0.3 RC3 minor stuff
git-svn-id: file:///home/ksmith/gitmigration/svn/xmpp/trunk@215 4b5297f7-1745-476d-ba37-a9c6900126ab
This commit is contained in:
parent
3e61673a03
commit
9396e56794
142
xep-0188.xml
142
xep-0188.xml
@ -6,7 +6,6 @@
|
|||||||
<!ENTITY dsupx "d<span class='super'>x</span>">
|
<!ENTITY dsupx "d<span class='super'>x</span>">
|
||||||
<!ENTITY gsupx "g<span class='super'>x</span>">
|
<!ENTITY gsupx "g<span class='super'>x</span>">
|
||||||
<!ENTITY gsupy "g<span class='super'>y</span>">
|
<!ENTITY gsupy "g<span class='super'>y</span>">
|
||||||
<!ENTITY Hsube "He">
|
|
||||||
<!ENTITY isPKsubA "isPK<span class='sub'>A</span>">
|
<!ENTITY isPKsubA "isPK<span class='sub'>A</span>">
|
||||||
<!ENTITY isPKsubB "isPK<span class='sub'>B</span>">
|
<!ENTITY isPKsubB "isPK<span class='sub'>B</span>">
|
||||||
<!ENTITY NsubA "N<span class='sub'>A</span>">
|
<!ENTITY NsubA "N<span class='sub'>A</span>">
|
||||||
@ -28,10 +27,8 @@
|
|||||||
<!ENTITY IDB "ID<span class='sub'>B</span>">
|
<!ENTITY IDB "ID<span class='sub'>B</span>">
|
||||||
<!ENTITY formA "form<span class='sub'>A</span>">
|
<!ENTITY formA "form<span class='sub'>A</span>">
|
||||||
<!ENTITY formB "form<span class='sub'>B</span>">
|
<!ENTITY formB "form<span class='sub'>B</span>">
|
||||||
<!ENTITY form1A "form<span class='sub'>1A</span>">
|
<!ENTITY formA2 "form<span class='sub'>A2</span>">
|
||||||
<!ENTITY form1B "form<span class='sub'>1B</span>">
|
<!ENTITY formB2 "form<span class='sub'>B2</span>">
|
||||||
<!ENTITY form2A "form<span class='sub'>2A</span>">
|
|
||||||
<!ENTITY form2B "form<span class='sub'>2B</span>">
|
|
||||||
<!ENTITY macA "mac<span class='sub'>A</span>">
|
<!ENTITY macA "mac<span class='sub'>A</span>">
|
||||||
<!ENTITY macB "mac<span class='sub'>B</span>">
|
<!ENTITY macB "mac<span class='sub'>B</span>">
|
||||||
<!ENTITY signA "sign<span class='sub'>A</span>">
|
<!ENTITY signA "sign<span class='sub'>A</span>">
|
||||||
@ -47,8 +44,8 @@
|
|||||||
<!ENTITY x1xZ "x<span class='sub'>1</span>...x<span class='sub'>Z</span>">
|
<!ENTITY x1xZ "x<span class='sub'>1</span>...x<span class='sub'>Z</span>">
|
||||||
<!ENTITY e1eZ "e<span class='sub'>1</span>...e<span class='sub'>Z</span>">
|
<!ENTITY e1eZ "e<span class='sub'>1</span>...e<span class='sub'>Z</span>">
|
||||||
<!ENTITY He1HeZ "He<span class='sub'>1</span>...He<span class='sub'>Z</span>">
|
<!ENTITY He1HeZ "He<span class='sub'>1</span>...He<span class='sub'>Z</span>">
|
||||||
<!ENTITY RSA1RSAZ "RS<span class='sub'>1A</span>...RS<span class='sub'>ZA</span>">
|
<!ENTITY RS1ARSZA "RS<span class='sub'>1A</span>...RS<span class='sub'>ZA</span>">
|
||||||
<!ENTITY RSB1RSBZ "RS<span class='sub'>1B</span>...RS<span class='sub'>ZB</span>">
|
<!ENTITY RS1BRSZB "RS<span class='sub'>1B</span>...RS<span class='sub'>ZB</span>">
|
||||||
<!ENTITY RSH1ARSHZA "RSH<span class='sub'>1A</span>...RSH<span class='sub'>ZA</span>">
|
<!ENTITY RSH1ARSHZA "RSH<span class='sub'>1A</span>...RSH<span class='sub'>ZA</span>">
|
||||||
|
|
||||||
|
|
||||||
@ -77,7 +74,7 @@
|
|||||||
&ianpaterson;
|
&ianpaterson;
|
||||||
<revision>
|
<revision>
|
||||||
<version>0.3</version>
|
<version>0.3</version>
|
||||||
<date>2006-11-24</date>
|
<date>2006-11-27</date>
|
||||||
<initials>ip</initials>
|
<initials>ip</initials>
|
||||||
<remark><p>Added PKI Independence and Robustness requirements; added optional public key independence, hash commitment, SAS authentication, retained secrets and other secrets to SIGMA-R key exchange</p></remark>
|
<remark><p>Added PKI Independence and Robustness requirements; added optional public key independence, hash commitment, SAS authentication, retained secrets and other secrets to SIGMA-R key exchange</p></remark>
|
||||||
</revision>
|
</revision>
|
||||||
@ -295,7 +292,7 @@
|
|||||||
<td>Alice and Bob's public Diffie-Hellman keys (the same as &gsupx;, &gsupy;)</td>
|
<td>Alice and Bob's public Diffie-Hellman keys (the same as &gsupx;, &gsupy;)</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>&Hsube;</td>
|
<td>He</td>
|
||||||
<td>Hash of Alice's public Diffie-Hellman key</td>
|
<td>Hash of Alice's public Diffie-Hellman key</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
@ -331,11 +328,11 @@
|
|||||||
<td>Shared retained secret (derived from K in previous session between the clients)</td>
|
<td>Shared retained secret (derived from K in previous session between the clients)</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>&RSA1RSAZ;</td>
|
<td>&RS1ARSZA;</td>
|
||||||
<td>Retained secrets Alice shares with Bob (one for each client he uses)</td>
|
<td>Retained secrets Alice shares with Bob (one for each client he uses)</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>&RSB1RSBZ;</td>
|
<td>&RS1BRSZB;</td>
|
||||||
<td>Retained secrets Bob shares with Alice (one for each client she uses)</td>
|
<td>Retained secrets Bob shares with Alice (one for each client she uses)</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
@ -352,7 +349,7 @@
|
|||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>&isPKsubA;, &isPKsubB;</td>
|
<td>&isPKsubA;, &isPKsubB;</td>
|
||||||
<td>Whether or not Alice and Bob have a private key (booleans)</td>
|
<td>Whether or not Alice and Bob prefer to <em>receive</em> a public key (booleans)</td>
|
||||||
</tr>
|
</tr>
|
||||||
</table>
|
</table>
|
||||||
</section2>
|
</section2>
|
||||||
@ -444,11 +441,11 @@ x = <em>random</em>()
|
|||||||
e = &gsupx; mod p
|
e = &gsupx; mod p
|
||||||
<span class='highlight'>e,</span> &NsubA;
|
<span class='highlight'>e,</span> &NsubA;
|
||||||
------------>
|
------------>
|
||||||
|
&NsubB; = <em>random</em>()
|
||||||
&CsubA; = <em>random</em>()
|
&CsubA; = <em>random</em>()
|
||||||
|
&CBeCAx2n1; 
|
||||||
y = <em>random</em>()
|
y = <em>random</em>()
|
||||||
d = &gsupy; mod p
|
d = &gsupy; mod p
|
||||||
&CBeCAx2n1; 
|
|
||||||
&NsubB; = <em>random</em>()
|
|
||||||
<span class='highlight'><em>assert</em> 1 < e < p-1
|
<span class='highlight'><em>assert</em> 1 < e < p-1
|
||||||
K = HASH(&esupy; mod p)
|
K = HASH(&esupy; mod p)
|
||||||
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
|
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
|
||||||
@ -502,15 +499,15 @@ K = HASH(&dsupx; mod p)
|
|||||||
&NsubA; = <em>random</em>()
|
&NsubA; = <em>random</em>()
|
||||||
x = <em>random</em>()
|
x = <em>random</em>()
|
||||||
e = &gsupx; mod p
|
e = &gsupx; mod p
|
||||||
<span class='highlight'>&Hsube; = HASH(e | &NsubA;)
|
<span class='highlight'>He = SHA256(e)
|
||||||
&Hsube;, &isPKsubA;</span>
|
He, &isPKsubA;</span>
|
||||||
------------>
|
------------>
|
||||||
&NsubA; 
|
&NsubA; 
|
||||||
|
&NsubB; = <em>random</em>()
|
||||||
&CsubA; = <em>random</em>()
|
&CsubA; = <em>random</em>()
|
||||||
|
&CBeCAx2n1; 
|
||||||
y = <em>random</em>()
|
y = <em>random</em>()
|
||||||
d = &gsupy; mod p
|
d = &gsupy; mod p
|
||||||
&CBeCAx2n1; 
|
|
||||||
&NsubB; = <em>random</em>()
|
|
||||||
d, &CsubA;, &NsubB;
|
d, &CsubA;, &NsubB;
|
||||||
<------------
|
<------------
|
||||||
<span class='highlight'>&isPKsubB;</span> 
|
<span class='highlight'>&isPKsubB;</span> 
|
||||||
@ -521,19 +518,19 @@ K = HASH(&dsupx; mod p)
|
|||||||
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
|
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
|
||||||
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
|
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
|
||||||
<span class='highlight'>SAS = <em>truncate</em>(HASH(e | d | "Short Authentication String"))
|
<span class='highlight'>SAS = <em>truncate</em>(HASH(e | d | "Short Authentication String"))
|
||||||
&RSH1ARSHZA; = <em>HMAC</em>(HASH, &RSA1RSAZ;, "Initiator Retained Secrets")
|
&RSH1ARSHZA; = <em>HMAC</em>(HASH, &NsubA;, &RS1ARSZA;)
|
||||||
<em>if</em> &isPKsubA; <em>equals false then:</em> 
|
<em>if</em> &isPKsubB; <em>equals false then:</em> 
|
||||||
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &RSH1ARSHZA;})
|
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &RSH1ARSHZA;})
|
||||||
&IDA; = <em>cipher</em>(&KCsubA;, &CsubA;, {&RSH1ARSHZA;, &macA;})
|
&IDA; = <em>cipher</em>(&KCsubA;, &CsubA;, &macA;)
|
||||||
<em>else:</em></span> 
|
<em>else:</em></span> 
|
||||||
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &RSH1ARSHZA;})
|
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &RSH1ARSHZA;})
|
||||||
&signA; = <em>sign</em>(&signKeyA;, &macA;)
|
&signA; = <em>sign</em>(&signKeyA;, &macA;)
|
||||||
&IDA; = <em>cipher</em>(&KCsubA;, &CsubA;, {&pubKeyA;, &RSH1ARSHZA;, &signA;})
|
&IDA; = <em>cipher</em>(&KCsubA;, &CsubA;, {&pubKeyA;, &signA;})
|
||||||
&MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
|
&MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
|
||||||
&IDA;
|
&IDA;, &MsubA;
|
||||||
------------>
|
------------>
|
||||||
&MsubA;, <span class='highlight'>e
|
<span class='highlight'>e, &RSH1ARSHZA;
|
||||||
<em>assert</em> &Hsube; = HASH(e | &NsubA;)
|
<em>assert</em> He = SHA256(e)
|
||||||
SAS = <em>truncate</em>(HASH(e | d | "Short Authentication String") ))
|
SAS = <em>truncate</em>(HASH(e | d | "Short Authentication String") ))
|
||||||
SAS
|
SAS
|
||||||
<===========>
|
<===========>
|
||||||
@ -544,14 +541,14 @@ K = HASH(&dsupx; mod p)
|
|||||||
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
|
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
|
||||||
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")</span> 
|
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")</span> 
|
||||||
<em>assert</em> &MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
|
<em>assert</em> &MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
|
||||||
<span class='highlight'><em>if</em> &isPKsubA; <em>equals false then:</em> 
|
<span class='highlight'><em>if</em> &isPKsubB; <em>equals false then:</em> 
|
||||||
{&RSH1ARSHZA;, &macA;} = <em>decipher</em>(&KCsubA;, &CsubA;, &IDA;)
|
&macA; = <em>decipher</em>(&KCsubA;, &CsubA;, &IDA;)
|
||||||
<em>assert</em> &macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &RSH1ARSHZA;})
|
<em>assert</em> &macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &RSH1ARSHZA;})
|
||||||
<em>else:</em></span> 
|
<em>else:</em></span> 
|
||||||
{&pubKeyA;, &RSH1ARSHZA;, &signA;} = <em>decipher</em>(&KCsubA;, &CsubA;, &IDA;)
|
{&pubKeyA;, &signA;} = <em>decipher</em>(&KCsubA;, &CsubA;, &IDA;)
|
||||||
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &RSH1ARSHZA;})
|
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &RSH1ARSHZA;})
|
||||||
<em>verify</em>(&signA;, &pubKeyA;, &macA;)
|
<em>verify</em>(&signA;, &pubKeyA;, &macA;)
|
||||||
<span class='highlight'>SRS = <em>choose</em>(&RSB1RSBZ;, &RSH1ARSHZA;)
|
<span class='highlight'>SRS = <em>choose</em>(&RS1BRSZB;, &RSH1ARSHZA;, &NsubA;)
|
||||||
K = HASH(K | SRS | OSS)
|
K = HASH(K | SRS | OSS)
|
||||||
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
|
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
|
||||||
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
|
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
|
||||||
@ -560,7 +557,7 @@ K = HASH(&dsupx; mod p)
|
|||||||
&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
|
&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
|
||||||
SRSH = <em>HMAC</em>(HASH, SRS, "Shared Retained Secret")
|
SRSH = <em>HMAC</em>(HASH, SRS, "Shared Retained Secret")
|
||||||
<em>retain</em>(<em>HMAC</em>(HASH, K, "New Retained Secret"))
|
<em>retain</em>(<em>HMAC</em>(HASH, K, "New Retained Secret"))
|
||||||
<em>if</em> &isPKsubB; <em>equals false then:</em> 
|
<em>if</em> &isPKsubA; <em>equals false then:</em> 
|
||||||
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &CsubA;})
|
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &CsubA;})
|
||||||
&IDB; = <em>cipher</em>(&KCsubB;, &CsubB;, &macB;) 
|
&IDB; = <em>cipher</em>(&KCsubB;, &CsubB;, &macB;) 
|
||||||
<em>else:</em> 
|
<em>else:</em> 
|
||||||
@ -572,7 +569,7 @@ K = HASH(&dsupx; mod p)
|
|||||||
<------------
|
<------------
|
||||||
&MsubB;, SRSH 
|
&MsubB;, SRSH 
|
||||||
|
|
||||||
SRS = <em>choose</em>(&RSA1RSAZ;, SRSH)
|
SRS = <em>choose</em>(&RS1ARSZA;, SRSH)
|
||||||
K = HASH(K | SRS | OSS)
|
K = HASH(K | SRS | OSS)
|
||||||
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
|
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
|
||||||
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
|
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
|
||||||
@ -581,7 +578,7 @@ K = HASH(K | SRS | OSS)
|
|||||||
&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
|
&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
|
||||||
<em>retain</em>(<em>HMAC</em>(HASH, K, "New Retained Secret"))
|
<em>retain</em>(<em>HMAC</em>(HASH, K, "New Retained Secret"))
|
||||||
<em>assert</em> &MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)
|
<em>assert</em> &MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)
|
||||||
<em>if</em> &isPKsubB; <em>equals false then:</em> 
|
<em>if</em> &isPKsubA; <em>equals false then:</em> 
|
||||||
<span class='highlight'>&macB; = <em>decipher</em>(&KCsubB;, &CsubB;, &IDB;)
|
<span class='highlight'>&macB; = <em>decipher</em>(&KCsubB;, &CsubB;, &IDB;)
|
||||||
<em>assert</em> &macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &CsubA;})
|
<em>assert</em> &macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &CsubA;})
|
||||||
<em>else:</em></span> 
|
<em>else:</em></span> 
|
||||||
@ -626,6 +623,10 @@ K = HASH(K | SRS | OSS)
|
|||||||
<td>VERIFY</td>
|
<td>VERIFY</td>
|
||||||
<td>The selected signature verification algorithm (corresponds to SIGN)</td>
|
<td>The selected signature verification algorithm (corresponds to SIGN)</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>SASGEN</td>
|
||||||
|
<td>The selected SAS generation algorithm</td>
|
||||||
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>&x1xZ;</td>
|
<td>&x1xZ;</td>
|
||||||
<td>Alice's private Diffie-Hellman keys - each value corresponds to one of Z different DH groups</td>
|
<td>Alice's private Diffie-Hellman keys - each value corresponds to one of Z different DH groups</td>
|
||||||
@ -669,11 +670,11 @@ K = HASH(K | SRS | OSS)
|
|||||||
|
|
||||||
chosen = {p,g,HASH,CIPHER,SIGN...} = <em>choose</em>(options)
|
chosen = {p,g,HASH,CIPHER,SIGN...} = <em>choose</em>(options)
|
||||||
<span class='highlight'>e</span> = <em>choose</em>(<span class='highlight'>&e1eZ;</span>, p)
|
<span class='highlight'>e</span> = <em>choose</em>(<span class='highlight'>&e1eZ;</span>, p)
|
||||||
|
&NsubB; = <em>random</em>()
|
||||||
&CsubA; = <em>random</em>()
|
&CsubA; = <em>random</em>()
|
||||||
|
&CBeCAx2n1; 
|
||||||
y = <em>random</em>()
|
y = <em>random</em>()
|
||||||
d = &gsupy; mod p
|
d = &gsupy; mod p
|
||||||
&CBeCAx2n1; 
|
|
||||||
&NsubB; = <em>random</em>()
|
|
||||||
&formB; = {&CsubA;, chosen, d, &NsubA;, &NsubB;}
|
&formB; = {&CsubA;, chosen, d, &NsubA;, &NsubB;}
|
||||||
<span class='highlight'><em>assert</em> 1 < e < p-1
|
<span class='highlight'><em>assert</em> 1 < e < p-1
|
||||||
K = HASH(&esupy; mod p)
|
K = HASH(&esupy; mod p)
|
||||||
@ -722,7 +723,6 @@ VERIFY(&signB;, &pubKeyB;, &macB;)</span> 
|
|||||||
|
|
||||||
<section2 topic='Online ESession-R Negotiation' anchor='design-online-r'>
|
<section2 topic='Online ESession-R Negotiation' anchor='design-online-r'>
|
||||||
<p>This protocol is similar to the <link url='#design-online-i'>Online ESession-I Negotiation</link> above, except that Bob's identity is protected from active attacks (by by delaying communicating his identity to Alice until he has authenticated her). The optional use of SAS, retained secrets and other secrets means the protocol may be used without any public keys. The differences between this protocol and <link url='#design-online-i'>Online ESession-I Negotiation</link> are highlighted.</p>
|
<p>This protocol is similar to the <link url='#design-online-i'>Online ESession-I Negotiation</link> above, except that Bob's identity is protected from active attacks (by by delaying communicating his identity to Alice until he has authenticated her). The optional use of SAS, retained secrets and other secrets means the protocol may be used without any public keys. The differences between this protocol and <link url='#design-online-i'>Online ESession-I Negotiation</link> are highlighted.</p>
|
||||||
<p>Note: Alice MUST mix a few random numbers with the &RSH1ARSHZA; that she sends to Bob to prevent an active attacker from discovering if she has communicated with Bob before and how many clients Bob has used to communicate with her.</p>
|
|
||||||
<pre>
|
<pre>
|
||||||
<strong>ALICE</strong>  <strong>BOB</strong> 
|
<strong>ALICE</strong>  <strong>BOB</strong> 
|
||||||
|
|
||||||
@ -730,49 +730,49 @@ VERIFY(&signB;, &pubKeyB;, &macB;)</span> 
|
|||||||
<em>for</em> g,p ∈ options
|
<em>for</em> g,p ∈ options
|
||||||
x = <em>random</em>()
|
x = <em>random</em>()
|
||||||
e = &gsupx; mod p
|
e = &gsupx; mod p
|
||||||
<span class='highlight'>He = HASH(e | options | &NsubA; | &isPKsubA;)</span> 
|
<span class='highlight'>He = SHA256(e)</span> 
|
||||||
&form1A; = {<span class='highlight'>&He1HeZ;</span>, options, &NsubA;, <span class='highlight'>&isPKsubA;</span>}
|
&formA; = {<span class='highlight'>&He1HeZ;</span>, options, &NsubA;, <span class='highlight'>&isPKsubA;</span>}
|
||||||
|
|
||||||
&form1A;
|
&formA;
|
||||||
------------>
|
------------>
|
||||||
|
|
||||||
chosen = {p,g,HASH,CIPHER,SIGN...} = <em>choose</em>(options)
|
chosen = {p,g,HASH,CIPHER,SIGN,SASGEN...} = <em>choose</em>(options)
|
||||||
<span class='highlight'>&Hsube;</span> = <em>choose</em>(<span class='highlight'>&He1HeZ;</span>, p)
|
<span class='highlight'>He</span> = <em>choose</em>(<span class='highlight'>&He1HeZ;</span>, p)
|
||||||
|
&NsubB; = <em>random</em>()
|
||||||
&CsubA; = <em>random</em>()
|
&CsubA; = <em>random</em>()
|
||||||
|
&CBeCAx2n1; 
|
||||||
y = <em>random</em>()
|
y = <em>random</em>()
|
||||||
d = &gsupy; mod p
|
d = &gsupy; mod p
|
||||||
&CBeCAx2n1; 
|
&formB; = {&CsubA;, chosen, d, &NsubA;, &NsubB;, <span class='highlight'>&isPKsubB;</span>}
|
||||||
&NsubB; = <em>random</em>()
|
&formB;
|
||||||
&form1B; = {&CsubA;, chosen, d, &NsubA;, &NsubB;, <span class='highlight'>&isPKsubB;</span>}
|
|
||||||
&form1B;
|
|
||||||
<------------
|
<------------
|
||||||
<em>assert</em> chosen ∈ options
|
<em>assert</em> chosen ∈ options
|
||||||
x = <em>choose</em>(&x1xZ;, p)
|
x = <em>choose</em>(&x1xZ;, p)
|
||||||
e = &gsupx; mod p
|
e = <em>choose</em>(&e1eZ;, p)
|
||||||
&CBeCAx2n1; 
|
&CBeCAx2n1; 
|
||||||
<em>assert</em> 1 < d < p-1
|
<em>assert</em> 1 < d < p-1
|
||||||
K = HASH(&dsupx; mod p)
|
K = HASH(&dsupx; mod p)
|
||||||
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
|
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
|
||||||
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
|
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
|
||||||
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
|
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
|
||||||
<span class='highlight'>SAS = <em>truncate</em>(HASH(e | d | "Short Authentication String"))
|
<span class='highlight'>SAS = SASGEN(e, d)
|
||||||
&RSH1ARSHZA; = <em>HMAC</em>(HASH, &RSA1RSAZ;, "Initiator Retained Secrets")
|
&RSH1ARSHZA; = <em>HMAC</em>(HASH, &NsubA;, &RS1ARSZA;)
|
||||||
&form2A; = {e, &NsubB;}
|
&formA2; = {&RSH1ARSHZA;, e, &NsubB;}
|
||||||
<em>if</em> &isPKsubA; <em>equals false then:</em> 
|
<em>if</em> &isPKsubB; <em>equals false then:</em> 
|
||||||
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &RSH1ARSHZA;, &form1A;, &form2A;})
|
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &formA;, &formA2;})
|
||||||
&IDA; = CIPHER(&KCsubA;, &CsubA;, {&RSH1ARSHZA;, &macA;})
|
&IDA; = CIPHER(&KCsubA;, &CsubA;, &macA;)
|
||||||
<em>else:</em> </span> 
|
<em>else:</em> </span> 
|
||||||
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &RSH1ARSHZA;, &form1A;, &form2A;})
|
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &formA;, &formA2;})
|
||||||
&signA; = SIGN(&signKeyA;, &macA;)
|
&signA; = SIGN(&signKeyA;, &macA;)
|
||||||
&IDA; = CIPHER(&KCsubA;, &CsubA;, {&pubKeyA;, &RSH1ARSHZA;, &signA;})
|
&IDA; = CIPHER(&KCsubA;, &CsubA;, {&pubKeyA;, &signA;})
|
||||||
&MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
|
&MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
|
||||||
|
|
||||||
&IDA;, &MsubA;
|
&IDA;, &MsubA;
|
||||||
------------>
|
------------>
|
||||||
<span class='highlight'>&form2A; 
|
<span class='highlight'>&formA2; 
|
||||||
|
|
||||||
<em>assert</em> &Hsube; = HASH(e | options | &NsubA; | &isPKsubA;)
|
<em>assert</em> He = SHA256(e)
|
||||||
SAS = <em>truncate</em>(HASH(e | d | "Short Authentication String"))
|
SAS = SASGEN(e, d)
|
||||||
SAS
|
SAS
|
||||||
<===========>
|
<===========>
|
||||||
|
|
||||||
@ -782,14 +782,14 @@ K = HASH(&dsupx; mod p)
|
|||||||
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
|
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
|
||||||
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
|
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
|
||||||
</span><em>assert</em> &MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
|
</span><em>assert</em> &MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
|
||||||
<span class='highlight'><em>if</em> &isPKsubA; <em>equals false then:</em> 
|
<span class='highlight'><em>if</em> &isPKsubB; <em>equals false then:</em> 
|
||||||
{&RSH1ARSHZA;, &macA;} = DECIPHER(&KCsubA;, &CsubA;, &IDA;)
|
&macA; = DECIPHER(&KCsubA;, &CsubA;, &IDA;)
|
||||||
<em>assert</em> &macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &RSH1ARSHZA;, &form1A;, &form2A;})
|
<em>assert</em> &macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &formA;, &formA2;})
|
||||||
<em>else:</em></span> 
|
<em>else:</em></span> 
|
||||||
{&pubKeyA;, &RSH1ARSHZA;, &signA;} = DECIPHER(&KCsubA;, &CsubA;, &IDA;)
|
{&pubKeyA;, &signA;} = DECIPHER(&KCsubA;, &CsubA;, &IDA;)
|
||||||
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &RSH1ARSHZA;, &form1A;, &form2A;})
|
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &formA;, &formA2;})
|
||||||
VERIFY(&signA;, &pubKeyA;, &macA;)
|
VERIFY(&signA;, &pubKeyA;, &macA;)
|
||||||
<span class='highlight'>SRS = <em>choose</em>(&RSB1RSBZ;, &RSH1ARSHZA;)
|
<span class='highlight'>SRS = <em>choose</em>(&RS1BRSZB;, &RSH1ARSHZA;, &NsubA;)
|
||||||
K = HASH(K | SRS | OSS)
|
K = HASH(K | SRS | OSS)
|
||||||
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
|
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
|
||||||
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
|
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
|
||||||
@ -799,22 +799,22 @@ K = HASH(&dsupx; mod p)
|
|||||||
<em>if</em> SRS <em>equals false then:</em> 
|
<em>if</em> SRS <em>equals false then:</em> 
|
||||||
SRS = <em>random</em>()
|
SRS = <em>random</em>()
|
||||||
SRSH = <em>HMAC</em>(HASH, SRS, "Shared Retained Secret")
|
SRSH = <em>HMAC</em>(HASH, SRS, "Shared Retained Secret")
|
||||||
&form2B; = {&NsubA;, SRSH}
|
|
||||||
<em>retain</em>(<em>HMAC</em>(HASH, K, "New Retained Secret"))
|
<em>retain</em>(<em>HMAC</em>(HASH, K, "New Retained Secret"))
|
||||||
<em>if</em> &isPKsubB; <em>equals false then:</em> 
|
&formB2; = {&NsubA;, SRSH}
|
||||||
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &form1B;, &form2B;})
|
<em>if</em> &isPKsubA; <em>equals false then:</em> 
|
||||||
|
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &formB;, &formB2;})
|
||||||
&IDB; = CIPHER(&KCsubB;, &CsubB;, &macB;) 
|
&IDB; = CIPHER(&KCsubB;, &CsubB;, &macB;) 
|
||||||
<em>else:</em> 
|
<em>else:</em> 
|
||||||
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &form1B;, &form2B;})
|
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;, &formB2;})
|
||||||
&signB; = SIGN(&signKeyB;, &macB;)
|
&signB; = SIGN(&signKeyB;, &macB;)
|
||||||
&IDB; = CIPHER(&KCsubB;, &CsubB;, {&pubKeyB;, &signB;})
|
&IDB; = CIPHER(&KCsubB;, &CsubB;, {&pubKeyB;, &signB;})
|
||||||
&MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)
|
&MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)
|
||||||
|
|
||||||
&IDB;, &MsubB; 
|
&IDB;, &MsubB; 
|
||||||
<------------
|
<------------
|
||||||
&form2B; 
|
&formB2; 
|
||||||
|
|
||||||
SRS = <em>choose</em>(&RSA1RSAZ;, SRSH)
|
SRS = <em>choose</em>(&RS1ARSZA;, SRSH)
|
||||||
K = HASH(K | SRS | OSS)
|
K = HASH(K | SRS | OSS)
|
||||||
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
|
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
|
||||||
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
|
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
|
||||||
@ -823,12 +823,12 @@ K = HASH(K | SRS | OSS)
|
|||||||
&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
|
&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
|
||||||
<em>retain</em>(<em>HMAC</em>(HASH, K, "New Retained Secret"))
|
<em>retain</em>(<em>HMAC</em>(HASH, K, "New Retained Secret"))
|
||||||
<em>assert</em> &MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)
|
<em>assert</em> &MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)
|
||||||
<em>if</em> &isPKsubB; <em>equals false then:</em> 
|
<em>if</em> &isPKsubA; <em>equals false then:</em> 
|
||||||
&macB; = DECIPHER(&KCsubB;, &CsubB;, &IDB;)
|
&macB; = DECIPHER(&KCsubB;, &CsubB;, &IDB;)
|
||||||
<em>assert</em> &macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &form1B;, &form2B;})
|
<em>assert</em> &macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &formB;, &formB2;})
|
||||||
<em>else:</em> 
|
<em>else:</em> 
|
||||||
{&pubKeyB;, &signB;} = DECIPHER(&KCsubB;, &CsubB;, &IDB;)
|
{&pubKeyB;, &signB;} = DECIPHER(&KCsubB;, &CsubB;, &IDB;)
|
||||||
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &form1B;, &form2B;})
|
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;, &formB2;})
|
||||||
VERIFY(&signB;, &pubKeyB;, &macB;)</span>
|
VERIFY(&signB;, &pubKeyB;, &macB;)</span>
|
||||||
</pre>
|
</pre>
|
||||||
</section2>
|
</section2>
|
||||||
|
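Review bot: In the hunk at `@ -521,19 +518,19 @@` the new line `&RSH1ARSHZA; = <em>HMAC</em>(HASH, &NsubA;, &RS1ARSZA;)` puts the public nonce in the key position and the retained secret in the data position, the reverse of every other HMAC call on the page (e.g. `<em>HMAC</em>(HASH, K, "Initiator Cipher Key")` keys on the secret), so the hiding of the retained secret arguably rests on hash one-wayness rather than on HMAC's keyed-PRF property. Keying on the secret and binding the fresh nonce as the message, `&RSH1ARSHZA; = <em>HMAC</em>(HASH, &RS1ARSZA;, &NsubA;)`, keeps the per-session unlinkability the nonce is presumably there for; the same line recurs in the `@ -730,49 +730,49 @@` hunk, and Bob's `<em>choose</em>(&RS1BRSZB;, &RSH1ARSHZA;, &NsubA;)` in the `@ -544,14 +541,14 @@` and `@ -782,14 +782,14 @@` hunks would follow. Separately, the `@ -722,7 +723,6 @@` hunk drops the note that Alice MUST mix random values into &RSH1ARSHZA; while the `@ -730,49 +730,49 @@` hunk moves those values out of the encrypted &IDA; into the plaintext &formA2;, so the number of retained secrets (and whether any exist) is now visible to a passive observer; either restore the note or make the padding an explicit protocol step. The `<pre>` blocks these lines belong to start and end outside the hunks.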