grittygrease / draft-sullivan-tls-opaque Goto Github PK

You now have:
K = H(g^y ^ PrivU || PubU ^ x || PubS ^ PrivU || IdU || IdS )
S computes K = H(g^x ^ PrivS || PubS ^ y || PubU ^ PrivS || IdU || IdS )
I suggested removing the H and entering the concatenation of values

g^y ^ PrivU || PubU ^ x || PubS ^ PrivU || IdU || IdS

into the HKDF derivation of Master Secret (instead of the 0).,

IdU, IdS represent the identities of user (sent as identity in PAKEShareClient) and server (Certificate message).

What happens when there is no certificate?
Moreover, I think that for the sake of OPAQUE, the server identity needs to be set at the time of password registration and included in Env. A name in a certificate, if sent, maybe something the server sends momentarily and unrelated to the identity of the server the user would recognize (e.g., citibank.com) at time of password registration.
In the case that certificate-based authentication is included in addition to OPAQUE authentication then the name in the certificate will be authenticated via the regular certificate based authentication (essentially by including the certificate name under the Finished msg, following the SIGMA logic).

if PAKEShareServer is sent unencrypted then instead of inputting the value K (in both 3DH and HMQV) in lieu of the 0 in 0 -> HKDF-Extract = Master Secret, we would input it instead of (EC)DHE thus saving the computation g^xy . This is a performance and security gain (and is more elegant).

H is the HKDF function agreed upon in the TLS handshake.

change HKDF with "HKDF-Extract with salt=0"