Updating auth app with modern transcript flow
parent de80a0285f
commit 1cadc489c9
20 src/tapir.md
|
@ -61,10 +61,10 @@ I,I_e \rightarrow C \\\\
|
||||||
P,P_e \leftarrow C \\\\
|
P,P_e \leftarrow C \\\\
|
||||||
\\\\
|
\\\\
|
||||||
k = \mathrm{KDF}({P_e}^{i} + {P}^{i_e} + {P_e}^{i_e}) \\\\
|
k = \mathrm{KDF}({P_e}^{i} + {P}^{i_e} + {P_e}^{i_e}) \\\\
|
||||||
c = \mathrm{E}(k, I) \\\\
|
c = \mathrm{E}(k, transcript.Commit()) \\\\
|
||||||
c \rightarrow C \\\\
|
c \rightarrow C \\\\
|
||||||
c_p \leftarrow C \\\\
|
c_p \leftarrow C \\\\
|
||||||
\mathrm{D}(k, c_p) \stackrel{?}{=} P \\\\
|
\mathrm{D}(k, c_p) \stackrel{?}{=} transcript.LatestCommit() \\\\
|
||||||
\\]
|
\\]
|
||||||
|
|
||||||
The above represents a sketch protocol, in reality there are a few
|
The above represents a sketch protocol, in reality there are a few
|
||||||
|
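Review bot: `transcript.Commit()` and `transcript.LatestCommit()` are introduced into the sketch without being defined, and they are the only non-mathematical names in it. Add a line before `c = \mathrm{E}(k, transcript.Commit())` stating what the transcript holds at that point (the identities and ephemerals already exchanged on the `I,I_e \rightarrow C` / `P,P_e \leftarrow C` lines) and that `LatestCommit()` is the local side's most recent commit, so the final check `\mathrm{D}(k, c_p) \stackrel{?}{=} transcript.LatestCommit()` only succeeds when both peers fed identical messages in identical order. Also, unlike the old `\mathrm{E}(k, I)` / `\stackrel{?}{=} P` pair, both directions now encrypt the same value under the same `k`; if the full protocol distinguishes directions (a per-direction key, or a direction label in the transcript) the sketch should say so, since otherwise a `c` echoed straight back as `c_p` would satisfy the check.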
@ -85,10 +85,24 @@ key of the outbound connection.
|
||||||
This strict ordering ensures both sides of the connection derive the *same*
|
This strict ordering ensures both sides of the connection derive the *same*
|
||||||
session key.
|
session key.
|
||||||
|
|
||||||
|
### transcript.Commit()
|
||||||
|
|
||||||
|
The merlin transcript derived challenge is based on all the messages sent in
|
||||||
|
the auth flow (and any that were sent prior to the Auth App)
|
||||||
|
|
||||||
|
// Derive a challenge from the transcript of the public parameters of this authentication protocol
|
||||||
|
transcript := ea.Transcript()
|
||||||
|
transcript.NewProtocol("auth-app")
|
||||||
|
transcript.AddToTranscript("outbound-hostname", []byte(outboundHostname))
|
||||||
|
transcript.AddToTranscript("inbound-hostname", []byte(inboundHostname))
|
||||||
|
transcript.AddToTranscript("outbound-challenge", outboundAuthMessage)
|
||||||
|
transcript.AddToTranscript("inbound-challenge", inboundAuthMessage)
|
||||||
|
challengeBytes := transcript.CommitToTranscript("3dh-auth-challenge")
|
||||||
|
|
||||||
#### Asymmetry
|
#### Asymmetry
|
||||||
|
|
||||||
The client connection is guaranteed to possess the long term identity of the
|
The client connection is guaranteed to possess the long term identity of the
|
||||||
server connection through the propreties of the underlying tor v3 onion
|
server connection through the properties of the underlying tor v3 onion
|
||||||
connection.
|
connection.
|
||||||
|
|
||||||
As such if the server attempts to send a different long term identity to the
|
As such if the server attempts to send a different long term identity to the
|
||||||
|
|
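Review bot: the section heading is `### transcript.Commit()` and the sketch above uses `transcript.Commit()` / `transcript.LatestCommit()`, but the code calls `transcript.CommitToTranscript("3dh-auth-challenge")`; settle on one name for the operation so the sketch can be mapped onto the code. The snippet also uses `ea`, `outboundHostname`, `inboundHostname`, `outboundAuthMessage` and `inboundAuthMessage` without saying where they come from; one sentence before the block (and a code fence around it, if the markdown does not already render it as code) would help. Finally, the prose says the challenge covers messages "sent prior to the Auth App", yet the snippet only adds the two hostnames and the two auth messages; if the earlier messages arrive via `ea.Transcript()`, state that explicitly, because the `NewProtocol("auth-app")` domain separator and the fixed `AddToTranscript` order are exactly what the "strict ordering" paragraph relies on.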