pynkode/docs/templates/zero_trust_nkode.template.md
2025-12-03 11:36:43 -06:00


Zero Trust nKode with aPAKE (OPAQUE)

```mermaid
sequenceDiagram
    participant Client
    participant Server
    Note over Client, Server: Enrollment
    Client ->> Server: Signup Session: email
    Client ->> Client: Create 128-bit Secret Key
    Note left of Client: Request user stores Secret Key in a safe place
    Client ->> Server: OPAQUE Register with Secret Key<br/>https://github.com/facebook/opaque-ke
    Client ->> Server: OPAQUE Login with email + Secret Key
    opt Secret Key OPAQUE tunnel
        Client ->> Server: Get New Icons
        Server -->> Client: icons
        Note left of Client: Icons are stored on Client
        Note left of Client: well-known nonce: 0x1 (or any number)
        Client ->> Client: Assign random names to icons from<br/>secret_key and well-known nonce
        Client ->> Server: list of random icon names
        Note right of Server: Only a client with the secret key can request these icons.<br/>Server doesn't know the owner
        loop assign icons
            Client ->> Client: Regenerate 4-6 icons until user accepts them
        end

        Client ->> Client: Create new nonce
        Client ->> Client: ChaCha20 key derivation (pass_key, mask_key, prop_key, pos_key)
        Client ->> Client: Compute Mask
        Note left of Client: User Password is concat([list of assigned icon values])
        Client ->> Server: OPAQUE Register with User Password + nonce, mask
    end
    Note over Client, Server: Login
    Client ->> Server: OPAQUE Login with email + Secret Key
    opt Secret Key OPAQUE tunnel
        Server -->> Client: nonce, mask
        Client ->> Client: Display Keypad to User<br/>User makes key selection
        Client ->> Client: recover user password
        Client ->> Server: OPAQUE Password Login
    end
    Note over Client, Server: User Session
    opt Secret Key PAKE Key XOR nKode PAKE Key tunnel
        Client ->> Server: all communication goes through this double PAKE
    end
```
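The client-side derivations in the diagram (icon naming from the secret key and well-known nonce, the per-enrollment key set, the mask, password recovery at login, and the XOR of the two PAKE keys) as a runnable model. This is an added example, not pynkode's code: the diagram does not say how names, keys or the mask are computed, so the HMAC/HKDF constructions, the `nkode-keys` and `nkode-mask` labels, the 16-byte icon names and the choice to XOR the password with a pad bound to the user's ordered selection are all assumptions made here. HKDF over HMAC-SHA256 stands in for the diagram's ChaCha20 key derivation because the Python standard library has no ChaCha20, and the OPAQUE steps themselves (opaque-ke in the diagram) are out of scope; the functions only produce the values a client would hand to them.

```python
"""Client-side nKode enrollment and login derivations (added illustration,
not pynkode's own code; all constructions are assumptions, see lead-in)."""
import hashlib
import hmac
import os
from dataclasses import dataclass

WELL_KNOWN_NONCE = b"\x01"     # the diagram's "well-known nonce: 0x1"
KEY_LABELS = ("pass_key", "mask_key", "prop_key", "pos_key")


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF with HMAC-SHA256, standing in for the ChaCha20 KDF."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def icon_name(secret_key: bytes, icon_id: bytes) -> str:
    """Random-looking icon name from secret_key and the well-known nonce.
    Only a holder of secret_key can reproduce it, so the server can serve
    icons by name without learning which enrolled user owns them."""
    return hmac.new(secret_key, WELL_KNOWN_NONCE + icon_id, hashlib.sha256).hexdigest()[:16]


def derive_keys(secret_key: bytes, nonce: bytes) -> dict[str, bytes]:
    """pass_key, mask_key, prop_key, pos_key from secret_key and a fresh nonce."""
    material = hkdf_sha256(secret_key, nonce, b"nkode-keys", 32 * len(KEY_LABELS))
    return {label: material[32 * i:32 * (i + 1)] for i, label in enumerate(KEY_LABELS)}


def selection_digest(secret_key: bytes, selected_icons: list[bytes]) -> bytes:
    """Order-sensitive digest of the icon names the user picked (assumed)."""
    names = b"".join(icon_name(secret_key, icon).encode() for icon in selected_icons)
    return hashlib.sha256(names).digest()


@dataclass(frozen=True)
class Enrollment:
    nonce: bytes      # stored by the server, returned at login
    mask: bytes       # stored by the server, returned at login
    password: bytes   # registered with OPAQUE, never stored anywhere


def enroll(secret_key: bytes, nonce: bytes, selected_icons: list[bytes],
           icon_values: list[bytes]) -> Enrollment:
    """Enrollment: password = concat(icon values); the mask hides it under a pad
    from mask_key and the user's selection, so nonce + mask alone reveal nothing."""
    keys = derive_keys(secret_key, nonce)
    password = b"".join(icon_values)
    pad = hkdf_sha256(keys["mask_key"], selection_digest(secret_key, selected_icons),
                      b"nkode-mask", len(password))
    return Enrollment(nonce, mask=xor(password, pad), password=password)


def recover_password(secret_key: bytes, nonce: bytes, mask: bytes,
                     selected_icons: list[bytes]) -> bytes:
    """Login: undo the mask with secret_key + the live keypad selection.
    A wrong selection yields a different byte string rather than an error, so
    guesses cannot be checked locally and must go through OPAQUE login."""
    keys = derive_keys(secret_key, nonce)
    pad = hkdf_sha256(keys["mask_key"], selection_digest(secret_key, selected_icons),
                      b"nkode-mask", len(mask))
    return xor(mask, pad)


def double_pake_session_key(secret_key_pake_key: bytes, nkode_pake_key: bytes) -> bytes:
    """User-session key as the diagram states it: the two PAKE keys XORed.
    Both inputs must be fresh and independent for this to be sound."""
    return xor(secret_key_pake_key, nkode_pake_key)


if __name__ == "__main__":
    secret_key = os.urandom(16)                              # the 128-bit Secret Key
    icons = [f"icon_{i:03d}".encode() for i in range(12)]    # constructed icon ids
    chosen = [icons[7], icons[2], icons[11], icons[4]]       # user accepted 4 icons
    values = [os.urandom(4) for _ in chosen]                 # regenerated until accepted
    e = enroll(secret_key, os.urandom(16), chosen, values)
    assert recover_password(secret_key, e.nonce, e.mask, chosen) == e.password
    print("icon names:", [icon_name(secret_key, i) for i in chosen])
    print("password recovered from nonce + mask + selection:", e.password.hex())
```

Because the icon values are random at enrollment rather than derived, the mask is what makes the password recoverable from only the secret key, the server-held nonce and mask, and the user's selection; nothing password-related has to live on the client. The XOR of the two PAKE keys follows the diagram literally; running both keys through a KDF instead is the conservative choice if their independence cannot be guaranteed.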