/* -*-c-*-
*
- * $Id: keyexch.c,v 1.8 2003/07/13 11:19:49 mdw Exp $
+ * $Id: keyexch.c,v 1.9 2003/07/13 11:53:14 mdw Exp $
*
* Key exchange protocol
*
/*----- Revision history --------------------------------------------------*
*
* $Log: keyexch.c,v $
+ * Revision 1.9 2003/07/13 11:53:14 mdw
+ * Add protocol commentary.
+ *
* Revision 1.8 2003/07/13 11:19:49 mdw
* Incopatible protocol fix! Include message type code under MAC tag to prevent
* cut-and-paste from key-exchange messages to general packet transport.
#include "tripe.h"
+/*----- Brief protocol overview -------------------------------------------*
+ *
+ * Let %$G$% be a cyclic group; let %$g$% be a generator of %$G$%, and let
+ * %$q$% be the order of %$G$%; for a key %$K$%, let %$E_K(\cdot)$% denote
+ * application of the symmetric packet protocol to a message; let
+ * %$H(\cdot)$% be the random oracle. Let $\alpha \inr \{0,\ldots,q - 1\}$%
+ * be Alice's private key; let %$a = g^\alpha$% be her public key; let %$b$%
+ * be Bob's public key.
+ *
+ * At the beginning of the session, Alice chooses
+ *
+ * %$\rho_A \inr \{0, \ldots q - 1\}$%
+ *
+ * We also have:
+ *
+ * %$r_A = g^{\rho_A}$% Alice's challenge
+ * %$c_A = H(\cookie{cookie}, r_A)$% Alice's cookie
+ * %$v_A = \rho_A \xor H(\cookie{expected-reply}, r_A, r_B, b^{\rho_A})$%
+ * Alice's challenge check value
+ * %$r_B^\alpha = a^{\rho_B}$% Alice's reply
+ * %$K = r_B^{\rho_A} = r_B^{\rho_A} = g^{\rho_A\rho_B}$%
+ * Alice and Bob's shared secret key
+ * %$w_A = H(\cookie{switch-request}, c_A, c_B)$%
+ * Alice's switch request value
+ * %$u_A = H(\cookie{switch-confirm}, c_A, c_B)$%
+ * Alice's switch confirm value
+ *
+ * The messages are then:
+ *
+ * %$\cookie{kx-pre-challenge}, r_A$%
+ * Initial greeting. In state @KXS_CHAL@.
+ *
+ * %$\cookie{kx-cookie}, r_A, c_B$%
+ * My table is full but I got your message.
+ *
+ * %$\cookie{kx-challenge}, r_A, c_B, v_A$%
+ * Here's a full challenge for you to answer.
+ *
+ * %$\cookie{kx-reply}, c_A, c_B, v_A, E_K(r_B^\alpha))$%
+ * Challenge accpeted: here's the answer. Commit to my challenge. Move
+ * to @KXS_COMMIT@.
+ *
+ * %$\cookie{kx-switch}, c_A, c_B, E_K(r_B^\alpha, w_A))$%
+ * Reply received: here's my reply. Committed; send data; move to
+ * @KXS_SWITCH@.
+ *
+ * %$\cookie{kx-switch-ok}, E_K(u_A))$%
+ * Switch received. Committed; send data; move to @KXS_SWITCH@.
+ */
+
/*----- Tunable parameters ------------------------------------------------*/
#define T_VALID MIN(2) /* Challenge validity period */