major changes: added hash commit, SAS, retained secret, other secret, more HMAC...

git-svn-id: file:///home/ksmith/gitmigration/svn/xmpp/trunk@208 4b5297f7-1745-476d-ba37-a9c6900126ab
Ian Paterson 2006-11-23 20:24:50 +00:00
parent e3da935f20
commit 4388de65c9
1 changed files with 136 additions and 127 deletions


@ -9,12 +9,8 @@
<!ENTITY Hsube "He">
<!ENTITY AIDsubA "AID<span class='sub'>A</span>">
<!ENTITY AIDsubB "AID<span class='sub'>B</span>">
<!ENTITY RSsubA "RS<span class='sub'>A</span>">
<!ENTITY RSsubB "RS<span class='sub'>B</span>">
<!ENTITY HsubRSA "Hrs<span class='sub'>A</span>">
<!ENTITY HsubRSB "Hrs<span class='sub'>B</span>">
<!ENTITY OSsubA "OS<span class='sub'>A</span>">
<!ENTITY OSsubB "OS<span class='sub'>B</span>">
<!ENTITY HsubOSA "Hos<span class='sub'>A</span>">
<!ENTITY HsubOSB "Hos<span class='sub'>B</span>">
<!ENTITY isPKsubA "isPK<span class='sub'>A</span>">
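Review bot: dropping the RSsubA, RSsubB, OSsubA and OSsubB entity declarations is only safe if every `&RSsubA;`-style reference in the file goes in the same commit; an undefined entity makes the whole XEP fail to parse rather than render with a typo. The table rows and the protocol listings below do remove their uses, so this looks consistent, but the build should be run once before merging to confirm no stray reference survives.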
@ -67,7 +63,7 @@
<xep>
<header>
<title>Cryptographic Design of Encrypted Sessions</title>
<abstract>This document describes the requirements and cryptographic design that underpin the XMPP protocol extensions Encrypted Sessions and Offline Encrypted Sessions.</abstract>
<abstract>This document describes the requirements and cryptographic design that underpin the XMPP protocol extensions Encrypted Session Negotiation, Offline Encrypted Sessions and Stanza Encryption.</abstract>
&LEGALNOTICE;
<number>0188</number>
<status>Experimental</status>
@ -75,6 +71,7 @@
<jig>Standards JIG</jig>
<dependencies>
<spec>XMPP Core</spec>
<spec>XMPP IM</spec>
<spec>RFC 2104</spec>
</dependencies>
<supersedes>None</supersedes>
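Review bot: adding RFC 2104 as a dependency matches the switch to HMAC below, but RFC 2104 specifies HMAC as a message authentication code, whereas the listings also use it as a key-derivation PRF (`HMAC(HASH, K, "Initiator Cipher Key")` and friends). A sentence in the text saying that HMAC is deliberately used as a PRF for key derivation would pre-empt the obvious reviewer question.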
@ -102,7 +99,7 @@
</header>
<section1 topic='Introduction' anchor='intro'>
<p><em>Note: The protocols developed according to the requirements and cryptographic design described in this document are described in &xep0116; and &xep0187;. The information in those documents should be sufficient for implementors. This purely informative document is primarily for people interested in the design and analysis of those protocols.</em></p>
<p><em>Note: The protocols developed according to the requirements and cryptographic design described in this document are described in &xep0116;, &xep0187; and &xep0200;. The information in those documents should be sufficient for implementors. This purely informative document is primarily for people interested in the design and analysis of those protocols.</em></p>
<p>As specified in &rfc3920;, XMPP is an XML streaming protocol that enables the near-real-time exchange of XML fragments between any two (or more) network endpoints. To date, the main application built on top of the core XML streaming layer is instant messaging (IM) and presence, the base extensions for which are specified in &rfc3921;. There are three first-level elements of XML streams (&MESSAGE;, &PRESENCE;, and &IQ;); each of these "XML stanza" types has different semantics, which can complicate the task of defining a generalized approach to end-to-end encryption for XMPP. In addition, XML stanzas can be extended (via properly-namespaced child elements) for a wide variety of functionality.</p>
<p>XMPP is a session-oriented communication technology: normally, a client authenticates with a server and maintains a long-lived connection that defines the client's XMPP session. Such stream-level sessions may be secured via channel encryption using Transport Level Security (&rfc2246;), as specified in Section 5 of <cite>RFC 3920</cite>. However, there is no guarantee that all hops will implement or enforce channel encryption (or that intermediate servers are trustworthy), which makes end-to-end encryption desirable.</p>
<p>The encrypted stanzas should be understood by an intermediate server only to the extent required to route them. (One complicating factor is that routing information may include not only the stanza's 'to', 'from', 'type, and 'id' attributes, but also &xep0079; extensions.)</p>
@ -122,7 +119,7 @@
<section1 topic='The Session Approach' anchor='approach'>
<p>Existing approaches to encryption of Internet communications have generally assumed that the "thing" to be encrypted has a stable identity or is best understood as a standalone object (e.g., a file or email message); the term "object encryption" well captures this assumption. Both &xep0027; and &rfc3923; assume that XMPP communications are more like the exchange of email messages than they are like an interactive session -- while <cite>Current Jabber OpenPGP Usage</cite> uses "old-style" PGP object encryption and <cite>RFC 3923</cite> uses "new-style" S/MIME object encryption, both specify the use of object encryption. <!--(Another object encryption technology is &w3xmlsig;, which was rejected as a possible approach to end-to-end encryption for XMPP systems because of its inherent complexity and difficulty of implementation.)--></p>
<p>However, because XMPP is a session-oriented communication technology, encryption schemes that are appropriate for other Internet technologies may not be appropriate for XMPP. XMPP, with its in-order delivery of XML stanzas, is able to take advantage of more secure approaches to encryption (including Perfect Forward Secrecy) that are not feasible for less dynamic technologies (like email).</p>
<p>However, because XMPP is a session-oriented communication technology, encryption schemes that are appropriate for other Internet technologies may not be appropriate for XMPP. XMPP, with its in-order delivery of XML stanzas, is able to take advantage of much more secure approaches to encryption (including Perfect Forward Secrecy) that are not feasible for less dynamic technologies (like email).</p>
<p>The session-oriented nature of XMPP implies that the focus should be on "session encryption" rather than "object encryption". The paradigm for XMPP encryption should be something closer to the widely-deployed Secure Shell technology (see &rfc4301; and &rfc4253;) or &zrtp; (an acclaimed &rfc3711; key agreement protocol) than to traditional encryption of files and standalone email messages.</p>
<p>Therefore, this document specifies a method for encrypted sessions ("ESessions") that takes advantage of the inherent possibilities and strengths of session encryption as opposed to object encryption. The conceptual model for this approach was inspired by "off-the-record" (OTR) communication, as implemented in the Gaim encryption plugin and described in &otr;. The basic concept is that of an encrypted session which acts as a secure tunnel between two endpoints. Once the tunnel is established, the content of all one-to-one XML stanzas exchanged between the endpoints will be encrypted and then transmitted within a "wrapper" protocol element.</p>
<p>Note: In order to gain a thorough understanding of this document, it is recommended that the <cite>Off-the-Record Communication</cite> paper and the <cite>ZRTP</cite> Internet-Draft are read first.</p>
@ -134,7 +131,7 @@
<li>"Alice" is the name of the initiator of the ESession.</li>
<li>"Bob" is the name of the other participant in the ESession started by Alice.</li>
</ol>
<p>While Alice and Bob are introduced as "end users", they are simply meant to be examples of Jabber entities. Any directly addressable Jabber entity may participate in an ESession.</p>
<p>While Alice and Bob are introduced as "end users", they are simply meant to be examples of XMPP entities. Any directly addressable XMPP entity may participate in an ESession.</p>
</section1>
<section1 topic='Requirements' anchor='reqs'>
@ -333,20 +330,20 @@
<td>The MAC values that Alice and Bob use to confirm the integrity of encrypted data</td>
</tr>
<tr>
<td>&RSsubA;, &RSsubB;</td>
<td>Retained secrets of Alice and Bob (derived from K in previous session)</td>
<td>RS</td>
<td>Retained secret (derived from K in previous session)</td>
</tr>
<tr>
<td>&HsubRSA;, &HsubRSB;</td>
<td>Hashes of retained secrets of Alice and Bob</td>
<td>Alice and Bob's hashes of the retained secret</td>
</tr>
<tr>
<td>&OSsubA;, &OSsubB;</td>
<td>Other secrets of Alice and Bob (e.g. hashes of known strings and a shared password)</td>
<td>OS</td>
<td>Other secret of Alice and Bob (e.g. a shared password)</td>
</tr>
<tr>
<td>&HsubOSA;, &HsubOSB;</td>
<td>Hashes of other secrets of Alice and Bob</td>
<td>Alice and Bob's hashes of the other secret</td>
</tr>
<tr>
<td>&isPKsubA;, &isPKsubB;</td>
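Review bot: the new descriptions "Alice and Bob's hashes of the retained secret" and "Alice and Bob's hashes of the other secret" no longer match how the values are computed in the listings, which use keyed hashes, `HMAC(HASH, RS, "Initiator")` and `HMAC(HASH, OS, "Initiator")`; say "HMACs of" (or "keyed hashes of") so the table and the listings agree. Also, now that OS is described simply as "a shared password", note that its HMAC is transmitted in the clear (it is part of form2A in the later listing), so if OS is a human-chosen password the document should state how it is salted or stretched before use, or callers will treat the value as stronger than it is.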
@ -393,12 +390,12 @@
&gsupy;
&lt;------------
SAS = <em>truncate</em>(HASH(&gsupx;, &gsupy;))
SAS = <em>truncate</em>(HASH(&gsupx; | &gsupy;))
&gsupx;
------------&gt;
<em>assert</em> H&gsupx; = HASH(&gsupx;)
SAS = <em>truncate</em>(HASH(&gsupx;, &gsupy;))
SAS = <em>truncate</em>(HASH(&gsupx; | &gsupy;))
SAS
&lt;===========&gt;
</pre>
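Review bot: `SAS = truncate(HASH(g^x | g^y))` here carries no domain-separation label, while the SIGMA listing further down uses `HASH(e | d | "Short Authentication String")` and the multi-option listing uses plain `HASH(e | d)`; the SAS derivation now appears in three different forms. Pick one (the labelled one keeps the SAS input distinct from the other HASH inputs built from the same DH values) and use it in every listing.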
@ -417,12 +414,12 @@ SAS = <em>truncate</em>(HASH(&gsupx;, &gsupy;))
&macA; = <em>HMAC</em>(&KSsubA;, {&gsupy;, &gsupx;, &pubKeyA;})
&signA; = <em>sign</em>(&signKeyA;, &macA;)
&IDA; = <em>cipher</em>(&KCsubA;, {&pubKeyA;, &signA;})
SAS = <em>truncate</em>(HASH(&gsupx;, &gsupy;))
SAS = <em>truncate</em>(HASH(&gsupx; | &gsupy;))
&gsupx;, &IDA;
------------&gt;
<em>assert</em> H&gsupx; = HASH(&gsupx;)
SAS = <em>truncate</em>(HASH(&gsupx;, &gsupy;))
SAS = <em>truncate</em>(HASH(&gsupx; | &gsupy;))
SAS
&lt;===========&gt;
@ -453,12 +450,12 @@ e = &gsupx; mod p
&NsubB; = <em>random</em>()
<span class='highlight'><em>assert</em> 1 &lt; e &lt; p-1
K = HASH(&esupy; mod p)
&KCsubA; = HASH(0, K)
&KCsubB; = HASH(1, K)
&KMsubA; = HASH(2, K)
&KMsubB; = HASH(3, K)
&KSsubA; = HASH(4, K)
&KSsubB; = HASH(5, K)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
&KMsubB; = <em>HMAC</em>(HASH, K, "Responder MAC Key")
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &CsubA;})
&signB; = <em>sign</em>(&signKeyB;, &macB;)
&IDB; = <em>cipher</em>(&KCsubB;, &CsubB;, {&pubKeyB;, &signB;})
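Review bot: the HMAC form introduced in this hunk, `HMAC(HASH, key, data)`, differs from the two-argument form still used in the SAS-only listing above, `macA = HMAC(KS_A, {g^y, g^x, pubKey_A})`. Either update that earlier line to `HMAC(HASH, KS_A, {...})` or state once that HASH is implicit, so readers do not wonder whether a different MAC is intended there.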
@ -469,12 +466,12 @@ e = &gsupx; mod p
&CBeCAx2n1;&#160;
<em>assert</em> 1 &lt; d &lt; p-1
K = HASH(&dsupx; mod p)
&KCsubA; = HASH(0, K)
&KCsubB; = HASH(1, K)
&KMsubA; = HASH(2, K)
&KMsubB; = HASH(3, K)
&KSsubA; = HASH(4, K)
&KSsubB; = HASH(5, K)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
&KMsubB; = <em>HMAC</em>(HASH, K, "Responder MAC Key")
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
<span class='highlight'><em>assert</em>&#160;&MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)
{&pubKeyB;, &signB;} = <em>decipher</em>(&KCsubB;, &CsubB;, &IDB;)
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &CsubA;})
@ -504,7 +501,7 @@ K = HASH(&dsupx; mod p)
&NsubA; = <em>random</em>()
x = <em>random</em>()
e = &gsupx; mod p
<span class='highlight'>&Hsube; = HASH(e, &NsubA;)
<span class='highlight'>&Hsube; = HASH(e | &NsubA;)
&Hsube;, &isPKsubA;</span>
------------&gt;
&NsubA;&#160;
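Review bot: the commitment `He = HASH(e | N_A)` does not cover `isPK_A`, even though the flag travels in the same message (`He, isPK_A`). The multi-option listing later in this commit changes the commitment to `HASH(e | options | N_A | isPK_A)`, which does bind the flag. If the flag is meant to be protected by the hash commit, include it here as well; if not, a sentence explaining why it is safe to leave it outside would help.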
@ -519,14 +516,16 @@ e = &gsupx; mod p
&CBeCAx2n1;&#160;
<em>assert</em> 1 &lt; d &lt; p-1
K = HASH(&dsupx; mod p)
&KCsubA; = HASH(0, K)
&KCsubB; = HASH(1, K)
&KMsubA; = HASH(2, K)
&KMsubB; = HASH(3, K)
&KSsubA; = HASH(4, K)
&KSsubB; = HASH(5, K)
<span class='highlight'>SAS = <em>truncate</em>(HASH(e, d))
<em>if</em>&#160;&isPKsubA;&#160;<em>is false:</em>&#160;
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
&KMsubB; = <em>HMAC</em>(HASH, K, "Responder MAC Key")
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
<span class='highlight'>SAS = <em>truncate</em>(HASH(e | d | "Short Authentication String"))
&HsubRSA; = <em>HMAC</em>(HASH, RS, "Initiator")
&HsubOSA; = <em>HMAC</em>(HASH, OS, "Initiator")
<em>if</em>&#160;&isPKsubA;&#160;<em>equals false then:</em>&#160;
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &AIDsubA;, &HsubRSA;, &HsubOSA;})
&IDA; = <em>cipher</em>(&KCsubA;, &CsubA;, {&AIDsubA;, &macA;})
<em>else:</em></span>&#160;
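Review bot: `H_RS_A = HMAC(HASH, RS, "Initiator")` and `H_OS_A = HMAC(HASH, OS, "Initiator")` are computed unconditionally, but the table defines RS as "derived from K in previous session", so in a first session RS has no value, and OS may likewise be absent. The listing should state what is used in that case (an empty or fixed value, or the step skipped) so that both parties compute the same thing.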
@ -537,34 +536,39 @@ K = HASH(&dsupx; mod p)
&IDA;, &MsubA;, <span class='highlight'>e</span>
------------&gt;
<span class='highlight'>&HsubRSA;, &HsubOSA;&#160;
<em>assert</em>&#160;&Hsube; = HASH(e, &NsubA;)
SAS = <em>truncate</em>(HASH(e, d))
<em>assert</em>&#160;&Hsube; = HASH(e | &NsubA;)
SAS = <em>truncate</em>(HASH(e | d | "Short Authentication String") ))
SAS
&lt;===========&gt;
<em>assert</em> 1 &lt; e &lt; p-1
K = HASH(&esupy; mod p)
&KCsubA; = HASH(0, K)
&KCsubB; = HASH(1, K)
&KMsubA; = HASH(2, K)
&KMsubB; = HASH(3, K)
&KSsubA; = HASH(4, K)
&KSsubB; = HASH(5, K)</span>&#160;
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
&KMsubB; = <em>HMAC</em>(HASH, K, "Responder MAC Key")
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")</span>&#160;
<em>assert</em>&#160;&MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
<span class='highlight'><em>if</em>&#160;&isPKsubA;&#160;<em>is false:</em>&#160;
<span class='highlight'><em>if</em>&#160;&isPKsubA;&#160;<em>equals false then:</em>&#160;
{&AIDsubA;, &macA;} = <em>decipher</em>(&KCsubA;, &CsubA;, &IDA;)
<em>assert</em>&#160;&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &AIDsubA;, &HsubRSA;, &HsubOSA;})
<em>else:</em></span>&#160;
{&pubKeyA;, &signA;} = <em>decipher</em>(&KCsubA;, &CsubA;, &IDA;)
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &HsubRSA;, &HsubOSA;})
<em>verify</em>(&signA;, &pubKeyA;, &macA;)
<span class='highlight'><em>assert</em>&#160;&HsubRSA; = HASH(&RSsubA;)
<em>assert</em>&#160;&HsubOSA; = HASH(&OSsubA;)
&KCsubA; = HASH(&KCsubA;, &RSsubA;, &OSsubA;)
&KCsubB; = HASH(&KCsubB;, &RSsubB;, &OSsubB;)
&RSsubA; = HASH(6, K)
&RSsubB; = HASH(7, K)
<em>if</em>&#160;&isPKsubB;&#160;<em>is false:</em>&#160;
<span class='highlight'>&HsubRSB; = <em>HMAC</em>(HASH, RS, "Responder")
&HsubOSB; = <em>HMAC</em>(HASH, OS, "Responder")
<em>assert</em>&#160;&HsubRSA; = <em>HMAC</em>(HASH, RS, "Initiator")
<em>assert</em>&#160;&HsubOSA; = <em>HMAC</em>(HASH, OS, "Initiator")
K = HASH(K | RS | OS)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
&KMsubB; = <em>HMAC</em>(HASH, K, "Responder MAC Key")
&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
RS = <em>HMAC</em>(HASH, K, "Retained Secret")
<em>if</em>&#160;&isPKsubB;&#160;<em>equals false then:</em>&#160;
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &AIDsubB;, &CsubA;, &HsubRSB;, &HsubOSB;})
&IDB; = <em>cipher</em>(&KCsubB;, &CsubB;, {&AIDsubB;, &macB;})&#160;
<em>else:</em>&#160;
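Review bot: `SAS = truncate(HASH(e | d | "Short Authentication String") ))` has one closing parenthesis too many; it should read `SAS = truncate(HASH(e | d | "Short Authentication String"))`. Separately, the ordering is right but subtle: `H_RS_B` and `H_OS_B` are computed from the old RS before `K = HASH(K | RS | OS)` and the new `RS = HMAC(HASH, K, "Retained Secret")` replace it, and Alice checks them against her old RS before rekeying in the next hunk. A short comment marking "old RS" versus "new RS" would keep that from being broken by a later reordering.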
@ -576,20 +580,23 @@ K = HASH(&dsupx; mod p)
&lt;------------
&HsubRSB;, &HsubOSB;&#160;
<em>assert</em>&#160;&HsubRSB; = <em>HMAC</em>(HASH, RS, "Responder")
<em>assert</em>&#160;&HsubOSB; = <em>HMAC</em>(HASH, OS, "Responder")
K = HASH(K | RS | OS)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
&KMsubB; = <em>HMAC</em>(HASH, K, "Responder MAC Key")
&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
RS = <em>HMAC</em>(HASH, K, "Retained Secret")
<em>assert</em>&#160;&MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)
<em>if</em>&#160;&isPKsubB;&#160;<em>is false:</em>&#160;
<em>if</em>&#160;&isPKsubB;&#160;<em>equals false then:</em>&#160;
<span class='highlight'>{&AIDsubB;, &macB;} = <em>decipher</em>(&KCsubB;, &CsubB;, &IDB;)
<em>assert</em>&#160;&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &AIDsubB;, &CsubA;, &HsubRSB;, &HsubOSB;})
<em>else:</em></span>&#160;
{&pubKeyB;, &signB;} = <em>decipher</em>(&KCsubB;, &CsubB;, &IDB;)
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &CsubA;, &HsubRSB;, &HsubOSB;})
<em>verify</em>(&signB;, &pubKeyB;, &macB;)
<em>assert</em>&#160;&HsubRSB; = HASH(&RSsubB;)
<em>assert</em>&#160;&HsubOSB; = HASH(&OSsubB;)
&KCsubA; = HASH(&KCsubA;, &RSsubA;, &OSsubA;)
&KCsubB; = HASH(&KCsubB;, &RSsubB;, &OSsubB;)
&RSsubA; = HASH(6, K)
&RSsubB; = HASH(7, K)</span>
<em>verify</em>(&signB;, &pubKeyB;, &macB;)</span>
</pre>
</section2>
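Review bot: this listing treats a retained-secret mismatch as fatal, `assert H_RS_B = HMAC(HASH, RS, "Responder")`, whereas the multi-option listing later in the commit uses `if H_RS_B equals HMAC(HASH, RS, "Responder") then: K = HASH(K | RS)` and simply skips the mixing on mismatch. The two variants should agree on whether a party that has lost its retained secret can still complete the session; if a fallback is intended, use the conditional form here too, otherwise make the later listing assert.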
@ -606,7 +613,7 @@ K = HASH(&dsupx; mod p)
</tr>
<tr>
<td>options</td>
<td>Includes a set of possible values for each and every ESession parameter (see the ESession Request sub-section in <cite>Encrypted Sessions</cite>), including sets of possible values for p, g, HASH, CIPHER, SIGN</td>
<td>Includes a set of possible values for each and every ESession parameter (see the ESession Request sub-section in <cite>Encrypted Session Negotiation</cite>), including sets of possible values for p, g, HASH, CIPHER, SIGN</td>
</tr>
<tr>
<td>chosen</td>
@ -679,12 +686,12 @@ K = HASH(&dsupx; mod p)
&formB; = {&CsubA;, chosen, d, &NsubA;, &NsubB;}
<span class='highlight'><em>assert</em> 1 &lt; e &lt; p-1
K = HASH(&esupy; mod p)
&KCsubA; = HASH(0, K)
&KCsubB; = HASH(1, K)
&KMsubA; = HASH(2, K)
&KMsubB; = HASH(3, K)
&KSsubA; = HASH(4, K)
&KSsubB; = HASH(5, K)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
&KMsubB; = <em>HMAC</em>(HASH, K, "Responder MAC Key")
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;})
&signB; = SIGN(&signKeyB;, &macB;)
&IDB; = CIPHER(&KCsubB;, &CsubB;, {&pubKeyB;, &signB;})
@ -698,13 +705,13 @@ e = &gsupx; mod p
&CBeCAx2n1;&#160;
<em>assert</em> 1 &lt; d &lt; p-1
K = HASH(&dsupx; mod p)
&KCsubA; = HASH(0, K)
&KCsubB; = HASH(1, K)
&KMsubA; = HASH(2, K)
&KMsubB; = HASH(3, K)
&KSsubA; = HASH(4, K)
&KSsubB; = HASH(5, K)
<span class='highlight'><em>assert</em>&#160;&MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
<span class='highlight'>&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")</span>&#160;
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
<span class='highlight'>&KMsubB; = <em>HMAC</em>(HASH, K, "Responder MAC Key")</span>&#160;
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
<span class='highlight'>&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
<em>assert</em>&#160;&MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)
{&pubKeyB;, &signB;} = DECIPHER(&KCsubB;, &CsubB;, &IDB;)
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;})
VERIFY(&signB;, &pubKeyB;, &macB;)</span>&#160;
@ -731,7 +738,7 @@ VERIFY(&signB;, &pubKeyB;, &macB;)</span>&#160;
<em>for</em> g,p &#8712; options
x = <em>random</em>()
e = &gsupx; mod p
<span class='highlight'>He = HASH(e, &NsubA;)</span>&#160;
<span class='highlight'>He = HASH(e | options | &NsubA; | &isPKsubA;)</span>&#160;
&form1A; = {<span class='highlight'>&He1HeZ;</span>, options, &NsubA;, <span class='highlight'>&isPKsubA;</span>}
&form1A;
@ -753,15 +760,14 @@ e = &gsupx; mod p
&CBeCAx2n1;&#160;
<em>assert</em> 1 &lt; d &lt; p-1
K = HASH(&dsupx; mod p)
&KCsubA; = HASH(0, K)
&KCsubB; = HASH(1, K)
&KMsubA; = HASH(2, K)
&KMsubB; = HASH(3, K)
&KSsubA; = HASH(4, K)
&KSsubB; = HASH(5, K)
<span class='highlight'>SAS = <em>truncate</em>(HASH(e, d))
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
<span class='highlight'>SAS = <em>truncate</em>(HASH(e | d))
&HsubRSA; = <em>HMAC</em>(HASH, RS, "Initiator")
&HsubOSA; = <em>HMAC</em>(HASH, OS, "Initiator")
&form2A; = {e, &NsubB;, &HsubRSA;, &HsubOSA;}
<em>if</em>&#160;&isPKsubA;&#160;<em>equals false:</em>&#160;
<em>if</em>&#160;&isPKsubA;&#160;<em>equals false then:</em>&#160;
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, &form2A;, &AIDsubA;, &form1A;})
&IDA; = CIPHER(&KCsubA;, &CsubA;, {&AIDsubA;, &macA;})
<em>else:</em>&#160;</span>&#160;
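Review bot: `SAS = truncate(HASH(e | d))` here omits the `"Short Authentication String"` label that the SIGMA listing above adds to the same derivation. Use the same form in both places, otherwise implementors following different sections will produce different SAS values for the same session.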
@ -774,37 +780,38 @@ K = HASH(&dsupx; mod p)
------------&gt;
<span class='highlight'>&form2A;&#160;
<em>assert</em>&#160;&Hsube; = HASH(e, &NsubA;)
SAS = <em>truncate</em>(HASH(e, d))
<em>assert</em>&#160;&Hsube; = HASH(e | options | &NsubA; | &isPKsubA;)
SAS = <em>truncate</em>(HASH(e | d))
SAS
&lt;===========&gt;
<em>assert</em> 1 &lt; e &lt; p-1
K = HASH(&esupy; mod p)
&KCsubA; = HASH(0, K)
&KCsubB; = HASH(1, K)
&KMsubA; = HASH(2, K)
&KMsubB; = HASH(3, K)
&KSsubA; = HASH(4, K)
&KSsubB; = HASH(5, K)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
</span><em>assert</em>&#160;&MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
<span class='highlight'><em>if</em>&#160;&isPKsubA;&#160;<em>equals false:</em>&#160;
<span class='highlight'><em>if</em>&#160;&isPKsubA;&#160;<em>equals false then:</em>&#160;
{&AIDsubA;, &macA;} = DECIPHER(&KCsubA;, &CsubA;, &IDA;)
<em>assert</em>&#160;&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, &form2A;, &AIDsubA;, &form1A;})
<em>else:</em></span>&#160;
{&pubKeyA;, &signA;} = DECIPHER(&KCsubA;, &CsubA;, &IDA;)
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, &form2A;, &pubKeyA;, &form1A;})
VERIFY(&signA;, &pubKeyA;, &macA;)
<span class='highlight'><em>if</em>&#160;&HsubOSA;&#160;<em>equals</em> HASH(&OSsubA;)
&KCsubA; = HASH(&KCsubA;, &OSsubA;)
&KCsubB; = HASH(&KCsubB;, &OSsubB;)
<em>if</em>&#160;&HsubRSA;&#160;<em>equals</em> HASH(&RSsubA;)
&KCsubA; = HASH(&KCsubA;, &RSsubA;)
&KCsubB; = HASH(&KCsubB;, &RSsubB;)
&RSsubA; = HASH(6, K)
&RSsubB; = HASH(7, K)
<span class='highlight'>&HsubRSB; = <em>HMAC</em>(HASH, RS, "Responder")
&HsubOSB; = <em>HMAC</em>(HASH, OS, "Responder")
&form2B; = {&NsubA;, &HsubRSB;, &HsubOSB;}
<em>if</em>&#160;&isPKsubB;&#160;<em>equals false:</em>&#160;
<em>if</em>&#160;&HsubOSA;&#160;<em>equals</em>&#160;<em>HMAC</em>(HASH, OS, "Initiator") <em>then</em>:
K = HASH(K | OS)
<em>if</em>&#160;&HsubRSA;&#160;<em>equals</em>&#160;<em>HMAC</em>(HASH, RS, "Initiator") <em>then</em>:
K = HASH(K | RS)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
&KMsubB; = <em>HMAC</em>(HASH, K, "Responder MAC Key")
&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
RS = <em>HMAC</em>(HASH, K, "Retained Secret")
<em>if</em>&#160;&isPKsubB;&#160;<em>equals false then:</em>&#160;
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &AIDsubB;, &form1B;, &form2B;})
&IDB; = CIPHER(&KCsubB;, &CsubB;, {&AIDsubB;, &macB;})&#160;
<em>else:</em>&#160;
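Review bot: the conditional mixing, `if H_OS_A equals HMAC(HASH, OS, "Initiator") then: K = HASH(K | OS)`, silently continues when the check fails, so a session whose shared password did not match ends up keyed only by the DH secret. The text should say explicitly whether that silent fallback is intended, because it removes exactly the protection the other secret was added for; if the password is required, this should abort. Minor style point: `<em>then</em>:` puts the colon outside the emphasis while the surrounding lines use `<em>equals false then:</em>`.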
@ -817,22 +824,24 @@ K = HASH(&dsupx; mod p)
&lt;------------
&form2B;&#160;
<em>if</em>&#160;&HsubOSB;&#160;<em>equals</em>&#160;<em>HMAC</em>(HASH, OS, "Responder") <em>then</em>:
K = HASH(K | OS)
<em>if</em>&#160;&HsubRSB;&#160;<em>equals</em>&#160;<em>HMAC</em>(HASH, RS, "Responder") <em>then</em>:
K = HASH(K | RS)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
&KMsubB; = <em>HMAC</em>(HASH, K, "Responder MAC Key")
&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
RS = <em>HMAC</em>(HASH, K, "Retained Secret")
<em>assert</em>&#160;&MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)
<em>if</em>&#160;&isPKsubB;&#160;<em>equals false:</em>&#160;
<em>if</em>&#160;&isPKsubB;&#160;<em>equals false then:</em>&#160;
{&AIDsubB;, &macB;} = DECIPHER(&KCsubB;, &CsubB;, &IDB;)
<em>assert</em>&#160;&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &AIDsubB;, &form1B;, &form2B;})
<em>else:</em>&#160;
{&pubKeyB;, &signB;} = DECIPHER(&KCsubB;, &CsubB;, &IDB;)
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &form1B;, &form2B;})
VERIFY(&signB;, &pubKeyB;, &macB;)
<em>if</em>&#160;&HsubOSB;&#160;<em>equals</em> HASH(&OSsubB;)
&KCsubA; = HASH(&KCsubA;, &OSsubA;)
&KCsubB; = HASH(&KCsubB;, &OSsubB;)
<em>if</em>&#160;&HsubRSB;&#160;<em>equals</em> HASH(&RSsubB;)
&KCsubA; = HASH(&KCsubA;, &RSsubA;)
&KCsubB; = HASH(&KCsubB;, &RSsubB;)
&RSsubA; = HASH(6, K)
&RSsubB; = HASH(7, K)</span>
VERIFY(&signB;, &pubKeyB;, &macB;)</span>
</pre>
</section2>
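Review bot: after `K = HASH(K | RS)` the listing re-derives every key except `KS_A` (the Initiator SIGMA key), and the same omission appears in the SIGMA listing above. That is consistent with `KS_A` only being used before the retained and other secrets are mixed in, but the listing should say so in one sentence, since a reader comparing this block with the six-line derivation elsewhere will otherwise read it as a missing line.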
@ -874,12 +883,12 @@ K = HASH(&dsupx; mod p)
&formB; = {&CsubA;, chosen, d, &NsubA;, &NsubB;}
<em>assert</em> 1 &lt; e &lt; p-1
K = HASH(&esupy; mod p)
&KCsubA; = HASH(0, K)
&KCsubB; = HASH(1, K)
&KMsubA; = HASH(2, K)
&KMsubB; = HASH(3, K)
&KSsubA; = HASH(4, K)
&KSsubB; = HASH(5, K)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
&KMsubB; = <em>HMAC</em>(HASH, K, "Responder MAC Key")
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;})
&signB; = SIGN(&signKeyB;, &macB;)
&IDB; = CIPHER(&KCsubB;, &CsubB;, {&pubKeyB;, &signB;})
@ -904,12 +913,12 @@ e = &gsupx; mod p
&CBeCAx2n1;&#160;
<em>assert</em> 1 &lt; d &lt; p-1
K = HASH(&dsupx; mod p)
&KCsubA; = HASH(0, K)
&KCsubB; = HASH(1, K)
&KMsubA; = HASH(2, K)
&KMsubB; = HASH(3, K)
&KSsubA; = HASH(4, K)
&KSsubB; = HASH(5, K)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
&KMsubB; = <em>HMAC</em>(HASH, K, "Responder MAC Key")
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
<em>assert</em>&#160;&MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)
{&pubKeyB;, &signB;} = DECIPHER(&KCsubB;, &CsubB;, &IDB;)
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;})
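Review bot: the six-line key derivation (`KC_A`, `KC_B`, `KM_A`, `KM_B`, `KS_A`, `KS_B` from K) is now repeated verbatim in every listing, and this commit had to edit each copy to change the labels, which is where the "136 additions and 127 deletions" mostly come from. Defining the derivation once as a named step and referring to it from each listing would make the next label change a one-line edit and remove the risk of the copies drifting apart.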
@ -920,7 +929,7 @@ VERIFY(&signB;, &pubKeyB;, &macB;)
</section1>
<section1 topic='Security Considerations' anchor='sec'>
<p>The security considerations are described in <cite>Encrypted Sessions</cite> and <cite>Offline Encrypted Sessions</cite>.</p>
<p>The security considerations are described in <cite>Encrypted Session Negotiation</cite> and <cite>Offline Encrypted Sessions</cite>.</p>
</section1>
<section1 topic='IANA Considerations' anchor='iana'>