--- Protocol-v3.html | 53 +++++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 39 insertions(+), 14 deletions(-)
diff --git a/Protocol-v3.html b/Protocol-v3.html index e598008..a27db55 100644 --- a/Protocol-v3.html +++ b/Protocol-v3.html @@ -24,7 +24,32 @@ messages from each of the sessions.</li> secure communication over a different channel (e.g., file transfer, voice chat).</li> </ul> -<h2>Very high level overview</h2> + +<h2>Table of contents</h2> +<ul> +<li><a href="#vhloverview">Very high level overview</a></li> +<li><a href="#hloverview">High level overview</a> + <ul> + <li><a href="#request">Requesting an OTR conversation</a> + <li><a href="#ake">Authenticated Key Exchange (AKE)</a> + <li><a href="#exchanging">Exchanging data</a> + <li><a href="#smp">Socialist Millionaires' Protocol (SMP)</a> + </ul> +</li> +<li><a href="#details">Details</a> + <ul> + <li><a href="#unencoded">Unencoded messages</a> + <li><a href="#encoded">Encoded messages</a> + <li><a href="#smpdetails">Socialist Millionaires' Protocol (SMP)</a> + <li><a href="#smpstatemachine">The SMP state machine</a> + <li><a href="#keymgmt">Key Management</a> + <li><a href="#fragmentation">Fragmentation</a> + <li><a href="#protocolstate">The protocol state machine</a> + </ul> +</li> +</ul> + +<h2 id="vhloverview">Very high level overview</h2> <p>OTR assumes a network model which provides in-order delivery of messages, but that some messages may not get delivered at all (for example, if the user disconnects). There may be @@ -40,8 +65,8 @@ Versions 2 and 3 of OTR use a variant of the SIGMA protocol as its AKE.</li> <li>Alice and Bob exchange Data Messages to send information to each other.</li> </ol> -<h2>High level overview</h2> -<h3>Requesting an OTR conversation</h3> +<h2 id="hloverview">High level overview</h2> +<h3 id="request">Requesting an OTR conversation</h3> <p>There are two ways Alice can inform Bob that she is willing to use the OTR protocol to speak with him: by sending him the OTR Query Message, or by including a special "tag" consisting of whitespace characters in 
@@ -57,7 +82,7 @@ conversation with him. If Bob has a policy of "only use OTR when it's explicitly requested", for example, then he <em>would</em> start an OTR conversation upon receiving an OTR Query Message, but <em>would not</em> upon receiving the whitespace tag.</p> -<h3>Authenticated Key Exchange (AKE)</h3> +<h3 id="ake">Authenticated Key Exchange (AKE)</h3> <p>This section outlines the version of the SIGMA protocol used as the AKE. All exponentiations are done modulo a particular 1536-bit prime, and g is a generator of that group, as indicated in the detailed @@ -137,7 +162,7 @@ other's Diffie-Hellman public keys, and share the value s. Alice is assured that s is known by someone with access to the private key corresponding to pub<sub>B</sub>, and similarly for Bob.</li> </ul> -<h3>Exchanging data</h3> +<h3 id="exchanging">Exchanging data</h3> <p>This section outlines the method used to protect data being exchanged between Alice and Bob. As above, all exponentiations are done modulo a particular 1536-bit prime, and g is a generator of @@ -183,7 +208,7 @@ AES-CTR<sub>ek,ctr</sub>(msg).</li> </ol> </li> </ul> -<h3>Socialist Millionaires' Protocol (SMP)</h3> +<h3 id="smp">Socialist Millionaires' Protocol (SMP)</h3> <p>While data messages are being exchanged, either Alice or Bob may run SMP to detect impersonation or man-in-the-middle attacks. As above, all exponentiations are done modulo a particular 1536-bit @@ -251,8 +276,8 @@ g<sub>2</sub><sup>a<sub>3</sub>b<sub>3</sub></sup> is a random number not known to any party, if x is not equal to y, no other information is revealed.</li> </ul> -<h2>Details of the protocol</h2> -<h3>Unencoded messages</h3> +<h2 id="details">Details of the protocol</h2> +<h3 id="unencoded">Unencoded messages</h3> <p>This section describes the messages in the OTR protocol that are not base-64 encoded binary.</p> <h4>OTR Query Messages</h4> 
@@ -324,7 +349,7 @@ of the AKE), she should stop sending him the whitespace tag.</p> <p>Any message containing the string "?OTR Error:" is an OTR Error Message. The following part of the message should contain human-readable details of the error.</p> -<h3>Encoded messages</h3> +<h3 id="encoded">Encoded messages</h3> <p>This section describes the byte-level format of the base-64 encoded binary OTR messages. The binary form of each of the messages is described below. To transmit one of these messages, construct the ASCII @@ -703,7 +728,7 @@ this message.</dd> <dt>Old MAC keys to be revealed (DATA)</dt> <dd>See "Revealing MAC Keys", below.</dd> </dl> -<h3>Socialist Millionaires' Protocol (SMP)</h3> +<h3 id="smpdetails">Socialist Millionaires' Protocol (SMP)</h3> <p>The Socialist Millionaires' Protocol allows two parties with secret information x and y respectively to check whether (x==y) without revealing any additional information about the secrets. The protocol used by OTR is @@ -733,7 +758,7 @@ using in the current conversation.</dd> actual secret (x or y) to be used in SMP. The additional fields insure that not only do both parties know the same secret input string, but no man-in-the-middle is capable of reading their communication either.</p> -<h3>The SMP state machine</h3> +<h3 id="smpstatemachine">The SMP state machine</h3> <p>Whenever the OTR message state machine has MSGSTATE_ENCRYPTED set (see below), the SMP state machine may progress. If at any point MSGSTATE_ENCRYPTED becomes unset, SMP must abandon its state and return @@ -1068,7 +1093,7 @@ Set smpstate to SMPSTATE_EXPECT2.</dd> <h4>User requests to abort SMP</h4> <p>In all cases, send a type 6 TLV (SMP abort) to the correspondent and set smpstate to SMPSTATE_EXPECT1.</p> -<h3>Key Management</h3> +<h3 id="keymgmt">Key Management</h3> <p>For each correspondent, keep track of:</p> <dl> <dt>Your two most recent DH public/private key pairs</dt> 
@@ -1246,7 +1271,7 @@ can modify an OTR message and still have it appear valid. But since we don't reveal the MAC keys until their corresponding pubkeys are being discarded, there is no danger of accepting a message as valid which uses a MAC key which has already been revealed.</p> -<h3>Fragmentation</h3> +<h3 id="fragmentation">Fragmentation</h3> <p>Some networks may have a maximum message size that is too small to contain an encoded OTR message. In that event, the sender may choose to split the message into a number of <em>fragments</em>. This section @@ -1369,7 +1394,7 @@ HwNiIi5Ms+4PsY/L2i, ?OTR|5a73a599|27e31597,00003,00003,pkTtquknfx6HodLvk3RAAAAAA ==., </pre></blockquote> -<h3>The protocol state machine</h3> +<h3 id="protocolstate">The protocol state machine</h3> <p>An OTR client maintains separate state for every correspondent. For example, Alice may have an active OTR conversation with Bob, while having an unprotected conversation with Charlie. This state consists of -- 2.1.2 _______________________________________________ OTR-dev mailing list OTR-dev@lists.cypherpunks.ca http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
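Review bot: In the table-of-contents hunk (@@ -24,7 +24,32 @@), the eleven nested entries, for example `<li><a href="#request">Requesting an OTR conversation</a>`, are added without a closing `</li>`, while the three top-level entries in the same list and the context lines above it do close theirs. HTML allows the end tag to be omitted, so this renders correctly, but closing each nested item would keep the new list consistent with the rest of the file.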
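Review bot: In the @@ -251,8 +276,8 @@ hunk the heading becomes `<h2 id="details">Details of the protocol</h2>`, but the contents entry added for it in the first hunk reads only "Details"; the link text should be "Details of the protocol" so that every entry matches its heading, as the other thirteen do. Relatedly, the `#smp` and `#smpdetails` entries share the same link text, which is unambiguous only because of the nesting; that is acceptable as it mirrors the headings, but worth a conscious decision.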