spake2-ee

Better API

Open Sc00bz opened this issue 6 years ago • 2 comments

I came up with a simple PAKE API: https://gist.github.com/Sc00bz/9d5c8e98143f68377e17dc82c5955f2b

The C API will basically look like this:

```c
#include <stddef.h>  /* size_t */
#include <stdint.h>

/* Opaque PAKE state; its layout is not part of this sketch. */
typedef struct spake2PlusEeBs_ctx spake2PlusEeBs_ctx;

/* Which side of the exchange this context plays. */
const int PAKE_USER_CLIENT = 0;
const int PAKE_USER_SERVER = 1;

const int PAKE_MODE_USE      = 0;
const int PAKE_MODE_REGISTER = 1;

/* Bit flags reported through *status and spake2PlusEeBs_getStatus(). */
const int PAKE_STATUS_FLAG_ERROR                   = 0x01;
const int PAKE_STATUS_FLAG_KEY_AVAILABLE           = 0x02;
const int PAKE_STATUS_FLAG_SERVER_SECRET_AVAILABLE = 0x04;
const int PAKE_STATUS_FLAG_VERIFIED_OTHER          = 0x08;
const int PAKE_STATUS_FLAG_FINISHED                = 0x10;

const size_t SPAKE2_PLUS_EE_BS_MAX_MESSAGE_SIZE = 84;
const size_t SPAKE2_PLUS_EE_BS_SERVER_SECRET_SIZE = 132;

/* returns message size */
size_t spake2PlusEeBs_start(
	spake2PlusEeBs_ctx *ctx,
	void *message, int *status,
	const char *myId,    size_t myIdSize,
	const char *otherId, size_t otherIdSize,
	const void *secret,  size_t secretSize,
	int pakeUser,
	int pakeMode /* C has no default arguments: pass PAKE_MODE_USE explicitly */);

/* returns messageOut size */
size_t spake2PlusEeBs_receiveMessage(
	spake2PlusEeBs_ctx *ctx,
	void *messageOut, int *status,
	const void *messageIn, size_t messageInSize);

int spake2PlusEeBs_getKey(spake2PlusEeBs_ctx *ctx, void *key);
int spake2PlusEeBs_getServerSecret(spake2PlusEeBs_ctx *ctx, void *serverSecret);
int spake2PlusEeBs_getStatus(const spake2PlusEeBs_ctx *ctx);
```

With the current way you do SPAKE2+EE, the client needs to store the full password for later use or have receiveMessage() also take a secret. Since ids are only used in _shared_keys_and_validators() and hashed first, you can move the crypto_generichash_state into the PAKE state and hash the ids in start(). When you move to blind salt, the server generates the salt value and you now need to include the ids in the password hashing to prevent an evil server from using the same salt for everyone. Basically you can use H(idC, idS, pw) as the secret, which is fixed length and can be stored in the PAKE state.

Sc00bz, Jan 31 '19 15:01
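The H(idC, idS, pw) idea from the post above, as an added Python sketch that is not part of the thread or of the spake2-ee code. BLAKE2b stands in for H and scrypt for the password hash; the length-prefixed encoding, the `ClientState` class, the `person` tag and all sample ids and salts are assumptions made for illustration.

```python
import hashlib
import struct

SECRET_BYTES = 32  # fixed size, so it fits in a PAKE context struct


def prehash_secret(id_client, id_server, password) -> bytes:
    """H(idC, idS, pw), with BLAKE2b standing in for H (assumption)."""
    h = hashlib.blake2b(digest_size=SECRET_BYTES, person=b"pake-prehash")
    for part in (id_client, id_server, password):
        # 8-byte length prefix per field (assumed encoding), so that
        # ("ab", "c") and ("a", "bc") never produce the same hash input.
        h.update(struct.pack("<Q", len(part)))
        h.update(part)
    return h.digest()


class ClientState:
    """Hypothetical stand-in for the PAKE context: it never holds the password."""

    def __init__(self, id_client: bytes, id_server: bytes, password: bytearray):
        self.secret = prehash_secret(id_client, id_server, password)
        password[:] = bytes(len(password))  # zero the caller's buffer

    def on_server_salt(self, salt: bytes) -> bytes:
        # Runs when the salt arrives in a later message. Only the stored
        # fixed-length secret is needed. scrypt parameters are demo values.
        return hashlib.scrypt(self.secret, salt=salt, n=2**14, r=8, p=1, dklen=32)


def demo():
    # Constructed input: a server that hands every user the same salt.
    shared_salt = bytes(16)
    pw = b"correct horse"
    alice = ClientState(b"alice", b"example.org", bytearray(pw))
    bob = ClientState(b"bob", b"example.org", bytearray(pw))
    # Same password, same salt, yet the stretched outputs differ because
    # the ids were bound into the secret before the password hash.
    return alice.on_server_salt(shared_salt), bob.on_server_salt(shared_salt)


if __name__ == "__main__":
    a, b = demo()
    print(a.hex())
    print(b.hex())
```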

Moving the hash state to the PAKE state in order to avoid keeping the password around is a very good idea, thanks!

The alternative API doesn't look very intuitive, though.

Since the intent is to eventually implement this in libhydrogen, it makes sense to keep the API similar to what already exists for key exchange.

jedisct1, Jan 31 '19 16:01

Oh hey @Sc00bz, just happened to find this (I was the one who brought up contributing this API to libsodium after your talk today).

buu700, Aug 11 '19 06:08