XEP-0188: Fix DTD

This commit is contained in:
Sam Whited 2017-01-01 19:56:45 -06:00
parent 424dd6c59b
commit caacf89081
1 changed files with 78 additions and 72 deletions

View File

@ -219,7 +219,7 @@
<section2 topic='SIGMA-I Overview' anchor='foundations-skeleton-i'>
<p>The diagram below demonstrates the barest cryptographic skeleton of the SIGMA-I key exchange protocol. Here Bob allows Alice to protect her identity from active attacks, by allowing her to authenticate him before she communicates her identity. Note: The cipher keys (&KCsubA; and &KCsubB;) are different in each direction, making this exchange slightly more conservative than <cite>SIGMA</cite>.</p>
<pre>
<code>
<strong>ALICE</strong>&#160; <strong>BOB</strong>&#160;
&gsupx;
------------&gt;
@ -238,13 +238,13 @@
------------&gt;
<em>authenticate</em>(&IDA;)
</pre>
</code>
</section2>
<section2 topic='SAS-Only Overview' anchor='foundations-skeleton-sas'>
<p>The diagram below demonstrates the skeleton of the Diffie-Hellman key exchange that employs out-of-band Short Authentication String (SAS) verification. If Alice and Bob's public keys are not yet trusted, or if their private keys have been compromised, then the hash commitment sent in the first step enables Alice and Bob to verify their copies of each other's Diffie-Hellman (and public) keys and detect a Man in the Middle more easily.</p>
<p>If a Man in the Middle changes the public Diffie-Hellman keys that Alice and Bob receive, then he could potentially use his knowledge of the SAS that Bob will eventually calculate when choosing the key he will send to Alice in the second step. However, the fact that the value he received in the first step is only a hash means the Man in the Middle must choose the key he sends to Alice before he can predict the SAS that she will calculate with it. Therefore, even if the SAS is very short, he is unable to use his resources to choose a key that will (have a better than random chance to) result in a SAS that matches Bob's. So only a truncated version of the HASH of Alice and Bob's keys needs to be verified out-of-band in the final step.</p>
<pre>
<code>
<strong>ALICE</strong>&#160; <strong>BOB</strong>&#160;
H&gsupx;
------------&gt;
@ -259,12 +259,12 @@ SAS = <em>truncate</em>(HASH(&gsupx; | &gsupy;))
SAS = <em>truncate</em>(HASH(&gsupx; | &gsupy;))
SAS
&lt;===========&gt;
</pre>
</code>
</section2>
<section2 topic='SIGMA-R with SAS Overview' anchor='foundations-skeleton-r'>
<p>The logic of the four-step SIGMA-R protocol is similar to the three-step SIGMA-I protocol. The difference being that Bob protects his identity from active attacks by by delaying communicating his identity to Alice until he has authenticated her. The diagram below demonstrates the skeleton of the key exchange. Note that it also takes advantage of the extra step required for SIGMA-R to incorporate a hash commitment, thus enabling <em>optional</em> out-of-band SAS authentication.</p>
<pre>
<code>
<strong>ALICE</strong>&#160; <strong>BOB</strong>&#160;
H&gsupx;
------------&gt;
@ -291,25 +291,25 @@ SAS = <em>truncate</em>(HASH(&gsupx; | &gsupy;))
&IDB;
&lt;------------
<em>authenticate</em>(&IDB;)
</pre>
</code>
</section2>
<section2 topic='SIGMA-I Key Exchange' anchor='foundations-core-i'>
<p>The diagram below describes exactly the same SIGMA-I key exchange protocol as the <link url='#foundations-skeleton-i'>SIGMA-I Overview</link> above. It provides much more detail, without specifying any ESession-specific details. The differences between it and the <link url='#foundations-core-r'>SIGMA-R with SAS Key Exchange</link> are highlighted.</p>
<pre>
<code>
<strong>ALICE</strong>&#160; <strong>BOB</strong>&#160;
&NsubA; = <em>random</em>()
x = <em>random</em>()
e = &gsupx; mod p
<span class='highlight'>e,</span>&#160;&NsubA;
e,&#160;&NsubA;
------------&gt;
&NsubB; = <em>random</em>()
&CsubA; = <em>random</em>()
&CBeCAx2n1;&#160;
y = <em>random</em>()
d = &gsupy; mod p
<span class='highlight'><em>assert</em> 1 &lt; e &lt; p-1
<em>assert</em> 1 &lt; e &lt; p-1
K = HASH(&esupy; mod p)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
@ -320,23 +320,23 @@ e = &gsupx; mod p
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &CsubA;})
&signB; = <em>sign</em>(&signKeyB;, &macB;)
&IDB; = <em>cipher</em>(&KCsubB;, &CsubB;, {&pubKeyB;, &signB;})
&MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)</span>&#160;
&MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)&#160;
d, &CsubA;, &NsubB;
&lt;------------
<span class='highlight'>&IDB;, &MsubB;</span>&#160;
&IDB;, &MsubB;&#160;
&CBeCAx2n1;&#160;
<em>assert</em> 1 &lt; d &lt; p-1
K = HASH(&dsupx; mod p)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
<span class='highlight'>&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")</span>&#160;
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")&#160;
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
<span class='highlight'>&KMsubB; = <em>HMAC</em>(HASH, K, "Responder MAC Key")</span>&#160;
&KMsubB; = <em>HMAC</em>(HASH, K, "Responder MAC Key")&#160;
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
<span class='highlight'>&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
<em>assert</em>&#160;&MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)
{&pubKeyB;, &signB;} = <em>decipher</em>(&KCsubB;, &CsubB;, &IDB;)
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &CsubA;})
<em>verify</em>(&signB;, &pubKeyB;, &macB;)</span>&#160;
<em>verify</em>(&signB;, &pubKeyB;, &macB;)&#160;
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;})
&signA; = <em>sign</em>(&signKeyA;, &macA;)
&IDA; = <em>cipher</em>(&KCsubA;, &CsubA;, {&pubKeyA;, &signA;})
@ -348,7 +348,7 @@ K = HASH(&dsupx; mod p)
{&pubKeyA;, &signA;} = <em>decipher</em>(&KCsubA;, &CsubA;, &IDA;)
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;})
<em>verify</em>(&signA;, &pubKeyA;, &macA;)
</pre>
</code>
</section2>
<section2 topic='SIGMA-R with SAS Key Exchange' anchor='foundations-core-r'>
@ -356,16 +356,16 @@ K = HASH(&dsupx; mod p)
<p>Furthermore, if retained secrets associated with a client/user combination are employed <em>consistently</em> during key exchanges, then the Man in the Middle would need to be present for every session, including the first, and the out-of-band verification would only need to be performed once to verify the absence of a Man in the Middle for all sessions between the parties (past, present and future). <note>This combination of techniques underpins the <cite>ZRTP</cite> key agreement protocol.</note></p>
<p>Public keys are optional in the diagram below. It describes the same SIGMA-R with SAS key exchange protocol as the <link url='#foundations-skeleton-r'>SIGMA-R Overview</link>. It provides much more detail including the use of retained secrets and other secrets. The use of public keys is negotiated in the first two messages. Note: These <em>optional</em> security enhancements are especially important when the protocol is being used without public keys.</p>
<p>The diagram does not specify any ESession-specific details. The differences between it and the <link url='#foundations-core-i'>SIGMA-I Key Exchange</link> are highlighted.</p>
<pre>
<code>
<strong>ALICE</strong>&#160; <strong>BOB</strong>&#160;
&NsubA; = <em>random</em>()
x = <em>random</em>()
e = &gsupx; mod p
<span class='highlight'>He = SHA256(e)
He, &isPKsubA;</span>
He = SHA256(e)
He, &isPKsubA;
------------&gt;
<span class='highlight'>&isPKsubB;,</span>&#160;&NsubA;&#160;
&isPKsubB;,&#160;&NsubA;&#160;
&NsubB; = <em>random</em>()
&CsubA; = <em>random</em>()
&CBeCAx2n1;&#160;
@ -373,27 +373,27 @@ e = &gsupx; mod p
d = &gsupy; mod p
d, &CsubA;, &NsubB;
&lt;------------
<span class='highlight'>&isPKsubA;, &isPKsubB;</span>&#160;
&isPKsubA;, &isPKsubB;&#160;
&CBeCAx2n1;&#160;
<em>assert</em> 1 &lt; d &lt; p-1
K = HASH(&dsupx; mod p)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
<span class='highlight'>&RSH1ARSHZA; = <em>HMAC</em>(HASH, &NsubA;, &RS1ARSZA;)
&RSH1ARSHZA; = <em>HMAC</em>(HASH, &NsubA;, &RS1ARSZA;)
<em>if</em>&#160;&isPKsubB;&#160;<em>equals false then:</em>&#160;
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &RSH1ARSHZA;})
&IDA; = <em>cipher</em>(&KCsubA;, &CsubA;, &macA;)
<em>else:</em></span>&#160;
<em>else:</em>&#160;
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &RSH1ARSHZA;})
&signA; = <em>sign</em>(&signKeyA;, &macA;)
&IDA; = <em>cipher</em>(&KCsubA;, &CsubA;, {&pubKeyA;, &signA;})
&MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
<span class='highlight'>SAS = <em>truncate</em>(HASH(&MsubA; | d | "Short Authentication String"))</span>&#160;
SAS = <em>truncate</em>(HASH(&MsubA; | d | "Short Authentication String"))&#160;
&IDA;, &MsubA;
------------&gt;
<span class='highlight'>e, &RSH1ARSHZA;&#160;
e, &RSH1ARSHZA;&#160;
<em>assert</em>&#160;He = SHA256(e)
SAS = <em>truncate</em>(HASH(&MsubA; | d | "Short Authentication String"))
@ -404,16 +404,16 @@ K = HASH(&dsupx; mod p)
K = HASH(&esupy; mod p)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")</span>&#160;
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")&#160;
<em>assert</em>&#160;&MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
<span class='highlight'><em>if</em>&#160;&isPKsubB;&#160;<em>equals false then:</em>&#160;
<em>if</em>&#160;&isPKsubB;&#160;<em>equals false then:</em>&#160;
&macA; = <em>decipher</em>(&KCsubA;, &CsubA;, &IDA;)
<em>assert</em>&#160;&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &RSH1ARSHZA;})
<em>else:</em></span>&#160;
<em>else:</em>&#160;
{&pubKeyA;, &signA;} = <em>decipher</em>(&KCsubA;, &CsubA;, &IDA;)
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &RSH1ARSHZA;})
<em>verify</em>(&signA;, &pubKeyA;, &macA;)
<span class='highlight'>SRS = <em>choose</em>(&RS1BRSZB;, &RSH1ARSHZA;, &NsubA;)
SRS = <em>choose</em>(&RS1BRSZB;, &RSH1ARSHZA;, &NsubA;)
K = HASH(K | SRS | OSS)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
@ -444,13 +444,13 @@ K = HASH(K | SRS | OSS)
<em>retain</em>(<em>HMAC</em>(HASH, K, "New Retained Secret"))
<em>assert</em>&#160;&MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)
<em>if</em>&#160;&isPKsubA;&#160;<em>equals false then:</em>&#160;
<span class='highlight'>&macB; = <em>decipher</em>(&KCsubB;, &CsubB;, &IDB;)
&macB; = <em>decipher</em>(&KCsubB;, &CsubB;, &IDB;)
<em>assert</em>&#160;&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &CsubA;})
<em>else:</em></span>&#160;
<em>else:</em>&#160;
{&pubKeyB;, &signB;} = <em>decipher</em>(&KCsubB;, &CsubB;, &IDB;)
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &CsubA;})
<em>verify</em>(&signB;, &pubKeyB;, &macB;)</span>
</pre>
<em>verify</em>(&signB;, &pubKeyB;, &macB;)
</code>
</section2>
</section1>
@ -522,26 +522,26 @@ K = HASH(K | SRS | OSS)
<section2 topic='Online ESession-I Negotiation' anchor='design-online-i'>
<p>Alice uses this protocol when Bob is Online. In addition to the key exchange described in the <link url='#foundations-core-i'>SIGMA-I Key Exchange</link> protocol above, she offers Bob a choice of Diffie-Hellman groups with her corresponding values of e, various algorithms and other parameters. The differences between this protocol and <link url='#design-online-r'>Online ESession-R Negotiation</link> are highlighted.</p>
<!--The first two forms below negotiate policy, swap Diffie-Hellman public values and the ancillary data necessary for the exchange and authentication. The second message also authenticates the responder. The third message authenticates the initiator and exchanges the final Diffie-Hellman public value.-->
<pre>
<code>
<strong>ALICE</strong>&#160; <strong>BOB</strong>&#160;
&NsubA; = <em>random</em>()
<em>for</em> g,p &#8712; options
x = <em>random</em>()
e = &gsupx; mod p
&formA; = {<span class='highlight'>&e1eZ;</span>, options, &NsubA;}
&formA; = {&e1eZ;, options, &NsubA;}
&formA;
---------&gt;
chosen = {p,g,HASH,CIPHER,SIGN...} = <em>choose</em>(options)
<span class='highlight'>e</span> = <em>choose</em>(<span class='highlight'>&e1eZ;</span>, p)
e = <em>choose</em>(&e1eZ;, p)
&NsubB; = <em>random</em>()
&CsubA; = <em>random</em>()
&CBeCAx2n1;&#160;
y = <em>random</em>()
d = &gsupy; mod p
&formB; = {&CsubA;, chosen, d, &NsubA;, &NsubB;}
<span class='highlight'><em>assert</em> 1 &lt; e &lt; p-1
<em>assert</em> 1 &lt; e &lt; p-1
K = HASH(&esupy; mod p)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
@ -552,10 +552,10 @@ K = HASH(K | SRS | OSS)
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;})
&signB; = SIGN(&signKeyB;, &macB;)
&IDB; = CIPHER(&KCsubB;, &CsubB;, {&pubKeyB;, &signB;})
&MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)</span>&#160;
&MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)&#160;
&formB;
&lt;---------
<span class='highlight'>&IDB;, &MsubB;</span>&#160;
&IDB;, &MsubB;&#160;
<em>assert</em> chosen &#8712; options
x = <em>choose</em>(&x1xZ;, p)
e = &gsupx; mod p
@ -563,46 +563,46 @@ e = &gsupx; mod p
<em>assert</em> 1 &lt; d &lt; p-1
K = HASH(&dsupx; mod p)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
<span class='highlight'>&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")</span>&#160;
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")&#160;
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
<span class='highlight'>&KMsubB; = <em>HMAC</em>(HASH, K, "Responder MAC Key")</span>&#160;
&KMsubB; = <em>HMAC</em>(HASH, K, "Responder MAC Key")&#160;
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
<span class='highlight'>&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
&KSsubB; = <em>HMAC</em>(HASH, K, "Responder SIGMA Key")
<em>assert</em>&#160;&MsubB; = <em>HMAC</em>(HASH, &KMsubB;, &CsubB;, &IDB;)
{&pubKeyB;, &signB;} = DECIPHER(&KCsubB;, &CsubB;, &IDB;)
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;})
VERIFY(&signB;, &pubKeyB;, &macB;)</span>&#160;
VERIFY(&signB;, &pubKeyB;, &macB;)&#160;
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &formA;})
&signA; = SIGN(&signKeyA;, &macA;)
&IDA; = CIPHER(&KCsubA;, &CsubA;, {&pubKeyA;, &signA;})
&MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
&IDA;
---------&gt;
&MsubA;, <span class='highlight'>&NsubB;</span>&#160;
&MsubA;, &NsubB;&#160;
<em>assert</em>&#160;&MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
{&pubKeyA;, &signA;} = DECIPHER(&KCsubA;, &CsubA;, &IDA;)
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &formA;})
VERIFY(&signA;, &pubKeyA;, &macA;)
</pre>
</code>
</section2>
<section2 topic='Online ESession-R Negotiation' anchor='design-online-r'>
<p>This protocol is similar to the <link url='#design-online-i'>Online ESession-I Negotiation</link> above, except that Bob's identity is protected from active attacks (by by delaying communicating his identity to Alice until he has authenticated her). The optional use of SAS, retained secrets and other secrets means the protocol may be used without any public keys. The differences between this protocol and <link url='#design-online-i'>Online ESession-I Negotiation</link> are highlighted.</p>
<pre>
<code>
<strong>ALICE</strong>&#160; <strong>BOB</strong>&#160;
&NsubA; = <em>random</em>()
<em>for</em> g,p &#8712; options
x = <em>random</em>()
e = &gsupx; mod p
<span class='highlight'>He = SHA256(e)</span>&#160;
&formA; = {<span class='highlight'>&He1HeZ;</span>, options, &NsubA;}
He = SHA256(e)&#160;
&formA; = {&He1HeZ;, options, &NsubA;}
&formA;
------------&gt;
chosen = {p,g,HASH,CIPHER,SIGN,SASGEN,<span class='highlight'>&isPKsubA;,&isPKsubB;</span>...} = <em>choose</em>(options)
<span class='highlight'>He</span> = <em>choose</em>(<span class='highlight'>&He1HeZ;</span>, p)
chosen = {p,g,HASH,CIPHER,SIGN,SASGEN,&isPKsubA;,&isPKsubB;...} = <em>choose</em>(options)
He = <em>choose</em>(&He1HeZ;, p)
&NsubB; = <em>random</em>()
&CsubA; = <em>random</em>()
&CBeCAx2n1;&#160;
@ -620,20 +620,20 @@ K = HASH(&dsupx; mod p)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
<span class='highlight'>&RSH1ARSHZA; = <em>HMAC</em>(HASH, &NsubA;, &RS1ARSZA;)
&RSH1ARSHZA; = <em>HMAC</em>(HASH, &NsubA;, &RS1ARSZA;)
&formA2; = {&RSH1ARSHZA;, e, &NsubB;}
<em>if</em>&#160;&isPKsubB;&#160;<em>equals false then:</em>&#160;
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &formA;, &formA2;})
&IDA; = CIPHER(&KCsubA;, &CsubA;, &macA;)
<em>else:</em>&#160;</span>&#160;
<em>else:</em>&#160;&#160;
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &formA;, &formA2;})
&signA; = SIGN(&signKeyA;, &macA;)
&IDA; = CIPHER(&KCsubA;, &CsubA;, {&pubKeyA;, &signA;})
&MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
<span class='highlight'>SAS = SASGEN(&MsubA;, &formB;)</span>&#160;
SAS = SASGEN(&MsubA;, &formB;)&#160;
&IDA;, &MsubA;
------------&gt;
<span class='highlight'>&formA2;&#160;
&formA2;&#160;
<em>assert</em>&#160;He = SHA256(e)
SAS = SASGEN(&MsubA;, &formB;)
@ -645,15 +645,15 @@ K = HASH(&dsupx; mod p)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KMsubA; = <em>HMAC</em>(HASH, K, "Initiator MAC Key")
&KSsubA; = <em>HMAC</em>(HASH, K, "Initiator SIGMA Key")
</span><em>assert</em>&#160;&MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
<span class='highlight'><em>if</em>&#160;&isPKsubB;&#160;<em>equals false then:</em>&#160;
<em>assert</em>&#160;&MsubA; = <em>HMAC</em>(HASH, &KMsubA;, &CsubA;, &IDA;)
<em>if</em>&#160;&isPKsubB;&#160;<em>equals false then:</em>&#160;
&macA; = DECIPHER(&KCsubA;, &CsubA;, &IDA;)
<em>assert</em>&#160;&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &formA;, &formA2;})
<em>else:</em></span>&#160;
<em>else:</em>&#160;
{&pubKeyA;, &signA;} = DECIPHER(&KCsubA;, &CsubA;, &IDA;)
&macA; = <em>HMAC</em>(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &formA;, &formA2;})
VERIFY(&signA;, &pubKeyA;, &macA;)
<span class='highlight'>SRS = <em>choose</em>(&RS1BRSZB;, &RSH1ARSHZA;, &NsubA;)
SRS = <em>choose</em>(&RS1BRSZB;, &RSH1ARSHZA;, &NsubA;)
K = HASH(K | SRS | OSS)
&KCsubA; = <em>HMAC</em>(HASH, K, "Initiator Cipher Key")
&KCsubB; = <em>HMAC</em>(HASH, K, "Responder Cipher Key")
@ -693,15 +693,15 @@ K = HASH(K | SRS | OSS)
<em>else:</em>&#160;
{&pubKeyB;, &signB;} = DECIPHER(&KCsubB;, &CsubB;, &IDB;)
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;, &formB2;})
VERIFY(&signB;, &pubKeyB;, &macB;)</span>
</pre>
VERIFY(&signB;, &pubKeyB;, &macB;)
</code>
</section2>
<section2 topic='Offline ESession Negotiation' anchor='design-offline'>
<p>Bob uses this protocol to send stanzas to Alice when she is Offline. Note: Since the full <cite>SIGMA</cite> protocol cannot be used if Alice is offline, her identity is not protected at all.</p>
<p>The diagram is split into three phases. First Alice publishes her ESession options before going offline. Later Bob completes the key exchange (and sends her encrypted stanzas that are not shown below) these are all stored by Alice's server. Finally when Alice comes online again she verifies and calculates the decryption key.</p>
<p>The differences between this offline protocol and the <link url='#design-online-i'>Online ESession-I Negotiation</link> protocol above are highlighted in the diagram below.</p>
<pre>
<code>
<strong>ALICE</strong>&#160; <strong>ALICE'S SERVER</strong>&#160; <strong>BOB</strong>&#160;
&NsubA; = <em>random</em>()
@ -709,22 +709,22 @@ K = HASH(K | SRS | OSS)
x = <em>random</em>()
e = &gsupx; mod p
&formA; = {&e1eZ;, options, &NsubA;}
<span class='highlight'>&signsA; = <em>multi_sign</em>(&signKeysA;, &formA;)
<em>retain</em>(&NsubA;, &x1xZ;, expireTime)</span>&#160;
&signsA; = <em>multi_sign</em>(&signKeysA;, &formA;)
<em>retain</em>(&NsubA;, &x1xZ;, expireTime)&#160;
&formA;
--------&gt;
<span class='highlight'>&signsA;&#160;
&signsA;&#160;
<em>retain</em>(&formA;, &signsA;)
---------------------------------------------------------------------------------------------------------
<em>retrieve</em>(&formA;, &signsA;)</span>&#160;
<em>retrieve</em>(&formA;, &signsA;)&#160;
&formA;
--------&gt;
<span class='highlight'>&signsA;&#160;
&signsA;&#160;
<em>verify_one</em>(&signsA;, &pubKeysA;, &formA;)</span>
<em>verify_one</em>(&signsA;, &pubKeysA;, &formA;)
chosen = {p,g,HASH,CIPHER,SIGN...} = <em>choose</em>(options)
e = <em>choose</em>(&e1eZ;, p)
&CsubA; = <em>random</em>()
@ -750,15 +750,21 @@ K = HASH(K | SRS | OSS)
&lt;--------
&IDB;, &MsubB;&#160;
<span class='highlight'><em>retain</em>(&formB;,&IDB;,&MsubB;)
<em>retain</em>(&formB;,&IDB;,&MsubB;)
---------------------------------------------------------------------------------------------------------
<em>retrieve</em>(&formB;,&IDB;,&MsubB;)</span>&#160;
<em>retrieve</em>(&formB;,&IDB;,&MsubB;)(&formB;,&IDB;,&MsubB;)
---------------------------------------------------------------------------------------------------------
<em>retrieve</em>(&formB;,&IDB;,&MsubB;)(&formB;,&IDB;,&MsubB;)
---------------------------------------------------------------------------------------------------------
<em>retrieve</em>(&formB;,&IDB;,&MsubB;)(&formB;,&IDB;,&MsubB;)
---------------------------------------------------------------------------------------------------------
<em>retrieve</em>(&formB;,&IDB;,&MsubB;)&#160;
&formB;
&lt;--------
&IDB;, &MsubB;&#160;
<span class='highlight'><em>retrieve</em>(&NsubA;, &x1xZ;, expireTime)
<em>assert</em> now &lt; expireTime</span>&#160;
<em>retrieve</em>(&NsubA;, &x1xZ;, expireTime)
<em>assert</em> now &lt; expireTime&#160;
<em>assert</em> chosen &#8712; options
x = <em>choose</em>(&x1xZ;, p)
e = &gsupx; mod p
@ -775,7 +781,7 @@ K = HASH(&dsupx; mod p)
{&pubKeyB;, &signB;} = DECIPHER(&KCsubB;, &CsubB;, &IDB;)
&macB; = <em>HMAC</em>(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;})
VERIFY(&signB;, &pubKeyB;, &macB;)
</pre>
</code>
<p>Note: &KMsubB; is necessary only to allow Bob to terminate the ESession if he comes online before Alice terminates it. The calculation of &KCsubB; and &KSsubB; is not strictly necessary.</p>
</section2>
</section1>