1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef CRYPTO_P224_SPAKE_H_ | 5 #ifndef CRYPTO_P224_SPAKE_H_ |
6 #define CRYPTO_P224_SPAKE_H_ | 6 #define CRYPTO_P224_SPAKE_H_ |
7 #pragma once | 7 #pragma once |
8 | 8 |
9 #include <base/string_piece.h> | 9 #include <base/string_piece.h> |
10 #include <crypto/p224.h> | 10 #include <crypto/p224.h> |
11 #include <crypto/sha2.h> | 11 #include <crypto/sha2.h> |
12 | 12 |
13 namespace crypto { | 13 namespace crypto { |
14 | 14 |
15 // P224EncryptedKeyExchange provides a means to authenticate an | 15 // P224EncryptedKeyExchange implements SPAKE2, a variant of Encrypted |
16 // encrypted transport using a low-entropy, shared secret. | 16 // Key Exchange. It allows two parties that have a secret common |
17 // | 17 // password to establish a common secure key by exchanging messages |
18 // You need a value derived from the master secret of the connection in order | 18 // over unsecure channel without disclosing the password. |
19 // to bind the authentication to the encrypted channel. It's the |session| | |
20 // argument to the constructor and can be of any length. | |
21 // | 19 // |
22 // The password can be low entropy as authenticating with an attacker only | 20 // The password can be low entropy as authenticating with an attacker only |
23 // gives the attacker a one-shot password oracle. No other information about | 21 // gives the attacker a one-shot password oracle. No other information about |
24 // the password is leaked. (However, you must be sure to limit the number of | 22 // the password is leaked. (However, you must be sure to limit the number of |
25 // permitted authentication attempts otherwise they get many one-shot oracles.) | 23 // permitted authentication attempts otherwise they get many one-shot oracles.) |
26 // | 24 // |
27 // The protocol requires several RTTs (actually two, but you shouldn't assume | 25 // The protocol requires several RTTs (actually two, but you shouldn't assume |
28 // that.) To use the object, call GetMessage() and pass that message to the | 26 // that.) To use the object, call GetMessage() and pass that message to the |
29 // peer. Get a message from the peer and feed it into ProcessMessage. Then | 27 // peer. Get a message from the peer and feed it into ProcessMessage. Then |
30 // examine the return value of ProcessMessage: | 28 // examine the return value of ProcessMessage: |
44 | 42 |
45 // PeerType's values are named client and server due to convention. But | 43 // PeerType's values are named client and server due to convention. But |
46 // they could be called "A" and "B" as far as the protocol is concerned so | 44 // they could be called "A" and "B" as far as the protocol is concerned so |
47 // long as the two parties don't both get the same label. | 45 // long as the two parties don't both get the same label. |
48 enum PeerType { | 46 enum PeerType { |
49 kPeerTypeClient, | 47 kPeerTypeClient, |
50 kPeerTypeServer, | 48 kPeerTypeServer, |
51 }; | 49 }; |
52 | 50 |
53 // peer_type: the type of the local authentication party. | 51 // peer_type: the type of the local authentication party. |
54 // password: a, possibly low-entropy, mutually known password. | 52 // password: secret session password. Both parties to the |
55 // session: a value securely derived from the connection's master secret. | 53 // authentication must pass the same value. For the case of a |
56 // Both parties to the authentication must pass the same value. For the | 54 // TLS connection, see RFC 5705. |
57 // case of a TLS connection, see RFC 5705. | |
58 P224EncryptedKeyExchange(PeerType peer_type, | 55 P224EncryptedKeyExchange(PeerType peer_type, |
59 const base::StringPiece& password, | 56 const base::StringPiece& password); |
60 const base::StringPiece& session); | |
61 | 57 |
62 // GetMessage returns a byte string which must be passed to the other party | 58 // GetMessage returns a byte string which must be passed to the other party |
63 // in the authentication. | 59 // in the authentication. |
64 const std::string& GetMessage(); | 60 const std::string& GetMessage(); |
65 | 61 |
66 // ProcessMessage processes a message which must have been generated by a | 62 // ProcessMessage processes a message which must have been generated by a |
67 // call to GetMessage() by the other party. | 63 // call to GetMessage() by the other party. |
68 Result ProcessMessage(const base::StringPiece& message); | 64 Result ProcessMessage(const base::StringPiece& message); |
69 | 65 |
70 // In the event that ProcessMessage() returns kResultFailed, error will | 66 // In the event that ProcessMessage() returns kResultFailed, error will |
71 // return a human readable error message. | 67 // return a human readable error message. |
72 const std::string& error() const; | 68 const std::string& error() const; |
73 | 69 |
| 70 // The key established as result of the key exchange. Must be called |
| 71 // at then end after ProcessMessage() returns kResultSuccess. |
| 72 const std::string& GetKey(); |
| 73 |
74 private: | 74 private: |
75 // The authentication state machine is very simple and each party proceeds | 75 // The authentication state machine is very simple and each party proceeds |
76 // through each of these states, in order. | 76 // through each of these states, in order. |
77 enum State { | 77 enum State { |
78 kStateInitial, | 78 kStateInitial, |
79 kStateRecvDH, | 79 kStateRecvDH, |
80 kStateSendHash, | 80 kStateSendHash, |
81 kStateRecvHash, | 81 kStateRecvHash, |
82 kStateDone, | 82 kStateDone, |
83 }; | 83 }; |
99 | 99 |
100 // x_ is the secret Diffie-Hellman exponent (see paper referenced in .cc | 100 // x_ is the secret Diffie-Hellman exponent (see paper referenced in .cc |
101 // file). | 101 // file). |
102 uint8 x_[p224::kScalarBytes]; | 102 uint8 x_[p224::kScalarBytes]; |
103 // pw_ is SHA256(P(password), P(session))[:28] where P() prepends a uint32, | 103 // pw_ is SHA256(P(password), P(session))[:28] where P() prepends a uint32, |
104 // big-endian length prefix (see paper refereneced in .cc file). | 104 // big-endian length prefix (see paper refereneced in .cc file). |
105 uint8 pw_[p224::kScalarBytes]; | 105 uint8 pw_[p224::kScalarBytes]; |
106 // expected_authenticator_ is used to store the hash value expected from the | 106 // expected_authenticator_ is used to store the hash value expected from the |
107 // other party. | 107 // other party. |
108 uint8 expected_authenticator_[kSHA256Length]; | 108 uint8 expected_authenticator_[kSHA256Length]; |
| 109 |
| 110 std::string key_; |
109 }; | 111 }; |
110 | 112 |
111 } // namespace crypto | 113 } // namespace crypto |
112 | 114 |
113 #endif // CRYPTO_P224_SPAKE_H_ | 115 #endif // CRYPTO_P224_SPAKE_H_ |
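Review bot: The comment on `pw_` (new lines 103-104) still says `pw_ is SHA256(P(password), P(session))[:28]`, but the `session` constructor argument is removed in this change, so the stated derivation no longer matches the interface; it should be updated to whatever the .cc now hashes, presumably `// pw_ is SHA256(P(password))[:28] where P() prepends a uint32, big-endian length prefix` — confirm against the .cc. The sentence "For the case of a TLS connection, see RFC 5705" (new line 54) was written for the removed `session` parameter and describes exporting keying material from an existing channel; moved under `password` it reads as advice on how to pick the password, and the old class comment's point that the authentication was bound to the encrypted channel disappears without a replacement saying that callers are now expected to bind via the value from GetKey(). The GetKey() comment (new line 71) has a typo, `at then end` should be `at the end`, and since the declaration gives no guarantee about calls before kStateDone it would help to say what `key_` holds in that case (it appears to be left empty, but that is inferred from the members, not visible here).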