1
0
mirror of https://github.com/moparisthebest/xeps synced 2024-12-22 07:38:52 -05:00

0.3 RC2 adjusted retained secrets communication, simplified other secret

git-svn-id: file:///home/ksmith/gitmigration/svn/xmpp/trunk@210 4b5297f7-1745-476d-ba37-a9c6900126ab
This commit is contained in:
Ian Paterson 2006-11-24 13:23:49 +00:00
parent 7c53a9d655
commit 5763c6cc78

View File

@ -7,12 +7,6 @@
<!ENTITY gsupx "g<span class='super'>x</span>">
<!ENTITY gsupy "g<span class='super'>y</span>">
<!ENTITY Hsube "He">
<!ENTITY AIDsubA "AID<span class='sub'>A</span>">
<!ENTITY AIDsubB "AID<span class='sub'>B</span>">
<!ENTITY HsubRSA "Hrs<span class='sub'>A</span>">
<!ENTITY HsubRSB "Hrs<span class='sub'>B</span>">
<!ENTITY HsubOSA "Hos<span class='sub'>A</span>">
<!ENTITY HsubOSB "Hos<span class='sub'>B</span>">
<!ENTITY isPKsubA "isPK<span class='sub'>A</span>">
<!ENTITY isPKsubB "isPK<span class='sub'>B</span>">
<!ENTITY NsubA "N<span class='sub'>A</span>">
@ -53,6 +47,9 @@
<!ENTITY x1xZ "x<span class='sub'>1</span>...x<span class='sub'>Z</span>">
<!ENTITY e1eZ "e<span class='sub'>1</span>...e<span class='sub'>Z</span>">
<!ENTITY He1HeZ "He<span class='sub'>1</span>...He<span class='sub'>Z</span>">
<!ENTITY RSA1RSAZ "RS<span class='sub'>1A</span>...RS<span class='sub'>ZA</span>">
<!ENTITY RSB1RSBZ "RS<span class='sub'>1B</span>...RS<span class='sub'>ZB</span>">
<!ENTITY RSH1ARSHZA "RSH<span class='sub'>1A</span>...RSH<span class='sub'>ZA</span>">
<!ENTITY rfc3711 "<span class='ref'>RFC 3711</span> <note>RFC 3711: Secure Real-time Transport Protocol &lt;<link url='http://www.ietf.org/rfc/rfc3711.txt'>http://www.ietf.org/rfc/rfc3711.txt</link>&gt;.</note>" >
@ -80,7 +77,7 @@
&ianpaterson;
<revision>
<version>0.3</version>
<date>2006-11-21</date>
<date>2006-11-24</date>
<initials>ip</initials>
<remark><p>Added PKI Independence and Robustness requirements; added optional public key independence, hash commitment, SAS authentication, retained secrets and other secrets to SIGMA-R key exchange</p></remark>
</revision>
@ -330,29 +327,33 @@
<td>The MAC values that Alice and Bob use to confirm the integrity of encrypted data</td>
</tr>
<tr>
<td>RS</td>
<td>Retained secret (derived from K in previous session)</td>
<td>SRS</td>
<td>Shared retained secret (derived from K in previous session between the clients)</td>
</tr>
<tr>
<td>&HsubRSA;, &HsubRSB;</td>
<td>Alice and Bob's hashes of the retained secret</td>
<td>&RSA1RSAZ;</td>
<td>Retained secrets Alice shares with Bob (one for each client he uses)</td>
</tr>
<tr>
<td>OS</td>
<td>Other secret of Alice and Bob (e.g. a shared password)</td>
<td>&RSB1RSBZ;</td>
<td>Retained secrets Bob shares with Alice (one for each client she uses)</td>
</tr>
<tr>
<td>&HsubOSA;, &HsubOSB;</td>
<td>Alice and Bob's hashes of the other secret</td>
<td>&RSH1ARSHZA;</td>
<td>HMACs of retained secrets Alice shares with Bob</td>
</tr>
<tr>
<td>SRSH</td>
<td>Bob's HMAC of SRS</td>
</tr>
<tr>
<td>OSS</td>
<td>Other shared secret of Alice and Bob (e.g. a shared password) defaults to "secret"</td>
</tr>
<tr>
<td>&isPKsubA;, &isPKsubB;</td>
<td>Whether or not Alice and Bob have a private key (booleans)</td>
</tr>
<tr>
<td>&AIDsubA;, &AIDsubB;</td>
<td>Anonymous IDs of Alice and Bob</td>
</tr>
</table>
</section2>
@ -467,12 +468,12 @@ e = &gsupx; mod p
<em>assert</em> 1 &lt; d &lt; p-1
K = HASH(&dsupx; mod p)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
<span class='highlight'>&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")</span>&#160;
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
&KMsubB; = <em>HMAC</em>(HASH, K, "Responder MAC Key")
<span class='highlight'>&KMsubB; = <em>HMAC</em>(HASH, K, "Responder MAC Key")</span>&#160;
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
<span class='highlight'><em>assert</em>&#160;&MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)
<span class='highlight'>&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
<em>assert</em>&#160;&MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)
{&pubKeyB;, &signB;} = <em>decipher</em>(&KCsubB;, &CsubB;, &IDB;)
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &CsubA;})
<em>verify</em>(&signB;, &pubKeyB;, &macB;)</span>&#160;
@ -492,7 +493,7 @@ K = HASH(&dsupx; mod p)
<section2 topic='SIGMA-R with SAS Key Exchange' anchor='foundations-core-r'>
<p>The Short Authentication String technique enables protection against a Man in the Middle without the need to generate, distribute or authenticate any public keys. As long as a hash commitment is used at the start of the key exchange then only a short human-friendly string needs to be verified out-of-band (e.g. by recognizable voice communication).</p>
<p>Furthermore, if each entity (or each user of a client installation) is assigned a large random Anonymous ID (AID) upon first use, and if retained secrets associated with the AID are employed <em>consistently</em> during key exchanges, then the Man in the Middle would need to be present for every session, including the first, and the out-of-band verification would only need to be performed once to verify the absence of a Man in the Middle for all sessions between the parties (past, present and future). <note>This combination of techniques underpins the <cite>ZRTP</cite> key agreement protocol.</note></p>
<p>Furthermore, if retained secrets associated with a client/user combination are employed <em>consistently</em> during key exchanges, then the Man in the Middle would need to be present for every session, including the first, and the out-of-band verification would only need to be performed once to verify the absence of a Man in the Middle for all sessions between the parties (past, present and future). <note>This combination of techniques underpins the <cite>ZRTP</cite> key agreement protocol.</note></p>
<p>Public keys are optional in the diagram below. It describes the same SIGMA-R with SAS key exchange protocol as the <link url='#foundations-skeleton-r'>SIGMA-R Overview</link>. It provides much more detail including the use of retained secrets and other secrets. Note: These <em>optional</em> security enhancements are especially important when the protocol is being used without public keys.</p>
<p>The diagram does not specify any ESession-specific details. The differences between it and the <link url='#foundations-core-i'>SIGMA-I Key Exchange</link> are highlighted.</p>
<pre>
@ -517,25 +518,21 @@ e = &gsupx; mod p
<em>assert</em> 1 &lt; d &lt; p-1
K = HASH(&dsupx; mod p)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
&KMsubB; = <em>HMAC</em>(HASH, K, "Responder MAC Key")
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
<span class='highlight'>SAS = <em>truncate</em>(HASH(e | d | "Short Authentication String"))
&HsubRSA; = <em>HMAC</em>(HASH, RS, "Initiator")
&HsubOSA; = <em>HMAC</em>(HASH, OS, "Initiator")
&RSH1ARSHZA; = <em>HMAC</em>(HASH, &RSA1RSAZ;, "Initiator Retained Secrets")
<em>if</em>&#160;&isPKsubA;&#160;<em>equals false then:</em>&#160;
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &AIDsubA;, &HsubRSA;, &HsubOSA;})
&IDA; = <em>cipher</em>(&KCsubA;, &CsubA;, {&AIDsubA;, &macA;})
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &RSH1ARSHZA;})
&IDA; = <em>cipher</em>(&KCsubA;, &CsubA;, {&RSH1ARSHZA;, &macA;})
<em>else:</em></span>&#160;
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &HsubRSA;, &HsubOSA;})
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &RSH1ARSHZA;})
&signA; = <em>sign</em>(&signKeyA;, &macA;)
&IDA; = <em>cipher</em>(&KCsubA;, &CsubA;, {&pubKeyA;, &signA;})
&IDA; = <em>cipher</em>(&KCsubA;, &CsubA;, {&pubKeyA;, &RSH1ARSHZA;, &signA;})
&MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
&IDA;, &MsubA;, <span class='highlight'>e</span>
&IDA;
------------&gt;
<span class='highlight'>&HsubRSA;, &HsubOSA;&#160;
&MsubA;, <span class='highlight'>e
<em>assert</em>&#160;&Hsube; = HASH(e | &NsubA;)
SAS = <em>truncate</em>(HASH(e | d | "Short Authentication String") ))
SAS
@ -544,58 +541,52 @@ K = HASH(&dsupx; mod p)
<em>assert</em> 1 &lt; e &lt; p-1
K = HASH(&esupy; mod p)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
&KMsubB; = <em>HMAC</em>(HASH, K, "Responder MAC Key")
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")</span>&#160;
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")</span>&#160;
<em>assert</em>&#160;&MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
<span class='highlight'><em>if</em>&#160;&isPKsubA;&#160;<em>equals false then:</em>&#160;
{&AIDsubA;, &macA;} = <em>decipher</em>(&KCsubA;, &CsubA;, &IDA;)
<em>assert</em>&#160;&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &AIDsubA;, &HsubRSA;, &HsubOSA;})
{&RSH1ARSHZA;, &macA;} = <em>decipher</em>(&KCsubA;, &CsubA;, &IDA;)
<em>assert</em>&#160;&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &RSH1ARSHZA;})
<em>else:</em></span>&#160;
{&pubKeyA;, &signA;} = <em>decipher</em>(&KCsubA;, &CsubA;, &IDA;)
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &HsubRSA;, &HsubOSA;})
{&pubKeyA;, &RSH1ARSHZA;, &signA;} = <em>decipher</em>(&KCsubA;, &CsubA;, &IDA;)
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &RSH1ARSHZA;})
<em>verify</em>(&signA;, &pubKeyA;, &macA;)
<span class='highlight'>&HsubRSB; = <em>HMAC</em>(HASH, RS, "Responder")
&HsubOSB; = <em>HMAC</em>(HASH, OS, "Responder")
<em>assert</em>&#160;&HsubRSA; = <em>HMAC</em>(HASH, RS, "Initiator")
<em>assert</em>&#160;&HsubOSA; = <em>HMAC</em>(HASH, OS, "Initiator")
K = HASH(K | RS | OS)
<span class='highlight'>SRS = <em>choose</em>(&RSB1RSBZ;, &RSH1ARSHZA;)
K = HASH(K | SRS | OSS)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
&KMsubB; = <em>HMAC</em>(HASH, K, "Responder MAC Key")
&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
RS = <em>HMAC</em>(HASH, K, "Retained Secret")
SRSH = <em>HMAC</em>(HASH, SRS, "Shared Retained Secret")
<em>retain</em>(<em>HMAC</em>(HASH, K, "New Retained Secret"))
<em>if</em>&#160;&isPKsubB;&#160;<em>equals false then:</em>&#160;
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &AIDsubB;, &CsubA;, &HsubRSB;, &HsubOSB;})
&IDB; = <em>cipher</em>(&KCsubB;, &CsubB;, {&AIDsubB;, &macB;})&#160;
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &CsubA;})
&IDB; = <em>cipher</em>(&KCsubB;, &CsubB;, &macB;)&#160;
<em>else:</em>&#160;
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &CsubA;, &HsubRSB;, &HsubOSB;})
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &CsubA;})
&signB; = <em>sign</em>(&signKeyB;, &macB;)
&IDB; = <em>cipher</em>(&KCsubB;, &CsubB;, {&pubKeyB;, &signB;})
&MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)
&IDB;, &MsubB;
&IDB;
&lt;------------
&HsubRSB;, &HsubOSB;&#160;
&MsubB;, SRSH&#160;
<em>assert</em>&#160;&HsubRSB; = <em>HMAC</em>(HASH, RS, "Responder")
<em>assert</em>&#160;&HsubOSB; = <em>HMAC</em>(HASH, OS, "Responder")
K = HASH(K | RS | OS)
SRS = <em>choose</em>(&RSA1RSAZ;, SRSH)
K = HASH(K | SRS | OSS)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
&KMsubB; = <em>HMAC</em>(HASH, K, "Responder MAC Key")
&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
RS = <em>HMAC</em>(HASH, K, "Retained Secret")
<em>retain</em>(<em>HMAC</em>(HASH, K, "New Retained Secret"))
<em>assert</em>&#160;&MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)
<em>if</em>&#160;&isPKsubB;&#160;<em>equals false then:</em>&#160;
<span class='highlight'>{&AIDsubB;, &macB;} = <em>decipher</em>(&KCsubB;, &CsubB;, &IDB;)
<em>assert</em>&#160;&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &AIDsubB;, &CsubA;, &HsubRSB;, &HsubOSB;})
<span class='highlight'>&macB; = <em>decipher</em>(&KCsubB;, &CsubB;, &IDB;)
<em>assert</em>&#160;&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &CsubA;})
<em>else:</em></span>&#160;
{&pubKeyB;, &signB;} = <em>decipher</em>(&KCsubB;, &CsubB;, &IDB;)
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &CsubA;, &HsubRSB;, &HsubOSB;})
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &CsubA;})
<em>verify</em>(&signB;, &pubKeyB;, &macB;)</span>
</pre>
</section2>
@ -731,6 +722,7 @@ VERIFY(&signB;, &pubKeyB;, &macB;)</span>&#160;
<section2 topic='Online ESession-R Negotiation' anchor='design-online-r'>
<p>This protocol is similar to the <link url='#design-online-i'>Online ESession-I Negotiation</link> above, except that Bob's identity is protected from active attacks (by by delaying communicating his identity to Alice until he has authenticated her). The optional use of SAS, retained secrets and other secrets means the protocol may be used without any public keys. The differences between this protocol and <link url='#design-online-i'>Online ESession-I Negotiation</link> are highlighted.</p>
<p>Note: Alice MUST mix a few random numbers with the &RSH1ARSHZA; that she sends to Bob to prevent an active attacker from discovering if she has communicated with Bob before and how many clients Bob has used to communicate with her.</p>
<pre>
<strong>ALICE</strong>&#160; <strong>BOB</strong>&#160;
@ -763,17 +755,16 @@ K = HASH(&dsupx; mod p)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
<span class='highlight'>SAS = <em>truncate</em>(HASH(e | d))
&HsubRSA; = <em>HMAC</em>(HASH, RS, "Initiator")
&HsubOSA; = <em>HMAC</em>(HASH, OS, "Initiator")
&form2A; = {e, &NsubB;, &HsubRSA;, &HsubOSA;}
<span class='highlight'>SAS = <em>truncate</em>(HASH(e | d | "Short Authentication String"))
&RSH1ARSHZA; = <em>HMAC</em>(HASH, &RSA1RSAZ;, "Initiator Retained Secrets")
&form2A; = {e, &NsubB;}
<em>if</em>&#160;&isPKsubA;&#160;<em>equals false then:</em>&#160;
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, &form2A;, &AIDsubA;, &form1A;})
&IDA; = CIPHER(&KCsubA;, &CsubA;, {&AIDsubA;, &macA;})
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &RSH1ARSHZA;, &form1A;, &form2A;})
&IDA; = CIPHER(&KCsubA;, &CsubA;, {&RSH1ARSHZA;, &macA;})
<em>else:</em>&#160;</span>&#160;
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, &form2A;, &pubKeyA;, &form1A;})
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &RSH1ARSHZA;, &form1A;, &form2A;})
&signA; = SIGN(&signKeyA;, &macA;)
&IDA; = CIPHER(&KCsubA;, &CsubA;, {&pubKeyA;, &signA;})
&IDA; = CIPHER(&KCsubA;, &CsubA;, {&pubKeyA;, &RSH1ARSHZA;, &signA;})
&MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
&IDA;, &MsubA;
@ -781,7 +772,7 @@ K = HASH(&dsupx; mod p)
<span class='highlight'>&form2A;&#160;
<em>assert</em>&#160;&Hsube; = HASH(e | options | &NsubA; | &isPKsubA;)
SAS = <em>truncate</em>(HASH(e | d))
SAS = <em>truncate</em>(HASH(e | d | "Short Authentication String"))
SAS
&lt;===========&gt;
@ -792,28 +783,27 @@ K = HASH(&dsupx; mod p)
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
</span><em>assert</em>&#160;&MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
<span class='highlight'><em>if</em>&#160;&isPKsubA;&#160;<em>equals false then:</em>&#160;
{&AIDsubA;, &macA;} = DECIPHER(&KCsubA;, &CsubA;, &IDA;)
<em>assert</em>&#160;&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, &form2A;, &AIDsubA;, &form1A;})
{&RSH1ARSHZA;, &macA;} = DECIPHER(&KCsubA;, &CsubA;, &IDA;)
<em>assert</em>&#160;&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &RSH1ARSHZA;, &form1A;, &form2A;})
<em>else:</em></span>&#160;
{&pubKeyA;, &signA;} = DECIPHER(&KCsubA;, &CsubA;, &IDA;)
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, &form2A;, &pubKeyA;, &form1A;})
{&pubKeyA;, &RSH1ARSHZA;, &signA;} = DECIPHER(&KCsubA;, &CsubA;, &IDA;)
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &RSH1ARSHZA;, &form1A;, &form2A;})
VERIFY(&signA;, &pubKeyA;, &macA;)
<span class='highlight'>&HsubRSB; = <em>HMAC</em>(HASH, RS, "Responder")
&HsubOSB; = <em>HMAC</em>(HASH, OS, "Responder")
&form2B; = {&NsubA;, &HsubRSB;, &HsubOSB;}
<em>if</em>&#160;&HsubOSA;&#160;<em>equals</em>&#160;<em>HMAC</em>(HASH, OS, "Initiator") <em>then</em>:
K = HASH(K | OS)
<em>if</em>&#160;&HsubRSA;&#160;<em>equals</em>&#160;<em>HMAC</em>(HASH, RS, "Initiator") <em>then</em>:
K = HASH(K | RS)
<span class='highlight'>SRS = <em>choose</em>(&RSB1RSBZ;, &RSH1ARSHZA;)
K = HASH(K | SRS | OSS)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
&KMsubB; = <em>HMAC</em>(HASH, K, "Responder MAC Key")
&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
RS = <em>HMAC</em>(HASH, K, "Retained Secret")
<em>if</em> SRS <em>equals false then:</em>&#160;
SRS = <em>random</em>()
SRSH = <em>HMAC</em>(HASH, SRS, "Shared Retained Secret")
&form2B; = {&NsubA;, SRSH}
<em>retain</em>(<em>HMAC</em>(HASH, K, "New Retained Secret"))
<em>if</em>&#160;&isPKsubB;&#160;<em>equals false then:</em>&#160;
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &AIDsubB;, &form1B;, &form2B;})
&IDB; = CIPHER(&KCsubB;, &CsubB;, {&AIDsubB;, &macB;})&#160;
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &form1B;, &form2B;})
&IDB; = CIPHER(&KCsubB;, &CsubB;, &macB;)&#160;
<em>else:</em>&#160;
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &form1B;, &form2B;})
&signB; = SIGN(&signKeyB;, &macB;)
@ -824,20 +814,18 @@ K = HASH(&dsupx; mod p)
&lt;------------
&form2B;&#160;
<em>if</em>&#160;&HsubOSB;&#160;<em>equals</em>&#160;<em>HMAC</em>(HASH, OS, "Responder") <em>then</em>:
K = HASH(K | OS)
<em>if</em>&#160;&HsubRSB;&#160;<em>equals</em>&#160;<em>HMAC</em>(HASH, RS, "Responder") <em>then</em>:
K = HASH(K | RS)
SRS = <em>choose</em>(&RSA1RSAZ;, SRSH)
K = HASH(K | SRS | OSS)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
&KMsubB; = <em>HMAC</em>(HASH, K, "Responder MAC Key")
&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
RS = <em>HMAC</em>(HASH, K, "Retained Secret")
<em>retain</em>(<em>HMAC</em>(HASH, K, "New Retained Secret"))
<em>assert</em>&#160;&MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)
<em>if</em>&#160;&isPKsubB;&#160;<em>equals false then:</em>&#160;
{&AIDsubB;, &macB;} = DECIPHER(&KCsubB;, &CsubB;, &IDB;)
<em>assert</em>&#160;&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &AIDsubB;, &form1B;, &form2B;})
&macB; = DECIPHER(&KCsubB;, &CsubB;, &IDB;)
<em>assert</em>&#160;&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &form1B;, &form2B;})
<em>else:</em>&#160;
{&pubKeyB;, &signB;} = DECIPHER(&KCsubB;, &CsubB;, &IDB;)
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &form1B;, &form2B;})
@ -858,13 +846,13 @@ RS = <em>HMAC</em>(HASH, K, "Retained Secret")
e = &gsupx; mod p
&formA; = {&e1eZ;, options, &NsubA;}
<span class='highlight'>&signsA; = <em>multi_sign</em>(&signKeysA;, &formA;)
<em>store</em>(&NsubA;, &x1xZ;, expireTime)</span>&#160;
<em>retain</em>(&NsubA;, &x1xZ;, expireTime)</span>&#160;
&formA;
--------&gt;
<span class='highlight'>&signsA;&#160;
<em>store</em>(&formA;, &signsA;)
<em>retain</em>(&formA;, &signsA;)
---------------------------------------------------------------------------------------------------------
<em>retrieve</em>(&formA;, &signsA;)</span>&#160;
@ -898,7 +886,7 @@ RS = <em>HMAC</em>(HASH, K, "Retained Secret")
&lt;--------
&IDB;, &MsubB;&#160;
<span class='highlight'><em>store</em>(&formB;,&IDB;,&MsubB;)
<span class='highlight'><em>retain</em>(&formB;,&IDB;,&MsubB;)
---------------------------------------------------------------------------------------------------------
<em>retrieve</em>(&formB;,&IDB;,&MsubB;)</span>&#160;
&formB;