE Message                 February 2019

   sequences.  This means that a single public key operation MAY be used
   to encrypt and/or authenticate multiple parts of the same DARE
   Message or multiple frames in a DARE Container.

   To avoid reuse of the key and to avoid the need to communicate
   separate IVs, each octet sequence is encrypted under a different
   encryption key (and IV if required) derived from the Master Key by
   means of a salt that is unique for each octet sequence that is
   encrypted.  The same approach is used to generate keys for
   calculating a MAC over the octet sequence if required.  This approach
   allows encryption and integrity protections to be applied to the
   message payload, to header or trailer fields or to application
   defined Enhanced Data Sequences in the header or trailer.

1.1.1.  Key Exchange

   Traditional cryptographic containers describe the application of a
   single key exchange to encryption of a single octet sequence.
   Examples include PCKS#7/CMS [RFC2315] , OpenPGP [RFC4880] and JSON
   Web Encryption [RFC7516] .

   To encrypt a message using RSA, the encoder first generates a random
   encryption key and initialization vector (IV).  The encryption key is
   encrypted under the public key of each recipient to create a per-
   recipient decryption entry.  The encryption key, plaintext and IV are
   used to generate the ciphertext (figure 1).

   [[This figure is not viewable in this format.  The figure is
   available at http://mathmesh.com/Documents/draft-hallambaker-mesh-
   dare.html [2].]]

   Monolithic Key Exchange and Encrypt

   This approach is adequate for the task of encrypting a single octet
   stream.  It is less than satisfactory when encrypting multiple octet
   streams or very long streams for which a rekeying operation is
   desirable.

   In the DARE approach, key exchange and key derivation are separate
   operations and keys MAY be derived for encryption or integrity
   purposes or both.  A single key exchange MAY be used to derive keys
   to apply encryption and integrity enhancements to multiple data
   sequences.

   The DARE key exchange begins with the same key exchange used to
   produce the CEK in JWE but instead of using the CEK to encipher data
   directly, it is used as one of the inputs to a Key Derivation

Hallam-Baker             Expires August 29, 2019                [Page 5]
Internet-Draft                DARE Message                 February 2019

   Function (KDF) that is used to derive parameters for each block of
   data to be encrypted.  To avoid the need to introduce additional
   terminology, the term 'CEK' is still used to describe the output of
   the key agreement algorithm (including key unwrapping if required)
   but it is more appropriately described as a Master Key (figure 2).

   [[This figure is not viewable in this format.  The figure is
   available at http://mathmesh.com/Documents/draft-hallambaker-mesh-
   dare.html [3].]]

   Exchange of Master Key

   A Master Key may be used to encrypt any number of data items.  Each
   data item is encrypted under a different encryption key and IV (if
   required).  This data is derived from the Master Key using the HKDF
   function [RFC5869] using a different salt for each data item and
   separate info tags for each cryptographic function (figure 3).

   [[This figure is not viewable in this format.  The figure is
   available at http://mathmesh.com/Documents/draft-hallambaker-mesh-
   dare.html [4].]]

   Data item encryption under Master Key and per-item salt.

   This approach to encryption offers considerably greater flexibility
   allowing the same format for data item encryption to be applied at
   the transport, message or field level.

1.1.2.  Data Erasure

   Each encrypted DARE Message specifies a unique Master Salt value of
   at least 128 bits which is used to derive the salt values used to
   derive cryptographic keys for the message payload and annotations.

   Erasure of the Master Salt value MAY be used to effectively render
   the message payload and annotations undecipherable without altering
   the message payload data.  The work factor for decryption will be
   O(2^128) even if the decryption key is compromised.

1.2.  Signature

   As with encryption, DARE Message signatures MAY be applied to an
   individual message or a sequence of messages.

Hallam-Baker             Expires August 29, 2019                [Page 6]
Internet-Draft                DARE Message                 February 2019

1.2.1.  Signing Individual Plaintext Messages

   When an individual plaintext message is signed, the digest value used
   to create the signature is calculated over the binary value of the
   payload data.  That is, the value of the payload before the encoding
   (Base-64, JSON-B) is applied.

1.2.2.  Signing Individual Encrypted Messages

   When an individual plaintext message is signed, the digest value used
   to create the signature is calculated over the binary value of the
   payload data.  That is, the value of the payload after encryption but
   before the encoding (Base-64, JSON-B) is applied.

   Use of signing and encryption in combination presents the risk of
   subtle attacks depending on the order in which signing and encryption
   take place [Davis2001] .

   Na?ve approaches in which a message is encrypted and then signed
   present the possibility of a surreptitious forwarding attack.  For
   example, Alice signs a message and sends it to Mallet who then strips
   off Alice's signature and sends the message to Bob.

   Na?ve approaches in which a message is signed and then encrypted
   present the possibility of an attacker claiming authorship of a
   ciphertext.  For example, Alice encrypts a ciphertext for Bob and
   then signs it.  Mallet then intercepts the message and sends it to
   Bob.

   While neither attack is a concern in all applications, both attacks
   pose potential hazards for the unwary and require close inspection of
   application protocol design to avoid exploitation.

   To prevent these attacks, each signature on a message that is signed
   and encrypted MUST include a witness value that is calculated by
   applying a MAC function to the signature value as described in
   section XXX.

1.2.3.  Signing Sequences of Messages

   To sign multiple messages with a single signature, we first construct
   a Merkle tree of the message payload digest values and then sign the
   root of the Merkle tree.

   [This is not yet implemented but will be soon.]

Hallam-Baker             Expires August 29, 2019                [Page 7]
Internet-Draft                DARE Message                 February 2019

1.3.  Container

   DARE Container is a message and file syntax that allows a sequence of
   data frames to be represented with cryptographic integrity,
   signature, and encryption enhancements to be constructed in an append
   only format.

   The format is designed to meet the requirements of a wide range of
   use cases including:

   o  Recording transactions in persistent storage.

   o  Synchronizing transaction logs between hosts.

   o  File archive.

   o  Message spool.

   o  Signing and encrypting single data items.

   o  Incremental encryption and authentication of server logs.

1.3.1.  Container Format

   A Container consists of a sequence of variable length Frames.  Each
   frame consists of a forward length indicator, the framed data and a
   reverse length indicator.  The reverse length indicator is written
   out backwards allowing the length and thus the frame to be read in
   the reverse direction:

   [[This figure is not viewable in this format.  The figure is
   available at http://mathmesh.com/Documents/draft-hallambaker-mesh-
   dare.html [5].]]

   JBCD Bidirectional Frame

   Each frame contains a single DARE Message consisting of a Header,
   Payload and Trailer (if required).  The first frame in a container
   describes the container format options and defaults.  These include
   the range of encoding options for frame metadata supported and the
   container profiles to which the container conforms.

   All internal data formats support use of pointers of up to 64 bits
   allowing containers of up to 18 exabytes to be written.

   Five container types are currently specified:

Hallam-Baker             Expires August 29, 2019                [Page 8]
Internet-Draft                DARE Message                 February 2019

   Simple  The container does not provide any index or content integrity
      checks.

   Tree  Frame headers contain entries that specify the start position
      of previous frames at the apex of the immediately enclosing binary
      tree.  This enables efficient random access to any frame in the
      file.

   Digest  Each frame trailer contains a PayloadDigest field.
      Modification of the payload will cause verification of the
      PayloadDigest value to fail on that frame.

   Chain  Each frame trailer contains PayloadDigest and ChainDigest
      fields allowing modifications to the payload data to be detected.
      Modification of the payload will cause verification of the
      PayloadDigest value to fail on that frame and verification of the
      ChainDigest value to fail on all subsequent frames.

   Merkle Tree  Frame headers contain entries that specify the start
      position of previous frames at the apex of the immediately
      enclosing binary tree.  Frame Trailers contain
      TreeDigestPartial and TreeDigestFinal entries forming a Merkle
      digest tree.

1.3.2.  Write

   In normal circumstances, Containers are written as an append only
   log.  As with Messages, integrity information (payload digest,
   signatures) is written to the message trailer.  Thus, large payloads
   may be written without the need to buffer the payload data provided
   that the content length is known in advance.

   Should exceptional circumstances require, Container entries MAY be
   erased by overwriting the Payload and/or parts of the Header content
   without compromising the ability to verify other entries in the
   container.  If the entry Payload is encrypted, it is sufficient to
   erase the container salt value to render the container entry
   effectively inaccessible (though recovery might still be possible if
   the original salt value can be recovered from the storage media.

1.3.3.  Encryption and Authentication

   Frame payloads and associated attributes MAY be encrypted and/or
   authenticated in the same manner as Messages.

   Incremental encryption is supported allowing encryption parameters
   from a single public key exchange operation to be applied to encrypt
   multiple frames.  The public key exchange information is specified in

Hallam-Baker             Expires August 29, 2019                [Page 9]
Internet-Draft                DARE Message                 February 2019

   the first encrypted frame and subsequent frames encrypted under those
   parameters specify the location at which the key exchange information
   is to be found by means of the ExchangePosition field which MUST
   specify a location that is earlier in the file.

   To avoid cryptographic vulnerabilities resulting from key re-use, the
   DARE key exchange requires that each encrypted sequence use an
   encryption key and initialization vector derived from the master key
   established in the public key exchange by means of a unique salt.

   Each Message and by extension, each Container frame MUST specify a
   unique salt value of at least 128 bits.  Since the encryption key is
   derived from the salt value by means of a Key Derivation Function,
   erasure of the salt MAY be used as a means of rendering the payload
   plaintext value inaccessible without changing the payload value.

1.3.4.  Integrity and Signature

   Signatures MAY be applied to a payload digest, the final digest in a
   chain or tree.  The chain and tree digest modes allow a single
   signature to be used to authenticate all frame payloads in a
   container.

   The tree signature mode is particularly suited to applications such
   as file archives as it allows files to be verified individually
   without requiring the signer to sign each individually.  Furthermore,
   in applications such as code signing, it allows a single signature to
   be used to verify both the integrity of the code and its membership
   of the distribution.

   As with DARE Message, the signature mechanism does not specify the
   interpretation of the signature semantics.  The presence of a
   signature demonstrates that the holder of the private key applied it
   to the specified digest value but not their motive for doing so.
   Describing such semantics is beyond the scope of this document and is
   deferred to future work.

1.3.5.  Redaction

   The chief disadvantage of using an append-only format is that
   containers only increase in size.  In many applications, much of the
   data in the container becomes redundant or obsolete and a process
   analogous to garbage collection is required.  This process is called
   redaction.

   The simplest method of redaction is to create a new container and
   sequentially copy each entry from the old container to the new,
   discarding redundant frames and obsolete header information.

Hallam-Baker             Expires August 29, 2019               [Page 10]
Internet-Draft                DARE Message                 February 2019

   For example, partial index records may be consolidated into a single
   index record placed in the last frame of the container.  Unnecessary
   signature and integrity data may be discarded and so on.

   While redaction could in principle be effected by moving data in-
   place in the existing container, supporting this approach in a robust
   fashion is considerably more complex as it requires backward
   references in subsequent frames to be overridden as each frame is
   moved.

1.3.6.  Alternative approaches

   Many file proprietary formats are in use that support some or all of
   these capabilities but only a handful have public, let alone open,
   standards.  DARE Container is designed to provide a superset of the
   capabilities of existing message and file syntaxes, including:

   o  Cryptographic Message Syntax [RFC5652] defines a syntax used to
      digitally sign, digest, authenticate, or encrypt arbitrary message
      content.

   o  The.ZIP File Format specification [ZIPFILE] developed by Phil
      Katz.

   o  The BitCoin Block chain [BLOCKCHAIN] .

   o  JSON Web Encryption and JSON Web Signature

   Attempting to make use of these specifications in a layered fashion
   would require at least three separate encoders and introduce
   unnecessary complexity.  Furthermore, there is considerable overlap
   between the specifications providing multiple means of achieving the
   same ends, all of which must be supported if decoders are to work
   reliably.

1.3.7.  Efficiency

   Every data format represents a compromise between different concerns,
   in particular:

   Compactness  The space required to record data in the encoding.

   Memory Overhead  The additional volatile storage (RAM) required to
      maintain indexes etc. to support efficient retrieval operations.

   Number of Operations  The number of operations required to retrieve
      data from or append data to an existing encoded sequence.

Hallam-Baker             Expires August 29, 2019               [Page 11]
Internet-Draft                DARE Message                 February 2019

   Number of Disk Seek Operations  Optimizing the response time of
      magnetic storage media to random access read requests has
      traditionally been one of the central concerns of database design.
      The DARE Container format is designed to the assumption that this
      will cease to be a concern as solid state media replaces magnetic.

   While the cost of storage of all types has declined rapidly over the
   past decades, so has the amount of data to be stored.  DARE Container
   represents a pragmatic balance of these considerations for current
   technology.  In particular, since payload volumes are likely to be
   very large, memory and operational efficiency are considered higher
   priorities than compactness.

2.  Definitions

2.1.  Related Specifications

   The DARE Message and Container formats are based on the following
   existing standards and specifications.

   DARE Container makes use of the following related standards and
   specifications.

   Object serialization  The JSON-B [draft-hallambaker-jsonbcd] encoding
      is used for object serialization.  This encoding is an extension
      of the JavaScript Object Notation (JSON) [RFC7159] .

   Message syntax  The cryptographic processing model is based on JSON
      Web Signature (JWS) [RFC7515] , JSON Web Encryption (JWE)
      [RFC7516] and JSON Web Key (JWK) [RFC7517] .

   Cryptographic primitives.  The HMAC-based Extract-and-Expand Key
      Derivation Function [RFC5869] and Advanced Encryption Standard
      (AES) Key Wrap with Padding Algorithm [RFC3394] are used.

      The Uniform Data Fingerprint method of presenting data digests is
      used for key identifiers and other purposes
      [draft-hallambaker-mesh-udf] .

   Cryptographic algorithms  The cryptographic algorithms and
      identifiers described in JSON Web Algorithms (JWA) [RFC7518] are
      used together with additional algorithms as defined in the JSON
      Object Signing and Encryption IANA registry [IANAJOSE] .

Hallam-Baker             Expires August 29, 2019               [Page 12]
Internet-Draft                DARE Message                 February 2019

2.2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119] .

2.3.  Defined terms

   The terms "Authentication Tag", "Content Encryption Key", "Key
   Management Mode", "Key Encryption", "Direct Key Agreement", "Key
   Agreement with Key Wrapping" and "Direct Encryption" are defined in
   the JWE specification [RFC7516] .

   The terms "Authentication", "Ciphertext", "Digital Signature",
   "Encryption", "Initialization Vector (IV)", "Message Authentication
   Code (MAC)", "Plaintext" and "Salt" are defined by the Internet
   Security Glossary, Version 2 [RFC4949] .

   Annotated Message  A DARE Message that contains an Annotations field
      with at least one entry.

   Authentication Data  A Message Authentication Code or authentication
      tag.

   Complete Message  A DARE message that contains the key exchange
      information necessary for the intended recipient(s) to decrypt it.

   Detached Message  A DARE message that does not contain the key
      exchange information necessary for the intended recipient(s) to
      decrypt it.

   Encryption Context  The master key, encryption algorithms and
      associated parameters used to generate a set of one or more
      enhanced data sequences.

   Encoded data sequence (EDS)  A sequence consisting of a salt, content
      data and authentication data (if required by the encryption
      context).

   Enhancement  Applying a cryptographic operation to a data sequence.
      This includes encryption, authentication and both at the same
      time.

   Generator  The party that generates a DARE message.

   Group Encryption Key  A key used to encrypt data to be read by a
      group of users.  This is typically achieved by means of some form
      of proxy re-encryption or distributed key generation.

Hallam-Baker             Expires August 29, 2019               [Page 13]
Internet-Draft                DARE Message                 February 2019

   Group Encryption Key Identifier  A key identifier for a group
      encryption key.

   Master Key (MK)  The master secret from which keys are derived for
      authenticating enhanced data sequences.

   Recipient  Any party that receives and processes at least some part
      of a DARE message.

   Related Message  A set of DARE messages that share the same key
      exchange information and hence the same Master Key.

   Uniform Data Fingerprint (UDF)  The means of presenting the result of
      a cryptographic digest function over a data sequence and content
      type identifier specified in the Uniform Data Fingerprint
      specification [draft-hallambaker-mesh-udf]

3.  DARE Message Architecture

   A DARE Message is a sequence of three parts:

   Header  A JSON object containing information a reader requires to
      begin processing the message.

   Payload  An array of octets.

   Trailer  A JSON object containing information calculated from the
      message payload.

   For example, the following sequence is a JSON encoded Message with an
   empty header, a payload of zero length and an empty trailer:

   [ {}, "", {} ]

   DARE Messages MAY be encoded using JSON serialization or a binary
   serialization for greater efficiency.

   JSON  Offers compatibility with applications and libraries that
      support JSON.  Payload data is encoded using Base64 incurring a
      33% overhead.

   JSON-B  A superset of JSON encoding that permits binary data to be
      encoded as a sequence of length-data segments.  This avoids the
      Base64 overhead incurred by JSON encoding.  Since JSON-B is a
      superset of JSON encoding, an application can use a single decoder
      for either format.

Hallam-Baker             Expires August 29, 2019               [Page 14]
Internet-Draft                DARE Message                 February 2019

   JSON-C  A superset of JSON-C which provides additional efficiency by
      allowing field tags and other repeated string data to be encoded
      by reference to a dictionary.  Since JSON-C is a superset of JSON
      and JSON-B encodings, an application can use a single decoder for
      all three formats.

   DARE Message processors MUST support JSON serialization and SHOULD
   support JSON-B serialization.

3.1.  Processing Considerations

   The DARE Message Syntax supports single pass encoding and decoding
   without buffering of data.  All the information required to begin
   processing a DARE message (key agreement information, digest
   algorithms), is provided in the message header.  All the information
   that is derived from message processing (authentication codes, digest
   values, signatures) is presented in the message trailer.

   The choice of message encoding does not affect the semantics of
   message processing.  A DARE Message MAY be reserialized under the
   same serialization or converted from any of the specified
   serialization to any other serialization without changing the
   semantics or integrity properties of the message.

3.2.  Content Metadata and Annotations

   A header MAY contain header fields describing the payload content.
   These include:

   ContentType  Specifies the IANA Media Type [RFC6838] .

   Annotations  A list of Encoded Data Sequences that provide
      application specific annotations to the message.

   For example, consider the following mail message:

   From: Alice@example.com
   To: bob@example.com
   Subject: TOP-SECRET Product Launch Today!

   The CEO told me the product launch is today. Tell no-one!

   Existing encryption approaches require that header fields such as the
   subject line be encrypted with the body of the message or not
   encrypted at all.  Neither approach is satisfactory.  In this
   example, the subject line gives away important information that the
   sender probably assumed would be encrypted.  But if the subject line
   is encrypted together with the message body, a mail client must

Hallam-Baker             Expires August 29, 2019               [Page 15]
Internet-Draft                DARE Message                 February 2019

   retrieve at least part of the message body to provide a 'folder'
   view.

   The plaintext form of the equivalent DARE Message encoding is:

   [{
       "cty":"application/example-mail",
       "Annotations":["iAEBiBdGcm9tOiBBbGljZUBleGFtcGxlLmNvbYgA",
         "iAECiBNUbzogYm9iQGV4YW1wbGUuY29tiAA",
         "iAEDiClTdWJqZWN0OiBUT1AtU0VDUkVUIFByb2R1Y3QgTGF1bmNoIFRvZGF5
     IYgA"
         ]},
     "VGhlIENFTyB0b2xkIG1lIHRoZSBwcm9kdWN0IGxhdW5jaCBpcyB0b2RheS4gVGVs
     bCBuby1vbmUh"
     ]

   This contains the same information as before but the mail message
   headers are now presented as a list of Encoded Data Sequences.

3.3.  Encoded Data Sequence

   An encoded data sequence (EDS) is a sequence of octets that encodes a
   data sequence according to cryptographic enhancements specified in
   the context in which it is presented.  An EDS MAY be encrypted and
   MAY be authenticated by means of a MAC.  The keys and other
   cryptographic parameters used to apply these enhancements are derived
   from the cryptographic context and a Salt prefix specified in the EDS
   itself.

   An EDS sequence contains exactly three binary fields encoded in
   JSON-B serialization as follows:

   Salt Prefix  A sequence of octets used to derive the encryption key,
      Initialization Vector and MAC key as required.

   Body  The plaintext or encrypted content.

   Authentication Tag  The authentication code value in the case that
      the cryptographic context specifies use of authenticated
      encryption or a MAC, otherwise is a zero-length field.

   Requiring all three fields to be present, even in cases where they
   are unnecessary simplifies processing at the cost of up to six
   additional data bytes.

   The encoding of the 'From' header of the previous example as a
   plaintext EDS is as follows:

Hallam-Baker             Expires August 29, 2019               [Page 16]
Internet-Draft                DARE Message                 February 2019

   88 01
     01
   88 17
     46 72 6f 6d 3a 20 41 6c   69 63 65 40 65 78 61 6d
     70 6c 65 2e 63 6f 6d
   88 00

3.4.  Encryption and Integrity

   Encryption and integrity protections MAY be applied to any DARE
   Message Payload and Annotations.

   The following is an encrypted version of the message shown earlier.
   The payload and annotations have both increased in size as a result
   of the block cipher padding.  The header now includes Recipients and
   Salt fields to enable the content to be decoded.

   [{
       "enc":"A256CBC",
       "Salt":"l7Bjy_Coev9KRuyWNCXtSQ",
       "cty":"application/example-mail",
       "Annotations":["iAEBiCBmbTo0Y_C8B9eb1PXr_a-WEQok8bbDUsaiMPZMNcnJ
     Kw",
         "iAECiCAOBQoaB0LWg1HE1mY0Opu-GmohOzU5ljvX46f_A-CmCg",
         "iAEDiDB0HJBmP45XDzL3ClFUtLfpkvrwunNQCHoUXG6oph5-ZFwYCI6fxwNU
     ie5xRdLaaFw"
         ],
       "recipients":[{
           "kid":"MAH7-QQI4-53WD-S32X-4SQW-TIAY-42LA",
           "epk":{
             "PublicKeyECDH":{
               "crv":"Ed25519",
               "Public":"-6jMG5xqSL1kjle0k2xkHzF8nVfXFZcpGSIRF1DAKuc"}},
           "wmk":"dLS9PZNbyDfEZEDfesatSb2KvTO26YCOH-5uPRphA_M25huz0z2j
     -A"}
         ]},
     "992eB-VqCRFQvg9qiPk_iLGG-zruhqWA1n1A1_BE1W7Hc6GdRr99uGFYrHc-J_4_
     m-lPXVMJkBhFEbmlSBtZDg"
     ]

3.4.1.  Key Exchange

   The DARE key exchange is based on the JWE key exchange except that
   encryption modes are intentionally limited and the output of the key
   exchange is the DARE Master Key rather than the Content Encryption
   Key.

Hallam-Baker             Expires August 29, 2019               [Page 17]
Internet-Draft                DARE Message                 February 2019

   A DARE Key Exchange MAY contain any number of Recipient entries, each
   providing a means of decrypting the Master Key using a different
   private key.

   If the Key Exchange mechanism supports message recovery, Direct Key
   Agreement is used, in all other cases, Key Wrapping is used.

   This approach allows messages with one intended recipient to be
   handled in the exact same fashion as messages with multiple
   recipients.  While this does require an additional key wrapping
   operation, that could be avoided if a message has exactly one
   intended recipient, this is offset by the reduction in code
   complexity.

   If the key exchange algorithm does not support message recovery (e.g.
   Diffie Hellman and Elliptic Curve Diffie-Hellman), the HKDF Extract-
   and-Expand Key Derivation Function is used to derive a master key
   using the following info tag:

   "dare-master" [64 61 72 65 2d 6d 61 73 74 65 72]  Key derivation info
      field used when deriving a master key from the output of a key
      exchange.

   The master key length is the maximum of the key size of the
   encryption algorithm specified by the key exchange header, the key
   size of the MAC algorithm specified by the key exchange header (if
   used) and 256.

3.4.2.  Key Identifiers

   The JWE/JWS specifications define a kid field for use as a key
   identifier but not how the identifier itself is constructed.  All
   DARE key identifiers are either UDF key fingerprints
   [draft-hallambaker-mesh-udf] or Mesh/Recrypt Group Key Identifiers.

   A UDF fingerprint is formed as the digest of an IANA content type and
   the digested data.  A UDF key fingerprint is formed with the content
   type application/pkix-keyinfo and the digested data is the ASN.1 DER
   encoded PKIX certificate keyInfo sequence for the corresponding
   public key.

   A Group Key Identifier has the form <fingerprint>@<domain>.  Where
   <fingerprint> is a UDF key fingerprint and <domain> is the DNS
   address of a service that provides the encryption service to support
   decryption by group members.

Hallam-Baker             Expires August 29, 2019               [Page 18]
Internet-Draft                DARE Message                 February 2019

3.4.3.  Salt Derivation

   A Master Salt is a sequence of 16 or more octets that is specified in
   the Salt field of the header.

   The Master Salt is used to derive salt values for the message payload
   and associated encoded data sequences as follows.

   Payload  Salt = Master Salt

   EDS  Salt = Concatenate (Payload Salt Prefix, Master Salt)

   Encoders SHOULD NOT generate salt values that exceed 1024 octets.

   The salt value is opaque to the DARE encoding but MAY be used to
   encode application specific semantics including:

   o  Frame number to allow reassembly of a data sequence split over a
      sequence of messages which may be delivered out of order.

   o  Transmit the Master Key in the manner of a Kerberos ticket.

   o  Identify the Master Key under which the Enhanced Data Sequence was
      generated.

   o  Enable access to the plaintext to be eliminated by erasure of the
      encryption key.

   For data erasure to be effective, the salt MUST be constructed so
   that the difficulty of recovering the key is sufficiently high that
   it is infeasible.  For most purposes, a salt with 128 bits of
   appropriately random data is sufficient.

3.4.4.  Key Derivation

   Encryption and/or authentication keys are derived from the Master Key
   using a Extract-and-Expand Key Derivation Function as follows:

   1.  The Master Key and salt value are used to extract the PRK
       (pseudorandom key)

   2.  The PRK is used to derive the algorithm keys using the
       application specific information input for that key type.

   The application specific information inputs are:

   "dare-encrypt" [64 61 72 65 2d 65 6e 63 72 79 70 74]  To generate an
      encryption or encryption with authentication key.

Hallam-Baker             Expires August 29, 2019               [Page 19]
Internet-Draft                DARE Message                 February 2019

   "dare-iv" [64 61 72 65 2d 65 6e 63 72 79 70 74]  To generate an
      initialization vector.

   "dare-mac" [dare-mac]  To generate a Message Authentication Code key.

3.5.  Signature

   While encryption and integrity enhancements can be applied to any
   part of a DARE message, signatures are only applied to payload digest
   values calculated over one or more message payloads.

   The payload digest value for a message is calculated over the binary
   payload data.  That is, after any encryption enhancement has been
   applied but before the message encoding is applied.  This allows
   messages to be converted from one encoding to another without
   affecting signature verification.

   Single Payload  The signed value is the payload digest of the message
      payload.

   Multiple Payload.  The signed value is the root of a Merkle Tree in
      which the payload digest of the message is one of the leaves.

   Verification of a multiple payload signature naturally requires the
   additional digest values required to construct the Merkle Tree.
   These are provided in the Trailer in a format that permits multiple
   signers to reference the same tree data.

3.6.  Algorithms

3.6.1.  Field: kwd

   The key wrapping and derivation algorithms.

   Since the means of public key exchange is determined by the key
   identifier of the recipient key, it is only necessary to specify the
   algorithms used for key wrapping and derivation.

   The default (and so far only) algorithm is kwd-aes-sha2-256-256.

   Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm
   [RFC3394] is used to wrap the Master Exchange Key. AES 256 is used.

   HMAC-based Extract-and-Expand Key Derivation Function [RFC5869] is
   used for key derivation.  SHA-2-256 is used for the hash function.

Hallam-Baker             Expires August 29, 2019               [Page 20]
Internet-Draft                DARE Message                 February 2019

4.  DARE Container Architecture

4.1.  Container Navigation

   Three means of locating frames in a container are supported:

   Sequential  Access frames sequentially starting from the start or the
      end of the container.

   Binary search  Access any container frame by frame number in
      O(log_2(n)) time by means of a binary tree constructed while the
      container is written.

   Index  Access and container frame by frame number or by key by means
      of an index record.

   All DARE Containers support sequential access.  Only tree and Merkle
   tree containers support binary search access.  An index frame MAY be
   written appended to any container and provides O(1) access to any
   frame listed in the index.

   Two modes of compilation are considered:

   Monolithic  Frames are added to the container in a single operation,
      e.g. file archives,

   Incremental  Additional frames are written to the container at
      various intervals after it was originally created, e.g. server
      logs, message spools.

   In the monolithic mode, navigation requirements are best met by
   writing an index frame to the end of the container when it is
   complete.  It is not necessary to construct a binary search tree
   unless a Merkle tree integrity check is required.

   In the incremental mode, Binary search provides an efficient means of
   locating frames by frame number but not by key.  Writing a complete
   index to the container every m write operations provides O(m) search
   access but requires O(n^2) storage.

   Use of partial indexes provides a better compromise between speed and
   efficiency.  A partial index is written out every m frames where m is
   a power of two.  A complete index is written every time a binary tree
   apex record is written.  This approach provides for O(log_2(n))
   search with incremental compilation with approximately double the
   overhead of the monolithic case.

Hallam-Baker             Expires August 29, 2019               [Page 21]
Internet-Draft                DARE Message                 February 2019

4.1.1.  Tree

   Binary search is supported by means of the TreePosition parameter
   specified in the FrameHeader.  This parameter specifies the value of
   the immediately preceding apex.

   Calculation of the immediately preceding apex is most easily
   described by representing the array index in binary with base of 1
   (rather than 0).  An array index that is a power of 2 (2, 4, 8, 16,
   etc.) will be the apex of a complete tree.  Every other array index
   has the value of the sum of a set of powers of 2 and the immediately
   preceding apex will be the value of the next smallest power of 2 in
   the sum.

   For example, to find the immediately preceding apex for frame 5, we
   add 1 to get 6. 6 = 4 + 2, so we ignore the 2 and the preceding frame
   is 4.

   The values of Tree Position are shown for the first 8 frames in
   figure xx below:

   [[This figure is not viewable in this format.  The figure is
   available at http://mathmesh.com/Documents/draft-hallambaker-mesh-
   dare.html [6].]]

   Merkle Tree Integrity check

   An algorithm for efficiently calculating the immediately preceding
   apex is provided in Appendix C.

4.1.2.  Position Index

   Contains a table of frame number, position pairs pointing to prior
   locations in the file.

4.1.3.  Metadata Index

   Contains a list of IndexMeta entries.  Each entry contains a metadata
   description and a list of frame indexes (not positions) of frames
   that match the description.

4.2.  Integrity Mechanisms

   Frame sequences in a DARE container MAY be protected against a frame
   insertion attack by means of a digest chain, a binary Merkle tree or
   both.

Hallam-Baker             Expires August 29, 2019               [Page 22]
Internet-Draft                DARE Message                 February 2019

4.2.1.  Digest Chain calculation

   A digest chain is simple to implement but can only be verified if the
   full chain of values is known.  Appending a frame to the chain has
   O(1) complexity but verification has O(n) complexity:

   [[This figure is not viewable in this format.  The figure is
   available at http://mathmesh.com/Documents/draft-hallambaker-mesh-
   dare.html [7].]]

   Hash chain integrity check

   The value of the chain digest for the first frame (frame 0) is
   H(H(null)+H(Payload_0)), where null is a zero length octet sequence
   and payloadn is the sequence of payload data bytes for frame n

   The value of the chain digest for frame n is H(H(Payload_n-1
   +H(Payloadn)), where A+B stands for concatenation of the byte
   sequences A and B.

4.2.2.  Binary Merkle tree calculation

   The tree index mechanism describe earlier may be used to implement a
   binary Merkle tree.  The value TreeDigest specifies the apex value of
   the tree for that node.

   Appending a frame to the chain has O(log_2 (n)) complexity provided
   that the container format supports at least the binary tree index.
   Verifying a chain has O(log_2 (n)) complexity, provided that the set
   of necessary digest inputs is known.

   To calculate the value of the tree digest for a node, we first
   calculate the values of all the sub trees that have their apex at
   that node and then calculate the digest of that value and the
   immediately preceding local apex.

4.2.3.  Signature

   Payload data MAY be signed using a JWS [RFC7515] as applied in the
   Message.

   Signatures are specified by the Signatures parameter in the content
   header.  The data that the signature is calculated over is defined by
   the typ parameter of the Signature as follows.

   Payload  The value of the PayloadDigest parameter

Hallam-Baker             Expires August 29, 2019               [Page 23]
Internet-Draft                DARE Message                 February 2019

   Chain  The value of the ChainDigest parameter

   Tree  The value of the TreeDigestFinal parameter

   If the typ parameter is absent, the value Payload is implied.

   A frame MAY contain multiple signatures created with the same signing
   key and different typ values.

   The use of signatures over chain and tree digest values permit
   multiple frames to be validated using a single signature verification
   operation.

5.  DARE Message Schema

   A DARE Message consists of a Header, an Enhanced Data Sequence (EDS)
   and an optional trailer.  This section describes the JSON data fields
   used to construct headers, trailers and complete messages.

   Wherever possible, fields from JWE, JWS and JWK have been used.  In
   these cases, the fields have the exact same semantics.  Note however
   that the classes in which these fields are presented have different
   structure and nesting.

5.1.  Message Classes

   A DARE Message contains a single DAREMessageSequence in either the
   JSON or Compact serialization as directed by the protocol in which it
   is applied.

5.1.1.  Structure: DareMessageSequence

   A DARE Message containing Header, EDS and Trailer in JSON object
   encoding.  Since a DAREMessage is almost invariably presented in JSON
   sequence or compact encoding, use of the DAREMessage subclass is
   preferred.

   Although a DARE Message is functionally an object, it is serialized
   as an ordered sequence.  This ensures that the message header field
   will always precede the body in a serialization, this allowing
   processing of the header information to be performed before the
   entire body has been received.

   Header: DareHeader (Optional)  The message header.  May specify the
      key exchange data, pre-signature or signature data, cloaked
      headers and/or encrypted data sequences.

   Body: Binary (Optional)  The message body

Hallam-Baker             Expires August 29, 2019               [Page 24]
Internet-Draft                DARE Message                 February 2019

   Trailer: DareTrailer (Optional)  The message trailer.  If present,
      this contains the signature.

5.2.  Header and Trailer Classes

   A DARE Message sequence MUST contain a (possibly empty) DAREHeader
   and MAY contain a DARETrailer.

5.2.1.  Structure: DareTrailer

   A DARE Message Trailer

   Signatures: DareSignature [0..Many]  A list of signatures.  A message
      trailer MUST NOT contain a signatures field if the header contains
      a signatures field.

   SignedData: Binary (Optional)  Contains a DAREHeader object

   PayloadDigest: Binary (Optional)  If present, contains the digest of
      the Payload.

   ChainDigest: Binary (Optional)  If present, contains the digest of
      the PayloadDigest values of this frame and the frame immediately
      preceding.

   TreeDigest: Binary (Optional)  If present, contains the Binary Merkle
      Tree digest value.

5.2.2.  Structure: DareHeader

   Inherits: DareTrailer

   A DARE Message Header.  Since any field that is present in a trailer
   MAY be placed in a header instead, the message header inherits from
   the trailer.

   EncryptionAlgorithm: String (Optional)  The encryption algorithm as
      specified in JWE

   DigestAlgorithm: String (Optional)  Digest Algorithm.  If specified,
      tells decoder that the digest algorithm is used to construct a
      signature over the message payload.

   Salt: Binary (Optional)  Salt value used to derrive cryptographic
      parameters for the content data.

   Malt: Binary (Optional)  Hash of the Salt value used to derrive
      cryptographic parameters for the content data.  This field SHOULD

Hallam-Baker             Expires August 29, 2019               [Page 25]
Internet-Draft                DARE Message                 February 2019

      NOT be present if the Salt field is present.  It is used to allow
      the salt value to be erased (thus rendering the payload content
      irrecoverable) without affecting the ability to calculate the
      payload digest value.

   Signed: Binary (Optional)  Contains signed headers.

   Cloaked: Binary (Optional)  If present in a header or trailer,
      specifies an encrypted data block containing additional header
      fields whose values override those specified in the message and
      context headers.

      When specified in a header, a cloaked field MAY be used to conceal
      metadata (content type, compression) and/or to specify an
      additional layer of key exchange.  That applies to both the
      Message body and to headers specified within the cloaked header.

      Processing of cloaked data is described in...

   ContentType: String (Optional)  The content type field as specified
      in JWE

   EDSS: Binary [0..Many]  If present, the Annotations field contains a
      sequence of Encrypted Data Segments encrypted under the message
      Master Key. The interpretation of these fields is application
      specific.

   Signers: DareSigner [0..Many]  A list of 'presignature'

   Recipients: DareRecipient [0..Many]  A list of recipient key exchange
      information blocks.

   UniqueID: String (Optional)  Unique object identifier

   Filename: String (Optional)  The original filename under which the
      data was stored.

   Event: String (Optional)  Operation on the header

   Labels: String [0..Many]  List of labels that are applied to the
      payload of the frame.

   KeyValues: KeyValue [0..Many]  List of key/value pairs describing the
      payload of the frame.

Hallam-Baker             Expires August 29, 2019               [Page 26]
Internet-Draft                DARE Message                 February 2019

5.3.  Cryptographic Data

   DARE Message uses the same fields as JWE and JWS but with different
   structure.  In particular, DARE messages MAY have multiple recipients
   and multiple signers.

5.3.1.  Structure: DareSigner

   The signature value

   Dig: String (Optional)  Digest algorithm hint.  Specifying the digest
      algorithm to be applied to the message body allows the body to be
      processed in streaming mode.

   Alg: String (Optional)  Key exchange algorithm

   KeyIdentifier: String (Optional)  Key identifier of the signature
      key.

   Certificate: X509Certificate (Optional)  PKIX certificate of signer.

   Path: X509Certificate (Optional)  PKIX certificates that establish a
      trust path for the signer.

5.3.2.  Structure: X509Certificate

   X5u: String (Optional)  URL identifying an X.509 public key
      certificate

   X5: Binary (Optional)  An X.509 public key certificate

5.3.3.  Structure: DareSignature

   Inherits: DareSigner

   The signature value

   Manifest: Binary (Optional)  The data description that was signed.

   SignatureValue: Binary (Optional)  The signature value as an Enhanced
      Data Sequence under the message Master Key.

   WitnessValue: Binary (Optional)  The signature witness value used on
      an encrypted message to demonstrate that the signature was
      authorized by a party with actual knowledge of the encryption key
      used to encrypt the message.

Hallam-Baker             Expires August 29, 2019               [Page 27]
Internet-Draft                DARE Message                 February 2019

5.3.4.  Structure: DareRecipient

   Recipient information

   KeyIdentifier: String (Optional)  Key identifier for the encryption
      key.

      The Key identifier MUST be either a UDF fingerprint of a key or a
      Group Key Identifier

   KeyWrapDerivation: String (Optional)  The key wrapping and derivation
      algorithms.

   WrappedMasterKey: Binary (Optional)  The wrapped master key.  The
      master key is encrypted under the result of the key exchange.

   RecipientKeyData: String (Optional)  The per-recipient key exchange
      data.

6.  DARE Container Schema

   TBS stuff

6.1.  Container Headers

   TBS stuff

6.1.1.  Structure: ContainerEntry

   Inherits: ContainerHeader

   Inherits: ContainerHeader

   Body: Binary (Optional)  The container data.

6.1.2.  Structure: ContainerHeaderFirst

   Inherits: ContainerHeader

   Inherits: ContainerHeader

   DataEncoding: String (Optional)  Specifies the data encoding for the
      header section of for the following frames.  This value is ONLY
      valid in Frame 0 which MUST have a header encoded in JSON.

Hallam-Baker             Expires August 29, 2019               [Page 28]
Internet-Draft                DARE Message                 February 2019

6.1.3.  Structure: ContainerHeader

   Inherits: DareHeader

   Describes a container header.  A container header MAY contain any
   DARE Message header.

   Index: Integer (Optional)  The record index within the file.  This
      MUST be unique and satisfy any additional requirements determined
      by the ContainerType.

   ContainerType: String (Optional)  Specifies the container type for
      the following records.

   IsMeta: Boolean (Optional)  If true, the current frame is a meta
      frame and does not contain a payload.

      Note: Meta frames MAY be present in any container.  Applications
      MUST accept containers that contain meta frames at any position in
      the file.  Applications MUST NOT interpret a meta frame as a data
      frame with an enpty payload.

   Default: Boolean (Optional)  If set true in a persistent container,
      specifies that this record contains the default object for the
      container.

   ContentMeta: ContentMeta (Optional)  Content meta data.

   TreePosition: Integer (Optional)  Position of the frame containing
      the apex of the preceding sub-tree.

   IndexPosition: Integer (Optional)  Specifies the position in the file
      at which the last index entry is to be found

   ExchangePosition: Integer (Optional)  Specifies the position in the
      file at which the key exchange data is to be found

   ContainerIndex: ContainerIndex (Optional)  An index of records in the
      current container up to but not including this one.

   First: Integer (Optional)  Frame number of the first object instance
      value.

   Previous: Integer (Optional)  Frame number of the immediately prior
      object instance value

Hallam-Baker             Expires August 29, 2019               [Page 29]
Internet-Draft                DARE Message                 February 2019

6.2.  Content Metadata Structure

   TBS stuff

6.2.1.  Structure: ContentMeta

   Information describing the object instance

   ContentType: String (Optional)  The content type field as specified
      in JWE

   Paths: String [0..Many]  List of filename paths for the payload of
      the frame.

   UniqueID: String (Optional)  Unique object identifier

   Created: DateTime (Optional)  Initial creation date.

   Modified: DateTime (Optional)  Date of last modification.

6.3.  Index Structures

   TBS stuff

6.3.1.  Structure: ContainerIndex

   A container index

   Full: Boolean (Optional)  If true, the index is complete and contains
      position entries for all the frames in the file.  If absent or
      false, the index is incremental and only contains position entries
      for records added since the last frame containing a
      ContainerIndex.

   Positions: IndexPosition [0..Many]  List of container position
      entries

   Metas: IndexMeta [0..Many]  List of container position entries

6.3.2.  Structure: IndexPosition

   Specifies the position in a file at which a specified record index is
   found

   Index: Integer (Optional)  The record index within the file.

   Position: Integer (Optional)  The record position within the file
      relative to the index base.

Hallam-Baker             Expires August 29, 2019               [Page 30]
Internet-Draft                DARE Message                 February 2019

6.3.3.  Structure: KeyValue

   Specifies a key/value entry

   Key: String (Optional)  The key

   Value: String (Optional)  The value corresponding to the key

6.3.4.  Structure: IndexMeta

   Specifies the list of index entries at which a record with the
   specified metadata occurrs.

   Index: Integer [0..Many]  List of record indicies within the file
      where frames matching the specified criteria are found.

   ContentType: String (Optional)  Content type parameter

   Paths: String [0..Many]  List of filename paths for the current
      frame.

   Labels: String [0..Many]  List of labels that are applied to the
      current frame.

7.  Security Considerations

7.1.  Encryption/Signature nesting

7.2.  Side channel

7.3.  Salt reuse

8.  IANA Considerations

9.  Acknowledgements

10.  Appendix A: DARE Message Examples and Test Vectors

11.  Test Examples

   In the following examples, Alice's encryption private key parameters
   are:

   {
     "PrivateKeyECDH":{
       "crv":"Ed25519",
       "Private":"wYvPNxiLPk4y8UHQdEZRXABHj-S4H0ouc2swMPMndlY"}}

Hallam-Baker             Expires August 29, 2019               [Page 31]
Internet-Draft                DARE Message                 February 2019

   Alice's signature private key parameters are:

   {
     "PrivateKeyECDH":{
       "crv":"Ed25519",
       "Private":"afuqx3CxGxZPvFBE12FBXbZWmBlC9TZldd2B6sC15_Y"}}

   The body of the test message is the UTF8 representation of the
   following string:

   "This is a test long enough to require multiple blocks"

   The EDS sequences, are the UTF8 representation of the following
   strings:

   "Subject: Message metadata should be encrypted"
   "2018-02-01"

11.1.  Plaintext Message

   A plaintext message without associated EDS sequences is an empty
   header followed by the message body:

   {
     "DareMessage":[{},
       "VGhpcyBpcyBhIHRlc3QgbG9uZyBlbm91Z2ggdG8gcmVxdWlyZSBtdWx0aXBsZS
     BibG9ja3M"
       ]}

11.2.  Plaintext Message with EDS

   If a plaintext message contains EDS sequences, these are also in
   plaintext:

   {
     "DareMessage":[{
         "Annotations":["iAEBiC1TdWJqZWN0OiBNZXNzYWdlIG1ldGFkYXRhIHNob3
     VsZCBiZSBlbmNyeXB0ZWSIAA",
           "iAECiAoyMDE4LTAyLTAxiAA"
           ]},
       "VGhpcyBpcyBhIHRlc3QgbG9uZyBlbm91Z2ggdG8gcmVxdWlyZSBtdWx0aXBsZS
     BibG9ja3M"
       ]}

Hallam-Baker             Expires August 29, 2019               [Page 32]
Internet-Draft                DARE Message                 February 2019

11.3.  Encrypted Message

   The creator generates a master session key:

     AB 5A 07 19  EC E4 56 4A  57 89 06 E8  D6 E6 F8 08
     05 28 80 8F  9B 10 88 A8  CA A7 CB F5  FA 37 81 C5

   For each recipient of the message:

   The creator generates an ephemeral key:

   {
     "PrivateKeyECDH":{
       "crv":"Ed25519",
       "Private":"NyutcLUma0D-0LJhnifp-VERQhFWAC1tVqGBeS2eE_g"}}

   The key agreement value is calculated:

     D3 E3 62 FB  2D 6F 09 0E  68 E4 6A E2  73 44 D5 31
     77 43 98 F6  A1 57 96 8E  7F 63 74 BE  72 1D 83 2B

   The key agreement value is used as the input to a HKDF key derivation
   function with the info parameter master to create the key used to
   wrap the master key:

     AE C6 64 CE  7F 54 E9 7F  C7 B5 43 A4  77 12 6D B7
     99 71 CE 20  99 67 2B D6  C0 21 91 AA  F7 9B 65 0D

   The wrapped master key is:

     74 AC E9 02  79 5C 41 CD  15 68 71 BF  B8 DC E5 C6
     E0 47 6C 66  AB 8C 19 79  16 C7 3A BA  6E 94 BA BB
     4E 72 FE 61  CD AC 2C FE

   This information is used to calculate the Recipient information shown
   in the example below.

   To encrypt a message, we first generate a unique salt value:

     D7 CA AF C2  D7 54 E6 AB  AE 77 AA D2  6B CA 5C 1B

   The salt value and master key are used to generate the payload
   encryption key:

Hallam-Baker             Expires August 29, 2019               [Page 33]
Internet-Draft                DARE Message                 February 2019

     C9 C7 62 F3  A7 80 E8 95  A3 34 A8 85  43 26 0C DE
     A0 D5 AB 97  04 6E 45 29  63 6F FB 43  DE 7E 1C 1C

   Since AES is a block cipher, we also require an initializarion
   vector:

     42 46 96 03  9C AB FC 0B  BD 3F 33 A5  15 89 D6 E4

   The output sequence is the encrypted bytes:

     9B E5 6A 7A  2A D8 F7 D7  BF 26 73 A8  F0 D9 EF 70
     4C 63 A9 51  03 F2 89 DD  E6 3C 8C 82  A9 83 04 75
     E5 E6 08 41  37 CD 77 2D  C8 A6 49 6A  3E 76 98 88
     31 38 1D B5  84 DB 6C 00  BA 58 7A F6  E4 F1 B8 EF

   Since the message is not signed, there is no need for a trailer.  The
   completed message is:

 {
   "DareMessage":[{
       "enc":"A256CBC",
       "Salt":"18qvwtdU5quud6rSa8pcGw",
       "recipients":[{
           "kid":"MAH7-QQI4-53WD-S32X-4SQW-TIAY-42LA",
           "epk":{
             "PublicKeyECDH":{
               "crv":"Ed25519",
               "Public":"zfqzSaFFgPiFgwx1mZ0BkxIQOfIM0Q_9KO8JX3NqG3k"}},
           "wmk":"dKzpAnlcQc0VaHG_uNzlxuBHbGarjBl5Fsc6um6UurtOcv5hza
   ws_g"}
         ]},
     "m-VqeirY99e_JnOo8NnvcExjqVED8ond5jyMgqmDBHXl5ghBN813LcimSWo-dp
   iIMTgdtYTbbAC6WHr25PG47w"
     ]}

11.4.  Signed Message

   Signed messages specify the digest algorithm to be used in the header
   and the signature value in the trailer.  Note that the digest
   algorithm is not optional since it serves as notice that a decoder
   should digest the payload value to enable signature verification.

Hallam-Baker             Expires August 29, 2019               [Page 34]
Internet-Draft                DARE Message                 February 2019

   {
     "DareMessage":[{
         "dig":"S512"},
       "VGhpcyBpcyBhIHRlc3QgbG9uZyBlbm91Z2ggdG8gcmVxdWlyZSBtdWx0aXBsZS
     BibG9ja3M",
       {
         "signatures":[{
             "signature":"O0vj8U_uYZ1Ch3J2NbSpx1qIfpRrXfFqLmJs2TlEMIzi
     8n7j-qaFZ5uYEjiNd3PFVXiKWzb1AVYom-ejnQ9UAA"}
           ],
         "PayloadDigest":"raim8SV5adPbWWn8FMM4mrRAQCO9A2jZ0NZAnFXWlG0x
     F6sWGJbnKSdtIJMmMU_hjarlIPEoY3vy9UdVlH5KAg"}
       ]}

11.5.  Signed and Encrypted Message

   A signed and encrypted message is encrypted and then signed.  The
   signer proves knowledge of the payload plaintext by providing the
   plaintext witness value.

 {
   "DareMessage":[{
       "enc":"A256CBC",
       "dig":"S512",
       "Salt":"2Tsh-k3YV510oXqzEbr66w",
       "recipients":[{
           "kid":"MAH7-QQI4-53WD-S32X-4SQW-TIAY-42LA",
           "epk":{
             "PublicKeyECDH":{
               "crv":"Ed25519",
               "Public":"RBLZdDmqPcfowl3LfW8dGICuuMQZjm4aqBDqBtlbbcs"}},
           "wmk":"NBdP-PrkLTc6jFtFiumRY0juzaOwgw3_OOVGhYgGQ00KJAvC8P
   sGuw"}
         ]},
     "baRmxuK2ohiubNFniF3EzK4AxXECC95yL72dkPNQX7ONJUvKDSuPE77epzPWHx
   DtBWAg_hXObzt3c9mFe3YXyw",
     {
       "signatures":[{
           "signature":"u3rCsnF0FqerBp06Ge3qfXBMAqBb7FLEwGYcxqwtm-_8
   JN9hHsrY1dxcOHBOZOaaVAP_3rw0wE6QWIqY3_2zBw",
           "witness":"7QrVnDmsV_BNhdWLea1TJk4Fwsfl9TnXuS_OB_cVgdY"}
         ],
       "PayloadDigest":"dVFiiXqdJvpqPWmKKKZXW6hEo7w0pJ6cmnbw4WcvBcps
   bU3O11JrNJCfaKj_Z-BXZkTrm79uGqyjCEzwm0bh2Q"}
     ]}

Hallam-Baker             Expires August 29, 2019               [Page 35]
Internet-Draft                DARE Message                 February 2019

12.  Appendix B: DARE Container Examples and Test Vectors

   The data payloads in all the following examples are identical, only
   the authentication and/or encryption is different.

   o  Frame 1..n consists of 300 bytes being the byte sequence 00, 01,
      02, etc.  repeating after 256 bytes.

   For conciseness, the raw data format is omitted for examples after
   the first, except where the data payload has been transformed, (i.e.
   encrypted).

12.1.  Simple container

   the following example shows a simple container with first frame and a
   single data frame:

   f4 5d
   f0 59
   f0 00
   5d f4
   f5 01 40
   f0 0f
   f1 01 2c
   40 01 f5

   Since there is no integrity check, there is no need for trailer
   entries.  The header values are:

   Frame 0

   {
     "Index":0,
     "ContainerType":"List",
     "ContentMeta":{},
     "DataEncoding":"JSON"}

   [Empty trailer]

   Frame 1

   {
     "Index":1}

   [Empty trailer]

Hallam-Baker             Expires August 29, 2019               [Page 36]
Internet-Draft                DARE Message                 February 2019

12.2.  Payload and chain digests

   The following example shows a chain container with a first frame and
   three data frames.  The headers of these frames is the same as before
   but the frames now have trailers specifying the PayloadDigest and
   ChainDigest values:

   Frame 0

   {
     "Index":0,
     "ContainerType":"Chain",
     "ContentMeta":{},
     "DataEncoding":"JSON"}

   [Empty trailer]

   Frame 1

   {
     "Index":1}

   {
     "PayloadDigest":"8dyi62d7MDJlsLm6_w4GEgKBjzXBRwppu6qbtmAl6UjZDlZe
     aWQlBsYhOu88-ekpNXpZ2iY96zTRI229zaJ5sw",
     "ChainDigest":"T7S1FcrgY3AaWD4L-t5W1K-3XYkPTcOdGEGyjglTD6yMYVRVz9
     tn_KQc6GdA-P4VSRigBygV65OEd2Vv3YDhww"}

   Frame 2

   {
     "Index":2}

   {
     "PayloadDigest":"8dyi62d7MDJlsLm6_w4GEgKBjzXBRwppu6qbtmAl6UjZDlZe
     aWQlBsYhOu88-ekpNXpZ2iY96zTRI229zaJ5sw",
     "ChainDigest":"T7S1FcrgY3AaWD4L-t5W1K-3XYkPTcOdGEGyjglTD6yMYVRVz9
     tn_KQc6GdA-P4VSRigBygV65OEd2Vv3YDhww"}

   Frame 3

Hallam-Baker             Expires August 29, 2019               [Page 37]
Internet-Draft                DARE Message                 February 2019

   {
     "Index":3}

   {
     "PayloadDigest":"8dyi62d7MDJlsLm6_w4GEgKBjzXBRwppu6qbtmAl6UjZDlZe
     aWQlBsYhOu88-ekpNXpZ2iY96zTRI229zaJ5sw",
     "ChainDigest":"T7S1FcrgY3AaWD4L-t5W1K-3XYkPTcOdGEGyjglTD6yMYVRVz9
     tn_KQc6GdA-P4VSRigBygV65OEd2Vv3YDhww"}

12.3.  Merkle Tree

   The following example shows a chain container with a first frame and
   six data frames.  The trailers now contain the TreePosition and
   TreeDigest values:

   Frame 0

   {
     "Index":0,
     "ContainerType":"Merkle",
     "ContentMeta":{},
     "DataEncoding":"JSON"}

   [Empty trailer]

   Frame 1

   {
     "Index":1,
     "TreePosition":0}

   {
     "PayloadDigest":"8dyi62d7MDJlsLm6_w4GEgKBjzXBRwppu6qbtmAl6UjZDlZe
     aWQlBsYhOu88-ekpNXpZ2iY96zTRI229zaJ5sw",
     "TreeDigest":"T7S1FcrgY3AaWD4L-t5W1K-3XYkPTcOdGEGyjglTD6yMYVRVz9t
     n_KQc6GdA-P4VSRigBygV65OEd2Vv3YDhww"}

   Frame 2

   {
     "Index":2,
     "TreePosition":319}

   {
     "PayloadDigest":"8dyi62d7MDJlsLm6_w4GEgKBjzXBRwppu6qbtmAl6UjZDlZe
     aWQlBsYhOu88-ekpNXpZ2iY96zTRI229zaJ5sw",
     "TreeDigest":"7fHmkEIsPkN6sDYAOLvpIJn5Dg3PxDDAaq-ll2kh8722kokkFnZ
     QcYtjuVC71aHNXI18q-lPnfRkmwryG-bhqQ"}

Hallam-Baker             Expires August 29, 2019               [Page 38]
Internet-Draft                DARE Message                 February 2019

   Frame 3

   {
     "Index":3,
     "TreePosition":319}

   {
     "PayloadDigest":"8dyi62d7MDJlsLm6_w4GEgKBjzXBRwppu6qbtmAl6UjZDlZe
     aWQlBsYhOu88-ekpNXpZ2iY96zTRI229zaJ5sw",
     "TreeDigest":"T7S1FcrgY3AaWD4L-t5W1K-3XYkPTcOdGEGyjglTD6yMYVRVz9t
     n_KQc6GdA-P4VSRigBygV65OEd2Vv3YDhww"}

   Frame 4

   {
     "Index":4,
     "TreePosition":1451}

   {
     "PayloadDigest":"8dyi62d7MDJlsLm6_w4GEgKBjzXBRwppu6qbtmAl6UjZDlZe
     aWQlBsYhOu88-ekpNXpZ2iY96zTRI229zaJ5sw",
     "TreeDigest":"vJ6ngNATvZcXSMALi5IUqzl1GBxBnTNVcC87VL_BhMRCbAvKSj8
     gs0VFgxxLkZ2myrtaDIwhHoswiTiBMLNWug"}

   Frame 5

   {
     "Index":5,
     "TreePosition":1451}

   {
     "PayloadDigest":"8dyi62d7MDJlsLm6_w4GEgKBjzXBRwppu6qbtmAl6UjZDlZe
     aWQlBsYhOu88-ekpNXpZ2iY96zTRI229zaJ5sw",
     "TreeDigest":"T7S1FcrgY3AaWD4L-t5W1K-3XYkPTcOdGEGyjglTD6yMYVRVz9t
     n_KQc6GdA-P4VSRigBygV65OEd2Vv3YDhww"}

   Frame 6

   {
     "Index":6,
     "TreePosition":2586}

   {
     "PayloadDigest":"8dyi62d7MDJlsLm6_w4GEgKBjzXBRwppu6qbtmAl6UjZDlZe
     aWQlBsYhOu88-ekpNXpZ2iY96zTRI229zaJ5sw",
     "TreeDigest":"WgHlz3EHczVPqgtpc39Arv7CFIsCbFVsk8wg0j2qLlEfur9SZ0m
     dr65Ka-HF0Qx8gg_DAoiJwUrwADDXyxVJOg"}

Hallam-Baker             Expires August 29, 2019               [Page 39]
Internet-Draft                DARE Message                 February 2019

12.4.  Signed container

   The following example shows a tree container with a signature in the
   final record.  The signing key parameters are:

   {
     "PrivateKeyRSA":{
       "kid":"MCPPA-FZ42U-62G6A-4KQDY-2PGB3-275F2-A",
       "n":"6Mcc04EmN5ukjMOd9j7jpsSLbmQDBexDpAFRPmNxUHuzjlPnk8AZCxMYiH
     eXEgSeYMVeo2hLq46h6bJWOrqrKWDNfpKVnHKo6HPGZac3U6kJvteUreQ3X_p5Dzt
     ABEWiD4A-JgsM_zUSWk_VZcWHln5yCW8qAJdvTWNFPmIXH3QayTDtWKPNho35x1VQ
     Xk823CjjX-Uim0Ob9WWpEeobArZaEH50cdFF4kdAntzN4Kwq4YzR-Kn4AA4zuxGWD
     ungSkGeCZ2htB47-GvZn2CYjG5JtaCAVlMJ1JsZFmrr4Kp6qJemZaDbpatHGSiCUy
     Xz1xIk-Fm0sXeKQtUTx_ypXQ",
       "e":"AQAB",
       "d":"MShbXg8YEwY7ab6lzSrayI0ZJObZ_JY4cpoUnihB9c0pzhTKAtm-cChINg
     mLTbLL_4OuyLNtx30HlGKk8yIYo1ReESzDi5ZrNSu96hm2BWTdOgAs1cwsJYivqBf
     LHRvXbY6XkVEkHYEHryrM1gEw8Qci7fsb06QnTSB5rwLn_ywOi741BycfKRx0RyOc
     c2RWwOVimVUDAmmOGn6Hu0Esq_IZvHml2_KmULjtyFZshK4cQFo6c7KdEqJP2SxXJ
     inivqlSmyOQchUuFkF5D74XRzBULzyT-ZSSZgbWKK5VPmfATVUELVXkdox5rDAq1T
     ets4yoNZm9jAYxaBnYFnnXwQ",
       "p":"_jEQ0s0Al3E0VD0J2FwBoZVFsk82QiFBewL4aKgRdZWxKzucX-x8Sf_htE
     t9sQJqrL8VcLAZAX3FypOn0PtJKaVm-yOZalK8xSM9DhK42QQ0fxll3J55p9sXAzR
     0oS2vZvPOZRalAua4oVQMGmFfE-HLZqzlvgwIydqwZJghurM",
       "q":"6m8MQrIuyN9FkfDYRsBKb5gM20MmgoWdMuzdrEFujFKz_Iu4Trhf5HEPdA
     i2oBD2mWQMV0Jnz6RUM_c-QjgCzimDmju6mwMp0l3r7BT1KH-AnCdQL0tfOmqyB2P
     NfRJVXeWFKGeoWrxEU6FqHKwuZ5fb-4Pxr4K8oowKowwCU68",
       "dp":"8rYE-1N1uiUEs16o9Oc9Q31V1GFgTJqWfI-kg8HfEeiCB-bedJVJRBtI9
     y-R75-AHjxCi5wJ9GuUnc6JUblu7Y4am7gtN-GSj6YLGVH1IHqsaaPlqFfFj-pZud
     yvdGs77VDlBY8utmt5Zcnr2JCbCU_zOLHkmKfDCIKBJTxCEJM",
       "dq":"ZWS8H8ijFXwDwfgyAn--cf-IZ_jmGgOiFtl9krgGESjf8bWYdGuoBcyki
     2INYrOThIpSEBeHgLYpOQSRZ-CDzhkEc1ur_MlkeDjpBgWWdvqWbHNQafQmbsSg1T
     NkN9kLFP5lFjGnDf9paeZhV59cvq9elKzfhjJ8Va1OGHDkPL8",
       "qi":"aDVzJXJj_7Ra1C_9l18367qgpYv6GHMHPf0VSLdU-Pr_VZnLKv8-yZzzm
     KzvqJrevHhwFdI3o5WgkPZpEn70yBHqEl3904_XVFwq2IJcELekfJuPT2FtqrCsvF
     baNo5Dew26U4COOYm7i2ep0tAw1ACYvfoYJzz6HAJ4FNty5FI"}}

   The container headers and trailers are:

   Frame 0

   {
     "Index":0,
     "ContainerType":"Merkle",
     "ContentMeta":{},
     "DataEncoding":"JSON"}

   [Empty trailer]

Hallam-Baker             Expires August 29, 2019               [Page 40]
Internet-Draft                DARE Message                 February 2019

   Frame 1

   {
     "Index":1,
     "TreePosition":0}

   {
     "PayloadDigest":"8dyi62d7MDJlsLm6_w4GEgKBjzXBRwppu6qbtmAl6UjZDlZe
     aWQlBsYhOu88-ekpNXpZ2iY96zTRI229zaJ5sw",
     "TreeDigest":"T7S1FcrgY3AaWD4L-t5W1K-3XYkPTcOdGEGyjglTD6yMYVRVz9t
     n_KQc6GdA-P4VSRigBygV65OEd2Vv3YDhww"}

   Frame 2

   {
     "dig":"S512",
     "Index":2,
     "TreePosition":319}

   {
     "PayloadDigest":"8dyi62d7MDJlsLm6_w4GEgKBjzXBRwppu6qbtmAl6UjZDlZe
     aWQlBsYhOu88-ekpNXpZ2iY96zTRI229zaJ5sw",
     "TreeDigest":"7fHmkEIsPkN6sDYAOLvpIJn5Dg3PxDDAaq-ll2kh8722kokkFnZ
     QcYtjuVC71aHNXI18q-lPnfRkmwryG-bhqQ"}

12.5.  Encrypted container

   The following example shows a container in which all the frame
   payloads are encrypted under the same master secret established in a
   key agreement specified in the first frame.

   Frame 0

Hallam-Baker             Expires August 29, 2019               [Page 41]
Internet-Draft                DARE Message                 February 2019

   {
     "enc":"A256CBC",
     "Salt":"Fc_nf3yQEvdwSdd0UALUmA",
     "recipients":[{
         "kid":"MBQ6H-JWPME-H3HSZ-UVK52-NNFKJ-QQSCF-A",
         "epk":{
           "PublicKeyDH":{
             "kid":"MB375-SC7O6-VVF4W-CLGHA-NBDO5-KFYQE-A",
             "Domain":"YE6bnq1MlX5ojaJto6PLP_PEwA",
             "Public":"kUDwY_s4cWGYuRChZuFwgMaYAm-SkTtnRsbIn8CQ8ES2_tX
     6j_0pv8BhiWkOKltzLSP6TJK4zf0FIwhHY9OtPbyBHIIrXt7aDF610GojHZK_Jo56
     Qr5hhmQoOEN7lEKOckWqP1kxyPrIZaaFqLKbQZlMsPNIlm1P7ZwXIvHDwevWSxxcD
     drkutlq39TxSDKVcCkeraebAPnG5F8MUcNMKfGMgLKc9NIkoiHW5ne_FY-7xk2EyB
     fXhjUu2zn-xQmvX19r_H_U8s5Vp2tjKjt1VyTFFVKOtKnJVbVlvpIiTD-xyE-l6vi
     rMkEWS3_OfaxlxnFCAAnWXjF3YhFaR1NmNg"}},
         "wmk":"JhHpmQTRzE0abJQMDrxeE00zJtizWM3uw8LsCJduDohSkejI3tD75g"}
       ],
     "Index":0,
     "ContainerType":"List",
     "ContentMeta":{},
     "DataEncoding":"JSON"}

   [Empty trailer]

   Frame 1

   {
     "enc":"A256CBC",
     "Salt":"Ai8LZZ-SBC0_01xoTOj_1Q",
     "Index":1}

   [Empty trailer]

   Frame 2

   {
     "enc":"A256CBC",
     "Salt":"KEojFF6aVeKvsjwoAPcMYQ",
     "Index":2}

   [Empty trailer]

   Here are the container bytes.  Note that the content is now encrypted
   and has expanded by 25 bytes.  These are the salt (16 bytes), the AES
   padding (4 bytes) and the JSON-B framing (5 bytes).

Hallam-Baker             Expires August 29, 2019               [Page 42]
Internet-Draft                DARE Message                 February 2019

   f5 03 3c
   f1 03 27
   f0 10
   3c 03 f5
   f5 01 7c
   f0 47
   f1 01 30
   7c 01 f5
   f5 01 7c
   f0 47
   f1 01 30
   7c 01 f5

   The following example shows a container in which all the frame
   payloads are encrypted under separate key agreements specified in the
   payload frames.

   Frame 0

   {
     "Index":0,
     "ContainerType":"List",
     "ContentMeta":{},
     "DataEncoding":"JSON"}

   [Empty trailer]

   Frame 1

Hallam-Baker             Expires August 29, 2019               [Page 43]
Internet-Draft                DARE Message                 February 2019

   {
     "enc":"A256CBC",
     "Salt":"wBh8Sh9sxLCyCvVR77hQdA",
     "recipients":[{
         "kid":"MBQ6H-JWPME-H3HSZ-UVK52-NNFKJ-QQSCF-A",
         "epk":{
           "PublicKeyDH":{
             "kid":"MB4NV-OI7U5-DVVA6-MRRED-TWWM5-QOXCH-A",
             "Domain":"YE6bnq1MlX5ojaJto6PLP_PEwA",
             "Public":"8qRDdAjDoInDBHu_wnKE97qEH5g7z-ckqS4IrVYhQqrMOY0
     v-JBu-NuIWmaFGAWIWQyuPPfnBZ-mmbnd15r-OWor8UYoB8y4D11cTyU-tK2zxnmj
     U2ptrsYESGEkQ36WZkiowA9pclwfZja13yzmP1TkGjTTa0VkIxZasAMs6dBNV-MVW
     2t5_abxa2VP4UJ1msGpAWvGFpQAQ6fRXY9PGWHOb4Qx-TJl2CLbCdSy6tAQAoI92u
     ngTjUjoAFKdUJ9qb17BMtE9h-j43HZCJY1aqKEEwL5ZLpjNGkeGpFYbNTZcCAcEpq
     aP1wWc41WZmDYAnklm5KJtV-k_4o_s1lo4AA"}},
         "wmk":"D21ATeW3LFDoVnndoHF5RauWOTFadma_v5RdkP4qW4i6hIs8ftQR4A"}
       ],
     "Index":1}

   [Empty trailer]

   Frame 2

   {
     "enc":"A256CBC",
     "Salt":"u8cxDZjL9PsMpF39V-9xEA",
     "recipients":[{
         "kid":"MBQ6H-JWPME-H3HSZ-UVK52-NNFKJ-QQSCF-A",
         "epk":{
           "PublicKeyDH":{
             "kid":"MBMCE-OH2G3-7MAQK-LXRBT-EGP44-YBFQR-A",
             "Domain":"YE6bnq1MlX5ojaJto6PLP_PEwA",
             "Public":"tXxkcN_tJLkR1mODljurZvu_B1VELqo4oGCjhFF76R_0VJm
     MbSxnH9_wzv4-d7OHKPWzk6ewvgyzCKnMq7sGhY1wITMsdTpkSMPzCu6uzxOwQ1Nx
     mf8Vhel0UeIx6cvSWPRYfBbY33nAA2SV5UNM1Gab_NDT3odTz_3iMWrAv6MuVrYhQ
     jb2KbpBESsZhibfuPWUPtZ8IM1SrTiwPHpio0QGzl2wCFPX2mUKK9_pyZshy4iQPQ
     2yJqqpclbw3Ct4SfjmO7hlZCT8NJRMwO-w5fDUUWoZlIRLN0I81YEavZmj-Pmfgiv
     mGSWxjUlT-MXUkKm6_B1jTHj_rtkPcdDZmQA"}},
         "wmk":"cGRj2HVHBB0iGkXUgpQxf_DQpmMGmtgllUgvRjofH5dByhmJ-pnlIw"}
       ],
     "Index":2}

   [Empty trailer]

Hallam-Baker             Expires August 29, 2019               [Page 44]
Internet-Draft                DARE Message                 February 2019

13.  Appendix C: Previous Frame Function

   public long PreviousFrame (long Frame) {
       long x2 = Frame + 1;
       long d = 1;

       while (x2 > 0) {
           if ((x2 & 1) == 1) {
               return x2 == 1 ? (d / 2) - 1 : Frame - d;
               }
           d = d * 2;
           x2 = x2 / 2;
           }
       return 0;
       }

14.  Appendix D: Outstanding Issues

   The following issues need to be addressed.

   +----------------+--------------------------------------------------+
   | Issue          | Description                                      |
   +----------------+--------------------------------------------------+
   | X25519         | The examples currently use Edwards Curve25519    |
   |                | for encryption. This should be Curve25519        |
   | Indexing       | No examples are given of indexing a container    |
   | Archive        | Should include a file archive example            |
   | File Path      | Mention the file path security issue in the      |
   |                | security considerations                          |
   | Security       | Write Security considerations                    |
   | Considerations |                                                  |
   | AES-GCM        | Switch to using AES GCM in the examples          |
   | Witness        | Complete handling of witness values.             |
   +----------------+--------------------------------------------------+

                                  Table 1

15.  References

15.1.  Normative References

   [draft-hallambaker-jsonbcd]
              Hallam-Baker, P., "Binary Encodings for JavaScript Object
              Notation: JSON-B, JSON-C, JSON-D", draft-hallambaker-
              jsonbcd-13 (work in progress), July 2018.

Hallam-Baker             Expires August 29, 2019               [Page 45]
Internet-Draft                DARE Message                 February 2019

   [draft-hallambaker-mesh-udf]
              Hallam-Baker, P., "Mathematical Mesh Part II: Uniform Data
              Fingerprint.", draft-hallambaker-mesh-udf-01 (work in
              progress), February 2019.

   [IANAJOSE]
              "[Reference Not Found!]".

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC2315]  Kaliski, B., "PKCS #7: Cryptographic Message Syntax
              Version 1.5", RFC 2315, DOI 10.17487/RFC2315, March 1998.

   [RFC3394]  Schaad, J. and R. Housley, "Advanced Encryption Standard
              (AES) Key Wrap Algorithm", RFC 3394, DOI 10.17487/RFC3394,
              September 2002.

   [RFC4880]  Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R.
              Thayer, "OpenPGP Message Format", RFC 4880,
              DOI 10.17487/RFC4880, November 2007.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007.

   [RFC5869]  Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
              Key Derivation Function (HKDF)", RFC 5869,
              DOI 10.17487/RFC5869, May 2010.

   [RFC6838]  Freed, N., Klensin, J., and T. Hansen, "Media Type
              Specifications and Registration Procedures", BCP 13,
              RFC 6838, DOI 10.17487/RFC6838, January 2013.

   [RFC7159]  Bray, T., "The JavaScript Object Notation (JSON) Data
              Interchange Format", RFC 7159, DOI 10.17487/RFC7159, March
              2014.

   [RFC7515]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web
              Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May
              2015.

   [RFC7516]  Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)",
              RFC 7516, DOI 10.17487/RFC7516, May 2015.

   [RFC7517]  Jones, M., "JSON Web Key (JWK)", RFC 7517,
              DOI 10.17487/RFC7517, May 2015.

Hallam-Baker             Expires August 29, 2019               [Page 46]
Internet-Draft                DARE Message                 February 2019

   [RFC7518]  Jones, M., "JSON Web Algorithms (JWA)", RFC 7518,
              DOI 10.17487/RFC7518, May 2015.

15.2.  Informative References

   [BLOCKCHAIN]
              Chain.com, "Blockchain Specification".

   [Davis2001]
              Davis, D., "Defective Sign & Encrypt in S/MIME, PKCS#7,
              MOSS, PEM, PGP, and XML", May 2001.

   [RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
              RFC 5652, DOI 10.17487/RFC5652, September 2009.

   [ZIPFILE]  PKWARE Inc, "APPNOTE.TXT - .ZIP File Format
              Specification", October 2014.

15.3.  URIs

   [1] http://mathmesh.com/Documents/draft-hallambaker-mesh-dare.html

   [2] http://mathmesh.com/Documents/draft-hallambaker-mesh-dare.html

   [3] http://mathmesh.com/Documents/draft-hallambaker-mesh-dare.html

   [4] http://mathmesh.com/Documents/draft-hallambaker-mesh-dare.html

   [5] http://mathmesh.com/Documents/draft-hallambaker-mesh-dare.html

   [6] http://mathmesh.com/Documents/draft-hallambaker-mesh-dare.html

   [7] http://mathmesh.com/Documents/draft-hallambaker-mesh-dare.html

Author's Address

   Phillip Hallam-Baker

   Email: phill@hallambaker.com

Hallam-Baker             Expires August 29, 2019               [Page 47]