[Cryptography] Some terminology issues

Phillip Hallam-Baker phill at hallambaker.com
Tue Oct 3 11:16:16 EDT 2017 

I am just putting together a little protocol to perform a key exchange over
some DH like protocol and spit out an opaque identifier which will
typically be a ticket of some sort.

[Oh yes, I am considering going down the tickets with embedded public keys
route, it solves a lot of server side issues maybe]

So, I don't actually have the usual opaque nonces in my code, I am doing
the signal trick of a multi-way handshake using one time use keys as
nonces. So my question is, should I be calling them a nonce or is that
going too far and going to confuse folk.

This is a presentation layer (i.e. HTTP) exchange which has the primary
purpose of authenticating the client to the server and establishing a
shared secret that will be used in future communications and binding it to
an opaque identifier which is typically a ticket.

So the client knows a, b, and in the initial connection sends:

{ClientCredential, ClientCredential} being e^a, e^b

The service knows x, y, replies with

{ServerCredential?, ServerNonce} being e^x, e^y

The agreed key is either e^aby or e^abxy and the usual key derivation is
used to establish the session key to be used on subsequent communications.

The response and all future messages are authenticated according to the
requirements specified in <Choice>. If encryption is specified, this is
used for all messages following the response (because the client has to be
able to read the response to decrypt it).

Authenticating at the message layer in this way achieves the following

1) Determines that the message was sent by the client.
2) Since each transaction MUST have separate authentication, frames
transactions to defeat script injection attacks.
3) Enables but does not provide defense against replay attack.


The protocol schema is shown below, assume that Algorithms contains
something sensible. Right now I am only supporting AES-CBC and
HMAC-SHA2-512 (truncated) because that is what my libraries support.


    Transaction Admin Exchange ExchangeRequest ExchangeResponse
Description
|Perform Key Exchange to establish shared key bound to a ticket.


Message ExchangeRequest
External Goedel.Protocol.Request
Description
|Initiate the key exchange request.
Struct Key ClientCredential
Description
|The client credential (required)
Struct Key ClientCredential
Description
|Additional key added into the exchange to serve as a nonce. (required)
Struct Algorithms Offer
Description
|Set of algorithms offered by the client

Message ExchangeResponse
External Goedel.Protocol.Response
Description
|Returns the server parameters.
Binary Ticket
Description
|Opaque session identifier.
Struct Key ServerCredential
Description
|Optional server credential
Struct Key ServerNonce
Description
|Additional key added into the exchange to serve as a nonce (required).
Struct Algorithms Choice
Description
|Set of algorithms chosen by the service
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20171003/47ff8b60/attachment.html>

More information about the cryptography mailing list