X-Git-Url: https://git.distorted.org.uk/~mdw/secnet/blobdiff_plain/974d0468ad285d9ddbc5b052110076d7adf0ed2e..9d3a4132788b198345116624761c12ed7bc936b6:/NOTES diff --git a/NOTES b/NOTES index a815905..8e53ac7 100644 --- a/NOTES +++ b/NOTES @@ -77,14 +77,14 @@ is always fresh. Messages: -1) A->B: *,iA,msg1,A,B,nA +1) A->B: *,iA,msg1,A,B,protorange-A,nA -2) B->A: iA,iB,msg2,B,A,nB,nA +2) B->A: iA,iB,msg2,B,A,chosen-protocol,nB,nA (The order of B and A reverses in alternate messages so that the same code can be used to construct them...) -3) A->B: {iB,iA,msg3,A,B,nA,nB,g^x mod m}_PK_A^-1 +3) A->B: {iB,iA,msg3,A,B,protorange-A,chosen-protocol,nA,nB,g^x mod m}_PK_A^-1 If message 1 was a replay then A will not generate message 3, because it doesn't recognise nA. @@ -92,11 +92,18 @@ it doesn't recognise nA. If message 2 was from an attacker then B will not generate message 4, because it doesn't recognise nB. -4) B->A: {iA,iB,msg4,B,A,nB,nA,g^y mod m}_PK_B^-1 +If an attacker is trying to manipulate the chosen protocol, B can spot +this when it sees A's message 3. + +4) B->A: {iA,iB,msg4,B,A,protorange-B,chosen-protocol,nB,nA,g^y mod m}_PK_B^-1 At this point, A and B share a key, k. B must keep retransmitting message 4 until it receives a packet encrypted using key k. +A can abandon the exchange if the chosen protocol is not the one that +it would have chosen knowing the acceptable protocol ranges of A and +B. + 5) A: iB,iA,msg5,(ping/msg5)_k 6) B: iA,iB,msg6,(pong/msg6)_k
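Review bot: the first hunk (messages 1 to 3) adds the negotiation fields but never says what B must do with the signed copies; the text after message 3 only covers the replay case ("If message 1 was a replay then A will not generate message 3"). Since `protorange-A` in message 1 and `chosen-protocol` in message 2 are sent unauthenticated, the only thing that makes them trustworthy is B comparing the signed `protorange-A,chosen-protocol` in message 3 against the values it received in message 1 and sent in message 2, and refusing to proceed on a mismatch. Suggest stating that check explicitly next to message 3, and adding a one-line definition of what a "protorange" is (the set of protocol versions a peer accepts) so the rest of the NOTES can refer to it.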
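Review bot: in the second hunk the new sentences are too permissive for a downgrade check: "B can spot this when it sees A's message 3" does not say that B must then withhold message 4, and "A can abandon the exchange if the chosen protocol is not the one that it would have chosen" should be "A must abandon", otherwise detecting the tampering has no effect on the outcome. The check A performs also presupposes a deterministic selection rule over (`protorange-A`, `protorange-B`), so A can recompute what B should have picked from the signed `protorange-B` in message 4; that rule (for example, the highest protocol present in both ranges) should be written down here, since any ambiguity in it is a false abort or a missed downgrade.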