44 lines
1.9 KiB
Markdown
# Zero Trust nKode with aPAKE (OPAQUE)
```mermaid
sequenceDiagram
    participant Client
    participant Server

    Note over Client, Server: Enrollment
    Client ->> Server: Signup Session: email
    Client ->> Client: Create 128-bit Secret Key
    Note left of Client: Request that the user store the Secret Key in a safe place
    Client ->> Server: OPAQUE Register with Secret Key<br/>https://github.com/facebook/opaque-ke
    Client ->> Server: OPAQUE Login with email + Secret Key
    opt Secret Key OPAQUE tunnel
        Client ->> Server: Get New Icons
        Server -->> Client: icons
        Note left of Client: Icons are stored on Client
        Note left of Client: well-known nonce: 0x1 (or any number)
        Client ->> Client: Assign random names to icons from<br/>secret_key and well-known nonce
        Client ->> Server: list of random icon names
        Note right of Server: Only a client with the secret key can request these icons.<br/>Server doesn't know the owner
        loop assign icons
            Client ->> Client: Regenerate 4-6 icons until user accepts them
        end
        Client ->> Client: Create new nonce
        Client ->> Client: ChaCha20 key derivation (pass_key, mask_key, prop_key, pos_key)
        Client ->> Client: Compute Mask
        Note left of Client: User Password is concat([list of assigned icon values])
        Client ->> Server: OPAQUE Register with User Password + nonce, mask
    end

    Note over Client, Server: Login
    Client ->> Server: OPAQUE Login with email + Secret Key
    opt Secret Key OPAQUE tunnel
        Server ->> Client: nonce, mask
        Client ->> Client: Display Keypad to User<br/>User makes key selection
        Client ->> Client: Recover user password
        Client ->> Server: OPAQUE Password Login
    end

    Note over Client, Server: User Session
    opt Secret Key PAKE Key XOR nKode PAKE Key tunnel
        Client ->> Server: all communication goes through this double PAKE
    end
```
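The enrollment steps in the diagram derive everything the client needs from the 128-bit Secret Key plus a nonce: icon names that look random to the server (so it can serve them without learning the owner) and the four subkeys pass_key, mask_key, prop_key and pos_key. The block below is an added example, not the project's code; it substitutes HMAC-SHA256 for the ChaCha20 key derivation the diagram names so it runs on the standard library, and the label and counter encodings are assumptions.

```python
import hmac
import hashlib

# Constructed example, not the project's code. The diagram names a ChaCha20
# key derivation; HMAC-SHA256 stands in here as the keyed PRF so the example
# runs on the standard library alone. Subkey labels are taken from the diagram.
SUBKEY_LABELS = ("pass_key", "mask_key", "prop_key", "pos_key")
WELL_KNOWN_NONCE = (1).to_bytes(16, "big")   # the diagram's "well-known nonce: 0x1"


def prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed PRF over length-prefixed parts, so (b"a", b"bc") != (b"ab", b"c")."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big") + part)
    return mac.digest()


def derive_subkeys(secret_key: bytes, nonce: bytes) -> dict:
    """Derive the four per-nonce subkeys from the 128-bit Secret Key."""
    if len(secret_key) != 16:
        raise ValueError("Secret Key must be 128 bits")
    return {label: prf(secret_key, nonce, label.encode()) for label in SUBKEY_LABELS}


def icon_names(secret_key: bytes, nonce: bytes, count: int) -> list:
    """Names the client assigns to its icons: derived from secret_key and the
    well-known nonce, so they look random to the server yet can be regenerated
    by any client holding the same Secret Key (and by nobody else)."""
    if len(secret_key) != 16:
        raise ValueError("Secret Key must be 128 bits")
    return [prf(secret_key, nonce, b"icon", i.to_bytes(4, "big")).hex()[:16]
            for i in range(count)]


def server_can_link(names_a: list, names_b: list) -> bool:
    """The server's view: two name lists are linkable only if they share a name."""
    return bool(set(names_a) & set(names_b))


if __name__ == "__main__":
    # Constructed keys; a real client draws them with secrets.token_bytes(16).
    alice = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    bob = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")
    a1 = icon_names(alice, WELL_KNOWN_NONCE, 6)
    a2 = icon_names(alice, WELL_KNOWN_NONCE, 6)     # same key -> same names
    b1 = icon_names(bob, WELL_KNOWN_NONCE, 6)
    print(a1 == a2, server_can_link(a1, b1))        # True False
```

Running it shows the two properties the server-side note relies on: the same Secret Key regenerates the same names, while names from different keys are unlinkable.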