From 9396e5679498ed050248d15144f832fed2ff4390 Mon Sep 17 00:00:00 2001 From: Ian Paterson Date: Mon, 27 Nov 2006 02:11:48 +0000 Subject: [PATCH] 0.3 RC3 minor stuff git-svn-id: file:///home/ksmith/gitmigration/svn/xmpp/trunk@215 4b5297f7-1745-476d-ba37-a9c6900126ab --- xep-0188.xml | 142 +++++++++++++++++++++++++-------------------------- 1 file changed, 71 insertions(+), 71 deletions(-) diff --git a/xep-0188.xml b/xep-0188.xml index 138b59da..3cf61b5d 100644 --- a/xep-0188.xml +++ b/xep-0188.xml @@ -6,7 +6,6 @@ x"> x"> y"> - A"> B"> A"> @@ -28,10 +27,8 @@ B"> A"> B"> -1A"> -1B"> -2A"> -2B"> +A2"> +B2"> A"> B"> A"> @@ -47,8 +44,8 @@ 1...xZ"> 1...eZ"> 1...HeZ"> -1A...RSZA"> -1B...RSZB"> +1A...RSZA"> +1B...RSZB"> 1A...RSHZA"> @@ -77,7 +74,7 @@ &ianpaterson; 0.3 - 2006-11-24 + 2006-11-27 ip

Added PKI Independence and Robustness requirements; added optional public key independence, hash commitment, SAS authentication, retained secrets and other secrets to SIGMA-R key exchange

@@ -295,7 +292,7 @@ Alice and Bob's public Diffie-Hellman keys (the same as &gsupx;, &gsupy;) - &Hsube; + He Hash of Alice's public Diffie-Hellman key @@ -331,11 +328,11 @@ Shared retained secret (derived from K in previous session between the clients) - &RSA1RSAZ; + &RS1ARSZA; Retained secrets Alice shares with Bob (one for each client he uses) - &RSB1RSBZ; + &RS1BRSZB; Retained secrets Bob shares with Alice (one for each client she uses) @@ -352,7 +349,7 @@ &isPKsubA;, &isPKsubB; - Whether or not Alice and Bob have a private key (booleans) + Whether or not Alice and Bob prefer to receive a public key (booleans) @@ -444,11 +441,11 @@ x = random() e = &gsupx; mod p e, &NsubA; ------------> + &NsubB; = random() &CsubA; = random() + &CBeCAx2n1;  y = random() d = &gsupy; mod p - &CBeCAx2n1;  - &NsubB; = random() assert 1 < e < p-1 K = HASH(&esupy; mod p) &KCsubA; = HMAC(HASH, K, "Initiator Cipher Key") @@ -502,15 +499,15 @@ K = HASH(&dsupx; mod p) &NsubA; = random() x = random() e = &gsupx; mod p -&Hsube; = HASH(e | &NsubA;) - &Hsube;, &isPKsubA; +He = SHA256(e) + He, &isPKsubA; ------------> &NsubA;  + &NsubB; = random() &CsubA; = random() + &CBeCAx2n1;  y = random() d = &gsupy; mod p - &CBeCAx2n1;  - &NsubB; = random() d, &CsubA;, &NsubB; <------------ &isPKsubB;  @@ -521,19 +518,19 @@ K = HASH(&dsupx; mod p) &KMsubA; = HMAC(HASH, K, "Initiator MAC Key") &KSsubA; = HMAC(HASH, K, "Initiator SIGMA Key") SAS = truncate(HASH(e | d | "Short Authentication String")) -&RSH1ARSHZA; = HMAC(HASH, &RSA1RSAZ;, "Initiator Retained Secrets") -if &isPKsubA; equals false then:  +&RSH1ARSHZA; = HMAC(HASH, &NsubA;, &RS1ARSZA;) +if &isPKsubB; equals false then:  &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &RSH1ARSHZA;}) - &IDA; = cipher(&KCsubA;, &CsubA;, {&RSH1ARSHZA;, &macA;}) + &IDA; = cipher(&KCsubA;, &CsubA;, &macA;) else:  &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &RSH1ARSHZA;}) &signA; = sign(&signKeyA;, &macA;) - &IDA; = cipher(&KCsubA;, &CsubA;, {&pubKeyA;, &RSH1ARSHZA;, &signA;}) + &IDA; = cipher(&KCsubA;, &CsubA;, {&pubKeyA;, &signA;}) &MsubA; = HMAC(HASH, &KMsubA;, &CsubA;, &IDA;) - &IDA; + &IDA;, &MsubA; ------------> - &MsubA;, e - assert &Hsube; = HASH(e | &NsubA;) + e, &RSH1ARSHZA; + assert He = SHA256(e) SAS = truncate(HASH(e | d | "Short Authentication String") )) SAS <===========> @@ -544,14 +541,14 @@ K = HASH(&dsupx; mod p) &KMsubA; = HMAC(HASH, K, "Initiator MAC Key") &KSsubA; = HMAC(HASH, K, "Initiator SIGMA Key")  assert &MsubA; = HMAC(HASH, &KMsubA;, &CsubA;, &IDA;) - if &isPKsubA; equals false then:  - {&RSH1ARSHZA;, &macA;} = decipher(&KCsubA;, &CsubA;, &IDA;) + if &isPKsubB; equals false then:  + &macA; = decipher(&KCsubA;, &CsubA;, &IDA;) assert &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &RSH1ARSHZA;}) else:  - {&pubKeyA;, &RSH1ARSHZA;, &signA;} = decipher(&KCsubA;, &CsubA;, &IDA;) + {&pubKeyA;, &signA;} = decipher(&KCsubA;, &CsubA;, &IDA;) &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &RSH1ARSHZA;}) verify(&signA;, &pubKeyA;, &macA;) - SRS = choose(&RSB1RSBZ;, &RSH1ARSHZA;) + SRS = choose(&RS1BRSZB;, &RSH1ARSHZA;, &NsubA;) K = HASH(K | SRS | OSS) &KCsubA; = HMAC(HASH, K, "Initiator Cipher Key") &KCsubB; = HMAC(HASH, K, "Responder Cipher Key") @@ -560,7 +557,7 @@ K = HASH(&dsupx; mod p) &KSsubB; = HMAC(HASH, K, "Responder SIGMA Key") SRSH = HMAC(HASH, SRS, "Shared Retained Secret") retain(HMAC(HASH, K, "New Retained Secret")) - if &isPKsubB; equals false then:  + if &isPKsubA; equals false then:  &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &CsubA;}) &IDB; = cipher(&KCsubB;, &CsubB;, &macB;)  else:  @@ -572,7 +569,7 @@ K = HASH(&dsupx; mod p) <------------ &MsubB;, SRSH  -SRS = choose(&RSA1RSAZ;, SRSH) +SRS = choose(&RS1ARSZA;, SRSH) K = HASH(K | SRS | OSS) &KCsubA; = HMAC(HASH, K, "Initiator Cipher Key") &KCsubB; = HMAC(HASH, K, "Responder Cipher Key") @@ -581,7 +578,7 @@ K = HASH(K | SRS | OSS) &KSsubB; = HMAC(HASH, K, "Responder SIGMA Key") retain(HMAC(HASH, K, "New Retained Secret")) assert &MsubB; = HMAC(HASH, &KMsubB;, &CsubB;, &IDB;) -if &isPKsubB; equals false then:  +if &isPKsubA; equals false then:  &macB; = decipher(&KCsubB;, &CsubB;, &IDB;) assert &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &CsubA;}) else:  @@ -626,6 +623,10 @@ K = HASH(K | SRS | OSS) VERIFY The selected signature verification algorithm (corresponds to SIGN) + + SASGEN + The selected SAS generation algorithm + &x1xZ; Alice's private Diffie-Hellman keys - each value corresponds to one of Z different DH groups @@ -669,11 +670,11 @@ K = HASH(K | SRS | OSS) chosen = {p,g,HASH,CIPHER,SIGN...} = choose(options) e = choose(&e1eZ;, p) + &NsubB; = random() &CsubA; = random() + &CBeCAx2n1;  y = random() d = &gsupy; mod p - &CBeCAx2n1;  - &NsubB; = random() &formB; = {&CsubA;, chosen, d, &NsubA;, &NsubB;} assert 1 < e < p-1 K = HASH(&esupy; mod p) @@ -722,7 +723,6 @@ VERIFY(&signB;, &pubKeyB;, &macB;) 

This protocol is similar to the Online ESession-I Negotiation above, except that Bob's identity is protected from active attacks (by by delaying communicating his identity to Alice until he has authenticated her). The optional use of SAS, retained secrets and other secrets means the protocol may be used without any public keys. The differences between this protocol and Online ESession-I Negotiation are highlighted.

-

Note: Alice MUST mix a few random numbers with the &RSH1ARSHZA; that she sends to Bob to prevent an active attacker from discovering if she has communicated with Bob before and how many clients Bob has used to communicate with her.

 ALICE                                      BOB 
 
@@ -730,49 +730,49 @@ VERIFY(&signB;, &pubKeyB;, &macB;) 
 for g,p ∈ options
     x = random()
     e = &gsupx; mod p
-    He = HASH(e | options | &NsubA; | &isPKsubA;) 
-&form1A; = {&He1HeZ;, options, &NsubA;, &isPKsubA;}
+    He = SHA256(e) 
+&formA; = {&He1HeZ;, options, &NsubA;, &isPKsubA;}
 
-                                 &form1A;
+                                 &formA;
                              ------------>
 
-                                           chosen = {p,g,HASH,CIPHER,SIGN...} = choose(options)
-                                           &Hsube; = choose(&He1HeZ;, p)
+                                           chosen = {p,g,HASH,CIPHER,SIGN,SASGEN...} = choose(options)
+                                           He = choose(&He1HeZ;, p)
+                                           &NsubB; = random()
                                            &CsubA; = random()
+                                           &CBeCAx2n1; 
                                            y = random()
                                            d = &gsupy; mod p
-                                           &CBeCAx2n1; 
-                                           &NsubB; = random()
-                                           &form1B; = {&CsubA;, chosen, d, &NsubA;, &NsubB;, &isPKsubB;}
-                                 &form1B;
+                                           &formB; = {&CsubA;, chosen, d, &NsubA;, &NsubB;, &isPKsubB;}
+                                 &formB;
                              <------------
 assert chosen ∈ options
 x = choose(&x1xZ;, p)
-e = &gsupx; mod p
+e = choose(&e1eZ;, p)
 &CBeCAx2n1; 
 assert 1 < d < p-1
 K = HASH(&dsupx; mod p)
 &KCsubA; = HMAC(HASH, K, "Initiator Cipher Key")
 &KMsubA; = HMAC(HASH, K, "Initiator MAC Key")
 &KSsubA; = HMAC(HASH, K, "Initiator SIGMA Key")
-SAS = truncate(HASH(e | d | "Short Authentication String"))
-&RSH1ARSHZA; = HMAC(HASH, &RSA1RSAZ;, "Initiator Retained Secrets")
-&form2A; = {e, &NsubB;}
-if &isPKsubA; equals false then: 
-    &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &RSH1ARSHZA;, &form1A;, &form2A;})
-    &IDA; = CIPHER(&KCsubA;, &CsubA;, {&RSH1ARSHZA;, &macA;})
+SAS = SASGEN(e, d)
+&RSH1ARSHZA; = HMAC(HASH, &NsubA;, &RS1ARSZA;)
+&formA2; = {&RSH1ARSHZA;, e, &NsubB;}
+if &isPKsubB; equals false then: 
+    &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &formA;, &formA2;})
+    &IDA; = CIPHER(&KCsubA;, &CsubA;, &macA;)
 else:  
-    &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &RSH1ARSHZA;, &form1A;, &form2A;})
+    &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &formA;, &formA2;})
     &signA; = SIGN(&signKeyA;, &macA;)
-    &IDA; = CIPHER(&KCsubA;, &CsubA;, {&pubKeyA;, &RSH1ARSHZA;, &signA;})
+    &IDA; = CIPHER(&KCsubA;, &CsubA;, {&pubKeyA;, &signA;})
 &MsubA; = HMAC(HASH, &KMsubA;, &CsubA;, &IDA;)
 
                                 &IDA;, &MsubA;
                              ------------>
-                                 &form2A; 
+                                 &formA2; 
 
-                                           assert &Hsube; = HASH(e | options | &NsubA; | &isPKsubA;)
-                                           SAS = truncate(HASH(e | d | "Short Authentication String"))
+                                           assert He = SHA256(e)
+                                           SAS = SASGEN(e, d)
                                   SAS
                              <===========>
 
@@ -782,14 +782,14 @@ K = HASH(&dsupx; mod p)
                                            &KMsubA; = HMAC(HASH, K, "Initiator MAC Key")
                                            &KSsubA; = HMAC(HASH, K, "Initiator SIGMA Key")
                                            assert &MsubA; = HMAC(HASH, &KMsubA;, &CsubA;, &IDA;)
-                                           if &isPKsubA; equals false then: 
-                                               {&RSH1ARSHZA;, &macA;} = DECIPHER(&KCsubA;, &CsubA;, &IDA;)
-                                               assert &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &RSH1ARSHZA;, &form1A;, &form2A;})
+                                           if &isPKsubB; equals false then: 
+                                               &macA; = DECIPHER(&KCsubA;, &CsubA;, &IDA;)
+                                               assert &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &formA;, &formA2;})
                                            else: 
-                                               {&pubKeyA;, &RSH1ARSHZA;, &signA;} = DECIPHER(&KCsubA;, &CsubA;, &IDA;)
-                                               &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &RSH1ARSHZA;, &form1A;, &form2A;})
+                                               {&pubKeyA;, &signA;} = DECIPHER(&KCsubA;, &CsubA;, &IDA;)
+                                               &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &formA;, &formA2;})
                                                VERIFY(&signA;, &pubKeyA;, &macA;)
-                                           SRS = choose(&RSB1RSBZ;, &RSH1ARSHZA;)
+                                           SRS = choose(&RS1BRSZB;, &RSH1ARSHZA;, &NsubA;)
                                            K = HASH(K | SRS | OSS)
                                            &KCsubA; = HMAC(HASH, K, "Initiator Cipher Key")
                                            &KCsubB; = HMAC(HASH, K, "Responder Cipher Key")
@@ -799,22 +799,22 @@ K = HASH(&dsupx; mod p)
                                            if SRS equals false then: 
                                                SRS = random()
                                            SRSH = HMAC(HASH, SRS, "Shared Retained Secret")
-                                           &form2B; = {&NsubA;, SRSH}
                                            retain(HMAC(HASH, K, "New Retained Secret"))
-                                           if &isPKsubB; equals false then: 
-                                               &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &form1B;, &form2B;})
+                                           &formB2; = {&NsubA;, SRSH}
+                                           if &isPKsubA; equals false then: 
+                                               &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &formB;, &formB2;})
                                                &IDB; = CIPHER(&KCsubB;, &CsubB;, &macB;) 
                                            else: 
-                                               &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &form1B;, &form2B;})
+                                               &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;, &formB2;})
                                                &signB; = SIGN(&signKeyB;, &macB;)
                                                &IDB; = CIPHER(&KCsubB;, &CsubB;, {&pubKeyB;, &signB;})
                                            &MsubB; = HMAC(HASH, &KMsubB;, &CsubB;, &IDB;)
 
                                 &IDB;, &MsubB; 
                              <------------
-                                 &form2B; 
+                                 &formB2; 
 
-SRS = choose(&RSA1RSAZ;, SRSH)
+SRS = choose(&RS1ARSZA;, SRSH)
 K = HASH(K | SRS | OSS)
 &KCsubA; = HMAC(HASH, K, "Initiator Cipher Key")
 &KCsubB; = HMAC(HASH, K, "Responder Cipher Key")
@@ -823,12 +823,12 @@ K = HASH(K | SRS | OSS)
 &KSsubB; = HMAC(HASH, K, "Responder SIGMA Key")
 retain(HMAC(HASH, K, "New Retained Secret"))
 assert &MsubB; = HMAC(HASH, &KMsubB;, &CsubB;, &IDB;)
-if &isPKsubB; equals false then: 
+if &isPKsubA; equals false then: 
     &macB; = DECIPHER(&KCsubB;, &CsubB;, &IDB;)
-    assert &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &form1B;, &form2B;})
+    assert &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &formB;, &formB2;})
 else: 
     {&pubKeyB;, &signB;} = DECIPHER(&KCsubB;, &CsubB;, &IDB;)
-    &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &form1B;, &form2B;})
+    &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;, &formB2;})
     VERIFY(&signB;, &pubKeyB;, &macB;)