diff --git a/xep-0188.xml b/xep-0188.xml
index 138b59da..3cf61b5d 100644
--- a/xep-0188.xml
+++ b/xep-0188.xml
@@ -6,7 +6,6 @@
x">
x">
y">
-
A">
B">
A">
@@ -28,10 +27,8 @@
B">
A">
B">
-1A">
-1B">
-2A">
-2B">
+A2">
+B2">
A">
B">
A">
@@ -47,8 +44,8 @@
1...xZ">
1...eZ">
1...HeZ">
-1A...RSZA">
-1B...RSZB">
+1A...RSZA">
+1B...RSZB">
1A...RSHZA">
@@ -77,7 +74,7 @@
&ianpaterson;
Added PKI Independence and Robustness requirements; added optional public key independence, hash commitment, SAS authentication, retained secrets and other secrets to SIGMA-R key exchange
This protocol is similar to the Online ESession-I Negotiation above, except that Bob's identity is protected from active attacks (by by delaying communicating his identity to Alice until he has authenticated her). The optional use of SAS, retained secrets and other secrets means the protocol may be used without any public keys. The differences between this protocol and Online ESession-I Negotiation are highlighted.
-Note: Alice MUST mix a few random numbers with the &RSH1ARSHZA; that she sends to Bob to prevent an active attacker from discovering if she has communicated with Bob before and how many clients Bob has used to communicate with her.
ALICE BOB 
@@ -730,49 +730,49 @@ VERIFY(&signB;, &pubKeyB;, &macB;) for g,p ∈ options x = random() e = &gsupx; mod p - He = HASH(e | options | &NsubA; | &isPKsubA;) -&form1A; = {&He1HeZ;, options, &NsubA;, &isPKsubA;} + He = SHA256(e) +&formA; = {&He1HeZ;, options, &NsubA;, &isPKsubA;} - &form1A; + &formA; ------------> - chosen = {p,g,HASH,CIPHER,SIGN...} = choose(options) - &Hsube; = choose(&He1HeZ;, p) + chosen = {p,g,HASH,CIPHER,SIGN,SASGEN...} = choose(options) + He = choose(&He1HeZ;, p) + &NsubB; = random() &CsubA; = random() + &CBeCAx2n1; y = random() d = &gsupy; mod p - &CBeCAx2n1; - &NsubB; = random() - &form1B; = {&CsubA;, chosen, d, &NsubA;, &NsubB;, &isPKsubB;} - &form1B; + &formB; = {&CsubA;, chosen, d, &NsubA;, &NsubB;, &isPKsubB;} + &formB; <------------ assert chosen ∈ options x = choose(&x1xZ;, p) -e = &gsupx; mod p +e = choose(&e1eZ;, p) &CBeCAx2n1; assert 1 < d < p-1 K = HASH(&dsupx; mod p) &KCsubA; = HMAC(HASH, K, "Initiator Cipher Key") &KMsubA; = HMAC(HASH, K, "Initiator MAC Key") &KSsubA; = HMAC(HASH, K, "Initiator SIGMA Key") -SAS = truncate(HASH(e | d | "Short Authentication String")) -&RSH1ARSHZA; = HMAC(HASH, &RSA1RSAZ;, "Initiator Retained Secrets") -&form2A; = {e, &NsubB;} -if &isPKsubA; equals false then: - &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &RSH1ARSHZA;, &form1A;, &form2A;}) - &IDA; = CIPHER(&KCsubA;, &CsubA;, {&RSH1ARSHZA;, &macA;}) +SAS = SASGEN(e, d) +&RSH1ARSHZA; = HMAC(HASH, &NsubA;, &RS1ARSZA;) +&formA2; = {&RSH1ARSHZA;, e, &NsubB;} +if &isPKsubB; equals false then: + &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &formA;, &formA2;}) + &IDA; = CIPHER(&KCsubA;, &CsubA;, &macA;) else: - &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &RSH1ARSHZA;, &form1A;, &form2A;}) + &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &formA;, &formA2;}) &signA; = SIGN(&signKeyA;, &macA;) - &IDA; = CIPHER(&KCsubA;, &CsubA;, {&pubKeyA;, &RSH1ARSHZA;, &signA;}) + &IDA; = CIPHER(&KCsubA;, &CsubA;, {&pubKeyA;, 
&signA;}) &MsubA; = HMAC(HASH, &KMsubA;, &CsubA;, &IDA;) &IDA;, &MsubA; ------------> - &form2A; + &formA2; - assert &Hsube; = HASH(e | options | &NsubA; | &isPKsubA;) - SAS = truncate(HASH(e | d | "Short Authentication String")) + assert He = SHA256(e) + SAS = SASGEN(e, d) SAS <===========> @@ -782,14 +782,14 @@ K = HASH(&dsupx; mod p) &KMsubA; = HMAC(HASH, K, "Initiator MAC Key") &KSsubA; = HMAC(HASH, K, "Initiator SIGMA Key") assert &MsubA; = HMAC(HASH, &KMsubA;, &CsubA;, &IDA;) - if &isPKsubA; equals false then: - {&RSH1ARSHZA;, &macA;} = DECIPHER(&KCsubA;, &CsubA;, &IDA;) - assert &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &RSH1ARSHZA;, &form1A;, &form2A;}) + if &isPKsubB; equals false then: + &macA; = DECIPHER(&KCsubA;, &CsubA;, &IDA;) + assert &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &formA;, &formA2;}) else: - {&pubKeyA;, &RSH1ARSHZA;, &signA;} = DECIPHER(&KCsubA;, &CsubA;, &IDA;) - &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &RSH1ARSHZA;, &form1A;, &form2A;}) + {&pubKeyA;, &signA;} = DECIPHER(&KCsubA;, &CsubA;, &IDA;) + &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &formA;, &formA2;}) VERIFY(&signA;, &pubKeyA;, &macA;) - SRS = choose(&RSB1RSBZ;, &RSH1ARSHZA;) + SRS = choose(&RS1BRSZB;, &RSH1ARSHZA;, &NsubA;) K = HASH(K | SRS | OSS) &KCsubA; = HMAC(HASH, K, "Initiator Cipher Key") &KCsubB; = HMAC(HASH, K, "Responder Cipher Key") 
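Review bot: In the new `&RSH1ARSHZA; = HMAC(HASH, &NsubA;, &RS1ARSZA;)` the public nonce is the HMAC key and the retained secret is the message, the reverse of `SRSH = HMAC(HASH, SRS, "Shared Retained Secret")` and `retain(HMAC(HASH, K, "New Retained Secret"))` in the hunk at @@ -799, which key by the secret; HMAC's PRF guarantee assumes a secret key, so with the roles inverted the hiding of the retained secrets rests only on the hash's preimage resistance. Consider `&RSH1ARSHZA; = HMAC(HASH, &RS1ARSZA;, &NsubA;)` with the matching argument order in Bob's `SRS = choose(&RS1BRSZB;, &RSH1ARSHZA;, &NsubA;)` in the hunk at @@ -782, or state the rationale in the prose. Separately, `&formA2; = {&RSH1ARSHZA;, e, &NsubB;}` now sends the retained-secret hashes in the clear rather than inside the encrypted `&IDA;`, so a passive observer learns how many retained secrets Alice holds for Bob, which appears to be the exposure the MUST note dropped in the hunk at @@ -77 was meant to limit; either keep a padding requirement or document the accepted leak. The example block this hunk edits starts before the hunk and continues past it.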
@@ -799,22 +799,22 @@ K = HASH(&dsupx; mod p) if SRS equals false then: SRS = random() SRSH = HMAC(HASH, SRS, "Shared Retained Secret") - &form2B; = {&NsubA;, SRSH} retain(HMAC(HASH, K, "New Retained Secret")) - if &isPKsubB; equals false then: - &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &form1B;, &form2B;}) + &formB2; = {&NsubA;, SRSH} + if &isPKsubA; equals false then: + &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &formB;, &formB2;}) &IDB; = CIPHER(&KCsubB;, &CsubB;, &macB;) else: - &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &form1B;, &form2B;}) + &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;, &formB2;}) &signB; = SIGN(&signKeyB;, &macB;) &IDB; = CIPHER(&KCsubB;, &CsubB;, {&pubKeyB;, &signB;}) &MsubB; = HMAC(HASH, &KMsubB;, &CsubB;, &IDB;) &IDB;, &MsubB; <------------ - &form2B; + &formB2; -SRS = choose(&RSA1RSAZ;, SRSH) +SRS = choose(&RS1ARSZA;, SRSH) K = HASH(K | SRS | OSS) &KCsubA; = HMAC(HASH, K, "Initiator Cipher Key") &KCsubB; = HMAC(HASH, K, "Responder Cipher Key") @@ -823,12 +823,12 @@ K = HASH(K | SRS | OSS) &KSsubB; = HMAC(HASH, K, "Responder SIGMA Key") retain(HMAC(HASH, K, "New Retained Secret")) assert &MsubB; = HMAC(HASH, &KMsubB;, &CsubB;, &IDB;) -if &isPKsubB; equals false then: +if &isPKsubA; equals false then: &macB; = DECIPHER(&KCsubB;, &CsubB;, &IDB;) - assert &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &form1B;, &form2B;}) + assert &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &formB;, &formB2;}) else: {&pubKeyB;, &signB;} = DECIPHER(&KCsubB;, &CsubB;, &IDB;) - &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &form1B;, &form2B;}) + &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;, &formB2;}) VERIFY(&signB;, &pubKeyB;, &macB;)
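Review bot: The branch condition changes from `if &isPKsubB; equals false` to `if &isPKsubA; equals false` on Bob's side here and in the hunk at @@ -823, with the mirror swap on Alice's side in the hunks at @@ -730 and @@ -782, so whether a party signs is now decided by the peer's flag rather than its own. If that is intended (the flag presumably now means "the sender requests public-key authentication from the other party"), the prose that defines `&isPKsubA;` and `&isPKsubB;` lies outside these hunks and should be updated in the same commit, since a reader of the pseudocode alone cannot tell the old meaning from the new. If the flag still denotes the sender's own capability, the swap is a defect and Alice would sign based on Bob's setting. The surrounding example block extends beyond the shown hunks on both sides.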