0.3 RC3 minor stuff

git-svn-id: file:///home/ksmith/gitmigration/svn/xmpp/trunk@215 4b5297f7-1745-476d-ba37-a9c6900126ab
Ian Paterson 2006-11-27 02:11:48 +00:00
parent 3e61673a03
commit 9396e56794
1 changed files with 71 additions and 71 deletions


@ -6,7 +6,6 @@
<!ENTITY dsupx "d<span class='super'>x</span>">
<!ENTITY gsupx "g<span class='super'>x</span>">
<!ENTITY gsupy "g<span class='super'>y</span>">
<!ENTITY Hsube "He">
<!ENTITY isPKsubA "isPK<span class='sub'>A</span>">
<!ENTITY isPKsubB "isPK<span class='sub'>B</span>">
<!ENTITY NsubA "N<span class='sub'>A</span>">
@ -28,10 +27,8 @@
<!ENTITY IDB "ID<span class='sub'>B</span>">
<!ENTITY formA "form<span class='sub'>A</span>">
<!ENTITY formB "form<span class='sub'>B</span>">
<!ENTITY form1A "form<span class='sub'>1A</span>">
<!ENTITY form1B "form<span class='sub'>1B</span>">
<!ENTITY form2A "form<span class='sub'>2A</span>">
<!ENTITY form2B "form<span class='sub'>2B</span>">
<!ENTITY formA2 "form<span class='sub'>A2</span>">
<!ENTITY formB2 "form<span class='sub'>B2</span>">
<!ENTITY macA "mac<span class='sub'>A</span>">
<!ENTITY macB "mac<span class='sub'>B</span>">
<!ENTITY signA "sign<span class='sub'>A</span>">
@ -47,8 +44,8 @@
<!ENTITY x1xZ "x<span class='sub'>1</span>...x<span class='sub'>Z</span>">
<!ENTITY e1eZ "e<span class='sub'>1</span>...e<span class='sub'>Z</span>">
<!ENTITY He1HeZ "He<span class='sub'>1</span>...He<span class='sub'>Z</span>">
<!ENTITY RSA1RSAZ "RS<span class='sub'>1A</span>...RS<span class='sub'>ZA</span>">
<!ENTITY RSB1RSBZ "RS<span class='sub'>1B</span>...RS<span class='sub'>ZB</span>">
<!ENTITY RS1ARSZA "RS<span class='sub'>1A</span>...RS<span class='sub'>ZA</span>">
<!ENTITY RS1BRSZB "RS<span class='sub'>1B</span>...RS<span class='sub'>ZB</span>">
<!ENTITY RSH1ARSHZA "RSH<span class='sub'>1A</span>...RSH<span class='sub'>ZA</span>">
@ -77,7 +74,7 @@
&ianpaterson;
<revision>
<version>0.3</version>
<date>2006-11-24</date>
<date>2006-11-27</date>
<initials>ip</initials>
<remark><p>Added PKI Independence and Robustness requirements; added optional public key independence, hash commitment, SAS authentication, retained secrets and other secrets to SIGMA-R key exchange</p></remark>
</revision>
@ -295,7 +292,7 @@
<td>Alice and Bob's public Diffie-Hellman keys (the same as &gsupx;, &gsupy;)</td>
</tr>
<tr>
<td>&Hsube;</td>
<td>He</td>
<td>Hash of Alice's public Diffie-Hellman key</td>
</tr>
<tr>
@ -331,11 +328,11 @@
<td>Shared retained secret (derived from K in previous session between the clients)</td>
</tr>
<tr>
<td>&RSA1RSAZ;</td>
<td>&RS1ARSZA;</td>
<td>Retained secrets Alice shares with Bob (one for each client he uses)</td>
</tr>
<tr>
<td>&RSB1RSBZ;</td>
<td>&RS1BRSZB;</td>
<td>Retained secrets Bob shares with Alice (one for each client she uses)</td>
</tr>
<tr>
@ -352,7 +349,7 @@
</tr>
<tr>
<td>&isPKsubA;, &isPKsubB;</td>
<td>Whether or not Alice and Bob have a private key (booleans)</td>
<td>Whether or not Alice and Bob prefer to <em>receive</em> a public key (booleans)</td>
</tr>
</table>
</section2>
@ -444,11 +441,11 @@ x = <em>random</em>()
e = &gsupx; mod p
<span class='highlight'>e,</span>&#160;&NsubA;
------------&gt;
&NsubB; = <em>random</em>()
&CsubA; = <em>random</em>()
&CBeCAx2n1;&#160;
y = <em>random</em>()
d = &gsupy; mod p
&CBeCAx2n1;&#160;
&NsubB; = <em>random</em>()
<span class='highlight'><em>assert</em> 1 &lt; e &lt; p-1
K = HASH(&esupy; mod p)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
@ -502,15 +499,15 @@ K = HASH(&dsupx; mod p)
&NsubA; = <em>random</em>()
x = <em>random</em>()
e = &gsupx; mod p
<span class='highlight'>&Hsube; = HASH(e | &NsubA;)
&Hsube;, &isPKsubA;</span>
<span class='highlight'>He = SHA256(e)
He, &isPKsubA;</span>
------------&gt;
&NsubA;&#160;
&NsubB; = <em>random</em>()
&CsubA; = <em>random</em>()
&CBeCAx2n1;&#160;
y = <em>random</em>()
d = &gsupy; mod p
&CBeCAx2n1;&#160;
&NsubB; = <em>random</em>()
d, &CsubA;, &NsubB;
&lt;------------
<span class='highlight'>&isPKsubB;</span>&#160;
@ -521,19 +518,19 @@ K = HASH(&dsupx; mod p)
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
<span class='highlight'>SAS = <em>truncate</em>(HASH(e | d | "Short Authentication String"))
&RSH1ARSHZA; = <em>HMAC</em>(HASH, &RSA1RSAZ;, "Initiator Retained Secrets")
<em>if</em>&#160;&isPKsubA;&#160;<em>equals false then:</em>&#160;
&RSH1ARSHZA; = <em>HMAC</em>(HASH, &NsubA;, &RS1ARSZA;)
<em>if</em>&#160;&isPKsubB;&#160;<em>equals false then:</em>&#160;
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &RSH1ARSHZA;})
&IDA; = <em>cipher</em>(&KCsubA;, &CsubA;, {&RSH1ARSHZA;, &macA;})
&IDA; = <em>cipher</em>(&KCsubA;, &CsubA;, &macA;)
<em>else:</em></span>&#160;
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &RSH1ARSHZA;})
&signA; = <em>sign</em>(&signKeyA;, &macA;)
&IDA; = <em>cipher</em>(&KCsubA;, &CsubA;, {&pubKeyA;, &RSH1ARSHZA;, &signA;})
&IDA; = <em>cipher</em>(&KCsubA;, &CsubA;, {&pubKeyA;, &signA;})
&MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
&IDA;
&IDA;, &MsubA;
------------&gt;
&MsubA;, <span class='highlight'>e
<em>assert</em>&#160;&Hsube; = HASH(e | &NsubA;)
<span class='highlight'>e, &RSH1ARSHZA;
<em>assert</em>&#160;He = SHA256(e)
SAS = <em>truncate</em>(HASH(e | d | "Short Authentication String") ))
SAS
&lt;===========&gt;
@ -544,14 +541,14 @@ K = HASH(&dsupx; mod p)
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")</span>&#160;
<em>assert</em>&#160;&MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
<span class='highlight'><em>if</em>&#160;&isPKsubA;&#160;<em>equals false then:</em>&#160;
{&RSH1ARSHZA;, &macA;} = <em>decipher</em>(&KCsubA;, &CsubA;, &IDA;)
<span class='highlight'><em>if</em>&#160;&isPKsubB;&#160;<em>equals false then:</em>&#160;
&macA; = <em>decipher</em>(&KCsubA;, &CsubA;, &IDA;)
<em>assert</em>&#160;&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &RSH1ARSHZA;})
<em>else:</em></span>&#160;
{&pubKeyA;, &RSH1ARSHZA;, &signA;} = <em>decipher</em>(&KCsubA;, &CsubA;, &IDA;)
{&pubKeyA;, &signA;} = <em>decipher</em>(&KCsubA;, &CsubA;, &IDA;)
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &RSH1ARSHZA;})
<em>verify</em>(&signA;, &pubKeyA;, &macA;)
<span class='highlight'>SRS = <em>choose</em>(&RSB1RSBZ;, &RSH1ARSHZA;)
<span class='highlight'>SRS = <em>choose</em>(&RS1BRSZB;, &RSH1ARSHZA;, &NsubA;)
K = HASH(K | SRS | OSS)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
@ -560,7 +557,7 @@ K = HASH(&dsupx; mod p)
&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
SRSH = <em>HMAC</em>(HASH, SRS, "Shared Retained Secret")
<em>retain</em>(<em>HMAC</em>(HASH, K, "New Retained Secret"))
<em>if</em>&#160;&isPKsubB;&#160;<em>equals false then:</em>&#160;
<em>if</em>&#160;&isPKsubA;&#160;<em>equals false then:</em>&#160;
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &CsubA;})
&IDB; = <em>cipher</em>(&KCsubB;, &CsubB;, &macB;)&#160;
<em>else:</em>&#160;
@ -572,7 +569,7 @@ K = HASH(&dsupx; mod p)
&lt;------------
&MsubB;, SRSH&#160;
SRS = <em>choose</em>(&RSA1RSAZ;, SRSH)
SRS = <em>choose</em>(&RS1ARSZA;, SRSH)
K = HASH(K | SRS | OSS)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
@ -581,7 +578,7 @@ K = HASH(K | SRS | OSS)
&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
<em>retain</em>(<em>HMAC</em>(HASH, K, "New Retained Secret"))
<em>assert</em>&#160;&MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)
<em>if</em>&#160;&isPKsubB;&#160;<em>equals false then:</em>&#160;
<em>if</em>&#160;&isPKsubA;&#160;<em>equals false then:</em>&#160;
<span class='highlight'>&macB; = <em>decipher</em>(&KCsubB;, &CsubB;, &IDB;)
<em>assert</em>&#160;&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &CsubA;})
<em>else:</em></span>&#160;
@ -626,6 +623,10 @@ K = HASH(K | SRS | OSS)
<td>VERIFY</td>
<td>The selected signature verification algorithm (corresponds to SIGN)</td>
</tr>
<tr>
<td>SASGEN</td>
<td>The selected SAS generation algorithm</td>
</tr>
<tr>
<td>&x1xZ;</td>
<td>Alice's private Diffie-Hellman keys - each value corresponds to one of Z different DH groups</td>
@ -669,11 +670,11 @@ K = HASH(K | SRS | OSS)
chosen = {p,g,HASH,CIPHER,SIGN...} = <em>choose</em>(options)
<span class='highlight'>e</span> = <em>choose</em>(<span class='highlight'>&e1eZ;</span>, p)
&NsubB; = <em>random</em>()
&CsubA; = <em>random</em>()
&CBeCAx2n1;&#160;
y = <em>random</em>()
d = &gsupy; mod p
&CBeCAx2n1;&#160;
&NsubB; = <em>random</em>()
&formB; = {&CsubA;, chosen, d, &NsubA;, &NsubB;}
<span class='highlight'><em>assert</em> 1 &lt; e &lt; p-1
K = HASH(&esupy; mod p)
@ -722,7 +723,6 @@ VERIFY(&signB;, &pubKeyB;, &macB;)</span>&#160;
<section2 topic='Online ESession-R Negotiation' anchor='design-online-r'>
<p>This protocol is similar to the <link url='#design-online-i'>Online ESession-I Negotiation</link> above, except that Bob's identity is protected from active attacks (by by delaying communicating his identity to Alice until he has authenticated her). The optional use of SAS, retained secrets and other secrets means the protocol may be used without any public keys. The differences between this protocol and <link url='#design-online-i'>Online ESession-I Negotiation</link> are highlighted.</p>
<p>Note: Alice MUST mix a few random numbers with the &RSH1ARSHZA; that she sends to Bob to prevent an active attacker from discovering if she has communicated with Bob before and how many clients Bob has used to communicate with her.</p>
<pre>
<strong>ALICE</strong>&#160; <strong>BOB</strong>&#160;
@ -730,49 +730,49 @@ VERIFY(&signB;, &pubKeyB;, &macB;)</span>&#160;
<em>for</em> g,p &#8712; options
x = <em>random</em>()
e = &gsupx; mod p
<span class='highlight'>He = HASH(e | options | &NsubA; | &isPKsubA;)</span>&#160;
&form1A; = {<span class='highlight'>&He1HeZ;</span>, options, &NsubA;, <span class='highlight'>&isPKsubA;</span>}
<span class='highlight'>He = SHA256(e)</span>&#160;
&formA; = {<span class='highlight'>&He1HeZ;</span>, options, &NsubA;, <span class='highlight'>&isPKsubA;</span>}
&form1A;
&formA;
------------&gt;
chosen = {p,g,HASH,CIPHER,SIGN...} = <em>choose</em>(options)
<span class='highlight'>&Hsube;</span> = <em>choose</em>(<span class='highlight'>&He1HeZ;</span>, p)
chosen = {p,g,HASH,CIPHER,SIGN,SASGEN...} = <em>choose</em>(options)
<span class='highlight'>He</span> = <em>choose</em>(<span class='highlight'>&He1HeZ;</span>, p)
&NsubB; = <em>random</em>()
&CsubA; = <em>random</em>()
&CBeCAx2n1;&#160;
y = <em>random</em>()
d = &gsupy; mod p
&CBeCAx2n1;&#160;
&NsubB; = <em>random</em>()
&form1B; = {&CsubA;, chosen, d, &NsubA;, &NsubB;, <span class='highlight'>&isPKsubB;</span>}
&form1B;
&formB; = {&CsubA;, chosen, d, &NsubA;, &NsubB;, <span class='highlight'>&isPKsubB;</span>}
&formB;
&lt;------------
<em>assert</em> chosen &#8712; options
x = <em>choose</em>(&x1xZ;, p)
e = &gsupx; mod p
e = <em>choose</em>(&e1eZ;, p)
&CBeCAx2n1;&#160;
<em>assert</em> 1 &lt; d &lt; p-1
K = HASH(&dsupx; mod p)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
<span class='highlight'>SAS = <em>truncate</em>(HASH(e | d | "Short Authentication String"))
&RSH1ARSHZA; = <em>HMAC</em>(HASH, &RSA1RSAZ;, "Initiator Retained Secrets")
&form2A; = {e, &NsubB;}
<em>if</em>&#160;&isPKsubA;&#160;<em>equals false then:</em>&#160;
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &RSH1ARSHZA;, &form1A;, &form2A;})
&IDA; = CIPHER(&KCsubA;, &CsubA;, {&RSH1ARSHZA;, &macA;})
<span class='highlight'>SAS = SASGEN(e, d)
&RSH1ARSHZA; = <em>HMAC</em>(HASH, &NsubA;, &RS1ARSZA;)
&formA2; = {&RSH1ARSHZA;, e, &NsubB;}
<em>if</em>&#160;&isPKsubB;&#160;<em>equals false then:</em>&#160;
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &formA;, &formA2;})
&IDA; = CIPHER(&KCsubA;, &CsubA;, &macA;)
<em>else:</em>&#160;</span>&#160;
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &RSH1ARSHZA;, &form1A;, &form2A;})
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &formA;, &formA2;})
&signA; = SIGN(&signKeyA;, &macA;)
&IDA; = CIPHER(&KCsubA;, &CsubA;, {&pubKeyA;, &RSH1ARSHZA;, &signA;})
&IDA; = CIPHER(&KCsubA;, &CsubA;, {&pubKeyA;, &signA;})
&MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
&IDA;, &MsubA;
------------&gt;
<span class='highlight'>&form2A;&#160;
<span class='highlight'>&formA2;&#160;
<em>assert</em>&#160;&Hsube; = HASH(e | options | &NsubA; | &isPKsubA;)
SAS = <em>truncate</em>(HASH(e | d | "Short Authentication String"))
<em>assert</em>&#160;He = SHA256(e)
SAS = SASGEN(e, d)
SAS
&lt;===========&gt;
@ -782,14 +782,14 @@ K = HASH(&dsupx; mod p)
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
</span><em>assert</em>&#160;&MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
<span class='highlight'><em>if</em>&#160;&isPKsubA;&#160;<em>equals false then:</em>&#160;
{&RSH1ARSHZA;, &macA;} = DECIPHER(&KCsubA;, &CsubA;, &IDA;)
<em>assert</em>&#160;&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &RSH1ARSHZA;, &form1A;, &form2A;})
<span class='highlight'><em>if</em>&#160;&isPKsubB;&#160;<em>equals false then:</em>&#160;
&macA; = DECIPHER(&KCsubA;, &CsubA;, &IDA;)
<em>assert</em>&#160;&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &formA;, &formA2;})
<em>else:</em></span>&#160;
{&pubKeyA;, &RSH1ARSHZA;, &signA;} = DECIPHER(&KCsubA;, &CsubA;, &IDA;)
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &RSH1ARSHZA;, &form1A;, &form2A;})
{&pubKeyA;, &signA;} = DECIPHER(&KCsubA;, &CsubA;, &IDA;)
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &formA;, &formA2;})
VERIFY(&signA;, &pubKeyA;, &macA;)
<span class='highlight'>SRS = <em>choose</em>(&RSB1RSBZ;, &RSH1ARSHZA;)
<span class='highlight'>SRS = <em>choose</em>(&RS1BRSZB;, &RSH1ARSHZA;, &NsubA;)
K = HASH(K | SRS | OSS)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
@ -799,22 +799,22 @@ K = HASH(&dsupx; mod p)
<em>if</em> SRS <em>equals false then:</em>&#160;
SRS = <em>random</em>()
SRSH = <em>HMAC</em>(HASH, SRS, "Shared Retained Secret")
&form2B; = {&NsubA;, SRSH}
<em>retain</em>(<em>HMAC</em>(HASH, K, "New Retained Secret"))
<em>if</em>&#160;&isPKsubB;&#160;<em>equals false then:</em>&#160;
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &form1B;, &form2B;})
&formB2; = {&NsubA;, SRSH}
<em>if</em>&#160;&isPKsubA;&#160;<em>equals false then:</em>&#160;
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &formB;, &formB2;})
&IDB; = CIPHER(&KCsubB;, &CsubB;, &macB;)&#160;
<em>else:</em>&#160;
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &form1B;, &form2B;})
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;, &formB2;})
&signB; = SIGN(&signKeyB;, &macB;)
&IDB; = CIPHER(&KCsubB;, &CsubB;, {&pubKeyB;, &signB;})
&MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)
&IDB;, &MsubB;&#160;
&lt;------------
&form2B;&#160;
&formB2;&#160;
SRS = <em>choose</em>(&RSA1RSAZ;, SRSH)
SRS = <em>choose</em>(&RS1ARSZA;, SRSH)
K = HASH(K | SRS | OSS)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
@ -823,12 +823,12 @@ K = HASH(K | SRS | OSS)
&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
<em>retain</em>(<em>HMAC</em>(HASH, K, "New Retained Secret"))
<em>assert</em>&#160;&MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)
<em>if</em>&#160;&isPKsubB;&#160;<em>equals false then:</em>&#160;
<em>if</em>&#160;&isPKsubA;&#160;<em>equals false then:</em>&#160;
&macB; = DECIPHER(&KCsubB;, &CsubB;, &IDB;)
<em>assert</em>&#160;&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &form1B;, &form2B;})
<em>assert</em>&#160;&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &formB;, &formB2;})
<em>else:</em>&#160;
{&pubKeyB;, &signB;} = DECIPHER(&KCsubB;, &CsubB;, &IDB;)
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &form1B;, &form2B;})
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;, &formB2;})
VERIFY(&signB;, &pubKeyB;, &macB;)</span>
</pre>
</section2>
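Review bot: In the new `&RSH1ARSHZA; = <em>HMAC</em>(HASH, &NsubA;, &RS1ARSZA;)` lines of hunks `@ -521,19 +518,19` and `@ -730,49 +730,49`, the public nonce sits in the key position and the retained secrets are the message, the reverse of every other HMAC in these hunks, where the secret K is the key; if the argument order is (key, data) as those calls suggest, the conventional orientation `&RSH1ARSHZA; = <em>HMAC</em>(HASH, &RS1ARSZA;, &NsubA;)` keeps the secret where HMAC's PRF argument applies, and Bob's `choose(&RS1BRSZB;, &RSH1ARSHZA;, &NsubA;)` works unchanged either way. The same two hunks move the retained-secret hashes out of the encrypted &IDA; into cleartext (`e, &RSH1ARSHZA;` and `&formA2; = {&RSH1ARSHZA;, e, &NsubB;}`), so the number of values Alice sends is visible to any observer of the wire; if the "Alice MUST mix a few random numbers" paragraph in hunk `@ -722,7 +723,6` is the line this commit removes, that padding requirement should be restated next to the new &formA2; definition rather than dropped. Separately, the ESession-I hunk still derives the SAS as `truncate(HASH(e | d | "Short Authentication String"))` while the ESession-R hunk now uses `SASGEN(e, d)` from the new table entry, so the two protocol descriptions disagree on one derivation (the ESession-I context line also carries a stray `)`).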