... | ... | @@ -109,11 +109,11 @@ If the adversary has not modified the KEY records, both devices should calculate |
Each device knows it has calculated the correct shared secret because it has compared the received public key to the commitment in the QR code. However, each device also needs to know that the other device has calculated the correct shared secret. To confirm this, both devices derive a confirmation key from the shared secret and use it to calculate two message authentication codes over the payloads of the QR codes, q_a and q_b, and the public keys, pub_a and pub_b:
* k_c = KDF(s, "CONFIRMATION_KEY")
* sent_a = len(q_a) || q_a || len(pub_a) || pub_a
* sent_b = len(q_b) || q_b || len(pub_b) || pub_b
* mac_a = MAC(k_c, sent_a || sent_b)
* mac_b = MAC(k_c, sent_b || sent_a)
* `k_c = KDF(s, "CONFIRMATION_KEY")`
* `sent_a = len(q_a) || q_a || len(pub_a) || pub_a`
* `sent_b = len(q_b) || q_b || len(pub_b) || pub_b`
* `mac_a = MAC(k_c, sent_a || sent_b)`
* `mac_b = MAC(k_c, sent_b || sent_a)`
Alice sends a CONFIRM record containing mac_a. Bob compares the received mac_a to the mac_a he calculated. If the codes do not match, Bob sends an ABORT record and aborts the protocol.
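Review bot: the `sent_a = len(q_a) || q_a || len(pub_a) || pub_a` and `sent_b` lines still leave the encoding of `len()` unspecified (byte width, endianness), and because `sent_a || sent_b` is the MAC input, two implementations that choose different length encodings will derive different `mac_a` values and abort the protocol; since these lines are being touched anyway, state the length encoding once next to the list (for example as a fixed-width unsigned big-endian integer, if that is what the reference implementation uses). A smaller style point: the prose above and below the list still uses bare `q_a`, `pub_a` and `mac_a`, so applying the same backtick formatting there would keep the rendering consistent with the newly formatted list items.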
... | ... | @@ -123,7 +123,7 @@ Bob sends a CONFIRM record containing mac_b. Alice compares the received mac_b t |
Finally, the devices upgrade the insecure channel to a secure channel by deriving two keys from the shared secret:
* k_a = KDF(s, "ALICE_STREAM_KEY")
* k_b = KDF(s, "BOB_STREAM_KEY")
* `k_a = KDF(s, "ALICE_STREAM_KEY")`
* `k_b = KDF(s, "BOB_STREAM_KEY")`
Alice uses k_a to encrypt and authenticate a [BTP] stream to Bob over one side of the transport connection, and Bob uses k_b to encrypt and authenticate a BTP stream to Alice over the other side of the connection. The streams do not have pseudo-random tags or stream headers: each stream just consists of one or more BTP frames. |
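Review bot: the trailing context line "Alice uses k_a to encrypt and authenticate a [BTP] stream to Bob ... and Bob uses k_b ..." and the lead-in "deriving two keys from the shared secret" still refer to `k_a`, `k_b` and `s` without backticks, while the two list items in this hunk now have them; for consistency with the change being made here, wrap those inline identifiers in backticks as well. It would also help readers to note at the list that the two stream keys are derived with distinct labels ("ALICE_STREAM_KEY", "BOB_STREAM_KEY") from the same secret as the confirmation key in the previous section, so that the domain separation between the three derived keys is visible in one place rather than implied by the label strings.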