[OTR-users] Question about the protocol of OTRv3
Persmule
persmule at gmail.com
Fri Feb 15 03:24:51 EST 2019
Hi all,
I have a question about the protocol of OTRv3:
> Bob will be initiating the AKE with Alice.
>
> * Bob:
> 1. Picks a random value r (128 bits)
> 2. Picks a random value x (at least 320 bits)
> 3. Sends Alice AES_r(g^x), HASH(g^x)
> * Alice:
> 1. Picks a random value y (at least 320 bits)
> 2. Sends Bob g^y
> * Bob:
> 1. Verifies that Alice's g^y is a legal value (2 <= g^y <= modulus-2)
> 2. Computes s = (g^y)^x
> 3. Computes two AES keys c, c' and four MAC keys m1, m1', m2, m2'
> by hashing s in various ways
> 4. Picks keyid_B, a serial number for his D-H key g^x
> 5. Computes M_B = MAC_m1(g^x, g^y, pub_B, keyid_B)
> 6. Computes X_B = pub_B, keyid_B, sig_B(M_B)
> 7. Sends Alice r, AES_c(X_B), MAC_m2(AES_c(X_B))
> * Alice:
> 1. Uses r to decrypt the value of g^x sent earlier
> 2. Verifies that HASH(g^x) matches the value sent earlier
> 3. ......
> 4. Sends Bob AES_c'(X_A), MAC_m2'(AES_c'(X_A))
>
What is the point of sending AES_r(g^x) and r later, rather than g^x in
plain-text form?
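The first messages of the quoted exchange, as an added example that is not part of the original post or of any OTR implementation: Bob sends the encrypted g^x with its hash, Alice answers with g^y before she can read g^x, and she checks the hash once r arrives. Assumptions: a SHA-256 keystream stands in for AES, g^x is encoded as a fixed 192-byte value rather than OTR's wire format, and the signature and MAC steps are left out; the group is the 1536-bit MODP group with generator 2.

```python
import hashlib, hmac, secrets

# 1536-bit MODP group (RFC 3526 group 5), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16)
G, N = 2, 192  # N: assumed fixed-width byte encoding of g^x (not OTR's format)

def keystream_xor(key, data):
    """Stand-in for AES_r: XOR with a SHA-256 counter keystream (not AES)."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(-(-len(data) // 32)))
    return bytes(a ^ b for a, b in zip(data, ks))

def bob_commit():
    """Bob: pick r (128 bits) and x (320 bits); build AES_r(g^x), HASH(g^x)."""
    r, x = secrets.token_bytes(16), secrets.randbits(320)
    gx = pow(G, x, P).to_bytes(N, "big")
    return r, x, (keystream_xor(r, gx), hashlib.sha256(gx).digest())

def alice_reply():
    """Alice: pick y and send g^y, having seen only the ciphertext and hash."""
    y = secrets.randbits(320)
    return y, pow(G, y, P)

def bob_shared(x, gy):
    """Bob: check 2 <= g^y <= modulus-2, then compute s = (g^y)^x."""
    if not 2 <= gy <= P - 2:
        raise ValueError("illegal g^y")
    return pow(gy, x, P)

def alice_open(msg, r):
    """Alice: decrypt g^x with the revealed r and verify HASH(g^x)."""
    enc_gx, digest = msg
    gx = keystream_xor(r, enc_gx)
    if not hmac.compare_digest(hashlib.sha256(gx).digest(), digest):
        raise ValueError("g^x does not match the earlier HASH(g^x)")
    return int.from_bytes(gx, "big")

def run():
    r, x, msg = bob_commit()       # Bob -> Alice: AES_r(g^x), HASH(g^x)
    y, gy = alice_reply()          # Alice -> Bob: g^y
    s_bob = bob_shared(x, gy)      # Bob -> Alice: r (signed part omitted)
    gx = alice_open(msg, r)        # Alice learns g^x only now
    return s_bob == pow(gx, y, P)  # both sides hold the same s
```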