Hi all, I have a question about the protocol of OTRv3:
> Bob will be initiating the AKE with Alice.
>
> * Bob:
>   1. Picks a random value r (128 bits)
>   2. Picks a random value x (at least 320 bits)
>   3. Sends Alice AES_r(g^x), HASH(g^x)
> * Alice:
>   1. Picks a random value y (at least 320 bits)
>   2. Sends Bob g^y
> * Bob:
>   1. Verifies that Alice's g^y is a legal value (2 <= g^y <= modulus-2)
>   2. Computes s = (g^y)^x
>   3. Computes two AES keys c, c' and four MAC keys m1, m1', m2, m2'
>      by hashing s in various ways
>   4. Picks keyid_B, a serial number for his D-H key g^x
>   5. Computes M_B = MAC_m1(g^x, g^y, pub_B, keyid_B)
>   6. Computes X_B = pub_B, keyid_B, sig_B(M_B)
>   7. Sends Alice r, AES_c(X_B), MAC_m2(AES_c(X_B))
> * Alice:
>   1. Uses r to decrypt the value of g^x sent earlier
>   2. Verifies that HASH(g^x) matches the value sent earlier
>   3. ......
>   4. Sends Bob AES_c'(X_A), MAC_m2'(AES_c'(X_A))

What is the point of sending AES_r(g^x) and r later, rather than g^x in plain-text form?
_______________________________________________
OTR-users mailing list
OTR-users@lists.cypherpunks.ca
http://lists.cypherpunks.ca/mailman/listinfo/otr-users
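The commit and reveal steps quoted above, as an added example (not part of the original post or of any OTR implementation): Bob's AES_r(g^x), HASH(g^x) message is fixed before Alice's g^y exists, and Alice's step 2 check then accepts only the g^x that was committed to, so a different r revealed later fails the check. It assumes the RFC 3526 1536-bit group that OTRv3 uses, SHA-256 for HASH, and a SHA-256 counter keystream as a labelled stand-in for AES-128-CTR.

```python
import hashlib
import hmac
import secrets

# 1536-bit MODP group (RFC 3526 group 5) with generator 2: the group OTRv3 uses.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16)
G = 2

def mpi(n: int) -> bytes:  # big-endian bytes of n (the spec hashes the MPI encoding)
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES_r (AES-128-CTR in the spec): XOR with a SHA-256 counter
    keystream. Same role (g^x stays hidden until r is revealed), but it is not AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def bob_commit():
    """Bob's first message: r and x stay with Bob; (AES_r(g^x), HASH(g^x)) is sent."""
    r = secrets.token_bytes(16)  # 128-bit r
    x = secrets.randbits(320)    # at least 320 bits
    gx = pow(G, x, P)
    return r, x, (stream_xor(r, mpi(gx)), hashlib.sha256(mpi(gx)).digest())

def alice_open(commit, r: bytes):
    """Alice's steps 1-2: decrypt g^x with r and check it against HASH(g^x); None on mismatch."""
    enc, h = commit
    gx = int.from_bytes(stream_xor(r, enc), "big")
    ok = hmac.compare_digest(hashlib.sha256(mpi(gx)).digest(), h)
    return gx if ok and 2 <= gx <= P - 2 else None

def run_exchange():
    """One commit/reveal round: (both sides derive the same s, altered reveal rejected)."""
    r, x, commit = bob_commit()   # Bob -> Alice: AES_r(g^x), HASH(g^x)
    y = secrets.randbits(320)
    gy = pow(G, y, P)             # Alice -> Bob: g^y, sent only after the commitment
    gx = alice_open(commit, r)    # Bob -> Alice: r (with AES_c(X_B), MAC_m2(...))
    agreed = gx is not None and pow(gy, x, P) == pow(gx, y, P)
    # Ciphertext was fixed before g^y was seen; Bob now controls only r, and any other r fails the hash check.
    rejected = alice_open(commit, secrets.token_bytes(16)) is None
    return agreed, rejected
```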