Services/Sync/P2P Key Exchange And Rotation: Difference between revisions

Jump to navigation Jump to search

Services/Sync/P2P Key Exchange And Rotation (view source)

Revision as of 06:23, 4 January 2016

214 bytes added ,  4 January 2016
Added note on benefit of QR code including entire key
(Added additional v2 registration protocol candidate)
(Added note on benefit of QR code including entire key)
Line 456: Line 456:
* The authcode (VCS + VCR) is a digest of Client A's identity key and ephemeral key and a random value respectively. This code must be entered on a registered device to verify the user is in possession of the device requesting authorisation. If the authcode displayed by Client A matches the VCS value generated on Client B and if Client A's hash commit matches the digest of Client A's public key then a man-in-the-middle attack impersonating Client A is highly unlikely. Finally if the VCRui value returned to Client A matches the original VCR random value then a man-in-the-middle attack impersonating Client B is highly unlikely.
* The authcode (VCS + VCR) is a digest of Client A's identity key and ephemeral key and a random value respectively. This code must be entered on a registered device to verify the user is in possession of the device requesting authorisation. If the authcode displayed by Client A matches the VCS value generated on Client B and if Client A's hash commit matches the digest of Client A's public key then a man-in-the-middle attack impersonating Client A is highly unlikely. Finally if the VCRui value returned to Client A matches the original VCR random value then a man-in-the-middle attack impersonating Client B is highly unlikely.
* To minimise errors during user input the authcode can be represented using a word list, i.e. [https://en.wikipedia.org/wiki/PGP_word_list PGP], [http://world.std.com/~reinhold/diceware.html Diceware], [https://tools.ietf.org/html/rfc1760 S/KEY] or optionally scanned using a QR code.
* To minimise errors during user input the authcode can be represented using a word list, i.e. [https://en.wikipedia.org/wiki/PGP_word_list PGP], [http://world.std.com/~reinhold/diceware.html Diceware], [https://tools.ietf.org/html/rfc1760 S/KEY] or optionally scanned using a QR code.
* A QR code including Client A's entire key (AEp) would allow step 2, 3 and 4 to be collapsed into a single step. See [[#Signal (TextSecure) Registration Protocol|Signal (TextSecure) Registration Protocol]] below.


'''ClientAuthV2Verifier JSON'''
'''ClientAuthV2Verifier JSON'''
Nickel chrome
113

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/1111107"

Navigation menu