X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/tripe/blobdiff_plain/7ed14135434df136e971a43b1774b827714ef7f9..38c3bc8753411a533e2a36af1e9efee69dcba3f3:/keyexch.c
diff --git a/keyexch.c b/keyexch.c
index eb4fc9c8..f4125da2 100644
--- a/keyexch.c
+++ b/keyexch.c
@@ -1,6 +1,6 @@
 /* -*-c-*-
 *
- * $Id: keyexch.c,v 1.8 2003/07/13 11:19:49 mdw Exp $
+ * $Id: keyexch.c,v 1.9 2003/07/13 11:53:14 mdw Exp $
 *
 * Key exchange protocol
 *
@@ -29,6 +29,9 @@
 /*----- Revision history --------------------------------------------------*
 *
 * $Log: keyexch.c,v $
+ * Revision 1.9 2003/07/13 11:53:14 mdw
+ * Add protocol commentary.
+ *
 * Revision 1.8 2003/07/13 11:19:49 mdw
 * Incopatible protocol fix! Include message type code under MAC tag to prevent
 * cut-and-paste from key-exchange messages to general packet transport.
@@ -62,6 +65,56 @@
 #include "tripe.h"
+/*----- Brief protocol overview -------------------------------------------*
+ *
+ * Let %$G$% be a cyclic group; let %$g$% be a generator of %$G$%, and let
+ * %$q$% be the order of %$G$%; for a key %$K$%, let %$E_K(\cdot)$% denote
+ * application of the symmetric packet protocol to a message; let
+ * %$H(\cdot)$% be the random oracle. Let $\alpha \inr \{0,\ldots,q - 1\}$%
+ * be Alice's private key; let %$a = g^\alpha$% be her public key; let %$b$%
+ * be Bob's public key.
+ *
+ * At the beginning of the session, Alice chooses
+ *
+ * %$\rho_A \inr \{0, \ldots q - 1\}$%
+ *
+ * We also have:
+ *
+ * %$r_A = g^{\rho_A}$% Alice's challenge
+ * %$c_A = H(\cookie{cookie}, r_A)$% Alice's cookie
+ * %$v_A = \rho_A \xor H(\cookie{expected-reply}, r_A, r_B, b^{\rho_A})$%
+ * Alice's challenge check value
+ * %$r_B^\alpha = a^{\rho_B}$% Alice's reply
+ * %$K = r_B^{\rho_A} = r_B^{\rho_A} = g^{\rho_A\rho_B}$%
+ * Alice and Bob's shared secret key
+ * %$w_A = H(\cookie{switch-request}, c_A, c_B)$%
+ * Alice's switch request value
+ * %$u_A = H(\cookie{switch-confirm}, c_A, c_B)$%
+ * Alice's switch confirm value
+ *
+ * The messages are then:
+ *
+ * %$\cookie{kx-pre-challenge}, r_A$%
+ * Initial greeting. In state @KXS_CHAL@.
+ *
+ * %$\cookie{kx-cookie}, r_A, c_B$%
+ * My table is full but I got your message.
+ *
+ * %$\cookie{kx-challenge}, r_A, c_B, v_A$%
+ * Here's a full challenge for you to answer.
+ *
+ * %$\cookie{kx-reply}, c_A, c_B, v_A, E_K(r_B^\alpha))$%
+ * Challenge accpeted: here's the answer. Commit to my challenge. Move
+ * to @KXS_COMMIT@.
+ *
+ * %$\cookie{kx-switch}, c_A, c_B, E_K(r_B^\alpha, w_A))$%
+ * Reply received: here's my reply. Committed; send data; move to
+ * @KXS_SWITCH@.
+ *
+ * %$\cookie{kx-switch-ok}, E_K(u_A))$%
+ * Switch received. Committed; send data; move to @KXS_SWITCH@.
+ */
+
 /*----- Tunable parameters ------------------------------------------------*/
 #define T_VALID MIN(2) /* Challenge validity period */
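Review bot: The shared-secret line of the new overview comment writes the same term twice, `K = r_B^{\rho_A} = r_B^{\rho_A} = g^{\rho_A\rho_B}`, so it never shows Bob's derivation; presumably the first term was meant to be `r_A^{\rho_B}`, giving `%$K = r_A^{\rho_B} = r_B^{\rho_A} = g^{\rho_A\rho_B}$%`. Further up, the definition of `\alpha` opens with a bare `$` where every other formula opens with `%$`, and the `kx-reply`, `kx-switch` and `kx-switch-ok` message lines each close with an unbalanced `))`. The block defines the check value `v_A` but does not say what the receiver does with it; one sentence on how a challenge is verified before the move to `@KXS_COMMIT@` would let a reader compare the comment with the code, which lies outside this hunk.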