From: Mark Wooding Date: Sat, 24 May 2014 13:00:03 +0000 (+0100) Subject: udpkey.c: Describe the proposed new forward-secure protocol. X-Git-Url: https://git.distorted.org.uk/~mdw/udpkey/commitdiff_plain/refs/heads/mdw/fwd-sec udpkey.c: Describe the proposed new forward-secure protocol. --- diff --git a/udpkey.c b/udpkey.c index 2715c65..1a623d6 100644 --- a/udpkey.c +++ b/udpkey.c @@ -471,6 +471,8 @@ static void debug_ge(const char *what, group *g, ge *X) /*----- Protocol summary --------------------------------------------------* * + * There are two protocol versions. The original version works as follows. + * * * Request * memz KEYTAG tag of wanted secret * ge U public vector @@ -480,8 +482,39 @@ static void debug_ge(const char *what, group *g, ge *X) * ge W encrypted clue: W = R - Y = r P - v U * mem[TAGSZ] TAG MAC tag on ciphertext * mem[KSZ] CT secret, encrypted with Z = r X + * + * The new version provides forward secrecy, which involves additional flows. + * + * * Greeting + * u8 0 marker byte for new protocol + * u8 1 packet type + * mem8 KEYTAG wanted secret tag + * + * * Challenge + * u8 17 packet type + * u32 REF server's reference + * ge R public DLIES vector: R = r P + * ge W masked DH vector: W = V - Y = v P - r X + * + * * Response + * u8 0 marker byte for new protocol + * u8 2 packet type + * mem8 KEYTAG wanted secret tag + * u32 REF reference from challenge + * ge U public DH vector + * mem[HASHSZ] H0 hash; H0||H1 = H(U, V, Z), where Z = v U + * + * * Reply + * u8 18 packet type + * mem[TAGSZ] TAG MAC tag on ciphertext + * mem[KSZ] CT secret, encrypted with H1 */ +#define FWS_GREET 0x01 +#define FWS_CHALL 0x11 +#define FWS_RESP 0x02 +#define FWS_REPLY 0x12 + /*----- Listening for requests --------------------------------------------*/ /* Rate limiting parameters.
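Review bot: In the first hunk of udpkey.c (@@ -471,6 +471,8 @@), the added sentence "There are two protocol versions" does not say how a receiver tells the two apart on the wire. From the layouts, the original Request begins with `memz KEYTAG` and the new client packets begin with `u8 0`, so the rule appears to be that a leading zero byte selects the new protocol. Please state that rule here rather than leaving it to be inferred. If `memz` is a NUL-terminated string, also note that an empty KEYTAG in an original-version Request would be indistinguishable from the new-protocol marker byte.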
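Review bot: In the second hunk of udpkey.c (@@ -480,8 +482,39 @@), the Reply layout carries only the packet type, TAG and CT, so the comment leaves open how a client ties a Reply to the exchange it belongs to, and which key TAG is computed under. Challenge and Response both carry `u32 REF`, but Reply does not. Either add REF to the Reply or document that the client matches a Reply by verifying TAG against the keys of its outstanding exchange. Name the MAC key explicitly as well: H0 is sent in the clear in the Response and only H1 is described as a key ("secret, encrypted with H1"), so a reader cannot tell from this comment what authenticates CT. It would also help to say which side chooses r and v in the Challenge, and which of those values are discarded after the exchange, since that is what the forward-secrecy claim rests on. Minor: the comment gives the server packet types as 17 and 18 while the defines use 0x11 and 0x12; use one radix in both places so the two can be checked against each other at a glance.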