Difference between revisions of "Server MAC"

From SQRLauth.net
Jump to: navigation, search
m
m
Line 8: Line 8:
 
Messages from server to client must be protected from being altered or replaced with similar messages. This requires the server to be able to prove that a response message it gets on an echo from the client was exactly the one it sent on the preceding response.  
 
Messages from server to client must be protected from being altered or replaced with similar messages. This requires the server to be able to prove that a response message it gets on an echo from the client was exactly the one it sent on the preceding response.  
 
=== Example Methods ===
 
=== Example Methods ===
Functions:-MAC = HMAC ($key, $string),
+
Functions:-
Method:-1/ MAC sent to client and not stored on server.$key = server stored secret, $string = Entire content of server response message2/ MAC not sent but stored on server referenced by nut$key = server secret, $string = Entire content of server response message
+
MAC = HMAC ($key, $string)
 +
 
 +
Method:-
 +
#/ MAC sent to client and not stored on server.
 +
$key = server stored secret
 +
$string = Entire content of server response message
 +
 
 +
#/ MAC not sent but stored on server referenced by nut
 +
$key = server secret
 +
$string = Entire content of server response message

Revision as of 16:40, 25 March 2015

Contents

Threat Model

Ability of MITM attacker to modify, redact or replay messages between server and client. This safeguard covers protection of the Server=>Client communication flow, for Client=>Server flow protections see SQRL Signatures.

Assisting Safeguards

All response messages (Excluding terminating message) sent by server are echoed back by client and signed with clients private key/s. All response message sent by server contain entropy as NUT / QRY parameter that effectively renders them unique for the purpose of this safeguard.

Requirements

Messages from server to client must be protected from being altered or replaced with similar messages. This requires the server to be able to prove that a response message it gets on an echo from the client was exactly the one it sent on the preceding response.

Example Methods

Functions:- MAC = HMAC ($key, $string)

Method:-

  1. / MAC sent to client and not stored on server.

$key = server stored secret $string = Entire content of server response message

  1. / MAC not sent but stored on server referenced by nut

$key = server secret $string = Entire content of server response message