MozillaWiki

Services/Sync/P2P Key Exchange And Rotation: Difference between revisions

Page Discussion

Services/Sync/P2P Key Exchange And Rotation (view source)

Revision as of 10:32, 21 October 2015

23 bytes removed ,  21 October 2015
Minor edits
(Generalised v2 message structure)
(Minor edits)
Line 331: Line 331:


=== Registration Protocol v2 ===
=== Registration Protocol v2 ===
Importantly for version 2 of the eXfio Peer protocol the starting assumption is that an attacker has full access to the storage, i.e. a hostile systems administrator, '''and''' knows the password.
Importantly for version 2 of the eXfio Peer protocol the starting assumption is that an attacker has full access to the storage '''and''' knows the password, i.e. a hostile systems administrator.


When Alice registers a new device with the Weave Sync server the client first checks if there are other authorised clients, if not it initialises the storage, if so it requests authorisation by following the procedure below.
When Alice registers a new device with the Weave Sync server the client first checks if there are other authorised clients, if not it initialises the storage, if so it requests authorisation by following the procedure below.
Line 337: Line 337:
<ol start="0">
<ol start="0">
<li>Client A: Authenticate to sync server and create client record with status of 'pending'</li>
<li>Client A: Authenticate to sync server and create client record with status of 'pending'</li>
<li>Client A: Send ClientAuthSessionRequestMessage to existing authorised clients, providing an ephemeral key and nominating an ephemeral key digest of other party, i.e. Client B</li>
<li>Client A: Send SessionRequestMessage to existing authorised clients, providing an ephemeral key and nominating an ephemeral key digest of other party, i.e. Client B</li>
<li>Client B: Send ClientAuthSessionResponseMessage including ephemeral key nominated by Client A. Display authcode generated from session key and master key</li>
<li>Client B: Send SessionResponseMessage including ephemeral key nominated by Client A. Display authcode generated from session key and master key</li>
<li>Client A: User enters authcode. If session key verified (VCS) then send ClientAuthKeyRequestMessage including proof of possessing Client B, i.e. master key component of authcode (VCM)</li>
<li>Client A: User enters authcode. If session key verified (VCS) then send ClientAuthV2RequestMessage including proof of possessing Client B, i.e. master key component of authcode (VCM)</li>
<li>Client B: If Client A responds with proof of possessing master key then send ClientAuthKeyResponseMessage including the master key</li>
<li>Client B: If Client A responds with proof of possessing master key then send ClientAuthV2ResponseMessage including the master key</li>
</ol>
</ol>
Finally Alice is notified of registration status and if successful client record is updated with status of 'approved'
Finally Alice is notified of registration status and if successful client record is updated with status of 'approved'
Nickel chrome
113

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/1101611"