X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=secnet.git;a=blobdiff_plain;f=NOTES;h=8619ee5d9911c420b248277a360cd731fcb923aa;hp=09c083e0c8ed6c49cde3e61ea6685fdb52c448c3;hb=1ce2f8bc69bc1bef98b48f450081d96e2c29cc00;hpb=5c21ea51197108524fae54c3fdd6c8048816c08c diff --git a/NOTES b/NOTES index 09c083e..8619ee5 100644 --- a/NOTES +++ b/NOTES @@ -174,8 +174,9 @@ quite stable so the feature doesn't gain us much. Definitions: -A is the originating gateway machine -B is the destination gateway machine +A is the originating gateway machine name +B is the destination gateway machine name +A+ and B+ are the names with optional additional data, see below PK_A is the public RSA key of A PK_B is the public RSA key of B PK_A^-1 is the private RSA key of A @@ -193,21 +194,45 @@ i? is appropriate index for receiver Note that 'i' may be re-used from one session to the next, whereas 'n' is always fresh. -The protocol version selection stuff is not yet implemented: I'm not -yet convinced it's a good idea. Instead, the initiator could try -using its preferred protocol (which starts with a different magic -number) and fall back if there's no reply. +The optional additional data after the sender's name consists of some +initial subset of the following list of items: + * A 32-bit integer with a set of capability flags, representing the + abilities of the sender. + * More data which is yet to be defined and which must be ignored + by receivers. +The optional additional data after the receiver's name is not +currently used. If any is seen, it must be ignored. + +Capability flag bits must be in one the following two categories: + +1. Early capability flags must be advertised in MSG1 or MSG2, as + applicable. If MSG3 or MSG4 advertise any "early" capability bits, + MSG1 or MSG3 (as applicable) must have advertised them too. Sadly, + advertising an early capability flag will produce MSG1s which are + not understood by versions of secnet which predate the capability + mechanism. + +2. Late capability flags are advertised in MSG2 or MSG3, as + applicable. They may also appear in MSG1, but this is not + guaranteed. MSG4 must advertise the same set as MSG2. + +No capability flags are currently defined. Unknown capability flags +should be treated as late ones. + Messages: -1) A->B: *,iA,msg1,A,B,protorange-A,nA +1) A->B: *,iA,msg1,A+,B+,nA + +i* must be encoded as 0. (However, it is permitted for a site to use +zero as its "index" for another site.) -2) B->A: iA,iB,msg2,B,A,chosen-protocol,nB,nA +2) B->A: iA,iB,msg2,B+,A+,nB,nA (The order of B and A reverses in alternate messages so that the same code can be used to construct them...) -3) A->B: {iB,iA,msg3,A,B,protorange-A,chosen-protocol,nA,nB,g^x mod m}_PK_A^-1 +3) A->B: {iB,iA,msg3,A+,B+,nA,nB,g^x mod m}_PK_A^-1 If message 1 was a replay then A will not generate message 3, because it doesn't recognise nA. @@ -215,18 +240,11 @@ it doesn't recognise nA. If message 2 was from an attacker then B will not generate message 4, because it doesn't recognise nB. -If an attacker is trying to manipulate the chosen protocol, B can spot -this when it sees A's message 3. - -4) B->A: {iA,iB,msg4,B,A,protorange-B,chosen-protocol,nB,nA,g^y mod m}_PK_B^-1 +4) B->A: {iA,iB,msg4,B+,A+,nB,nA,g^y mod m}_PK_B^-1 At this point, A and B share a key, k. B must keep retransmitting message 4 until it receives a packet encrypted using key k. -A can abandon the exchange if the chosen protocol is not the one that -it would have chosen knowing the acceptable protocol ranges of A and -B. - 5) A: iB,iA,msg5,(ping/msg5)_k 6) B: iA,iB,msg6,(pong/msg6)_k