Again, last minute reviews...
It would appear that the exact computations that both the client and the server
need to perform needs to be explicitly spelled out, as there are several
possibilities.
Here is the one I could see that appear to have the security properties that
you appear to be looking for:
Variable names:
g - Well known group generator
h - The secret generator that is private to the client and the
server
z - The secret value known to the client; g^z = h
x - The client's ephemeral DH private value
y - The server's ephemeral DH private value:
Client keyshare:
This is the value g^x
When the server receives this, he selects y (and retrieves the value h); he
then transmits (as his keyshare) the value:
h^y
and stirs the value (g^x)^y into his KDF
When the client receives this (h^y), he computes:
(h^y) ^ (x z^-1)
(where z^-1 is the modular inverse of z modulo the group order), and stirs that
value into his KDF.
With this protocol, it appears that the client needs to know not only h, but
also the value z. However, this really needs to be spelled out (and run past
the CFRG to check for subtle issues)
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
