[DRAFT v1] Define the SPAKE2+ algorithms #126
Conversation
* Add key encodings * Define public key format * Define key derivation procedure
* Moved the hash algorithm parameter to the PAKE cipher suite into the PAKE algorithm identifier, instead of a separate attribute of the cipher suite. * This also makes the hash algorithm value available to the `PSA_PAKE_OUTPUT_SIZE()` and `PSA_PAKE_INPUT_SIZE()` macros.
* Replace psa_pake_get_implicit_key() with psa_pake_get_shared_key() * Add key confirmation attribute to the PAKE cipher suite
* The shared secret is always output as a single key * Removed the input key size, key size is determined by operation * Removed key-size helper macro as unnecessary
* Recognise that not all PAKE algorithms produce a secret that is suitable for use as an encryption key * Encourage the use of PAKE output as a key-derivation key
* Supporting both RFC 9393 and Matter * New APIs: - `PSA_ALG_SPAKE2P_HMAC()` - `PSA_ALG_SPAKE2P_CMAC()` - `PSA_ALG_SPAKE2P_MATTER` - `PSA_ALG_IS_SPAKE2P()` - `PSA_ALG_IS_SPAKE2P_HMAC()` - `PSA_ALG_IS_SPAKE2P_CMAC()`
athoelke
added
enhancement
athoelke
requested review from
gilles-peskine-arm,
ndevillard and
MarcusJGStreets
|
@silabs-Kusumit, @silabs-hannes, @oberon-sk, @yanesca: this might be the PR you have been waiting for? |
|
Reviewing the flow:
It seems slightly odd that the key is provided during the It seems it might feel more logical for the role to be declared as part of the setup (see #115 where the key input was moved to the setup function) so the combination of cipher-suite, key and role can be validated together. On the other hand, it is possible to call |
|
I think that |
|
|
||
| The SPAKE2+ key types can be output from a key derivation using :code:`psa_key_derivation_output_key()`. The SPAKE2+ protocol recommends that a key-stretching kdf, such as PBKDF2, is used to hash the SPAKE2+ password. See RFC 9383 for details. | ||
|
|
||
| For example, after setting up the PBKDF2 operation, the following process will derive the SPAKE2+ key pair for use with the P-256 Elliptic curve group :issue:`(This example may be more than necessary in the specification?)`: |
There was a problem hiding this comment.
We can add the flow with exact steps in the registration phase diagram. And reference the same here.
There was a problem hiding this comment.
This is what I have done in Draft-2, as part of the reorganisation. See #129
| * A SPAKE2+ public key is the pair (w0, L). | ||
|
|
||
| .. todo:: | ||
| Would a table of required w0s/w1s lengths for each of the supported SPAKE2+ elliptic curve groups be useful here? |
There was a problem hiding this comment.
I think the table would be helpful for implementations
Maybe adding a document in the appendix folder for the details on SPAKE2+ would be helpful |
I've thought about this a bit more, and think there are approximately three main ways to slice this:
The last option would mostly work in this Extension specification. However, when integrated into the main specification, I would be concerned that they would become detached from the PAKE API definition, and lose value as a result. On the whole I have been trending toward moving the summaries for each category of algorithm into the section that defines that API. For example, the change in v1.1 where most of that material from the Functionality overview was moved into the intro to each cryptographic operation section of the API. I'm going to draft something like (1) above for the next revision, to see how that looks... |
athoelke
changed the title
|
This PR has been superseded by the alternative document layout in the [v2] PR #129. |
[Edited] : This is the first draft. An revised and reorganised version of this PR is now available: #129
This PR merges the 'best guess' result of the other PAKE and SPAKE2+ PRs (#114, #119, #120, #124), before defining the SPAKE2+ algorithms.
The Algorithm definition begins in commit e784de8, in case you have reviewed the other pieces already.
For a draft of the whole spec: Crypto_API-1.2_PAKE_Extension-bet.2-draft-spake2plus.pdf
DO NOT MERGE
There remain open issues in the preceding PRs. Once there is broad agreement on the open API design issues, I will merge the PR changes, to permit a second pass editorial review and rework of the result.
I am not convinced that the document structure is quite right. SPAKE2+ benefits from significant explanatory text for how the keys, algorithms, and operation work together - but this material is shared by three algorithm and two key API identifiers, and is currently somewhat scattered. This material cannot be delegated to other sources (as is the case for most other algorithms in the API), because the asymmetric key approach used here is novel, and we [reasonably] constrain some SPAKE2+ options in order to conform to the Matter specification.