From: Rudolf Polzer Date: Tue, 3 Aug 2010 06:15:04 +0000 (+0200) Subject: fix another MitM attack. Now the DH key exchange REALLY depends on the authentication. X-Git-Tag: xonotic-v0.1.0preview~38^2~4 X-Git-Url: https://git.rm.cloudns.org/?a=commitdiff_plain;h=4cc907468cad2997e9e87de9cf1c8d39733bc91b;p=xonotic%2Fd0_blind_id.git fix another MitM attack. Now the DH key exchange REALLY depends on the authentication. --- diff --git a/d0_blind_id.c b/d0_blind_id.c index 9c7a513..614f49a 100644 --- a/d0_blind_id.c +++ b/d0_blind_id.c @@ -60,8 +60,8 @@ struct d0_blind_id_s d0_bignum_t *schnorr_s; // public data (player ID public key, this is what the server gets to know) - d0_bignum_t *schnorr_4_to_s; - d0_bignum_t *schnorr_H_4_to_s_signature; // 0 when signature is invalid + d0_bignum_t *schnorr_g_to_s; + d0_bignum_t *schnorr_H_g_to_s_signature; // 0 when signature is invalid // as hash function H, we get the SHA1 and reinterpret as bignum - yes, it always is < 160 bits // temp data @@ -69,7 +69,8 @@ struct d0_blind_id_s d0_bignum_t *r; // random number for schnorr ID d0_bignum_t *t; // for DH key exchange - d0_bignum_t *other_4_to_t; // for DH key exchange + d0_bignum_t *g_to_t; // for DH key exchange + d0_bignum_t *other_g_to_t; // for DH key exchange d0_bignum_t *challenge; // challenge char msghash[SCHNORR_HASHSIZE]; // init hash @@ -301,13 +302,14 @@ void d0_blind_id_clear(d0_blind_id_t *ctx) if(ctx->rsa_d) d0_bignum_free(ctx->rsa_d); if(ctx->schnorr_G) d0_bignum_free(ctx->schnorr_G); if(ctx->schnorr_s) d0_bignum_free(ctx->schnorr_s); - if(ctx->schnorr_4_to_s) d0_bignum_free(ctx->schnorr_4_to_s); - if(ctx->schnorr_H_4_to_s_signature) d0_bignum_free(ctx->schnorr_H_4_to_s_signature); + if(ctx->schnorr_g_to_s) d0_bignum_free(ctx->schnorr_g_to_s); + if(ctx->schnorr_H_g_to_s_signature) d0_bignum_free(ctx->schnorr_H_g_to_s_signature); if(ctx->rsa_blind_signature_camouflage) d0_bignum_free(ctx->rsa_blind_signature_camouflage); if(ctx->r) d0_bignum_free(ctx->r); if(ctx->challenge) d0_bignum_free(ctx->challenge); if(ctx->t) d0_bignum_free(ctx->t); - if(ctx->other_4_to_t) d0_bignum_free(ctx->other_4_to_t); + if(ctx->g_to_t) d0_bignum_free(ctx->g_to_t); + if(ctx->other_g_to_t) d0_bignum_free(ctx->other_g_to_t); memset(ctx, 0, sizeof(*ctx)); } @@ -319,13 +321,14 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_copy(d0_blind_id_t *ctx, const d0_blind_id_t if(src->rsa_d) CHECK_ASSIGN(ctx->rsa_d, d0_bignum_mov(NULL, src->rsa_d)); if(src->schnorr_G) CHECK_ASSIGN(ctx->schnorr_G, d0_bignum_mov(NULL, src->schnorr_G)); if(src->schnorr_s) CHECK_ASSIGN(ctx->schnorr_s, d0_bignum_mov(NULL, src->schnorr_s)); - if(src->schnorr_4_to_s) CHECK_ASSIGN(ctx->schnorr_4_to_s, d0_bignum_mov(NULL, src->schnorr_4_to_s)); - if(src->schnorr_H_4_to_s_signature) CHECK_ASSIGN(ctx->schnorr_H_4_to_s_signature, d0_bignum_mov(NULL, src->schnorr_H_4_to_s_signature)); + if(src->schnorr_g_to_s) CHECK_ASSIGN(ctx->schnorr_g_to_s, d0_bignum_mov(NULL, src->schnorr_g_to_s)); + if(src->schnorr_H_g_to_s_signature) CHECK_ASSIGN(ctx->schnorr_H_g_to_s_signature, d0_bignum_mov(NULL, src->schnorr_H_g_to_s_signature)); if(src->rsa_blind_signature_camouflage) CHECK_ASSIGN(ctx->rsa_blind_signature_camouflage, d0_bignum_mov(NULL, src->rsa_blind_signature_camouflage)); if(src->r) CHECK_ASSIGN(ctx->r, d0_bignum_mov(NULL, src->r)); if(src->challenge) CHECK_ASSIGN(ctx->challenge, d0_bignum_mov(NULL, src->challenge)); if(src->t) CHECK_ASSIGN(ctx->t, d0_bignum_mov(NULL, src->t)); - if(src->other_4_to_t) CHECK_ASSIGN(ctx->other_4_to_t, d0_bignum_mov(NULL, src->other_4_to_t)); + if(src->g_to_t) CHECK_ASSIGN(ctx->g_to_t, d0_bignum_mov(NULL, src->g_to_t)); + if(src->other_g_to_t) CHECK_ASSIGN(ctx->other_g_to_t, d0_bignum_mov(NULL, src->other_g_to_t)); memcpy(ctx->msg, src->msg, sizeof(ctx->msg)); ctx->msglen = src->msglen; memcpy(ctx->msghash, src->msghash, sizeof(ctx->msghash)); @@ -502,12 +505,12 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_generate_private_id_start(d0_blind_id_t *ctx { // temps: temp0 = order USING(schnorr_G); - REPLACING(schnorr_s); REPLACING(schnorr_4_to_s); + REPLACING(schnorr_s); REPLACING(schnorr_g_to_s); CHECK(d0_dl_get_order(temp0, ctx->schnorr_G)); CHECK_ASSIGN(ctx->schnorr_s, d0_bignum_rand_range(ctx->schnorr_s, zero, temp0)); - CHECK_ASSIGN(ctx->schnorr_4_to_s, d0_bignum_mod_pow(ctx->schnorr_4_to_s, four, ctx->schnorr_s, ctx->schnorr_G)); - CHECK_ASSIGN(ctx->schnorr_H_4_to_s_signature, d0_bignum_zero(ctx->schnorr_H_4_to_s_signature)); + CHECK_ASSIGN(ctx->schnorr_g_to_s, d0_bignum_mod_pow(ctx->schnorr_g_to_s, four, ctx->schnorr_s, ctx->schnorr_G)); + CHECK_ASSIGN(ctx->schnorr_H_g_to_s_signature, d0_bignum_zero(ctx->schnorr_H_g_to_s_signature)); return 1; fail: @@ -521,7 +524,7 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_generate_private_id_request(d0_blind_id_t *c size_t sz; // temps: temp0 rsa_blind_signature_camouflage^challenge, temp1 (4^s)*rsa_blind_signature_camouflage^challenge - USING(rsa_n); USING(rsa_e); USING(schnorr_4_to_s); + USING(rsa_n); USING(rsa_e); USING(schnorr_g_to_s); REPLACING(rsa_blind_signature_camouflage); out = d0_iobuf_open_write(outbuf, *outbuflen); @@ -530,7 +533,7 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_generate_private_id_request(d0_blind_id_t *c CHECK(d0_bignum_mod_pow(temp0, ctx->rsa_blind_signature_camouflage, ctx->rsa_e, ctx->rsa_n)); // we will actually sign HA(4^s) to prevent a malleability attack! - CHECK(d0_bignum_mov(temp2, ctx->schnorr_4_to_s)); + CHECK(d0_bignum_mov(temp2, ctx->schnorr_g_to_s)); sz = (d0_bignum_size(ctx->rsa_n) + 7) / 8; // this is too long, so we have to take the value % rsa_n when "decrypting" if(sz > sizeof(shabuf)) sz = sizeof(shabuf); @@ -577,13 +580,13 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_finish_private_id_request(d0_blind_id_t *ctx // temps: temp0 input, temp1 rsa_blind_signature_camouflage^-1 USING(rsa_blind_signature_camouflage); USING(rsa_n); - REPLACING(schnorr_H_4_to_s_signature); + REPLACING(schnorr_H_g_to_s_signature); in = d0_iobuf_open_read(inbuf, inbuflen); CHECK(d0_iobuf_read_bignum(in, temp0)); CHECK(d0_bignum_mod_inv(temp1, ctx->rsa_blind_signature_camouflage, ctx->rsa_n)); - CHECK_ASSIGN(ctx->schnorr_H_4_to_s_signature, d0_bignum_mod_mul(ctx->schnorr_H_4_to_s_signature, temp0, temp1, ctx->rsa_n)); + CHECK_ASSIGN(ctx->schnorr_H_g_to_s_signature, d0_bignum_mod_mul(ctx->schnorr_H_g_to_s_signature, temp0, temp1, ctx->rsa_n)); return d0_iobuf_close(in, NULL); @@ -630,13 +633,13 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_read_private_id(d0_blind_id_t *ctx, const ch { d0_iobuf_t *in = NULL; - REPLACING(schnorr_s); REPLACING(schnorr_4_to_s); REPLACING(schnorr_H_4_to_s_signature); + REPLACING(schnorr_s); REPLACING(schnorr_g_to_s); REPLACING(schnorr_H_g_to_s_signature); in = d0_iobuf_open_read(inbuf, inbuflen); CHECK_ASSIGN(ctx->schnorr_s, d0_iobuf_read_bignum(in, ctx->schnorr_s)); - CHECK_ASSIGN(ctx->schnorr_4_to_s, d0_iobuf_read_bignum(in, ctx->schnorr_4_to_s)); - CHECK_ASSIGN(ctx->schnorr_H_4_to_s_signature, d0_iobuf_read_bignum(in, ctx->schnorr_H_4_to_s_signature)); + CHECK_ASSIGN(ctx->schnorr_g_to_s, d0_iobuf_read_bignum(in, ctx->schnorr_g_to_s)); + CHECK_ASSIGN(ctx->schnorr_H_g_to_s_signature, d0_iobuf_read_bignum(in, ctx->schnorr_H_g_to_s_signature)); return d0_iobuf_close(in, NULL); @@ -649,12 +652,12 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_read_public_id(d0_blind_id_t *ctx, const cha { d0_iobuf_t *in = NULL; - REPLACING(schnorr_4_to_s); REPLACING(schnorr_H_4_to_s_signature); + REPLACING(schnorr_g_to_s); REPLACING(schnorr_H_g_to_s_signature); in = d0_iobuf_open_read(inbuf, inbuflen); - CHECK_ASSIGN(ctx->schnorr_4_to_s, d0_iobuf_read_bignum(in, ctx->schnorr_4_to_s)); - CHECK_ASSIGN(ctx->schnorr_H_4_to_s_signature, d0_iobuf_read_bignum(in, ctx->schnorr_H_4_to_s_signature)); + CHECK_ASSIGN(ctx->schnorr_g_to_s, d0_iobuf_read_bignum(in, ctx->schnorr_g_to_s)); + CHECK_ASSIGN(ctx->schnorr_H_g_to_s_signature, d0_iobuf_read_bignum(in, ctx->schnorr_H_g_to_s_signature)); return d0_iobuf_close(in, NULL); @@ -667,13 +670,13 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_write_private_id(const d0_blind_id_t *ctx, c { d0_iobuf_t *out = NULL; - USING(schnorr_s); USING(schnorr_4_to_s); USING(schnorr_H_4_to_s_signature); + USING(schnorr_s); USING(schnorr_g_to_s); USING(schnorr_H_g_to_s_signature); out = d0_iobuf_open_write(outbuf, *outbuflen); CHECK(d0_iobuf_write_bignum(out, ctx->schnorr_s)); - CHECK(d0_iobuf_write_bignum(out, ctx->schnorr_4_to_s)); - CHECK(d0_iobuf_write_bignum(out, ctx->schnorr_H_4_to_s_signature)); + CHECK(d0_iobuf_write_bignum(out, ctx->schnorr_g_to_s)); + CHECK(d0_iobuf_write_bignum(out, ctx->schnorr_H_g_to_s_signature)); return d0_iobuf_close(out, outbuflen); @@ -686,12 +689,12 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_write_public_id(const d0_blind_id_t *ctx, ch { d0_iobuf_t *out = NULL; - USING(schnorr_4_to_s); USING(schnorr_H_4_to_s_signature); + USING(schnorr_g_to_s); USING(schnorr_H_g_to_s_signature); out = d0_iobuf_open_write(outbuf, *outbuflen); - CHECK(d0_iobuf_write_bignum(out, ctx->schnorr_4_to_s)); - CHECK(d0_iobuf_write_bignum(out, ctx->schnorr_H_4_to_s_signature)); + CHECK(d0_iobuf_write_bignum(out, ctx->schnorr_g_to_s)); + CHECK(d0_iobuf_write_bignum(out, ctx->schnorr_H_g_to_s_signature)); return d0_iobuf_close(out, outbuflen); @@ -713,10 +716,10 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_authenticate_with_private_id_start(d0_blind_ // temps: temp0 order, temp0 4^r if(is_first) { - USING(schnorr_4_to_s); USING(schnorr_H_4_to_s_signature); + USING(schnorr_g_to_s); USING(schnorr_H_g_to_s_signature); } USING(schnorr_G); - REPLACING(r); + REPLACING(r); REPLACING(t); REPLACING(g_to_t); out = d0_iobuf_open_write(outbuf, *outbuflen); @@ -725,8 +728,8 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_authenticate_with_private_id_start(d0_blind_ // send ID if(send_modulus) CHECK(d0_iobuf_write_bignum(out, ctx->schnorr_G)); - CHECK(d0_iobuf_write_bignum(out, ctx->schnorr_4_to_s)); - CHECK(d0_iobuf_write_bignum(out, ctx->schnorr_H_4_to_s_signature)); + CHECK(d0_iobuf_write_bignum(out, ctx->schnorr_g_to_s)); + CHECK(d0_iobuf_write_bignum(out, ctx->schnorr_H_g_to_s_signature)); } // start schnorr ID scheme @@ -735,11 +738,19 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_authenticate_with_private_id_start(d0_blind_ CHECK_ASSIGN(ctx->r, d0_bignum_rand_range(ctx->r, zero, temp0)); CHECK(d0_bignum_mod_pow(temp0, four, ctx->r, ctx->schnorr_G)); + // initialize Signed Diffie Hellmann + CHECK(d0_dl_get_order(temp1, ctx->schnorr_G)); + CHECK_ASSIGN(ctx->t, d0_bignum_rand_range(ctx->t, zero, temp1)); + CHECK_ASSIGN(ctx->g_to_t, d0_bignum_mod_pow(ctx->g_to_t, four, ctx->t, ctx->schnorr_G)); + // can we SOMEHOW do this with just one mod_pow? + // hash it, hash it, everybody hash it conv = d0_iobuf_open_write(convbuf, sizeof(convbuf)); CHECK(d0_iobuf_write_bignum(conv, temp0)); + CHECK(d0_iobuf_write_bignum(conv, ctx->g_to_t)); CHECK(d0_iobuf_write_packet(conv, msg, msglen)); CHECK(d0_iobuf_write_bignum(conv, temp0)); + CHECK(d0_iobuf_write_bignum(conv, ctx->g_to_t)); d0_iobuf_close(conv, &sz); conv = NULL; CHECK(d0_iobuf_write_raw(out, sha(convbuf, sz), SCHNORR_HASHSIZE) == SCHNORR_HASHSIZE); @@ -766,7 +777,7 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_authenticate_with_private_id_challenge(d0_bl // temps: temp0 order, temp0 signature check if(is_first) { - REPLACING(schnorr_4_to_s); REPLACING(schnorr_H_4_to_s_signature); + REPLACING(schnorr_g_to_s); REPLACING(schnorr_H_g_to_s_signature); if(recv_modulus) REPLACING(schnorr_G); else @@ -774,7 +785,7 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_authenticate_with_private_id_challenge(d0_bl } else { - USING(schnorr_4_to_s); USING(schnorr_H_4_to_s_signature); + USING(schnorr_g_to_s); USING(schnorr_H_g_to_s_signature); USING(schnorr_G); } USING(rsa_e); USING(rsa_n); @@ -791,18 +802,18 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_authenticate_with_private_id_challenge(d0_bl CHECK(d0_bignum_cmp(ctx->schnorr_G, zero) > 0); CHECK(d0_bignum_cmp(ctx->schnorr_G, ctx->rsa_n) < 0); } - CHECK_ASSIGN(ctx->schnorr_4_to_s, d0_iobuf_read_bignum(in, ctx->schnorr_4_to_s)); - CHECK(d0_bignum_cmp(ctx->schnorr_4_to_s, zero) >= 0); - CHECK(d0_bignum_cmp(ctx->schnorr_4_to_s, ctx->schnorr_G) < 0); - CHECK_ASSIGN(ctx->schnorr_H_4_to_s_signature, d0_iobuf_read_bignum(in, ctx->schnorr_H_4_to_s_signature)); - CHECK(d0_bignum_cmp(ctx->schnorr_H_4_to_s_signature, zero) >= 0); - CHECK(d0_bignum_cmp(ctx->schnorr_H_4_to_s_signature, ctx->rsa_n) < 0); + CHECK_ASSIGN(ctx->schnorr_g_to_s, d0_iobuf_read_bignum(in, ctx->schnorr_g_to_s)); + CHECK(d0_bignum_cmp(ctx->schnorr_g_to_s, zero) >= 0); + CHECK(d0_bignum_cmp(ctx->schnorr_g_to_s, ctx->schnorr_G) < 0); + CHECK_ASSIGN(ctx->schnorr_H_g_to_s_signature, d0_iobuf_read_bignum(in, ctx->schnorr_H_g_to_s_signature)); + CHECK(d0_bignum_cmp(ctx->schnorr_H_g_to_s_signature, zero) >= 0); + CHECK(d0_bignum_cmp(ctx->schnorr_H_g_to_s_signature, ctx->rsa_n) < 0); // check signature of key (t = k^d, so, t^challenge = k) - CHECK(d0_bignum_mod_pow(temp0, ctx->schnorr_H_4_to_s_signature, ctx->rsa_e, ctx->rsa_n)); + CHECK(d0_bignum_mod_pow(temp0, ctx->schnorr_H_g_to_s_signature, ctx->rsa_e, ctx->rsa_n)); // we will actually sign SHA(4^s) to prevent a malleability attack! - CHECK(d0_bignum_mov(temp2, ctx->schnorr_4_to_s)); + CHECK(d0_bignum_mov(temp2, ctx->schnorr_g_to_s)); sz = (d0_bignum_size(ctx->rsa_n) + 7) / 8; // this is too long, so we have to take the value % rsa_n when "decrypting" if(sz > sizeof(shabuf)) sz = sizeof(shabuf); @@ -816,7 +827,7 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_authenticate_with_private_id_challenge(d0_bl if(d0_bignum_cmp(temp0, temp1)) { // accept the key anyway, but mark as failed signature! will later return 0 in status - CHECK(d0_bignum_zero(ctx->schnorr_H_4_to_s_signature)); + CHECK(d0_bignum_zero(ctx->schnorr_H_g_to_s_signature)); } } @@ -835,7 +846,7 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_authenticate_with_private_id_challenge(d0_bl CHECK(d0_iobuf_write_bignum(out, temp0)); if(status) - *status = !!d0_bignum_cmp(ctx->schnorr_H_4_to_s_signature, zero); + *status = !!d0_bignum_cmp(ctx->schnorr_H_g_to_s_signature, zero); d0_iobuf_close(in, NULL); return d0_iobuf_close(out, outbuflen); @@ -854,8 +865,8 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_authenticate_with_private_id_response(d0_bli d0_iobuf_t *out = NULL; // temps: 0 order, 1 prod, 2 y, 3 challenge - REPLACING(other_4_to_t); REPLACING(t); - USING(schnorr_G); USING(schnorr_s); USING(r); + REPLACING(other_g_to_t); REPLACING(t); + USING(schnorr_G); USING(schnorr_s); USING(r); USING(g_to_t); in = d0_iobuf_open_read(inbuf, inbuflen); out = d0_iobuf_open_write(outbuf, *outbuflen); @@ -872,22 +883,11 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_authenticate_with_private_id_response(d0_bli CHECK(d0_iobuf_write_bignum(out, temp2)); // Diffie Hellmann recv - CHECK_ASSIGN(ctx->other_4_to_t, d0_iobuf_read_bignum(in, ctx->other_4_to_t)); - CHECK(d0_bignum_cmp(ctx->other_4_to_t, zero) > 0); - CHECK(d0_bignum_cmp(ctx->other_4_to_t, ctx->schnorr_G) < 0); + CHECK_ASSIGN(ctx->other_g_to_t, d0_iobuf_read_bignum(in, ctx->other_g_to_t)); + CHECK(d0_bignum_cmp(ctx->other_g_to_t, zero) > 0); + CHECK(d0_bignum_cmp(ctx->other_g_to_t, ctx->schnorr_G) < 0); // Diffie Hellmann send - CHECK(d0_dl_get_order(temp0, ctx->schnorr_G)); - CHECK_ASSIGN(ctx->t, d0_bignum_rand_range(ctx->t, zero, temp0)); - // modify DH key value! (add |G|-r) - CHECK(d0_bignum_add(temp1, ctx->t, temp0)); - CHECK(d0_bignum_sub(temp2, temp1, ctx->r)); - // can be undone by multiplying with 4^r in the end - // ensures the party of the DH key exchange is the same party as the one of - // the auth protocol (MITM who changes DH key exchange must break auth protocol) - // trick is that MITM has no knowledge about g^r at this point, as he only - // knows it in hashed form - CHECK(d0_bignum_mod_pow(temp0, four, temp2, ctx->schnorr_G)); - CHECK(d0_iobuf_write_bignum(out, temp0)); + CHECK(d0_iobuf_write_bignum(out, ctx->g_to_t)); d0_iobuf_close(in, NULL); return d0_iobuf_close(out, outbuflen); @@ -910,7 +910,7 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_authenticate_with_private_id_verify(d0_blind // temps: 0 y 1 order USING(challenge); USING(schnorr_G); - REPLACING(other_4_to_t); + REPLACING(other_g_to_t); in = d0_iobuf_open_read(inbuf, inbuflen); @@ -922,22 +922,22 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_authenticate_with_private_id_verify(d0_blind // verify schnorr ID scheme // we need 4^r = 4^temp0 (g^s)^-challenge CHECK(d0_bignum_neg(temp1, ctx->challenge)); - CHECK(d0_bignum_mod_pow(temp2, ctx->schnorr_4_to_s, temp1, ctx->schnorr_G)); + CHECK(d0_bignum_mod_pow(temp2, ctx->schnorr_g_to_s, temp1, ctx->schnorr_G)); CHECK(d0_bignum_mod_pow(temp1, four, temp0, ctx->schnorr_G)); CHECK_ASSIGN(temp3, d0_bignum_mod_mul(temp3, temp1, temp2, ctx->schnorr_G)); // Diffie Hellmann recv - CHECK_ASSIGN(ctx->other_4_to_t, d0_iobuf_read_bignum(in, ctx->other_4_to_t)); - CHECK(d0_bignum_cmp(ctx->other_4_to_t, zero) > 0); - CHECK(d0_bignum_cmp(ctx->other_4_to_t, ctx->schnorr_G) < 0); - // recover DH key value! - CHECK(d0_bignum_mod_mul(ctx->other_4_to_t, ctx->other_4_to_t, temp3, ctx->schnorr_G)); + CHECK_ASSIGN(ctx->other_g_to_t, d0_iobuf_read_bignum(in, ctx->other_g_to_t)); + CHECK(d0_bignum_cmp(ctx->other_g_to_t, zero) > 0); + CHECK(d0_bignum_cmp(ctx->other_g_to_t, ctx->schnorr_G) < 0); // hash it, hash it, everybody hash it conv = d0_iobuf_open_write(convbuf, sizeof(convbuf)); CHECK(d0_iobuf_write_bignum(conv, temp3)); + CHECK(d0_iobuf_write_bignum(conv, ctx->other_g_to_t)); CHECK(d0_iobuf_write_packet(conv, ctx->msg, ctx->msglen)); CHECK(d0_iobuf_write_bignum(conv, temp3)); + CHECK(d0_iobuf_write_bignum(conv, ctx->other_g_to_t)); d0_iobuf_close(conv, &sz); conv = NULL; if(memcmp(sha(convbuf, sz), ctx->msghash, SCHNORR_HASHSIZE)) @@ -947,7 +947,7 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_authenticate_with_private_id_verify(d0_blind } if(status) - *status = !!d0_bignum_cmp(ctx->schnorr_H_4_to_s_signature, zero); + *status = !!d0_bignum_cmp(ctx->schnorr_H_g_to_s_signature, zero); if(ctx->msglen <= *msglen) memcpy(msg, ctx->msg, ctx->msglen); @@ -970,12 +970,12 @@ WARN_UNUSED_RESULT BOOL d0_blind_id_fingerprint64_public_id(const d0_blind_id_t d0_iobuf_t *conv = NULL; size_t sz, n; - USING(schnorr_4_to_s); + USING(schnorr_g_to_s); out = d0_iobuf_open_write(outbuf, *outbuflen); conv = d0_iobuf_open_write(convbuf, sizeof(convbuf)); - CHECK(d0_iobuf_write_bignum(conv, ctx->schnorr_4_to_s)); + CHECK(d0_iobuf_write_bignum(conv, ctx->schnorr_g_to_s)); CHECK(d0_iobuf_close(conv, &sz)); conv = NULL; @@ -996,10 +996,10 @@ fail: BOOL d0_blind_id_sessionkey_public_id(const d0_blind_id_t *ctx, char *outbuf, size_t *outbuflen) { - USING(t); USING(other_4_to_t); USING(schnorr_G); + USING(t); USING(other_g_to_t); USING(schnorr_G); // temps: temp0 result - CHECK(d0_bignum_mod_pow(temp0, ctx->other_4_to_t, ctx->t, ctx->schnorr_G)); + CHECK(d0_bignum_mod_pow(temp0, ctx->other_g_to_t, ctx->t, ctx->schnorr_G)); return d0_longhash_destructive(temp0, outbuf, *outbuflen); fail: diff --git a/d0_blind_id.txt b/d0_blind_id.txt index 2fa73ac..5234fe5 100644 --- a/d0_blind_id.txt +++ b/d0_blind_id.txt @@ -61,7 +61,8 @@ Authentication protocol: "start": - Client sends S, H if this is the first round of the protocol - Client generates r in [0, |G|[ at random - - Client sends x = h("g^r || m || g^r") + - Client generates t in [0, |G|[ at random + - Client sends x = h("g^r || g^t || m || g^r || g^t") - Client sends m in plain "challenge": - Server receives S, H if this is the first round of the protocol @@ -74,15 +75,14 @@ Authentication protocol: - Client receives c and g^T - Client verifies that the received values are in the allowed ranges - Client sends y = r + s * c mod |G| - - Client generates t in [0, |G|[ at random - - Client g^(t-r) + - Client sends g^t - Client calculates K = (g^T)^t "verify": - - Server receives y and g^(t-r) + - Server receives y and g^t - Server calculates z = g^y S^-c - Server calculates x' = h("z || m || z") - Server verifies x == x' - - Server calculates K = (g^(t-r) * z)^T + - Server calculates K = (g^t)^T Protocol variant: g and G can be also part of the public ID. In this case, g and G are sent as part of this protocol additionally to S, H.