X-Git-Url: https://git.xonotic.org/?a=blobdiff_plain;f=d0_blind_id.txt;h=deb008aaab9a953b34b7a09abfe595238fa7b8d0;hb=05bd48b2c96375765c0c7dae9bb3aa4854670a3a;hp=5b7db0765fb45d7c75eeeb93e656aaad7335d739;hpb=2321e66d739eb155797bb85d30aea1e024cfb7d3;p=xonotic%2Fd0_blind_id.git diff --git a/d0_blind_id.txt b/d0_blind_id.txt index 5b7db07..deb008a 100644 --- a/d0_blind_id.txt +++ b/d0_blind_id.txt @@ -61,26 +61,28 @@ Authentication protocol: "start": - Client sends S, H if this is the first round of the protocol - Client generates r in [0, |G|[ at random - - Client sends x = h("g^r || m || g^r") + - Client generates t in [0, |G|[ at random + - Client sends x = h("g^r || g^t || m || g^r || g^t") - Client sends m in plain "challenge": - Server receives S, H if this is the first round of the protocol - Server verifies H = h'(I(S)) - Server receives x, m - Server generates c in [0, 2^k0[ at random - - Server generates R in [0, |G|[ at random - - Server sends c and g^R + - Server generates T in [0, |G|[ at random + - Server sends c and g^T "response": - - Client receives c and g^R + - Client receives c and g^T - Client verifies that the received values are in the allowed ranges - - Client sends y = r + s * c mod |G| - - Client calculates K = (g^R)^r + - Client sends y = r - s * c mod |G| + - Client sends g^t + - Client calculates K = (g^T)^t "verify": - - Server receives y - - Server calculates z = g^y S^-c - - Server calculates x' = h("z || m || z") + - Server receives y and g^t + - Server calculates z = g^y S^c + - Server calculates x' = h("z || g^t || m || z || g^t") - Server verifies x == x' - - Server calculates K = z^R + - Server calculates K = (g^t)^T Protocol variant: g and G can be also part of the public ID. In this case, g and G are sent as part of this protocol additionally to S, H. 
@@ -91,6 +93,20 @@ the same values on both sides only if the Schnorr identification scheme succeeds. If the protocol succeeds, the authenticity of m has been verified too. +Signature protocol: + Client provides a message m that is to be signed as part of the protocol + "start": + - Client sends S, H if this is the first round of the protocol + - Client generates r in [0, |G|[ at random + - Client sends c = h("m || g^r") + - Client sends y = r - s * c + - Client sends m in plain + "verify": + - Server receives c, y, and m + - Server calculates z = g^y S^c + - Server calculates c' = h("m || z") + - Server verifies c == c' + Low level protocol: @@ -111,3 +127,31 @@ Low level protocol: "packet" - a value in double quotes is also defined in terms of this protocol, i.e. the length is preceded + + + +NOTE: to generate NON blind IDs, the process is not very straightforward. It +works like this: + +Server shall: +- load private key + +Both shall: +- perform authentication as usual + +Server shall: +- notice that the status is false +- call d0_blind_id_authenticate_with_private_id_generate_missing_signature +- write public ID +- send that data to client + +Client shall: +- read own private ID +- get fingerprint +- read received public ID (leaves the private part alone) +- verify fingerprint +- possibly verify ID +- write own private ID again + +This ensures that only the ID the client authenticated with is signed by the +server
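
Review bot: in the "verify" step of the authentication protocol, the server now receives g^t and uses it in x' and in K = (g^t)^T, but no step has the server check that y and g^t are in the allowed ranges, while "response" has the client do exactly that for c and g^T. Suggest adding a line such as "- Server verifies that the received values are in the allowed ranges" directly after "- Server receives y and g^t", so that an out-of-range g^t is rejected before K is derived from it.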
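
Review bot: in the new "Signature protocol" section, "verify" only checks c == c'. "start" sends S, H on the first round, but the server side never lists receiving them or the "Server verifies H = h'(I(S))" step that the authentication protocol has under "challenge", so as written the signature is checked against an S that no step ties to H. Suggest adding "- Server receives S, H if this is the first round of the protocol" and the H check to "verify". Separately, "- Client sends y = r - s * c" drops the "mod |G|" that the authentication protocol's y carries; add it so the two definitions of y match.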
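
Review bot: in the NOTE on non-blind IDs, the client list says "possibly verify ID" and does not say what happens when "verify fingerprint" fails, yet the closing claim that only the authenticated ID gets signed depends on that check stopping the client before "write own private ID again". Suggest stating that the client discards the received public ID and leaves its stored private ID untouched on a fingerprint mismatch, and saying when the ID verification is required rather than "possibly". The server step "notice that the status is false" should also name which call returns that status, and the final sentence is missing its closing period.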