a Secarta project ...

HTTPsec Authentication Protocol


4.10. count

The count directive is a sequence counter for continuation messages. This directive allows the detection of message replays and provides partial message sequence integrity. It is also required for the production of unique initialization vectors for message body ciphering.

The value of the count directive is a decimal number. In a request, it MUST be greater than zero and less than (2^128 - 1). In a response, it MUST be greater than one and less than or equal to (2^128 - 1).

The following constraints apply to this directive in continuation messages containing identical token directive values. Messages with identical or out-of-sequence count directive values MUST be rejected by the receiving peer. Peers MUST validate the count directive in each received message to establish uniqueness and correct sequence. Each peer is required to maintain a local record of the value of the count directive employed in the last continuation message that it sent. The validity constraints and logic for setting this directive differ slightly from the perspectives of the two peers:

requester's perspective:
A received response MUST have a count value of N+1, where N is the count value in the associated request.
responder's perspective:
A received request's count value N MUST be strictly greater than the count value that the responder sent in its last response. The response MUST be given a count value of N+1.

If a first request receives no response, the count directive in a second request that immediately follows should increment by (at least) 2, to allow for the fact that the unreceived response was nevertheless sent by the responder. In the case that the first request contained an "Expect: 100-continue" header [HTTP][14.20] the increment should be (at least) 3, as such requests may elicit two distinct responses.
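The count rules above, seen from both peers, as an added example (not code from the HTTPsec specification or the Secarta project). The class and method names are hypothetical, and the starting value of 1 for a requester's first count is an assumption, since this section does not state one.

```python
MAX_COUNT = 2**128 - 1  # upper bound given in section 4.10


class CountError(ValueError):
    """A count directive failed the section 4.10 checks."""


def parse_count(text):
    # Decimal digits only; 2^128 - 1 has 39 digits, so longer input is out of range.
    if not (text.isascii() and text.isdigit()) or len(text) > 39:
        raise CountError("count is not a decimal number in range")
    return int(text)


class Responder:
    def __init__(self):
        self.last_sent = {}  # token value -> count of the last response sent

    def handle_request(self, token, count_text):
        n = parse_count(count_text)
        if not 0 < n < MAX_COUNT:
            raise CountError("request count out of range")
        if n <= self.last_sent.get(token, 0):
            raise CountError("replayed or out-of-sequence count")
        self.last_sent[token] = n + 1  # the response carries N+1
        return n + 1


class Requester:
    def __init__(self):
        self.last_sent = None  # count of the last request sent, if any

    def next_count(self, lost_expect_continue=False):
        if self.last_sent is None:
            n = 1  # assumed starting value, not stated in the section
        else:
            # +2 clears the response to the last request, received or not;
            # +3 if that request was unanswered and carried Expect: 100-continue.
            n = self.last_sent + (3 if lost_expect_continue else 2)
        if n >= MAX_COUNT:
            raise CountError("count space exhausted for this token")
        self.last_sent = n
        return n

    def check_response(self, count_text):
        if parse_count(count_text) != self.last_sent + 1:
            raise CountError("response count is not N+1")
```

The responder keeps one record per token value because the constraints apply only among continuation messages with identical token directive values.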