diff --git a/xep-0188.xml b/xep-0188.xml index 2fe434cc..64aabce1 100644 --- a/xep-0188.xml +++ b/xep-0188.xml @@ -9,12 +9,8 @@ A"> B"> -A"> -B"> A"> B"> -A"> -B"> A"> B"> A"> @@ -67,7 +63,7 @@
Cryptographic Design of Encrypted Sessions - This document describes the requirements and cryptographic design that underpin the XMPP protocol extensions Encrypted Sessions and Offline Encrypted Sessions. + This document describes the requirements and cryptographic design that underpin the XMPP protocol extensions Encrypted Session Negotiation, Offline Encrypted Sessions and Stanza Encryption. &LEGALNOTICE; 0188 Experimental @@ -75,6 +71,7 @@ Standards JIG XMPP Core + XMPP IM RFC 2104 None @@ -102,7 +99,7 @@
-

Note: The protocols developed according to the requirements and cryptographic design described in this document are described in &xep0116; and &xep0187;. The information in those documents should be sufficient for implementors. This purely informative document is primarily for people interested in the design and analysis of those protocols.

+

Note: The protocols developed according to the requirements and cryptographic design described in this document are described in &xep0116;, &xep0187; and &xep0200;. The information in those documents should be sufficient for implementors. This purely informative document is primarily for people interested in the design and analysis of those protocols.

As specified in &rfc3920;, XMPP is an XML streaming protocol that enables the near-real-time exchange of XML fragments between any two (or more) network endpoints. To date, the main application built on top of the core XML streaming layer is instant messaging (IM) and presence, the base extensions for which are specified in &rfc3921;. There are three first-level elements of XML streams (&MESSAGE;, &PRESENCE;, and &IQ;); each of these "XML stanza" types has different semantics, which can complicate the task of defining a generalized approach to end-to-end encryption for XMPP. In addition, XML stanzas can be extended (via properly-namespaced child elements) for a wide variety of functionality.

XMPP is a session-oriented communication technology: normally, a client authenticates with a server and maintains a long-lived connection that defines the client's XMPP session. Such stream-level sessions may be secured via channel encryption using Transport Level Security (&rfc2246;), as specified in Section 5 of RFC 3920. However, there is no guarantee that all hops will implement or enforce channel encryption (or that intermediate servers are trustworthy), which makes end-to-end encryption desirable.

The encrypted stanzas should be understood by an intermediate server only to the extent required to route them. (One complicating factor is that routing information may include not only the stanza's 'to', 'from', 'type, and 'id' attributes, but also &xep0079; extensions.)

@@ -122,7 +119,7 @@

Existing approaches to encryption of Internet communications have generally assumed that the "thing" to be encrypted has a stable identity or is best understood as a standalone object (e.g., a file or email message); the term "object encryption" well captures this assumption. Both &xep0027; and &rfc3923; assume that XMPP communications are more like the exchange of email messages than they are like an interactive session -- while Current Jabber OpenPGP Usage uses "old-style" PGP object encryption and RFC 3923 uses "new-style" S/MIME object encryption, both specify the use of object encryption.

-

However, because XMPP is a session-oriented communication technology, encryption schemes that are appropriate for other Internet technologies may not be appropriate for XMPP. XMPP, with its in-order delivery of XML stanzas, is able to take advantage of more secure approaches to encryption (including Perfect Forward Secrecy) that are not feasible for less dynamic technologies (like email).

+

However, because XMPP is a session-oriented communication technology, encryption schemes that are appropriate for other Internet technologies may not be appropriate for XMPP. XMPP, with its in-order delivery of XML stanzas, is able to take advantage of much more secure approaches to encryption (including Perfect Forward Secrecy) that are not feasible for less dynamic technologies (like email).

The session-oriented nature of XMPP implies that the focus should be on "session encryption" rather than "object encryption". The paradigm for XMPP encryption should be something closer to the widely-deployed Secure Shell technology (see &rfc4301; and &rfc4253;) or &zrtp; (an acclaimed &rfc3711; key agreement protocol) than to traditional encryption of files and standalone email messages.

Therefore, this document specifies a method for encrypted sessions ("ESessions") that takes advantage of the inherent possibilities and strengths of session encryption as opposed to object encryption. The conceptual model for this approach was inspired by "off-the-record" (OTR) communication, as implemented in the Gaim encryption plugin and described in &otr;. The basic concept is that of an encrypted session which acts as a secure tunnel between two endpoints. Once the tunnel is established, the content of all one-to-one XML stanzas exchanged between the endpoints will be encrypted and then transmitted within a "wrapper" protocol element.

Note: In order to gain a thorough understanding of this document, it is recommended that the Off-the-Record Communication paper and the ZRTP Internet-Draft are read first.

@@ -134,7 +131,7 @@
  • "Alice" is the name of the initiator of the ESession.
  • "Bob" is the name of the other participant in the ESession started by Alice.
    • -

    While Alice and Bob are introduced as "end users", they are simply meant to be examples of Jabber entities. Any directly addressable Jabber entity may participate in an ESession.

    +

    While Alice and Bob are introduced as "end users", they are simply meant to be examples of XMPP entities. Any directly addressable XMPP entity may participate in an ESession.

     @@ -333,20 +330,20 @@ The MAC values that Alice and Bob use to confirm the integrity of encrypted data - &RSsubA;, &RSsubB; - Retained secrets of Alice and Bob (derived from K in previous session) + RS + Retained secret (derived from K in previous session) &HsubRSA;, &HsubRSB; - Hashes of retained secrets of Alice and Bob + Alice and Bob's hashes of the retained secret - &OSsubA;, &OSsubB; - Other secrets of Alice and Bob (e.g. hashes of known strings and a shared password) + OS + Other secret of Alice and Bob (e.g. a shared password) &HsubOSA;, &HsubOSB; - Hashes of other secrets of Alice and Bob + Alice and Bob's hashes of the other secret &isPKsubA;, &isPKsubB; @@ -393,12 +390,12 @@ &gsupy; <------------ -SAS = truncate(HASH(&gsupx;, &gsupy;)) +SAS = truncate(HASH(&gsupx; | &gsupy;)) &gsupx; ------------> assert H&gsupx; = HASH(&gsupx;) - SAS = truncate(HASH(&gsupx;, &gsupy;)) + SAS = truncate(HASH(&gsupx; | &gsupy;)) SAS <===========> @@ -417,12 +414,12 @@ SAS = truncate(HASH(&gsupx;, &gsupy;)) &macA; = HMAC(&KSsubA;, {&gsupy;, &gsupx;, &pubKeyA;}) &signA; = sign(&signKeyA;, &macA;) &IDA; = cipher(&KCsubA;, {&pubKeyA;, &signA;}) -SAS = truncate(HASH(&gsupx;, &gsupy;)) +SAS = truncate(HASH(&gsupx; | &gsupy;)) &gsupx;, &IDA; ------------> assert H&gsupx; = HASH(&gsupx;) - SAS = truncate(HASH(&gsupx;, &gsupy;)) + SAS = truncate(HASH(&gsupx; | &gsupy;)) SAS <===========> @@ -453,12 +450,12 @@ e = &gsupx; mod p &NsubB; = random() assert 1 < e < p-1 K = HASH(&esupy; mod p) - &KCsubA; = HASH(0, K) - &KCsubB; = HASH(1, K) - &KMsubA; = HASH(2, K) - &KMsubB; = HASH(3, K) - &KSsubA; = HASH(4, K) - &KSsubB; = HASH(5, K) + &KCsubA; = HMAC(HASH, K, "Initiator Cipher Key") + &KCsubB; = HMAC(HASH, K, "Responder Cipher Key") + &KMsubA; = HMAC(HASH, K, "Initiator MAC Key") + &KMsubB; = HMAC(HASH, K, "Responder MAC Key") + &KSsubA; = HMAC(HASH, K, "Initiator SIGMA Key") + &KSsubB; = HMAC(HASH, K, "Responder SIGMA Key") &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &CsubA;}) &signB; = sign(&signKeyB;, &macB;) &IDB; = cipher(&KCsubB;, &CsubB;, {&pubKeyB;, &signB;}) @@ -469,12 +466,12 @@ e = &gsupx; mod p &CBeCAx2n1;  assert 1 < d < p-1 K = HASH(&dsupx; mod p) -&KCsubA; = HASH(0, K) -&KCsubB; = HASH(1, K) -&KMsubA; = HASH(2, K) -&KMsubB; = HASH(3, K) -&KSsubA; = HASH(4, K) -&KSsubB; = HASH(5, K) +&KCsubA; = HMAC(HASH, K, "Initiator Cipher Key") +&KCsubB; = HMAC(HASH, K, "Responder Cipher Key") +&KMsubA; = HMAC(HASH, K, "Initiator MAC Key") +&KMsubB; = HMAC(HASH, K, "Responder MAC Key") +&KSsubA; = HMAC(HASH, K, "Initiator SIGMA Key") +&KSsubB; = HMAC(HASH, K, "Responder SIGMA Key") assert &MsubB; = HMAC(HASH, &KMsubB;, &CsubB;, &IDB;) {&pubKeyB;, &signB;} = decipher(&KCsubB;, &CsubB;, &IDB;) &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &CsubA;}) @@ -504,7 +501,7 @@ K = HASH(&dsupx; mod p) &NsubA; = random() x = random() e = &gsupx; mod p -&Hsube; = HASH(e, &NsubA;) +&Hsube; = HASH(e | &NsubA;) &Hsube;, &isPKsubA; ------------> &NsubA;  @@ -519,14 +516,16 @@ e = &gsupx; mod p &CBeCAx2n1;  assert 1 < d < p-1 K = HASH(&dsupx; mod p) -&KCsubA; = HASH(0, K) -&KCsubB; = HASH(1, K) -&KMsubA; = HASH(2, K) -&KMsubB; = HASH(3, K) -&KSsubA; = HASH(4, K) -&KSsubB; = HASH(5, K) -SAS = truncate(HASH(e, d)) -if &isPKsubA; is false:  +&KCsubA; = HMAC(HASH, K, "Initiator Cipher Key") +&KCsubB; = HMAC(HASH, K, "Responder Cipher Key") +&KMsubA; = HMAC(HASH, K, "Initiator MAC Key") +&KMsubB; = HMAC(HASH, K, "Responder MAC Key") +&KSsubA; = HMAC(HASH, K, "Initiator SIGMA Key") +&KSsubB; = HMAC(HASH, K, "Responder SIGMA Key") +SAS = truncate(HASH(e | d | "Short Authentication String")) +&HsubRSA; = HMAC(HASH, RS, "Initiator") +&HsubOSA; = HMAC(HASH, OS, "Initiator") +if &isPKsubA; equals false then:  &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &AIDsubA;, &HsubRSA;, &HsubOSA;}) &IDA; = cipher(&KCsubA;, &CsubA;, {&AIDsubA;, &macA;}) else:  @@ -537,34 +536,39 @@ K = HASH(&dsupx; mod p) &IDA;, &MsubA;, e ------------> &HsubRSA;, &HsubOSA;  - assert &Hsube; = HASH(e, &NsubA;) - SAS = truncate(HASH(e, d)) + assert &Hsube; = HASH(e | &NsubA;) + SAS = truncate(HASH(e | d | "Short Authentication String") )) SAS <===========> assert 1 < e < p-1 K = HASH(&esupy; mod p) - &KCsubA; = HASH(0, K) - &KCsubB; = HASH(1, K) - &KMsubA; = HASH(2, K) - &KMsubB; = HASH(3, K) - &KSsubA; = HASH(4, K) - &KSsubB; = HASH(5, K)  + &KCsubA; = HMAC(HASH, K, "Initiator Cipher Key") + &KCsubB; = HMAC(HASH, K, "Responder Cipher Key") + &KMsubA; = HMAC(HASH, K, "Initiator MAC Key") + &KMsubB; = HMAC(HASH, K, "Responder MAC Key") + &KSsubA; = HMAC(HASH, K, "Initiator SIGMA Key") + &KSsubB; = HMAC(HASH, K, "Responder SIGMA Key")  assert &MsubA; = HMAC(HASH, &KMsubA;, &CsubA;, &IDA;) - if &isPKsubA; is false:  + if &isPKsubA; equals false then:  {&AIDsubA;, &macA;} = decipher(&KCsubA;, &CsubA;, &IDA;) assert &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &AIDsubA;, &HsubRSA;, &HsubOSA;}) else:  {&pubKeyA;, &signA;} = decipher(&KCsubA;, &CsubA;, &IDA;) &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &HsubRSA;, &HsubOSA;}) verify(&signA;, &pubKeyA;, &macA;) - assert &HsubRSA; = HASH(&RSsubA;) - assert &HsubOSA; = HASH(&OSsubA;) - &KCsubA; = HASH(&KCsubA;, &RSsubA;, &OSsubA;) - &KCsubB; = HASH(&KCsubB;, &RSsubB;, &OSsubB;) - &RSsubA; = HASH(6, K) - &RSsubB; = HASH(7, K) - if &isPKsubB; is false:  + &HsubRSB; = HMAC(HASH, RS, "Responder") + &HsubOSB; = HMAC(HASH, OS, "Responder") + assert &HsubRSA; = HMAC(HASH, RS, "Initiator") + assert &HsubOSA; = HMAC(HASH, OS, "Initiator") + K = HASH(K | RS | OS) + &KCsubA; = HMAC(HASH, K, "Initiator Cipher Key") + &KCsubB; = HMAC(HASH, K, "Responder Cipher Key") + &KMsubA; = HMAC(HASH, K, "Initiator MAC Key") + &KMsubB; = HMAC(HASH, K, "Responder MAC Key") + &KSsubB; = HMAC(HASH, K, "Responder SIGMA Key") + RS = HMAC(HASH, K, "Retained Secret") + if &isPKsubB; equals false then:  &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &AIDsubB;, &CsubA;, &HsubRSB;, &HsubOSB;}) &IDB; = cipher(&KCsubB;, &CsubB;, {&AIDsubB;, &macB;})  else:  @@ -576,20 +580,23 @@ K = HASH(&dsupx; mod p) <------------ &HsubRSB;, &HsubOSB;  +assert &HsubRSB; = HMAC(HASH, RS, "Responder") +assert &HsubOSB; = HMAC(HASH, OS, "Responder") +K = HASH(K | RS | OS) +&KCsubA; = HMAC(HASH, K, "Initiator Cipher Key") +&KCsubB; = HMAC(HASH, K, "Responder Cipher Key") +&KMsubA; = HMAC(HASH, K, "Initiator MAC Key") +&KMsubB; = HMAC(HASH, K, "Responder MAC Key") +&KSsubB; = HMAC(HASH, K, "Responder SIGMA Key") +RS = HMAC(HASH, K, "Retained Secret") assert &MsubB; = HMAC(HASH, &KMsubB;, &CsubB;, &IDB;) -if &isPKsubB; is false:  +if &isPKsubB; equals false then:  {&AIDsubB;, &macB;} = decipher(&KCsubB;, &CsubB;, &IDB;) assert &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &AIDsubB;, &CsubA;, &HsubRSB;, &HsubOSB;}) else:  {&pubKeyB;, &signB;} = decipher(&KCsubB;, &CsubB;, &IDB;) &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &CsubA;, &HsubRSB;, &HsubOSB;}) - verify(&signB;, &pubKeyB;, &macB;) -assert &HsubRSB; = HASH(&RSsubB;) -assert &HsubOSB; = HASH(&OSsubB;) -&KCsubA; = HASH(&KCsubA;, &RSsubA;, &OSsubA;) -&KCsubB; = HASH(&KCsubB;, &RSsubB;, &OSsubB;) -&RSsubA; = HASH(6, K) -&RSsubB; = HASH(7, K) + verify(&signB;, &pubKeyB;, &macB;) @@ -606,7 +613,7 @@ K = HASH(&dsupx; mod p) options - Includes a set of possible values for each and every ESession parameter (see the ESession Request sub-section in Encrypted Sessions), including sets of possible values for p, g, HASH, CIPHER, SIGN + Includes a set of possible values for each and every ESession parameter (see the ESession Request sub-section in Encrypted Session Negotiation), including sets of possible values for p, g, HASH, CIPHER, SIGN chosen @@ -679,12 +686,12 @@ K = HASH(&dsupx; mod p) &formB; = {&CsubA;, chosen, d, &NsubA;, &NsubB;} assert 1 < e < p-1 K = HASH(&esupy; mod p) - &KCsubA; = HASH(0, K) - &KCsubB; = HASH(1, K) - &KMsubA; = HASH(2, K) - &KMsubB; = HASH(3, K) - &KSsubA; = HASH(4, K) - &KSsubB; = HASH(5, K) + &KCsubA; = HMAC(HASH, K, "Initiator Cipher Key") + &KCsubB; = HMAC(HASH, K, "Responder Cipher Key") + &KMsubA; = HMAC(HASH, K, "Initiator MAC Key") + &KMsubB; = HMAC(HASH, K, "Responder MAC Key") + &KSsubA; = HMAC(HASH, K, "Initiator SIGMA Key") + &KSsubB; = HMAC(HASH, K, "Responder SIGMA Key") &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;}) &signB; = SIGN(&signKeyB;, &macB;) &IDB; = CIPHER(&KCsubB;, &CsubB;, {&pubKeyB;, &signB;}) @@ -698,13 +705,13 @@ e = &gsupx; mod p &CBeCAx2n1;  assert 1 < d < p-1 K = HASH(&dsupx; mod p) -&KCsubA; = HASH(0, K) -&KCsubB; = HASH(1, K) -&KMsubA; = HASH(2, K) -&KMsubB; = HASH(3, K) -&KSsubA; = HASH(4, K) -&KSsubB; = HASH(5, K) -assert &MsubB; = HMAC(HASH, &KMsubB;, &CsubB;, &IDB;) +&KCsubA; = HMAC(HASH, K, "Initiator Cipher Key") +&KCsubB; = HMAC(HASH, K, "Responder Cipher Key")  +&KMsubA; = HMAC(HASH, K, "Initiator MAC Key") +&KMsubB; = HMAC(HASH, K, "Responder MAC Key")  +&KSsubA; = HMAC(HASH, K, "Initiator SIGMA Key") +&KSsubB; = HMAC(HASH, K, "Responder SIGMA Key") +assert &MsubB; = HMAC(HASH, &KMsubB;, &CsubB;, &IDB;) {&pubKeyB;, &signB;} = DECIPHER(&KCsubB;, &CsubB;, &IDB;) &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;}) VERIFY(&signB;, &pubKeyB;, &macB;)  @@ -731,7 +738,7 @@ VERIFY(&signB;, &pubKeyB;, &macB;)  for g,p ∈ options x = random() e = &gsupx; mod p - He = HASH(e, &NsubA;)  + He = HASH(e | options | &NsubA; | &isPKsubA;)  &form1A; = {&He1HeZ;, options, &NsubA;, &isPKsubA;} &form1A; @@ -753,15 +760,14 @@ e = &gsupx; mod p &CBeCAx2n1;  assert 1 < d < p-1 K = HASH(&dsupx; mod p) -&KCsubA; = HASH(0, K) -&KCsubB; = HASH(1, K) -&KMsubA; = HASH(2, K) -&KMsubB; = HASH(3, K) -&KSsubA; = HASH(4, K) -&KSsubB; = HASH(5, K) -SAS = truncate(HASH(e, d)) +&KCsubA; = HMAC(HASH, K, "Initiator Cipher Key") +&KMsubA; = HMAC(HASH, K, "Initiator MAC Key") +&KSsubA; = HMAC(HASH, K, "Initiator SIGMA Key") +SAS = truncate(HASH(e | d)) +&HsubRSA; = HMAC(HASH, RS, "Initiator") +&HsubOSA; = HMAC(HASH, OS, "Initiator") &form2A; = {e, &NsubB;, &HsubRSA;, &HsubOSA;} -if &isPKsubA; equals false:  +if &isPKsubA; equals false then:  &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, &form2A;, &AIDsubA;, &form1A;}) &IDA; = CIPHER(&KCsubA;, &CsubA;, {&AIDsubA;, &macA;}) else:   @@ -774,37 +780,38 @@ K = HASH(&dsupx; mod p) ------------> &form2A;  - assert &Hsube; = HASH(e, &NsubA;) - SAS = truncate(HASH(e, d)) + assert &Hsube; = HASH(e | options | &NsubA; | &isPKsubA;) + SAS = truncate(HASH(e | d)) SAS <===========> assert 1 < e < p-1 K = HASH(&esupy; mod p) - &KCsubA; = HASH(0, K) - &KCsubB; = HASH(1, K) - &KMsubA; = HASH(2, K) - &KMsubB; = HASH(3, K) - &KSsubA; = HASH(4, K) - &KSsubB; = HASH(5, K) + &KCsubA; = HMAC(HASH, K, "Initiator Cipher Key") + &KMsubA; = HMAC(HASH, K, "Initiator MAC Key") + &KSsubA; = HMAC(HASH, K, "Initiator SIGMA Key") assert &MsubA; = HMAC(HASH, &KMsubA;, &CsubA;, &IDA;) - if &isPKsubA; equals false:  + if &isPKsubA; equals false then:  {&AIDsubA;, &macA;} = DECIPHER(&KCsubA;, &CsubA;, &IDA;) assert &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, &form2A;, &AIDsubA;, &form1A;}) else:  {&pubKeyA;, &signA;} = DECIPHER(&KCsubA;, &CsubA;, &IDA;) &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, &form2A;, &pubKeyA;, &form1A;}) VERIFY(&signA;, &pubKeyA;, &macA;) - if &HsubOSA; equals HASH(&OSsubA;) - &KCsubA; = HASH(&KCsubA;, &OSsubA;) - &KCsubB; = HASH(&KCsubB;, &OSsubB;) - if &HsubRSA; equals HASH(&RSsubA;) - &KCsubA; = HASH(&KCsubA;, &RSsubA;) - &KCsubB; = HASH(&KCsubB;, &RSsubB;) - &RSsubA; = HASH(6, K) - &RSsubB; = HASH(7, K) + &HsubRSB; = HMAC(HASH, RS, "Responder") + &HsubOSB; = HMAC(HASH, OS, "Responder") &form2B; = {&NsubA;, &HsubRSB;, &HsubOSB;} - if &isPKsubB; equals false:  + if &HsubOSA; equals HMAC(HASH, OS, "Initiator") then: + K = HASH(K | OS) + if &HsubRSA; equals HMAC(HASH, RS, "Initiator") then: + K = HASH(K | RS) + &KCsubA; = HMAC(HASH, K, "Initiator Cipher Key") + &KCsubB; = HMAC(HASH, K, "Responder Cipher Key") + &KMsubA; = HMAC(HASH, K, "Initiator MAC Key") + &KMsubB; = HMAC(HASH, K, "Responder MAC Key") + &KSsubB; = HMAC(HASH, K, "Responder SIGMA Key") + RS = HMAC(HASH, K, "Retained Secret") + if &isPKsubB; equals false then:  &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &AIDsubB;, &form1B;, &form2B;}) &IDB; = CIPHER(&KCsubB;, &CsubB;, {&AIDsubB;, &macB;})  else:  @@ -817,22 +824,24 @@ K = HASH(&dsupx; mod p) <------------ &form2B;  +if &HsubOSB; equals HMAC(HASH, OS, "Responder") then: + K = HASH(K | OS) +if &HsubRSB; equals HMAC(HASH, RS, "Responder") then: + K = HASH(K | RS) +&KCsubA; = HMAC(HASH, K, "Initiator Cipher Key") +&KCsubB; = HMAC(HASH, K, "Responder Cipher Key") +&KMsubA; = HMAC(HASH, K, "Initiator MAC Key") +&KMsubB; = HMAC(HASH, K, "Responder MAC Key") +&KSsubB; = HMAC(HASH, K, "Responder SIGMA Key") +RS = HMAC(HASH, K, "Retained Secret") assert &MsubB; = HMAC(HASH, &KMsubB;, &CsubB;, &IDB;) -if &isPKsubB; equals false:  +if &isPKsubB; equals false then:  {&AIDsubB;, &macB;} = DECIPHER(&KCsubB;, &CsubB;, &IDB;) assert &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &AIDsubB;, &form1B;, &form2B;}) else:  {&pubKeyB;, &signB;} = DECIPHER(&KCsubB;, &CsubB;, &IDB;) &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &form1B;, &form2B;}) - VERIFY(&signB;, &pubKeyB;, &macB;) -if &HsubOSB; equals HASH(&OSsubB;) - &KCsubA; = HASH(&KCsubA;, &OSsubA;) - &KCsubB; = HASH(&KCsubB;, &OSsubB;) -if &HsubRSB; equals HASH(&RSsubB;) - &KCsubA; = HASH(&KCsubA;, &RSsubA;) - &KCsubB; = HASH(&KCsubB;, &RSsubB;) -&RSsubA; = HASH(6, K) -&RSsubB; = HASH(7, K) + VERIFY(&signB;, &pubKeyB;, &macB;) @@ -874,12 +883,12 @@ K = HASH(&dsupx; mod p) &formB; = {&CsubA;, chosen, d, &NsubA;, &NsubB;} assert 1 < e < p-1 K = HASH(&esupy; mod p) - &KCsubA; = HASH(0, K) - &KCsubB; = HASH(1, K) - &KMsubA; = HASH(2, K) - &KMsubB; = HASH(3, K) - &KSsubA; = HASH(4, K) - &KSsubB; = HASH(5, K) + &KCsubA; = HMAC(HASH, K, "Initiator Cipher Key") + &KCsubB; = HMAC(HASH, K, "Responder Cipher Key") + &KMsubA; = HMAC(HASH, K, "Initiator MAC Key") + &KMsubB; = HMAC(HASH, K, "Responder MAC Key") + &KSsubA; = HMAC(HASH, K, "Initiator SIGMA Key") + &KSsubB; = HMAC(HASH, K, "Responder SIGMA Key") &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;}) &signB; = SIGN(&signKeyB;, &macB;) &IDB; = CIPHER(&KCsubB;, &CsubB;, {&pubKeyB;, &signB;}) @@ -904,12 +913,12 @@ e = &gsupx; mod p &CBeCAx2n1;  assert 1 < d < p-1 K = HASH(&dsupx; mod p) -&KCsubA; = HASH(0, K) -&KCsubB; = HASH(1, K) -&KMsubA; = HASH(2, K) -&KMsubB; = HASH(3, K) -&KSsubA; = HASH(4, K) -&KSsubB; = HASH(5, K) +&KCsubA; = HMAC(HASH, K, "Initiator Cipher Key") +&KCsubB; = HMAC(HASH, K, "Responder Cipher Key") +&KMsubA; = HMAC(HASH, K, "Initiator MAC Key") +&KMsubB; = HMAC(HASH, K, "Responder MAC Key") +&KSsubA; = HMAC(HASH, K, "Initiator SIGMA Key") +&KSsubB; = HMAC(HASH, K, "Responder SIGMA Key") assert &MsubB; = HMAC(HASH, &KMsubB;, &CsubB;, &IDB;) {&pubKeyB;, &signB;} = DECIPHER(&KCsubB;, &CsubB;, &IDB;) &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;}) @@ -920,7 +929,7 @@ VERIFY(&signB;, &pubKeyB;, &macB;) -

    The security considerations are described in Encrypted Sessions and Offline Encrypted Sessions.

    +

    The security considerations are described in Encrypted Session Negotiation and Offline Encrypted Sessions.