Updating auth app with modern transcript flow
parent
de80a0285f
commit
1cadc489c9
20
src/tapir.md
|
@ -61,10 +61,10 @@ I,I_e \rightarrow C \\\\
|
|||
P,P_e \leftarrow C \\\\
|
||||
\\\\
|
||||
k = \mathrm{KDF}({P_e}^{i} + {P}^{i_e} + {P_e}^{i_e}) \\\\
|
||||
c = \mathrm{E}(k, I) \\\\
|
||||
c = \mathrm{E}(k, transcript.Commit()) \\\\
|
||||
c \rightarrow C \\\\
|
||||
c_p \leftarrow C \\\\
|
||||
\mathrm{D}(k, c_p) \stackrel{?}{=} P \\\\
|
||||
\mathrm{D}(k, c_p) \stackrel{?}{=} transcript.LatestCommit() \\\\
|
||||
\\]
|
||||
|
||||
The above represents a sketch protocol, in reality there are a few
|
||||
|
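Review bot: In the two rewritten lines of the sketch, the value sent is `transcript.Commit()` while the value checked is `transcript.LatestCommit()`, and the text never says how the two relate. The lines they sit beside used distinct plaintexts per direction (`I` outbound, `P` inbound); if both peers now encrypt the same commitment under the same `k`, the check `D(k, c_p) =? transcript.LatestCommit()` would also hold for a `c_p` equal to the `c` just sent. Suggest stating what binds each ciphertext to its sender (for example a per-direction label in the transcript or in `E`) and using one name for the commitment throughout.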
@ -85,10 +85,24 @@ key of the outbound connection.
|
|||
This strict ordering ensures both sides of the connection derive the *same*
|
||||
session key.
|
||||
|
||||
### transcript.Commit()
|
||||
|
||||
The merlin transcript derived challenge is based on all the messages sent in
|
||||
the auth flow (and any that were sent prior to the Auth App)
|
||||
|
||||
// Derive a challenge from the transcript of the public parameters of this authentication protocol
|
||||
transcript := ea.Transcript()
|
||||
transcript.NewProtocol("auth-app")
|
||||
transcript.AddToTranscript("outbound-hostname", []byte(outboundHostname))
|
||||
transcript.AddToTranscript("inbound-hostname", []byte(inboundHostname))
|
||||
transcript.AddToTranscript("outbound-challenge", outboundAuthMessage)
|
||||
transcript.AddToTranscript("inbound-challenge", inboundAuthMessage)
|
||||
challengeBytes := transcript.CommitToTranscript("3dh-auth-challenge")
|
||||
|
||||
#### Asymmetry
|
||||
|
||||
The client connection is guaranteed to possess the long term identity of the
|
||||
server connection through the propreties of the underlying tor v3 onion
|
||||
server connection through the properties of the underlying tor v3 onion
|
||||
connection.
|
||||
|
||||
As such if the server attempts to send a different long term identity to the
|
||||
|
|
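Review bot: The new section is headed `transcript.Commit()`, but the sample under it ends with `transcript.CommitToTranscript("3dh-auth-challenge")` and the sketch earlier in the file also uses `transcript.LatestCommit()`; pick one name or say how they map to each other. The section should also state that both peers add the hostnames and challenges in the fixed outbound-then-inbound order shown, as the preceding paragraph does for the session key, since a commitment over the same fields in a different order would not match. The sentence ending "prior to the Auth App)" is missing its full stop.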