EXT0011: EdDSA Authentication
- Extension dependencies: none
- Document status: Discussion
Two-way authentication using EdDSA (Ed25519). Public key length: 32 bytes, signature: 64 bytes.
Both public keys known to both parties. Private keys never transferred. Device public key serves as unique identifier.
Authentication Process
Section titled “Authentication Process”- Server sends
001Awith its public key and randomDCHALLENGE - Device verifies server key, responds with its public key and
SCHALLENGE - Server sends
001Bwith signature ofSCHALLENGE - Device responds with signature of
DCHALLENGE
Unauthenticated clients have minimum rights (0000, 001A, 001B, Keep Alive).
Commands
Section titled “Commands”001A Start Authentication
Section titled “001A Start Authentication”Request:
<TID> 3900 0042 001A <SPUBKEY> <DCHALLENGE>Response:
<TID> 3900 0042 001A <DPUBKEY> <SCHALLENGE>| Field | Length | Description |
|---|---|---|
SPUBKEY | 32 bytes | Server public key |
DPUBKEY | 32 bytes | Device public key |
SCHALLENGE | 32 bytes | Random bytes for server to sign |
DCHALLENGE | 32 bytes | Random bytes for device to sign |
Errors: 000A Server key mismatch, 000B Too many requests
001B Confirm Authentication
Section titled “001B Confirm Authentication”Request:
<TID> 3900 0042 001B <SSIGN>Response:
<TID> 3900 0042 001B <DSIGN>| Field | Length | Description |
|---|---|---|
SSIGN | 64 bytes | Server signature of SCHALLENGE |
DSIGN | 64 bytes | Device signature of DCHALLENGE |
Errors: 000A Invalid signature, 000B Not initialized/timeout, 000C Device busy
001C Create New EdDSA Secret
Section titled “001C Create New EdDSA Secret”Change server public key and regenerate device key pair. Requires prior authentication.
Request/Response:
<TID> 3900 0022 001C <SPUBKEY>/<DPUBKEY>Errors: 000A Key generation error