From caacf890818f164164f0cfada35e90030ae01404 Mon Sep 17 00:00:00 2001 From: Sam Whited Date: Sun, 1 Jan 2017 19:56:45 -0600 Subject: [PATCH] XEP-0188: Fix DTD --- xep-0188.xml | 150 ++++++++++++++++++++++++++------------------------- 1 file changed, 78 insertions(+), 72 deletions(-) diff --git a/xep-0188.xml b/xep-0188.xml index 747d6056..82130ca8 100644 --- a/xep-0188.xml +++ b/xep-0188.xml @@ -219,7 +219,7 @@

The diagram below demonstrates the barest cryptographic skeleton of the SIGMA-I key exchange protocol. Here Bob allows Alice to protect her identity from active attacks, by allowing her to authenticate him before she communicates her identity. Note: The cipher keys (&KCsubA; and &KCsubB;) are different in each direction, making this exchange slightly more conservative than SIGMA.

- 
+    
 ALICE                                                BOB 
                                             &gsupx;
                                       ------------>
@@ -238,13 +238,13 @@
                                       ------------>
 
                                                      authenticate(&IDA;)
-
+

The diagram below demonstrates the skeleton of the Diffie-Hellman key exchange that employs out-of-band Short Authentication String (SAS) verification. If Alice and Bob's public keys are not yet trusted, or if their private keys have been compromised, then the hash commitment sent in the first step enables Alice and Bob to verify their copies of each other's Diffie-Hellman (and public) keys and detect a Man in the Middle more easily.

If a Man in the Middle changes the public Diffie-Hellman keys that Alice and Bob receive, then he could potentially use his knowledge of the SAS that Bob will eventually calculate when choosing the key he will send to Alice in the second step. However, the fact that the value he received in the first step is only a hash means the Man in the Middle must choose the key he sends to Alice before he can predict the SAS that she will calculate with it. Therefore, even if the SAS is very short, he is unable to use his resources to choose a key that will (have a better than random chance to) result in a SAS that matches Bob's. So only a truncated version of the HASH of Alice and Bob's keys needs to be verified out-of-band in the final step.

- 
+    
 ALICE                                                BOB 
                                             H&gsupx;
                                       ------------>
@@ -259,12 +259,12 @@ SAS = truncate(HASH(&gsupx; | &gsupy;))
                                                      SAS = truncate(HASH(&gsupx; | &gsupy;))
                                            SAS
                                       <===========>
-
+

The logic of the four-step SIGMA-R protocol is similar to the three-step SIGMA-I protocol. The difference being that Bob protects his identity from active attacks by by delaying communicating his identity to Alice until he has authenticated her. The diagram below demonstrates the skeleton of the key exchange. Note that it also takes advantage of the extra step required for SIGMA-R to incorporate a hash commitment, thus enabling optional out-of-band SAS authentication.

- 
+    
 ALICE                                                BOB 
                                             H&gsupx;
                                       ------------>
@@ -291,25 +291,25 @@ SAS = truncate(HASH(&gsupx; | &gsupy;))
                                            &IDB;
                                       <------------
 authenticate(&IDB;)
-
+

The diagram below describes exactly the same SIGMA-I key exchange protocol as the SIGMA-I Overview above. It provides much more detail, without specifying any ESession-specific details. The differences between it and the SIGMA-R with SAS Key Exchange are highlighted.

- 
+    
 ALICE                                        BOB 
 
 &NsubA; = random()
 x = random()
 e = &gsupx; mod p
-                                 e, &NsubA;
+                                 e, &NsubA;
                              ------------>
                                              &NsubB; = random()
                                              &CsubA; = random()
                                              &CBeCAx2n1; 
                                              y = random()
                                              d = &gsupy; mod p
-                                             assert 1 < e < p-1
+                                             assert 1 < e < p-1
                                              K = HASH(&esupy; mod p)
                                              &KCsubA; = HMAC(HASH, K, "Initiator Cipher Key")
                                              &KCsubB; = HMAC(HASH, K, "Responder Cipher Key")
@@ -320,23 +320,23 @@ e = &gsupx; mod p
                                              &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &CsubA;})
                                              &signB; = sign(&signKeyB;, &macB;)
                                              &IDB; = cipher(&KCsubB;, &CsubB;, {&pubKeyB;, &signB;})
-                                             &MsubB; = HMAC(HASH, &KMsubB;, &CsubB;, &IDB;) 
+                                             &MsubB; = HMAC(HASH, &KMsubB;, &CsubB;, &IDB;) 
                                d, &CsubA;, &NsubB;
                              <------------
-                                &IDB;, &MsubB; 
+                                &IDB;, &MsubB; 
 &CBeCAx2n1; 
 assert 1 < d < p-1
 K = HASH(&dsupx; mod p)
 &KCsubA; = HMAC(HASH, K, "Initiator Cipher Key")
-&KCsubB; = HMAC(HASH, K, "Responder Cipher Key") 
+&KCsubB; = HMAC(HASH, K, "Responder Cipher Key") 
 &KMsubA; = HMAC(HASH, K, "Initiator MAC Key")
-&KMsubB; = HMAC(HASH, K, "Responder MAC Key") 
+&KMsubB; = HMAC(HASH, K, "Responder MAC Key") 
 &KSsubA; = HMAC(HASH, K, "Initiator SIGMA Key")
-&KSsubB; = HMAC(HASH, K, "Responder SIGMA Key")
+&KSsubB; = HMAC(HASH, K, "Responder SIGMA Key")
 assert &MsubB; = HMAC(HASH, &KMsubB;, &CsubB;, &IDB;)
 {&pubKeyB;, &signB;} = decipher(&KCsubB;, &CsubB;, &IDB;)
 &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &CsubA;})
-verify(&signB;, &pubKeyB;, &macB;) 
+verify(&signB;, &pubKeyB;, &macB;) 
 &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;})
 &signA; = sign(&signKeyA;, &macA;)
 &IDA; = cipher(&KCsubA;, &CsubA;, {&pubKeyA;, &signA;})
@@ -348,7 +348,7 @@ K = HASH(&dsupx; mod p)
                                              {&pubKeyA;, &signA;} = decipher(&KCsubA;, &CsubA;, &IDA;)
                                              &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;})
                                              verify(&signA;, &pubKeyA;, &macA;)
-
+ @@ -356,16 +356,16 @@ K = HASH(&dsupx; mod p)

Furthermore, if retained secrets associated with a client/user combination are employed consistently during key exchanges, then the Man in the Middle would need to be present for every session, including the first, and the out-of-band verification would only need to be performed once to verify the absence of a Man in the Middle for all sessions between the parties (past, present and future). This combination of techniques underpins the ZRTP key agreement protocol.

Public keys are optional in the diagram below. It describes the same SIGMA-R with SAS key exchange protocol as the SIGMA-R Overview. It provides much more detail including the use of retained secrets and other secrets. The use of public keys is negotiated in the first two messages. Note: These optional security enhancements are especially important when the protocol is being used without public keys.

The diagram does not specify any ESession-specific details. The differences between it and the SIGMA-I Key Exchange are highlighted.

- 
+    
 ALICE                                        BOB 
 
 &NsubA; = random()
 x = random()
 e = &gsupx; mod p
-He = SHA256(e)
-                               He, &isPKsubA;
+He = SHA256(e)
+                               He, &isPKsubA;
                              ------------>
-                               &isPKsubB;, &NsubA; 
+                               &isPKsubB;, &NsubA; 
                                              &NsubB; = random()
                                              &CsubA; = random()
                                              &CBeCAx2n1; 
@@ -373,27 +373,27 @@ e = &gsupx; mod p
                                              d = &gsupy; mod p
                                d, &CsubA;, &NsubB;
                              <------------
-                              &isPKsubA;, &isPKsubB; 
+                              &isPKsubA;, &isPKsubB; 
 &CBeCAx2n1; 
 assert 1 < d < p-1
 K = HASH(&dsupx; mod p)
 &KCsubA; = HMAC(HASH, K, "Initiator Cipher Key")
 &KMsubA; = HMAC(HASH, K, "Initiator MAC Key")
 &KSsubA; = HMAC(HASH, K, "Initiator SIGMA Key")
-&RSH1ARSHZA; = HMAC(HASH, &NsubA;, &RS1ARSZA;)
+&RSH1ARSHZA; = HMAC(HASH, &NsubA;, &RS1ARSZA;)
 if &isPKsubB; equals false then: 
     &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &RSH1ARSHZA;})
     &IDA; = cipher(&KCsubA;, &CsubA;, &macA;)
-else: 
+else: 
     &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &RSH1ARSHZA;})
     &signA; = sign(&signKeyA;, &macA;)
     &IDA; = cipher(&KCsubA;, &CsubA;, {&pubKeyA;, &signA;})
 &MsubA; = HMAC(HASH, &KMsubA;, &CsubA;, &IDA;)
-SAS = truncate(HASH(&MsubA; | d | "Short Authentication String")) 
+SAS = truncate(HASH(&MsubA; | d | "Short Authentication String")) 
 
                                 &IDA;, &MsubA;
                              ------------>
-                             e, &RSH1ARSHZA; 
+                             e, &RSH1ARSHZA; 
 
                                              assert He = SHA256(e)
                                              SAS = truncate(HASH(&MsubA; | d | "Short Authentication String"))
@@ -404,16 +404,16 @@ K = HASH(&dsupx; mod p)
                                              K = HASH(&esupy; mod p)
                                              &KCsubA; = HMAC(HASH, K, "Initiator Cipher Key")
                                              &KMsubA; = HMAC(HASH, K, "Initiator MAC Key")
-                                             &KSsubA; = HMAC(HASH, K, "Initiator SIGMA Key") 
+                                             &KSsubA; = HMAC(HASH, K, "Initiator SIGMA Key") 
                                              assert &MsubA; = HMAC(HASH, &KMsubA;, &CsubA;, &IDA;)
-                                             if &isPKsubB; equals false then: 
+                                             if &isPKsubB; equals false then: 
                                                  &macA; = decipher(&KCsubA;, &CsubA;, &IDA;)
                                                  assert &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &RSH1ARSHZA;})
-                                             else: 
+                                             else: 
                                                  {&pubKeyA;, &signA;} = decipher(&KCsubA;, &CsubA;, &IDA;)
                                                  &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &RSH1ARSHZA;})
                                                  verify(&signA;, &pubKeyA;, &macA;)
-                                             SRS = choose(&RS1BRSZB;, &RSH1ARSHZA;, &NsubA;)
+                                             SRS = choose(&RS1BRSZB;, &RSH1ARSHZA;, &NsubA;)
                                              K = HASH(K | SRS | OSS)
                                              &KCsubA; = HMAC(HASH, K, "Initiator Cipher Key")
                                              &KCsubB; = HMAC(HASH, K, "Responder Cipher Key")
@@ -444,13 +444,13 @@ K = HASH(K | SRS | OSS)
 retain(HMAC(HASH, K, "New Retained Secret"))
 assert &MsubB; = HMAC(HASH, &KMsubB;, &CsubB;, &IDB;)
 if &isPKsubA; equals false then: 
-    &macB; = decipher(&KCsubB;, &CsubB;, &IDB;)
+    &macB; = decipher(&KCsubB;, &CsubB;, &IDB;)
     assert &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &CsubA;})
-else: 
+else: 
     {&pubKeyB;, &signB;} = decipher(&KCsubB;, &CsubB;, &IDB;)
     &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &CsubA;})
-    verify(&signB;, &pubKeyB;, &macB;)
-
+ verify(&signB;, &pubKeyB;, &macB;) + @@ -522,26 +522,26 @@ K = HASH(K | SRS | OSS)

Alice uses this protocol when Bob is Online. In addition to the key exchange described in the SIGMA-I Key Exchange protocol above, she offers Bob a choice of Diffie-Hellman groups with her corresponding values of e, various algorithms and other parameters. The differences between this protocol and Online ESession-R Negotiation are highlighted.

- 
+    
 ALICE                                    BOB 
 
 &NsubA; = random()
 for g,p ∈ options
     x = random()
     e = &gsupx; mod p
-&formA; = {&e1eZ;, options, &NsubA;}
+&formA; = {&e1eZ;, options, &NsubA;}
                                 &formA;
                              --------->
 
                                          chosen = {p,g,HASH,CIPHER,SIGN...} = choose(options)
-                                         e = choose(&e1eZ;, p)
+                                         e = choose(&e1eZ;, p)
                                          &NsubB; = random()
                                          &CsubA; = random()
                                          &CBeCAx2n1; 
                                          y = random()
                                          d = &gsupy; mod p
                                          &formB; = {&CsubA;, chosen, d, &NsubA;, &NsubB;}
-                                         assert 1 < e < p-1
+                                         assert 1 < e < p-1
                                          K = HASH(&esupy; mod p)
                                          &KCsubA; = HMAC(HASH, K, "Initiator Cipher Key")
                                          &KCsubB; = HMAC(HASH, K, "Responder Cipher Key")
@@ -552,10 +552,10 @@ K = HASH(K | SRS | OSS)
                                          &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;})
                                          &signB; = SIGN(&signKeyB;, &macB;)
                                          &IDB; = CIPHER(&KCsubB;, &CsubB;, {&pubKeyB;, &signB;})
-                                         &MsubB; = HMAC(HASH, &KMsubB;, &CsubB;, &IDB;) 
+                                         &MsubB; = HMAC(HASH, &KMsubB;, &CsubB;, &IDB;) 
                                 &formB;
                              <---------
-                               &IDB;, &MsubB; 
+                               &IDB;, &MsubB; 
 assert chosen ∈ options
 x = choose(&x1xZ;, p)
 e = &gsupx; mod p
@@ -563,46 +563,46 @@ e = &gsupx; mod p
 assert 1 < d < p-1
 K = HASH(&dsupx; mod p)
 &KCsubA; = HMAC(HASH, K, "Initiator Cipher Key")
-&KCsubB; = HMAC(HASH, K, "Responder Cipher Key") 
+&KCsubB; = HMAC(HASH, K, "Responder Cipher Key") 
 &KMsubA; = HMAC(HASH, K, "Initiator MAC Key")
-&KMsubB; = HMAC(HASH, K, "Responder MAC Key") 
+&KMsubB; = HMAC(HASH, K, "Responder MAC Key") 
 &KSsubA; = HMAC(HASH, K, "Initiator SIGMA Key")
-&KSsubB; = HMAC(HASH, K, "Responder SIGMA Key")
+&KSsubB; = HMAC(HASH, K, "Responder SIGMA Key")
 assert &MsubB; = HMAC(HASH, &KMsubB;, &CsubB;, &IDB;)
 {&pubKeyB;, &signB;} = DECIPHER(&KCsubB;, &CsubB;, &IDB;)
 &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;})
-VERIFY(&signB;, &pubKeyB;, &macB;) 
+VERIFY(&signB;, &pubKeyB;, &macB;) 
 &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &formA;})
 &signA; = SIGN(&signKeyA;, &macA;)
 &IDA; = CIPHER(&KCsubA;, &CsubA;, {&pubKeyA;, &signA;})
 &MsubA; = HMAC(HASH, &KMsubA;, &CsubA;, &IDA;)
                                 &IDA;
                              --------->
-                               &MsubA;, &NsubB; 
+                               &MsubA;, &NsubB; 
                                          assert &MsubA; = HMAC(HASH, &KMsubA;, &CsubA;, &IDA;)
                                          {&pubKeyA;, &signA;} = DECIPHER(&KCsubA;, &CsubA;, &IDA;)
                                          &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &formA;})
                                          VERIFY(&signA;, &pubKeyA;, &macA;)
-
+

This protocol is similar to the Online ESession-I Negotiation above, except that Bob's identity is protected from active attacks (by by delaying communicating his identity to Alice until he has authenticated her). The optional use of SAS, retained secrets and other secrets means the protocol may be used without any public keys. The differences between this protocol and Online ESession-I Negotiation are highlighted.

- 
+    
 ALICE                                      BOB 
 
 &NsubA; = random()
 for g,p ∈ options
     x = random()
     e = &gsupx; mod p
-    He = SHA256(e) 
-&formA; = {&He1HeZ;, options, &NsubA;}
+    He = SHA256(e) 
+&formA; = {&He1HeZ;, options, &NsubA;}
 
                                  &formA;
                              ------------>
 
-                                           chosen = {p,g,HASH,CIPHER,SIGN,SASGEN,&isPKsubA;,&isPKsubB;...} = choose(options)
-                                           He = choose(&He1HeZ;, p)
+                                           chosen = {p,g,HASH,CIPHER,SIGN,SASGEN,&isPKsubA;,&isPKsubB;...} = choose(options)
+                                           He = choose(&He1HeZ;, p)
                                            &NsubB; = random()
                                            &CsubA; = random()
                                            &CBeCAx2n1; 
@@ -620,20 +620,20 @@ K = HASH(&dsupx; mod p)
 &KCsubA; = HMAC(HASH, K, "Initiator Cipher Key")
 &KMsubA; = HMAC(HASH, K, "Initiator MAC Key")
 &KSsubA; = HMAC(HASH, K, "Initiator SIGMA Key")
-&RSH1ARSHZA; = HMAC(HASH, &NsubA;, &RS1ARSZA;)
+&RSH1ARSHZA; = HMAC(HASH, &NsubA;, &RS1ARSZA;)
 &formA2; = {&RSH1ARSHZA;, e, &NsubB;}
 if &isPKsubB; equals false then: 
     &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &formA;, &formA2;})
     &IDA; = CIPHER(&KCsubA;, &CsubA;, &macA;)
-else:  
+else:  
     &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &formA;, &formA2;})
     &signA; = SIGN(&signKeyA;, &macA;)
     &IDA; = CIPHER(&KCsubA;, &CsubA;, {&pubKeyA;, &signA;})
 &MsubA; = HMAC(HASH, &KMsubA;, &CsubA;, &IDA;)
-SAS = SASGEN(&MsubA;, &formB;) 
+SAS = SASGEN(&MsubA;, &formB;) 
                                 &IDA;, &MsubA;
                              ------------>
-                                 &formA2; 
+                                 &formA2; 
 
                                            assert He = SHA256(e)
                                            SAS = SASGEN(&MsubA;, &formB;)
@@ -645,15 +645,15 @@ K = HASH(&dsupx; mod p)
                                            &KCsubA; = HMAC(HASH, K, "Initiator Cipher Key")
                                            &KMsubA; = HMAC(HASH, K, "Initiator MAC Key")
                                            &KSsubA; = HMAC(HASH, K, "Initiator SIGMA Key")
-                                           assert &MsubA; = HMAC(HASH, &KMsubA;, &CsubA;, &IDA;)
-                                           if &isPKsubB; equals false then: 
+                                           assert &MsubA; = HMAC(HASH, &KMsubA;, &CsubA;, &IDA;)
+                                           if &isPKsubB; equals false then: 
                                                &macA; = DECIPHER(&KCsubA;, &CsubA;, &IDA;)
                                                assert &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &formA;, &formA2;})
-                                           else: 
+                                           else: 
                                                {&pubKeyA;, &signA;} = DECIPHER(&KCsubA;, &CsubA;, &IDA;)
                                                &macA; = HMAC(HASH, &KSsubA;, {&NsubB;, &NsubA;, e, &pubKeyA;, &formA;, &formA2;})
                                                VERIFY(&signA;, &pubKeyA;, &macA;)
-                                           SRS = choose(&RS1BRSZB;, &RSH1ARSHZA;, &NsubA;)
+                                           SRS = choose(&RS1BRSZB;, &RSH1ARSHZA;, &NsubA;)
                                            K = HASH(K | SRS | OSS)
                                            &KCsubA; = HMAC(HASH, K, "Initiator Cipher Key")
                                            &KCsubB; = HMAC(HASH, K, "Responder Cipher Key")
@@ -693,15 +693,15 @@ K = HASH(K | SRS | OSS)
 else: 
     {&pubKeyB;, &signB;} = DECIPHER(&KCsubB;, &CsubB;, &IDB;)
     &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;, &formB2;})
-    VERIFY(&signB;, &pubKeyB;, &macB;)
-
+ VERIFY(&signB;, &pubKeyB;, &macB;) +

Bob uses this protocol to send stanzas to Alice when she is Offline. Note: Since the full SIGMA protocol cannot be used if Alice is offline, her identity is not protected at all.

The diagram is split into three phases. First Alice publishes her ESession options before going offline. Later Bob completes the key exchange (and sends her encrypted stanzas that are not shown below) these are all stored by Alice's server. Finally when Alice comes online again she verifies and calculates the decryption key.

The differences between this offline protocol and the Online ESession-I Negotiation protocol above are highlighted in the diagram below.

- 
+    
 ALICE                    ALICE'S SERVER              BOB 
 
 &NsubA; = random()
@@ -709,22 +709,22 @@ K = HASH(K | SRS | OSS)
     x = random()
     e = &gsupx; mod p
 &formA; = {&e1eZ;, options, &NsubA;}
-&signsA; = multi_sign(&signKeysA;, &formA;)
-retain(&NsubA;, &x1xZ;, expireTime) 
+&signsA; = multi_sign(&signKeysA;, &formA;)
+retain(&NsubA;, &x1xZ;, expireTime) 
 
                    &formA;
                  -------->
-                   &signsA; 
+                   &signsA; 
 
                          retain(&formA;, &signsA;)
 ---------------------------------------------------------------------------------------------------------
-                         retrieve(&formA;, &signsA;) 
+                         retrieve(&formA;, &signsA;) 
 
                                              &formA;
                                            -------->
-                                             &signsA; 
+                                             &signsA; 
 
-                                                     verify_one(&signsA;, &pubKeysA;, &formA;)
+                                                     verify_one(&signsA;, &pubKeysA;, &formA;)
                                                      chosen = {p,g,HASH,CIPHER,SIGN...} = choose(options)
                                                      e = choose(&e1eZ;, p)
                                                      &CsubA; = random()
@@ -750,15 +750,21 @@ K = HASH(K | SRS | OSS)
                                            <--------
                                             &IDB;, &MsubB; 
 
-                         retain(&formB;,&IDB;,&MsubB;)
+                         retain(&formB;,&IDB;,&MsubB;)
 ---------------------------------------------------------------------------------------------------------
-                         retrieve(&formB;,&IDB;,&MsubB;) 
+                         retrieve(&formB;,&IDB;,&MsubB;)(&formB;,&IDB;,&MsubB;)
+---------------------------------------------------------------------------------------------------------
+                         retrieve(&formB;,&IDB;,&MsubB;)(&formB;,&IDB;,&MsubB;)
+---------------------------------------------------------------------------------------------------------
+                         retrieve(&formB;,&IDB;,&MsubB;)(&formB;,&IDB;,&MsubB;)
+---------------------------------------------------------------------------------------------------------
+                         retrieve(&formB;,&IDB;,&MsubB;) 
                    &formB;
                  <--------
                   &IDB;, &MsubB; 
 
-retrieve(&NsubA;, &x1xZ;, expireTime)
-assert now < expireTime 
+retrieve(&NsubA;, &x1xZ;, expireTime)
+assert now < expireTime 
 assert chosen ∈ options
 x = choose(&x1xZ;, p)
 e = &gsupx; mod p
@@ -775,7 +781,7 @@ K = HASH(&dsupx; mod p)
 {&pubKeyB;, &signB;} = DECIPHER(&KCsubB;, &CsubB;, &IDB;)
 &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;})
 VERIFY(&signB;, &pubKeyB;, &macB;)
-
+

Note: &KMsubB; is necessary only to allow Bob to terminate the ESession if he comes online before Alice terminates it. The calculation of &KCsubB; and &KSsubB; is not strictly necessary.