Browse Source

XEP-0188: Fix DTD

Sam Whited 2 years ago
parent
commit
caacf89081
1 changed files with 78 additions and 72 deletions
  1. 78
    72
      xep-0188.xml

+ 78
- 72
xep-0188.xml View File

@@ -219,7 +219,7 @@
219 219
 
220 220
   <section2 topic='SIGMA-I Overview' anchor='foundations-skeleton-i'>
221 221
     <p>The diagram below demonstrates the barest cryptographic skeleton of the SIGMA-I key exchange protocol. Here Bob allows Alice to protect her identity from active attacks, by allowing her to authenticate him before she communicates her identity. Note: The cipher keys (&KCsubA; and &KCsubB;) are different in each direction, making this exchange slightly more conservative than <cite>SIGMA</cite>.</p>
222
-    <pre>
222
+    <code>
223 223
 <strong>ALICE</strong>&#160;                                               <strong>BOB</strong>&#160;
224 224
                                             &gsupx;
225 225
                                       ------------&gt;
@@ -238,13 +238,13 @@
238 238
                                       ------------&gt;
239 239
 
240 240
                                                      <em>authenticate</em>(&IDA;)
241
-    </pre>
241
+    </code>
242 242
   </section2>
243 243
 
244 244
   <section2 topic='SAS-Only Overview' anchor='foundations-skeleton-sas'>
245 245
     <p>The diagram below demonstrates the skeleton of the Diffie-Hellman key exchange that employs out-of-band Short Authentication String (SAS) verification. If Alice and Bob's public keys are not yet trusted, or if their private keys have been compromised, then the hash commitment sent in the first step enables Alice and Bob to verify their copies of each other's Diffie-Hellman (and public) keys and detect a Man in the Middle more easily.</p>
246 246
     <p>If a Man in the Middle changes the public Diffie-Hellman keys that Alice and Bob receive, then he could potentially use his knowledge of the SAS that Bob will eventually calculate when choosing the key he will send to Alice in the second step. However, the fact that the value he received in the first step is only a hash means the Man in the Middle must choose the key he sends to Alice before he can predict the SAS that she will calculate with it. Therefore, even if the SAS is very short, he is unable to use his resources to choose a key that will (have a better than random chance to) result in a SAS that matches Bob's. So only a truncated version of the HASH of Alice and Bob's keys needs to be verified out-of-band in the final step.</p>
247
-    <pre>
247
+    <code>
248 248
 <strong>ALICE</strong>&#160;                                               <strong>BOB</strong>&#160;
249 249
                                             H&gsupx;
250 250
                                       ------------&gt;
@@ -259,12 +259,12 @@ SAS = <em>truncate</em>(HASH(&gsupx; | &gsupy;))
259 259
                                                      SAS = <em>truncate</em>(HASH(&gsupx; | &gsupy;))
260 260
                                            SAS
261 261
                                       &lt;===========&gt;
262
-    </pre>
262
+    </code>
263 263
   </section2>
264 264
 
265 265
   <section2 topic='SIGMA-R with SAS Overview' anchor='foundations-skeleton-r'>
266 266
     <p>The logic of the four-step SIGMA-R protocol is similar to the three-step SIGMA-I protocol. The difference being that Bob protects his identity from active attacks by by delaying communicating his identity to Alice until he has authenticated her. The diagram below demonstrates the skeleton of the key exchange. Note that it also takes advantage of the extra step required for SIGMA-R to incorporate a hash commitment, thus enabling <em>optional</em> out-of-band SAS authentication.</p>
267
-    <pre>
267
+    <code>
268 268
 <strong>ALICE</strong>&#160;                                               <strong>BOB</strong>&#160;
269 269
                                             H&gsupx;
270 270
                                       ------------&gt;
@@ -291,25 +291,25 @@ SAS = <em>truncate</em>(HASH(&gsupx; | &gsupy;))
291 291
                                            &IDB;
292 292
                                       &lt;------------
293 293
 <em>authenticate</em>(&IDB;)
294
-    </pre>
294
+    </code>
295 295
   </section2>
296 296
 
297 297
   <section2 topic='SIGMA-I Key Exchange' anchor='foundations-core-i'>
298 298
     <p>The diagram below describes exactly the same SIGMA-I key exchange protocol as the <link url='#foundations-skeleton-i'>SIGMA-I Overview</link> above. It provides much more detail, without specifying any ESession-specific details. The differences between it and the <link url='#foundations-core-r'>SIGMA-R with SAS Key Exchange</link> are highlighted.</p>
299
-    <pre>
299
+    <code>
300 300
 <strong>ALICE</strong>&#160;                                       <strong>BOB</strong>&#160;
301 301
 
302 302
 &NsubA; = <em>random</em>()
303 303
 x = <em>random</em>()
304 304
 e = &gsupx; mod p
305
-                                 <span class='highlight'>e,</span>&#160;&NsubA;
305
+                                 e,&#160;&NsubA;
306 306
                              ------------&gt;
307 307
                                              &NsubB; = <em>random</em>()
308 308
                                              &CsubA; = <em>random</em>()
309 309
                                              &CBeCAx2n1;&#160;
310 310
                                              y = <em>random</em>()
311 311
                                              d = &gsupy; mod p
312
-                                             <span class='highlight'><em>assert</em> 1 &lt; e &lt; p-1
312
+                                             <em>assert</em> 1 &lt; e &lt; p-1
313 313
                                              K = HASH(&esupy; mod p)
314 314
                                              &KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
315 315
                                              &KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
@@ -320,23 +320,23 @@ e = &gsupx; mod p
320 320
                                              &macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &CsubA;})
321 321
                                              &signB; = <em>sign</em>(&signKeyB;, &macB;)
322 322
                                              &IDB; = <em>cipher</em>(&KCsubB;, &CsubB;, {&pubKeyB;, &signB;})
323
-                                             &MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)</span>&#160;
323
+                                             &MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)&#160;
324 324
                                d, &CsubA;, &NsubB;
325 325
                              &lt;------------
326
-                                <span class='highlight'>&IDB;, &MsubB;</span>&#160;
326
+                                &IDB;, &MsubB;&#160;
327 327
 &CBeCAx2n1;&#160;
328 328
 <em>assert</em> 1 &lt; d &lt; p-1
329 329
 K = HASH(&dsupx; mod p)
330 330
 &KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
331
-<span class='highlight'>&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")</span>&#160;
331
+&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")&#160;
332 332
 &KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
333
-<span class='highlight'>&KMsubB; = <em>HMAC</em>(HASH, K, "Responder MAC Key")</span>&#160;
333
+&KMsubB; = <em>HMAC</em>(HASH, K, "Responder MAC Key")&#160;
334 334
 &KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
335
-<span class='highlight'>&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
335
+&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
336 336
 <em>assert</em>&#160;&MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)
337 337
 {&pubKeyB;, &signB;} = <em>decipher</em>(&KCsubB;, &CsubB;, &IDB;)
338 338
 &macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &CsubA;})
339
-<em>verify</em>(&signB;, &pubKeyB;, &macB;)</span>&#160;
339
+<em>verify</em>(&signB;, &pubKeyB;, &macB;)&#160;
340 340
 &macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;})
341 341
 &signA; = <em>sign</em>(&signKeyA;, &macA;)
342 342
 &IDA; = <em>cipher</em>(&KCsubA;, &CsubA;, {&pubKeyA;, &signA;})
@@ -348,7 +348,7 @@ K = HASH(&dsupx; mod p)
348 348
                                              {&pubKeyA;, &signA;} = <em>decipher</em>(&KCsubA;, &CsubA;, &IDA;)
349 349
                                              &macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;})
350 350
                                              <em>verify</em>(&signA;, &pubKeyA;, &macA;)
351
-    </pre>
351
+    </code>
352 352
   </section2>
353 353
 
354 354
   <section2 topic='SIGMA-R with SAS Key Exchange' anchor='foundations-core-r'>
@@ -356,16 +356,16 @@ K = HASH(&dsupx; mod p)
356 356
     <p>Furthermore, if retained secrets associated with a client/user combination are employed <em>consistently</em> during key exchanges, then the Man in the Middle would need to be present for every session, including the first, and the out-of-band verification would only need to be performed once to verify the absence of a Man in the Middle for all sessions between the parties (past, present and future). <note>This combination of techniques underpins the <cite>ZRTP</cite> key agreement protocol.</note></p>
357 357
     <p>Public keys are optional in the diagram below. It describes the same SIGMA-R with SAS key exchange protocol as the <link url='#foundations-skeleton-r'>SIGMA-R Overview</link>. It provides much more detail including the use of retained secrets and other secrets. The use of public keys is negotiated in the first two messages. Note: These <em>optional</em> security enhancements are especially important when the protocol is being used without public keys.</p>
358 358
     <p>The diagram does not specify any ESession-specific details. The differences between it and the <link url='#foundations-core-i'>SIGMA-I Key Exchange</link> are highlighted.</p>
359
-    <pre>
359
+    <code>
360 360
 <strong>ALICE</strong>&#160;                                       <strong>BOB</strong>&#160;
361 361
 
362 362
 &NsubA; = <em>random</em>()
363 363
 x = <em>random</em>()
364 364
 e = &gsupx; mod p
365
-<span class='highlight'>He = SHA256(e)
366
-                               He, &isPKsubA;</span>
365
+He = SHA256(e)
366
+                               He, &isPKsubA;
367 367
                              ------------&gt;
368
-                               <span class='highlight'>&isPKsubB;,</span>&#160;&NsubA;&#160;
368
+                               &isPKsubB;,&#160;&NsubA;&#160;
369 369
                                              &NsubB; = <em>random</em>()
370 370
                                              &CsubA; = <em>random</em>()
371 371
                                              &CBeCAx2n1;&#160;
@@ -373,27 +373,27 @@ e = &gsupx; mod p
373 373
                                              d = &gsupy; mod p
374 374
                                d, &CsubA;, &NsubB;
375 375
                              &lt;------------
376
-                              <span class='highlight'>&isPKsubA;, &isPKsubB;</span>&#160;
376
+                              &isPKsubA;, &isPKsubB;&#160;
377 377
 &CBeCAx2n1;&#160;
378 378
 <em>assert</em> 1 &lt; d &lt; p-1
379 379
 K = HASH(&dsupx; mod p)
380 380
 &KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
381 381
 &KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
382 382
 &KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
383
-<span class='highlight'>&RSH1ARSHZA; = <em>HMAC</em>(HASH, &NsubA;, &RS1ARSZA;)
383
+&RSH1ARSHZA; = <em>HMAC</em>(HASH, &NsubA;, &RS1ARSZA;)
384 384
 <em>if</em>&#160;&isPKsubB;&#160;<em>equals false then:</em>&#160;
385 385
     &macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &RSH1ARSHZA;})
386 386
     &IDA; = <em>cipher</em>(&KCsubA;, &CsubA;, &macA;)
387
-<em>else:</em></span>&#160;
387
+<em>else:</em>&#160;
388 388
     &macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &RSH1ARSHZA;})
389 389
     &signA; = <em>sign</em>(&signKeyA;, &macA;)
390 390
     &IDA; = <em>cipher</em>(&KCsubA;, &CsubA;, {&pubKeyA;, &signA;})
391 391
 &MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
392
-<span class='highlight'>SAS = <em>truncate</em>(HASH(&MsubA; | d | "Short Authentication String"))</span>&#160;
392
+SAS = <em>truncate</em>(HASH(&MsubA; | d | "Short Authentication String"))&#160;
393 393
 
394 394
                                 &IDA;, &MsubA;
395 395
                              ------------&gt;
396
-                             <span class='highlight'>e, &RSH1ARSHZA;&#160;
396
+                             e, &RSH1ARSHZA;&#160;
397 397
 
398 398
                                              <em>assert</em>&#160;He = SHA256(e)
399 399
                                              SAS = <em>truncate</em>(HASH(&MsubA; | d | "Short Authentication String"))
@@ -404,16 +404,16 @@ K = HASH(&dsupx; mod p)
404 404
                                              K = HASH(&esupy; mod p)
405 405
                                              &KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
406 406
                                              &KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
407
-                                             &KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")</span>&#160;
407
+                                             &KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")&#160;
408 408
                                              <em>assert</em>&#160;&MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
409
-                                             <span class='highlight'><em>if</em>&#160;&isPKsubB;&#160;<em>equals false then:</em>&#160;
409
+                                             <em>if</em>&#160;&isPKsubB;&#160;<em>equals false then:</em>&#160;
410 410
                                                  &macA; = <em>decipher</em>(&KCsubA;, &CsubA;, &IDA;)
411 411
                                                  <em>assert</em>&#160;&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &RSH1ARSHZA;})
412
-                                             <em>else:</em></span>&#160;
412
+                                             <em>else:</em>&#160;
413 413
                                                  {&pubKeyA;, &signA;} = <em>decipher</em>(&KCsubA;, &CsubA;, &IDA;)
414 414
                                                  &macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &RSH1ARSHZA;})
415 415
                                                  <em>verify</em>(&signA;, &pubKeyA;, &macA;)
416
-                                             <span class='highlight'>SRS = <em>choose</em>(&RS1BRSZB;, &RSH1ARSHZA;, &NsubA;)
416
+                                             SRS = <em>choose</em>(&RS1BRSZB;, &RSH1ARSHZA;, &NsubA;)
417 417
                                              K = HASH(K | SRS | OSS)
418 418
                                              &KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
419 419
                                              &KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
@@ -444,13 +444,13 @@ K = HASH(K | SRS | OSS)
444 444
 <em>retain</em>(<em>HMAC</em>(HASH, K, "New Retained Secret"))
445 445
 <em>assert</em>&#160;&MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)
446 446
 <em>if</em>&#160;&isPKsubA;&#160;<em>equals false then:</em>&#160;
447
-    <span class='highlight'>&macB; = <em>decipher</em>(&KCsubB;, &CsubB;, &IDB;)
447
+    &macB; = <em>decipher</em>(&KCsubB;, &CsubB;, &IDB;)
448 448
     <em>assert</em>&#160;&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &CsubA;})
449
-<em>else:</em></span>&#160;
449
+<em>else:</em>&#160;
450 450
     {&pubKeyB;, &signB;} = <em>decipher</em>(&KCsubB;, &CsubB;, &IDB;)
451 451
     &macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &CsubA;})
452
-    <em>verify</em>(&signB;, &pubKeyB;, &macB;)</span>
453
-    </pre>
452
+    <em>verify</em>(&signB;, &pubKeyB;, &macB;)
453
+    </code>
454 454
   </section2>
455 455
 
456 456
 </section1>
@@ -522,26 +522,26 @@ K = HASH(K | SRS | OSS)
522 522
   <section2 topic='Online ESession-I Negotiation' anchor='design-online-i'>
523 523
     <p>Alice uses this protocol when Bob is Online. In addition to the key exchange described in the <link url='#foundations-core-i'>SIGMA-I Key Exchange</link> protocol above, she offers Bob a choice of Diffie-Hellman groups with her corresponding values of e, various algorithms and other parameters. The differences between this protocol and <link url='#design-online-r'>Online ESession-R Negotiation</link> are highlighted.</p>
524 524
     <!--The first two forms below negotiate policy, swap Diffie-Hellman public values and the ancillary data necessary for the exchange and authentication. The second message also authenticates the responder. The third message authenticates the initiator and exchanges the final Diffie-Hellman public value.-->
525
-    <pre>
525
+    <code>
526 526
 <strong>ALICE</strong>&#160;                                   <strong>BOB</strong>&#160;
527 527
 
528 528
 &NsubA; = <em>random</em>()
529 529
 <em>for</em> g,p &#8712; options
530 530
     x = <em>random</em>()
531 531
     e = &gsupx; mod p
532
-&formA; = {<span class='highlight'>&e1eZ;</span>, options, &NsubA;}
532
+&formA; = {&e1eZ;, options, &NsubA;}
533 533
                                 &formA;
534 534
                              ---------&gt;
535 535
 
536 536
                                          chosen = {p,g,HASH,CIPHER,SIGN...} = <em>choose</em>(options)
537
-                                         <span class='highlight'>e</span> = <em>choose</em>(<span class='highlight'>&e1eZ;</span>, p)
537
+                                         e = <em>choose</em>(&e1eZ;, p)
538 538
                                          &NsubB; = <em>random</em>()
539 539
                                          &CsubA; = <em>random</em>()
540 540
                                          &CBeCAx2n1;&#160;
541 541
                                          y = <em>random</em>()
542 542
                                          d = &gsupy; mod p
543 543
                                          &formB; = {&CsubA;, chosen, d, &NsubA;, &NsubB;}
544
-                                         <span class='highlight'><em>assert</em> 1 &lt; e &lt; p-1
544
+                                         <em>assert</em> 1 &lt; e &lt; p-1
545 545
                                          K = HASH(&esupy; mod p)
546 546
                                          &KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
547 547
                                          &KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
@@ -552,10 +552,10 @@ K = HASH(K | SRS | OSS)
552 552
                                          &macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;})
553 553
                                          &signB; = SIGN(&signKeyB;, &macB;)
554 554
                                          &IDB; = CIPHER(&KCsubB;, &CsubB;, {&pubKeyB;, &signB;})
555
-                                         &MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)</span>&#160;
555
+                                         &MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)&#160;
556 556
                                 &formB;
557 557
                              &lt;---------
558
-                               <span class='highlight'>&IDB;, &MsubB;</span>&#160;
558
+                               &IDB;, &MsubB;&#160;
559 559
 <em>assert</em> chosen &#8712; options
560 560
 x = <em>choose</em>(&x1xZ;, p)
561 561
 e = &gsupx; mod p
@@ -563,46 +563,46 @@ e = &gsupx; mod p
563 563
 <em>assert</em> 1 &lt; d &lt; p-1
564 564
 K = HASH(&dsupx; mod p)
565 565
 &KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
566
-<span class='highlight'>&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")</span>&#160;
566
+&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")&#160;
567 567
 &KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
568
-<span class='highlight'>&KMsubB; = <em>HMAC</em>(HASH, K, "Responder MAC Key")</span>&#160;
568
+&KMsubB; = <em>HMAC</em>(HASH, K, "Responder MAC Key")&#160;
569 569
 &KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
570
-<span class='highlight'>&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
570
+&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
571 571
 <em>assert</em>&#160;&MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)
572 572
 {&pubKeyB;, &signB;} = DECIPHER(&KCsubB;, &CsubB;, &IDB;)
573 573
 &macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;})
574
-VERIFY(&signB;, &pubKeyB;, &macB;)</span>&#160;
574
+VERIFY(&signB;, &pubKeyB;, &macB;)&#160;
575 575
 &macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &formA;})
576 576
 &signA; = SIGN(&signKeyA;, &macA;)
577 577
 &IDA; = CIPHER(&KCsubA;, &CsubA;, {&pubKeyA;, &signA;})
578 578
 &MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
579 579
                                 &IDA;
580 580
                              ---------&gt;
581
-                               &MsubA;, <span class='highlight'>&NsubB;</span>&#160;
581
+                               &MsubA;, &NsubB;&#160;
582 582
                                          <em>assert</em>&#160;&MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
583 583
                                          {&pubKeyA;, &signA;} = DECIPHER(&KCsubA;, &CsubA;, &IDA;)
584 584
                                          &macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &formA;})
585 585
                                          VERIFY(&signA;, &pubKeyA;, &macA;)
586
-    </pre>
586
+    </code>
587 587
   </section2>
588 588
 
589 589
   <section2 topic='Online ESession-R Negotiation' anchor='design-online-r'>
590 590
     <p>This protocol is similar to the <link url='#design-online-i'>Online ESession-I Negotiation</link> above, except that Bob's identity is protected from active attacks (by by delaying communicating his identity to Alice until he has authenticated her). The optional use of SAS, retained secrets and other secrets means the protocol may be used without any public keys. The differences between this protocol and <link url='#design-online-i'>Online ESession-I Negotiation</link> are highlighted.</p>
591
-    <pre>
591
+    <code>
592 592
 <strong>ALICE</strong>&#160;                                     <strong>BOB</strong>&#160;
593 593
 
594 594
 &NsubA; = <em>random</em>()
595 595
 <em>for</em> g,p &#8712; options
596 596
     x = <em>random</em>()
597 597
     e = &gsupx; mod p
598
-    <span class='highlight'>He = SHA256(e)</span>&#160;
599
-&formA; = {<span class='highlight'>&He1HeZ;</span>, options, &NsubA;}
598
+    He = SHA256(e)&#160;
599
+&formA; = {&He1HeZ;, options, &NsubA;}
600 600
 
601 601
                                  &formA;
602 602
                              ------------&gt;
603 603
 
604
-                                           chosen = {p,g,HASH,CIPHER,SIGN,SASGEN,<span class='highlight'>&isPKsubA;,&isPKsubB;</span>...} = <em>choose</em>(options)
605
-                                           <span class='highlight'>He</span> = <em>choose</em>(<span class='highlight'>&He1HeZ;</span>, p)
604
+                                           chosen = {p,g,HASH,CIPHER,SIGN,SASGEN,&isPKsubA;,&isPKsubB;...} = <em>choose</em>(options)
605
+                                           He = <em>choose</em>(&He1HeZ;, p)
606 606
                                            &NsubB; = <em>random</em>()
607 607
                                            &CsubA; = <em>random</em>()
608 608
                                            &CBeCAx2n1;&#160;
@@ -620,20 +620,20 @@ K = HASH(&dsupx; mod p)
620 620
 &KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
621 621
 &KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
622 622
 &KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
623
-<span class='highlight'>&RSH1ARSHZA; = <em>HMAC</em>(HASH, &NsubA;, &RS1ARSZA;)
623
+&RSH1ARSHZA; = <em>HMAC</em>(HASH, &NsubA;, &RS1ARSZA;)
624 624
 &formA2; = {&RSH1ARSHZA;, e, &NsubB;}
625 625
 <em>if</em>&#160;&isPKsubB;&#160;<em>equals false then:</em>&#160;
626 626
     &macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &formA;, &formA2;})
627 627
     &IDA; = CIPHER(&KCsubA;, &CsubA;, &macA;)
628
-<em>else:</em>&#160;</span>&#160;
628
+<em>else:</em>&#160;&#160;
629 629
     &macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &formA;, &formA2;})
630 630
     &signA; = SIGN(&signKeyA;, &macA;)
631 631
     &IDA; = CIPHER(&KCsubA;, &CsubA;, {&pubKeyA;, &signA;})
632 632
 &MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
633
-<span class='highlight'>SAS = SASGEN(&MsubA;, &formB;)</span>&#160;
633
+SAS = SASGEN(&MsubA;, &formB;)&#160;
634 634
                                 &IDA;, &MsubA;
635 635
                              ------------&gt;
636
-                                 <span class='highlight'>&formA2;&#160;
636
+                                 &formA2;&#160;
637 637
 
638 638
                                            <em>assert</em>&#160;He = SHA256(e)
639 639
                                            SAS = SASGEN(&MsubA;, &formB;)
@@ -645,15 +645,15 @@ K = HASH(&dsupx; mod p)
645 645
                                            &KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
646 646
                                            &KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
647 647
                                            &KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
648
-                                           </span><em>assert</em>&#160;&MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
649
-                                           <span class='highlight'><em>if</em>&#160;&isPKsubB;&#160;<em>equals false then:</em>&#160;
648
+                                           <em>assert</em>&#160;&MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
649
+                                           <em>if</em>&#160;&isPKsubB;&#160;<em>equals false then:</em>&#160;
650 650
                                                &macA; = DECIPHER(&KCsubA;, &CsubA;, &IDA;)
651 651
                                                <em>assert</em>&#160;&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &formA;, &formA2;})
652
-                                           <em>else:</em></span>&#160;
652
+                                           <em>else:</em>&#160;
653 653
                                                {&pubKeyA;, &signA;} = DECIPHER(&KCsubA;, &CsubA;, &IDA;)
654 654
                                                &macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &formA;, &formA2;})
655 655
                                                VERIFY(&signA;, &pubKeyA;, &macA;)
656
-                                           <span class='highlight'>SRS = <em>choose</em>(&RS1BRSZB;, &RSH1ARSHZA;, &NsubA;)
656
+                                           SRS = <em>choose</em>(&RS1BRSZB;, &RSH1ARSHZA;, &NsubA;)
657 657
                                            K = HASH(K | SRS | OSS)
658 658
                                            &KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
659 659
                                            &KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
@@ -693,15 +693,15 @@ K = HASH(K | SRS | OSS)
693 693
 <em>else:</em>&#160;
694 694
     {&pubKeyB;, &signB;} = DECIPHER(&KCsubB;, &CsubB;, &IDB;)
695 695
     &macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;, &formB2;})
696
-    VERIFY(&signB;, &pubKeyB;, &macB;)</span>
697
-    </pre>
696
+    VERIFY(&signB;, &pubKeyB;, &macB;)
697
+    </code>
698 698
   </section2>
699 699
 
700 700
   <section2 topic='Offline ESession Negotiation' anchor='design-offline'>
701 701
     <p>Bob uses this protocol to send stanzas to Alice when she is Offline. Note: Since the full <cite>SIGMA</cite> protocol cannot be used if Alice is offline, her identity is not protected at all.</p>
702 702
     <p>The diagram is split into three phases. First Alice publishes her ESession options before going offline. Later Bob completes the key exchange (and sends her encrypted stanzas that are not shown below) these are all stored by Alice's server. Finally when Alice comes online again she verifies and calculates the decryption key.</p>
703 703
     <p>The differences between this offline protocol and the <link url='#design-online-i'>Online ESession-I Negotiation</link> protocol above are highlighted in the diagram below.</p>
704
-    <pre>
704
+    <code>
705 705
 <strong>ALICE</strong>&#160;                   <strong>ALICE'S SERVER</strong>&#160;             <strong>BOB</strong>&#160;
706 706
 
707 707
 &NsubA; = <em>random</em>()
@@ -709,22 +709,22 @@ K = HASH(K | SRS | OSS)
709 709
     x = <em>random</em>()
710 710
     e = &gsupx; mod p
711 711
 &formA; = {&e1eZ;, options, &NsubA;}
712
-<span class='highlight'>&signsA; = <em>multi_sign</em>(&signKeysA;, &formA;)
713
-<em>retain</em>(&NsubA;, &x1xZ;, expireTime)</span>&#160;
712
+&signsA; = <em>multi_sign</em>(&signKeysA;, &formA;)
713
+<em>retain</em>(&NsubA;, &x1xZ;, expireTime)&#160;
714 714
 
715 715
                    &formA;
716 716
                  --------&gt;
717
-                   <span class='highlight'>&signsA;&#160;
717
+                   &signsA;&#160;
718 718
 
719 719
                          <em>retain</em>(&formA;, &signsA;)
720 720
 ---------------------------------------------------------------------------------------------------------
721
-                         <em>retrieve</em>(&formA;, &signsA;)</span>&#160;
721
+                         <em>retrieve</em>(&formA;, &signsA;)&#160;
722 722
 
723 723
                                              &formA;
724 724
                                            --------&gt;
725
-                                             <span class='highlight'>&signsA;&#160;
725
+                                             &signsA;&#160;
726 726
 
727
-                                                     <em>verify_one</em>(&signsA;, &pubKeysA;, &formA;)</span>
727
+                                                     <em>verify_one</em>(&signsA;, &pubKeysA;, &formA;)
728 728
                                                      chosen = {p,g,HASH,CIPHER,SIGN...} = <em>choose</em>(options)
729 729
                                                      e = <em>choose</em>(&e1eZ;, p)
730 730
                                                      &CsubA; = <em>random</em>()
@@ -750,15 +750,21 @@ K = HASH(K | SRS | OSS)
750 750
                                            &lt;--------
751 751
                                             &IDB;, &MsubB;&#160;
752 752
 
753
-                         <span class='highlight'><em>retain</em>(&formB;,&IDB;,&MsubB;)
753
+                         <em>retain</em>(&formB;,&IDB;,&MsubB;)
754
+---------------------------------------------------------------------------------------------------------
755
+                         <em>retrieve</em>(&formB;,&IDB;,&MsubB;)(&formB;,&IDB;,&MsubB;)
756
+---------------------------------------------------------------------------------------------------------
757
+                         <em>retrieve</em>(&formB;,&IDB;,&MsubB;)(&formB;,&IDB;,&MsubB;)
758
+---------------------------------------------------------------------------------------------------------
759
+                         <em>retrieve</em>(&formB;,&IDB;,&MsubB;)(&formB;,&IDB;,&MsubB;)
754 760
 ---------------------------------------------------------------------------------------------------------
755
-                         <em>retrieve</em>(&formB;,&IDB;,&MsubB;)</span>&#160;
761
+                         <em>retrieve</em>(&formB;,&IDB;,&MsubB;)&#160;
756 762
                    &formB;
757 763
                  &lt;--------
758 764
                   &IDB;, &MsubB;&#160;
759 765
 
760
-<span class='highlight'><em>retrieve</em>(&NsubA;, &x1xZ;, expireTime)
761
-<em>assert</em> now &lt; expireTime</span>&#160;
766
+<em>retrieve</em>(&NsubA;, &x1xZ;, expireTime)
767
+<em>assert</em> now &lt; expireTime&#160;
762 768
 <em>assert</em> chosen &#8712; options
763 769
 x = <em>choose</em>(&x1xZ;, p)
764 770
 e = &gsupx; mod p
@@ -775,7 +781,7 @@ K = HASH(&dsupx; mod p)
775 781
 {&pubKeyB;, &signB;} = DECIPHER(&KCsubB;, &CsubB;, &IDB;)
776 782
 &macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;})
777 783
 VERIFY(&signB;, &pubKeyB;, &macB;)
778
-    </pre>
784
+    </code>
779 785
     <p>Note: &KMsubB; is necessary only to allow Bob to terminate the ESession if he comes online before Alice terminates it. The calculation of &KCsubB; and &KSsubB; is not strictly necessary.</p>
780 786
   </section2>
781 787
 </section1>

Loading…
Cancel
Save