Tarek.ziade (talk | contribs) |
m (Cleanup.) |
| Line 22: | Line 22: | ||
#On a device that is authenticated, user chooses "add another device" and is prompted for that key | #On a device that is authenticated, user chooses "add another device" and is prompted for that key | ||
#The two devices exchange messages to build the secure tunnel | #The two devices exchange messages to build the secure tunnel | ||
#The already-authenticated device passes all credentials (username/password/ | #The already-authenticated device passes all credentials (username/password/sync key) to the new device | ||
#New device completes setup and starts syncing | #New device completes setup and starts syncing | ||
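Review bot: The changed step "passes all credentials (username/password/sync key) to the new device" does not say that the transfer goes through the tunnel built in the step before it. Suggest ending the step with "to the new device over the secure tunnel", so the summary makes the ordering dependency explicit and cannot be read as sending credentials before the tunnel exists.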
| Line 38: | Line 38: | ||
<ul> | <ul> | ||
<li>Mobile and Desktop complete the two roundtrips of | <li>Mobile and Desktop complete the two roundtrips of J-PAKE messages to agree upon a strong secret K</li> | ||
<li>A 256 bit key is derived from K using HMAC-SHA256 using a fixed extraction key.</li> | <li>A 256 bit key is derived from K using HMAC-SHA256 using a fixed extraction key.</li> | ||
<li>The encryption and HMAC keys are derived from that 256 bit key using HMAC-SHA256.</li> | <li>The encryption and HMAC keys are derived from that 256 bit key using HMAC-SHA256.</li> | ||
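Review bot: The two derivation items after the changed J-PAKE line leave their inputs unspecified: "a fixed extraction key" is neither given nor referenced, and the last item does not say how the encryption key and the HMAC key are made distinct when both are derived from the same 256 bit key with HMAC-SHA256. Suggest stating the extraction key (or where it is defined) and the per-key input used in the second step, so that independent implementations derive identical keys. The phrase "derived from K using HMAC-SHA256 using a fixed extraction key" also repeats "using"; "with a fixed extraction key" reads better.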
| Line 126: | Line 126: | ||
When the API is called, The id returned is guaranteed to be unique. | When the API is called, The id returned is guaranteed to be unique. | ||
The channel created will have a limited | The channel created will have a limited TTL (currently configured to | ||
5 minutes). | 5 minutes). | ||
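Review bot: On the changed TTL line, "currently configured to 5 minutes" gives the value but this passage does not say what a client gets back once the channel has expired. Suggest adding the expiry behaviour next to the TTL, since a client that is mid-exchange needs to tell an expired channel from a bad id. The sentence above it, "When the API is called, The id returned", has a stray capital on "The".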
| Line 172: | Line 172: | ||
'''POST''' '''https://''server''/''report'' ''' | '''POST''' '''https://''server''/''report'' ''' | ||
Reports a log to the server, and | Reports a log to the server, and optionally ask for a channel deletion. | ||
The log is the body of the request. If the | The log is the body of the request. If the | ||
request contains a ''X- | request contains a ''X-KeyExchange-Log'' header, its value is prepended | ||
to the log provided in the body. In other words, the header can be used | to the log provided in the body. In other words, the header can be used | ||
for small logs, and the body for more info. The body size is limited to | for small logs, and the body for more info. The body size is limited to | ||
2000 chars. If both body and headers are empty, a 400 is raised. | 2000 chars. If both body and headers are empty, a 400 is raised. | ||
Optionally, if the request contains the ''X- | Optionally, if the request contains the ''X-KeyExchange-Id'' header and a | ||
''X- | ''X-KeyExchange-Cid'' header containing the channel id, the channel will | ||
be deleted by the server. | be deleted by the server. | ||
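Review bot: The 2000 chars limit is stated for the body only, so it is unclear whether the X-KeyExchange-Log value that is prepended counts toward it, and no response is given for an oversized body (the text covers only the empty case, "a 400 is raised"). Suggest spelling out both. In the changed first sentence, "and optionally ask for a channel deletion" should be "and optionally asks". The deletion paragraph could also say whether the X-KeyExchange-Id value is checked against the channel named in X-KeyExchange-Cid before the server deletes it.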
| Line 189: | Line 189: | ||
- 400: bad request (missing log or bad ids) | - 400: bad request (missing log or bad ids) | ||
The messages reported are described at {{J-PAKE Report API}} | The messages reported are described at {{J-PAKE Report API}}. | ||
== Detailed Flow == | == Detailed Flow == | ||
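Review bot: "described at {{J-PAKE Report API}}" uses double braces, which in MediaWiki markup transclude a template rather than link to a page. If a link to the page describing the report messages is intended, suggest double square brackets around the page name instead; if the template is deliberate, the trailing period added here will follow whatever the template expands to.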
| Line 490: | Line 490: | ||
** Examples: Flood of requests from a single IP | ** Examples: Flood of requests from a single IP | ||
* Client fallback to original sync method | * Client fallback to original sync method | ||
** Examples: Client unable to complete | ** Examples: Client unable to complete J-PAKE sync for any number of reasons and falls back to original sync approach | ||
** Reported by client to server via reporting API | ** Reported by client to server via reporting API | ||
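Review bot: In the changed example, "for any number of reasons" leaves the monitored event open-ended, even though the next bullet says it is reported through the reporting API. Suggest naming the failure cases that trigger the fallback, or pointing to the report messages, so the fallback count can be broken down by cause. "Client unable to complete J-PAKE sync ... and falls back" also mixes two constructions; "Client is unable to complete ... and falls back" fixes it.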