diff --git a/xep-0116.xml b/xep-0116.xml index 4f5e134c..e4cc23f3 100644 --- a/xep-0116.xml +++ b/xep-0116.xml @@ -25,6 +25,8 @@ B"> A"> B"> +A2"> +B2"> A"> B"> A"> @@ -202,7 +204,7 @@

Note: If Alice believes Bob is offline then she SHOULD NOT use this negotiation protocol. However, she MAY use the protocol specified in Offline Encrypted Sessions to establish the ESession options and keys. Alternatively, she MAY send stanzas without encryption - in which case her client MUST make absolutely clear to her that the stanzas will not be protected and give her the option not to send the stanzas.

- +

This protocol supports both 3- and 4-message key negotiations.

The 3-message SIGMA-I-based key exchange protects the identity of the initiator against active attacks. This SHOULD NOT be used to establish client-to-client sessions since the responder's identity is not protected against active attacks. However, it SHOULD be used to establish client-to-service (server) sessions, especially where the identity of the service is well known to third parties.

The 4-message SIGMA-R-based key exchange with hash commitment defends the responder's identity against active attacks and facilitates detection of a Man in the Middle attack. It SHOULD be used to establish client-to-client sessions. The 4-message key exchange also includes the following optional security enhancements:

@@ -342,9 +344,29 @@ ]]> +
+ +

If Bob does not want to reveal presence to Alice for whatever reason then Bob SHOULD return no response or error.

-

If Bob supports none of the options for one or more ESession fields, then he SHOULD return a ¬acceptable; error and SHOULD specify the field(s) with unsupported options in a comma-separated list in the XMPP <text/> element:

- If Alice initiated a 3-message negotiation but Bob only supports 4-message negotiations (with Alice) then he SHOULD return a &feature; error specifying the 'dhkeys' field:

+ + ffd7076498744578d10edabfe7f4a866 + + ... + + + + + + + + + ]]> +

If Bob supports none of the options for one or more ESession fields, then he SHOULD return a ¬acceptable; error specifying the field(s) with unsupported options:

+ @@ -354,7 +376,10 @@ - modp,ver + + + + ]]> @@ -377,65 +402,31 @@ ]]>
- -

If Bob supports one or more of each of Alice's ESession options and is willing to start an ESession with Alice, then he MUST select one of the options from each of the ESession fields he received from Alice including one hash algorithm ("HASH"), and one of the MODP groups (see &rfc3766; or RFC 3526 for recommendations regarding balancing the sizes of symmetric cipher blocks and Diffie-Hellman moduli) and Alice's corresponding value of 'He' (for 4-message negotiations) or 'e' (for 3-message negotiations).

-

Note: Each MODP group has at least two well known constants: a large prime number p, and a generator g for a subgroup of GF(p).

-

For 3-message negotiations, Bob SHOULD return a &feature; error unless: 1 < e < p - 1

-

Bob MUST then perform the following computations (where n is the number of bits per cipher block for the selected block cipher algorithm):

-
    -
  1. Generate a random number &NsubB; (his ESession ID)

  2. -
  3. Generate an n-bit random number &CsubA; (the block cipher counter for stanzas sent from Alice to Bob)

  4. -
  5. Set &CBeCAx2n1; (where &CsubB; is the block counter for stanzas sent from Bob to Alice)

  6. -
  7. Generate a secret random number y (where &twosup2n; < y < p - 1)

  8. -
  9. Calculate d = &gsupy; mod p

  10. -
  11. Calculate K = HASH(&esupy; mod p) (the shared secret)

  12. -
-

If this is a 4-message negotiation Bob MUST skip the last step above and all the steps described in the next two sections. He can skip straight to the ESession Response section.

-
- -

Bob MUST use HMAC with the selected hash algorithm ("HASH") and the shared secret ("K") to generate two sets of three keys, one set for each direction of the ESession.

-

For stanzas that Alice will send to Bob, the keys are calculated as:

-
    -
  1. Encryption key &KCsubA; = HMAC(HASH, K, "Initiator Cipher Key")

  2. -
  3. Integrity key &KMsubA; = HMAC(HASH, K, "Initiator MAC Key")

  4. - -
  5. SIGMA key &KSsubA; = HMAC(HASH, K, "Initiator SIGMA Key")

  6. -
-

For stanzas that Bob will send to Alice the keys are calculated as:

-
    -
  1. Encryption key &KCsubB; = HMAC(HASH, K, "Responder Cipher Key")

  2. -
  3. Integrity key &KMsubB; = HMAC(HASH, K, "Responder MAC Key")

  4. -
  5. SIGMA key &KSsubB; = HMAC(HASH, K, "Responder SIGMA Key")

  6. -
-

Once the sets of keys have been calculated the value of K MUST be securely destroyed.

-

Note: As many bits of key data as are needed for each key MUST be taken from the least significant bits of the HMAC output. When negotiating a hash, entities MUST ensure that the hash output is no shorter than the required key data. For algorithms with variable-length keys the maximum length (up to the hash output length) SHOULD be used.

-
+ - -

Bob MUST perform the following steps before he can prove his identity to Alice while protecting it from third parties.

-
    -
  1. If the value of the 'pubkey' field that Alice sent Bob was not 'none' then Bob MUST set &pubKeyB; to a zero length string of characters. Otherwise Bob SHOULD select &pubKeyB;, the public key Alice will use to authenticate his signature with the signature algorithm he selected ("SIGN").

  2. -
  3. Set &formB; to the Normalized content of the reponse data form he will send back to Alice (including his responses for all the fields he received from Alice) - see ESession Response.

    -

    Bob MUST encapsulate the Base64 encoded values of &CsubA; and Alice's &NsubA; in two new 'counter' and 'nonce' fields and add them to &formB;. He MUST set the 'pubkey' field to specify what sort of identification he requires from Alice (see ESession Request). He MUST set the value of the 'rekey_freq' field to be less than &twosup32; and greater than or equal to the value specified by Alice. Bob MUST place his Base64 encoded values of &NsubB; and d in the 'my_nonce' and 'dhkeys' fields. Note: Bob MUST NOT return Alice's values of &NsubA; and e in these fields.

  4. -
  5. Concatenate Alice's ESession ID, Bob's ESession ID, d, &pubKeyB; and &formB;, and calculate the HMAC (as defined in Section 2 of &rfc2104;) of the resulting byte string using the selected hash algorithm ("HASH") and the key &KSsubB;.

    - &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;})
  6. -
  7. If the value of the 'pubkey' field that Alice sent Bob was not 'none' then Bob MUST calculate &signB;, the signature of the HMAC result using his private signature key that corresponds to &pubKeyB;

    - &signB; = SIGN(&signKeyB;, &macB;)
  8. -
  9. If the value of the 'pubkey' field that Alice sent Bob was 'hash' then Bob SHOULD set &pubKeyB; to the key's fingerprint

    - if (pubkey == 'hash') &pubKeyB; = HASH(&pubKeyB;)
  10. -
  11. Encrypt the byte string resulting from the concatenation of &pubKeyB; and &signB; (or, if the value of the 'pubkey' field that Alice sent Bob was 'none', encrypt just the HMAC result) with the agreed algorithm ("CIPHER") in counter mode (see &nistfips800-38a;), using the encryption key &KCsubB; and block counter &CsubB;. Note: &CsubB; MUST be incremented by 1 for each encrypted block or partial block (i.e. &CsubB; = (&CsubB; + 1) mod 2n, where n is the number of bits per cipher block for the agreed block cipher algorithm).

    - &IDB; = CIPHER(&KCsubB;, &CsubB;, {&pubKeyB;, &signB;}) -

    or

    - &IDB; = CIPHER(&KCsubB;, &CsubB;, &macB;)
  12. -
  13. Calculate the HMAC of the encrypted identity (&IDB;) and the value of Bob's block cipher counter &CsubB; before the encryption above using the selected hash algorithm ("HASH") and the integrity key &KMsubB;.

    - &MsubB; = HMAC(HASH, &KMsubB;, &CsubB;, &IDB;)
  14. -
-
+ +

If Bob supports one or more of each of Alice's ESession options and is willing to start an ESession with Alice, then he MUST select one of the options from each of the ESession fields he received from Alice including one hash algorithm ("HASH"), and one of the MODP groups (see &rfc3766; or RFC 3526 for recommendations regarding balancing the sizes of symmetric cipher blocks and Diffie-Hellman moduli) and Alice's corresponding value of 'He' (for 4-message negotiations) or 'e' (for 3-message negotiations).

+

Note: Each MODP group has at least two well known constants: a large prime number p, and a generator g for a subgroup of GF(p).

+

For 3-message negotiations, Bob SHOULD return a &feature; error unless: 1 < e < p - 1

+

Bob MUST then perform the following computations (where n is the number of bits per cipher block for the selected block cipher algorithm):

+
    +
  1. Generate a random number &NsubB; (his ESession ID)

  2. +
  3. Generate an n-bit random number &CsubA; (the block cipher counter for stanzas sent from Alice to Bob)

  4. +
  5. Set &CBeCAx2n1; (where &CsubB; is the block counter for stanzas sent from Bob to Alice)

  6. +
  7. Generate a secret random number y (where &twosup2n; < y < p - 1)

  8. +
  9. Calculate d = &gsupy; mod p

  10. +
  11. Calculate K = HASH(&esupy; mod p) (the shared secret)

  12. +
+

If this is a 4-message negotiation Bob MUST skip the last step above.

+
- -

Bob responds to Alice by sending her &formB;.

- +

Bob SHOULD generate the form that he will send back to Alice, including his responses for all the fields Alice sent him except that he MUST NOT include a 'dhhashes' field.

+

He MUST set the 'pubkey' field to specify what sort of identification he requires from Alice (see ESession Request). He MUST set the value of the 'rekey_freq' field to be less than &twosup32; and greater than or equal to the value specified by Alice. Bob MUST place his Base64 encoded values of &NsubB; and d in the 'my_nonce' and 'dhkeys' fields. Note: Bob MUST NOT return Alice's values of &NsubA; and e in these fields.

+

Bob MUST encapsulate the Base64 encoded values of &CsubA; and Alice's &NsubA; in two new 'counter' and 'nonce' fields and append them to the form.

+

If this is a 4-message negotiation Bob SHOULD respond to Alice by sending her the form (&formB;) immediately - there is nothing more for him to do until he receives Alice's next message (i.e. he can skip the following sections). If this is a 3-message negotiation Bob MUST NOT send the form until he has completed the steps in the following sections.

+ ffd7076498744578d10edabfe7f4a866 @@ -471,9 +462,51 @@ - ]]> -

If Bob prefers the RECOMMENDED 3-message ESession negotiation, where Alice's identity is protected from active attacks instead of his own, then he should encapsulate the Base64 encoded values of &IDB; and &MsubB; in data form fields ('identity' and 'mac'), and append the new fields to &formB; before sending it to Alice.

- + + + +

Bob MUST use HMAC with the selected hash algorithm ("HASH") and the shared secret ("K") to generate two sets of three keys, one set for each direction of the ESession.

+

For stanzas that Alice will send to Bob, the keys are calculated as:

+
    +
  1. Encryption key &KCsubA; = HMAC(HASH, K, "Initiator Cipher Key")

  2. +
  3. Integrity key &KMsubA; = HMAC(HASH, K, "Initiator MAC Key")

  4. + +
  5. SIGMA key &KSsubA; = HMAC(HASH, K, "Initiator SIGMA Key")

  6. +
+

For stanzas that Bob will send to Alice the keys are calculated as:

+
    +
  1. Encryption key &KCsubB; = HMAC(HASH, K, "Responder Cipher Key")

  2. +
  3. Integrity key &KMsubB; = HMAC(HASH, K, "Responder MAC Key")

  4. +
  5. SIGMA key &KSsubB; = HMAC(HASH, K, "Responder SIGMA Key")

  6. +
+

Once the sets of keys have been calculated the value of K MUST be securely destroyed.

+

Note: As many bits of key data as are needed for each key MUST be taken from the least significant bits of the HMAC output. When negotiating a hash, entities MUST ensure that the hash output is no shorter than the required key data. For algorithms with variable-length keys the maximum length (up to the hash output length) SHOULD be used.

+
+ + +

Bob MUST perform the following steps before he can prove his identity to Alice while protecting it from third parties.

+
    +
  1. If the value of the 'pubkey' field that Alice sent Bob was 'none' then Bob MUST set &pubKeyB; to a zero length string of characters. Otherwise Bob SHOULD select &pubKeyB;, the public key Alice will use to authenticate his signature with the signature algorithm he selected ("SIGN").

  2. +
  3. Set &formB; to be the full Normalized content of the reponse data form he generated above (see Response Form). Note: this MUST NOT include 'identity' or 'mac' fields.

  4. +
  5. Concatenate Alice's ESession ID, Bob's ESession ID, d, &pubKeyB; and &formB;, and calculate the HMAC (as defined in Section 2 of &rfc2104;) of the resulting byte string using the selected hash algorithm ("HASH") and the key &KSsubB;.

    + &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;})
  6. +
  7. If the value of the 'pubkey' field that Alice sent Bob was not 'none' then Bob MUST calculate &signB;, the signature of the HMAC result using his private signature key that corresponds to &pubKeyB;

    + &signB; = SIGN(&signKeyB;, &macB;)
  8. +
  9. If the value of the 'pubkey' field that Alice sent Bob was 'hash' then Bob SHOULD set &pubKeyB; to the key's fingerprint

    + if (pubkey == 'hash') &pubKeyB; = HASH(&pubKeyB;)
  10. +
  11. Encrypt the byte string resulting from the concatenation of &pubKeyB; and &signB; (or, if the value of the 'pubkey' field that Alice sent Bob was 'none', encrypt just the HMAC result) with the agreed algorithm ("CIPHER") in counter mode (see &nistfips800-38a;), using the encryption key &KCsubB; and block counter &CsubB;. Note: &CsubB; MUST be incremented by 1 for each encrypted block or partial block (i.e. &CsubB; = (&CsubB; + 1) mod 2n, where n is the number of bits per cipher block for the agreed block cipher algorithm).

    + &IDB; = CIPHER(&KCsubB;, &CsubB;, {&pubKeyB;, &signB;}) +

    or

    + &IDB; = CIPHER(&KCsubB;, &CsubB;, &macB;)
  12. +
  13. Calculate the HMAC of the encrypted identity (&IDB;) and the value of Bob's block cipher counter &CsubB; before the encryption above using the selected hash algorithm ("HASH") and the integrity key &KMsubB;.

    + &MsubB; = HMAC(HASH, &KMsubB;, &CsubB;, &IDB;)
  14. +
+
+ + +

For 3-message negotiations Bob should append the Base64 encoded values of &IDB; and &MsubB; to &formB; wrapped in 'identity' and 'mac' fields, and send the resulting form to Alice:

+ ffd7076498744578d10edabfe7f4a866 @@ -481,28 +514,9 @@ urn:xmpp:chatneg - 1 - true - never - e2e - 5 - aes256-ctr - sha256 - rsa - none - message - hash - 1.3 - 50 - - ** Bob's Base64 encoded ESession ID ** - - - ** Base64 encoded value of d ** - - - ** Alice's Base64 encoded ESession ID ** - + ... + ... + ... ** Base64 encoded block counter ** @@ -515,48 +529,60 @@ - ]]> + ]]>
+ +
- -

After Alice receives Bob's response, she MUST use the value of d and the ESession options specified in Bob's response to perform the following steps (where p and g are the constants associated with the selected MODP group, HASH is the selected hash algorithm, and n is the number of bits per cipher block for the agreed block cipher algorithm):

-
    -
  1. Return a &feature; error to Bob if she is not prepared to support any of the ESession options specified by Bob (if any of the options were not included in her initial ESession request)

  2. -
  3. Return a &feature; error to Bob unless: 1 < d < p - 1

  4. -
  5. Set &CBeCAx2n1; (where &CsubB; is the block counter for stanzas sent from Bob to Alice)

  6. -
  7. Select her values of x and e that correspond to the selected MODP group (from all the values of x and e she calculated previously)

  8. -
  9. Calculate K = HASH(&dsupx; mod p) (the shared secret)

  10. -
  11. Generate the session keys (&KCsubA;, &KMsubA;, &KSsubA;, &KCsubB;, &KMsubB; and &KSsubB;) in the same way as Bob did (see Generating Session Keys)

  12. -
-
- -

If Bob included 'identity' and 'mac' fields in his response then Alice MUST also perform the following steps:

-
    -
  1. Calculate the HMAC of the encrypted identity (&IDB;) and the value of Bob's block cipher counter using HASH and the integrity key &KMsubB;.

    - &MsubB; = HMAC(HASH, &KMsubB;, &CsubB;, &IDB;)
  2. -
  3. Return a &feature; error to Bob unless the value of &MsubB; she calculated matches the one she received in the 'mac' field

  4. -
  5. Obtain &pubKeyB; and &signB; by decrypting &IDB; with the agreed symmetric block cipher algorithm ("DECIPHER") in counter mode, using the encryption key &KCsubB; and block counter &CsubB;. Note: &CsubB; MUST be incremented by 1 for each encrypted block or partial block (i.e. &CsubB; = (&CsubB; + 1) mod 2n, where n is the number of bits per cipher block for the agreed block cipher algorithm).

    - {&pubKeyB;, &signB;} = DECIPHER(&KCsubB;, &CsubB;, &IDB;)
  6. -
  7. If the value of the 'pubkey' field she sent to Bob in her ESession Request was 'hash', then Alice SHOULD change the value of &pubKeyB; to be her copy of the public key whose HASH matches the value of &pubKeyB; that she received from Bob. Note: If she cannot find a copy of the public key then Alice MUST terminate the ESession. She MAY then request a new ESession with the 'pubkey' field set to 'key' or 'none'.

  8. -
  9. Return a &feature; error to Bob unless she can confirm (or has previously confirmed) that &pubKeyB; really is Bob's public key, for examples, via secure out-of-band communication, or through a third-party authority (see Verifying Keys).

  10. -
  11. Set the value of &formB; to be the Normalized content of the form she received from Bob without any 'identity' or 'mac' fields.

  12. -
  13. Concatenate Alice's ESession ID, Bob's ESession ID, d, &pubKeyB; and &formB;, and calculate the HMAC of the resulting byte string using HASH and the key &KSsubB;.

    - &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;})
  14. -
  15. Return a &feature; error to Bob unless she can use &pubKeyB; with the selected signature verification algorithm ("VERIFY") to confirm that &signB; is the signature of the HMAC result (see Signature Verification).

    - VERIFY(&signB;, &pubKeyB;, &macB;)
  16. -
-
+ - -

Alice MUST then prove her identity to Bob while protecting it from third parties. She MUST perform the steps equivalent to those Bob performed above (see Hiding Identity for a more detailed description). Alice's calculations are summarised below (pay attention to the order of &NsubB; and &NsubA; when calculating &macA;). Note: &formA; is the Normalized content of the ESession Request data form that she sent to Bob previously.

- &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &formA;}) - &signA; = SIGN(&signKeyA;, &macA;) - if (pubkey == 'hash') &pubKeyA; = HASH(&pubKeyA;) - &IDA; = CIPHER(&KCsubA;, &CsubA;, {&pubKeyA;, &signA;}) - &MsubA; = HMAC(HASH, &KMsubA;, &CsubA;, &IDA;) + +

After Alice receives Bob's response, she MUST use the value of d and the ESession options specified in Bob's response to perform the following steps (where p and g are the constants associated with the selected MODP group, HASH is the selected hash algorithm, and n is the number of bits per cipher block for the agreed block cipher algorithm):

+
    +
  1. Verify that the ESession options selected by Bob are acceptable

  2. +
  3. Return a ¬acceptable; error to Bob unless: 1 < d < p - 1

  4. +
  5. Set &CBeCAx2n1; (where &CsubB; is the block counter for stanzas sent from Bob to Alice)

  6. +
  7. Select her values of x and e that correspond to the selected MODP group (from all the values of x and e she calculated previously - see ESession Request)

  8. +
  9. Calculate K = HASH(&dsupx; mod p) (the shared secret)

  10. +
  11. Generate the session keys (&KCsubA;, &KMsubA;, &KSsubA;, &KCsubB;, &KMsubB; and &KSsubB;) in exactly the same way as Bob did (see Generating Session Keys). Note: In the case of 4-message negotiation it is only necessary to generate the keys for the messages Alice sends to Bob (&KCsubA;, &KMsubA;, &KSsubA;).

  12. +
+

If this is a 4-message negotiation then Alice MUST skip the next section and proceed by executing the steps in the Hiding Alice's Identity section.

+
+ +

If Bob included 'identity' and 'mac' fields in his response then Alice MUST also perform the following steps:

+
    +
  1. Calculate the HMAC of the encrypted identity (&IDB;) and the value of Bob's block cipher counter using HASH and the integrity key &KMsubB;.

    + &MsubB; = HMAC(HASH, &KMsubB;, &CsubB;, &IDB;)
  2. +
  3. Return a &feature; error to Bob unless the value of &MsubB; she calculated matches the one she received in the 'mac' field

  4. +
  5. Obtain &macB; (if the value of the 'pubkey' field she sent to Bob in her ESession Request was 'none') or &pubKeyB; and &signB; (otherwise) by decrypting &IDB; with the agreed symmetric block cipher algorithm ("DECIPHER") in counter mode, using the encryption key &KCsubB; and block counter &CsubB;. Note: &CsubB; MUST be incremented by 1 for each encrypted block or partial block (i.e. &CsubB; = (&CsubB; + 1) mod 2n, where n is the number of bits per cipher block for the agreed block cipher algorithm).

    + &macB; = DECIPHER(&KCsubB;, &CsubB;, &IDB;) +

    or

    + {&pubKeyB;, &signB;} = DECIPHER(&KCsubB;, &CsubB;, &IDB;)
  6. +
  7. If the value of the 'pubkey' field that Alice sent Bob was 'none' then Bob MUST set pubKeyB to a zero length string of characters. Otherwise, if the value was 'hash', then Alice SHOULD change the value of &pubKeyB; to be her copy of the public key whose HASH matches the value of &pubKeyB; that she received from Bob.

    +

    Note: If she cannot find a copy of the public key then Alice MUST terminate the ESession. She MAY then request a new ESession with the 'pubkey' field set to 'key' or 'none'.

  8. +
  9. Set the value of &formB; to be the Normalized content of the form she received from Bob without any 'identity' or 'mac' fields.

  10. +
  11. Concatenate Alice's ESession ID, Bob's ESession ID, d, &pubKeyB; and &formB;, and calculate the HMAC of the resulting byte string using HASH and the key &KSsubB;.

    + &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;})
  12. +
  13. If the value of the 'pubkey' field that Alice sent Bob was 'none' then return a &feature; error to Bob if the two values of &macB; she calculated above do not match.

    +

    If the value of the 'pubkey' field was not 'none', return a &feature; error unless she can confirm (or has previously confirmed) that &pubKeyB; really is Bob's public key (see Verifying Keys) and she can use &pubKeyB; with the selected signature verification algorithm ("VERIFY") to confirm that &signB; is the signature of the HMAC result (see Signature Verification).

    + VERIFY(&signB;, &pubKeyB;, &macB;)
  14. +
+
-

Alice MUST send the Base64 encoded values of &NsubB;, &IDA; and &MsubA; to Bob. If Alice has already confirmed Bob's identity (i.e. if Bob included 'identity' and 'mac' fields in his response), then she MAY also send encrypted content (see &xep0200;) in the same stanza as the proof of her identity.

- +

Alice MUST then prove her identity to Bob while protecting it from third parties. She MUST perform the steps equivalent to those Bob performed above (see Hiding Bob's Identity for a more detailed description). Alice's calculations are summarised below. Note: When calculating &macA; pay attention to the order of &NsubB; and &NsubA; and to the inclusion of &formA2;.

+

Note: &formA; is the full Normalized content of the ESession Request data form that Alice sent to Bob at the start of the negotiation, while &formA2; is the full Normalized content of Alice's session negotiation completion form excluding the 'identity' or 'mac' fields (see Sending Alice's Identity below).

+ &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &formA;, &formA2;}) + &signA; = SIGN(&signKeyA;, &macA;) + if (pubkey == 'hash') &pubKeyA; = HASH(&pubKeyA;) + &IDA; = CIPHER(&KCsubA;, &CsubA;, {&pubKeyA;, &signA;}) OR  &IDA; = CIPHER(&KCsubA;, &CsubA;, &macA;) + &MsubA; = HMAC(HASH, &KMsubA;, &CsubA;, &IDA;) + + + +

Alice MUST send the Base64 encoded values of &NsubB; (wrapped in a 'nonce' field), &IDA; (wrapped in an 'identity' field) and &MsubA; (wrapped in a 'mac' field) to Bob in her session negotiation completion message.

+

In the case of a 3-message negotiation Alice MAY also send encrypted content (see Stanza Encryption) in the same stanza as the proof of her identity:

+ ffd7076498744578d10edabfe7f4a866 @@ -573,15 +599,47 @@ ** Base64 encoded a_mac ** - ]]> -

If Alice also includes a 'terminate' field with its value set to "1" or "true" (see ESession Termination) within the form then the ESession is terminated immediately. Note: This special case, where a single stanza is encrypted and sent in isolation, is equivalent to object encryption (or object signing if no encryption is specified) and offers several significant advantages over non-session approaches - including perfect forward secrecy.

+ ]]>
+

Note: If Alice also includes a 'terminate' field with its value set to "1" or "true" (see ESession Termination) within the form then the ESession is terminated immediately. Note: This special case, where a single stanza is encrypted and sent in isolation, is equivalent to object encryption (or object signing if no encryption is specified) and offers several significant advantages over non-session approaches - including perfect forward secrecy.

+

In the case of a 4-message negotiation Alice MUST also include in the data form her Base64 encoded values of e (wrapped in a 'dhkeys' field) and the Base64 encoded HMAC (using HASH and the key &NsubA; The HMACs of the retained secrets are generated using Alice's unique session nonce to prevent her being identified by her retained secrets (only one secret changes each session, and some might not change very often).) of each secret that Alice has retained from her previous session with each of Bob's clients (wrapped in a 'rshashes' field) - see XXXXXXXXXX. Note: Alice MUST also append a few random numbers to the 'rshashes' field to make it difficult for an active attacker to discover if she has communicated with Bob before or how many clients Bob has used to communicate with her.

+ + ffd7076498744578d10edabfe7f4a866 + + + urn:xmpp:chatneg + 1 + ** Bob's Base64 encoded ESession ID ** + + ** Base64 encoded value of e5 ** + + + ** Base64 encoded hash of retained secret ** + ** Base64 encoded hash of retained secret ** + ** Base64 encoded random value ** + ** Base64 encoded random value ** + + ** Encrypted identity ** + ** Integrity of identity ** + + + + ** Base64 encoded m_final ** + ** Base64 encoded a_mac ** + + + ]]> + +
+ +

After receiving Alice's identity Bob MUST verify it by performing steps equivalent to those described in the section Verifying Bob's Identity above. Some of Bob's calculations are summarised below (pay attention to the order of &NsubB; and &NsubA; when calculating &macA;). Note: &formA; is the Normalized content of the ESession Request data form (the first form) that Alice sent him. Note: If Bob sends an error to Alice then he SHOULD ignore any encrypted content he received in the stanza.

&MsubA; = HMAC(HASH, &KMsubA;, &CsubA;, &IDA;) {&pubKeyA;, &signA;} = DECIPHER(&KCsubA;, &CsubA;, &IDA;) &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &formA;}) VERIFY(&signA;, &pubKeyA;, &macA;)

If Alice has already confirmed Bob's identity (i.e. if Bob included 'identity' and 'mac' fields in his response above), then the ESession negotiation is complete.

-

Otherwise, one more step is necessary. Bob MUST send Alice the Base64 encoded values of &NsubA;, &IDB; and &MsubB; that he calculated previously (see Hiding Identity). Note: He MAY also send encrypted content (see Stanza Encryption) in the same stanza.

+

Otherwise, one more step is necessary. Bob MUST send Alice the Base64 encoded values of &NsubA;, &IDB; and &MsubB; that he calculated previously (see Hiding Bob's Identity). Note: He MAY also send encrypted content (see Stanza Encryption) in the same stanza.

ffd7076498744578d10edabfe7f4a866 @@ -597,10 +655,6 @@ ]]>

After receiving Bob's identity Alice MUST verify it by performing steps described in the section Verifying Bob's Identity above. Note: If Alice sends an error to Bob then she SHOULD ignore any encrypted content she received in the stanza.

Once ESession negotiation is complete, Alice and Bob MUST exchange only encrypted forms of the one-to-one stanza types they agreed upon (e.g., &MESSAGE; and &IQ; stanzas).

- - - -