This library will help you allow two parties to generate a mutual secret key by using a weak key that is known to both beforehand (e.g. via some other channel of communication). This is a simple API for an implementation of password-authenticated key exchange (PAKE).
I decided to fork [@schollz]'s fork because of some breaking changes:
- The default hashing function is now sha3.512. This means that SessionKeys are 64b.
- Functions signatures and names changed.
- gob encoding is now used instead of JSON.
- Some Pake{} private variables are now actually private variables.
- Removed SIEC EC from library, I don't like external imports.
New functionalities:
- You can set any
io.Readeras source of random data. - You can change the bcrypt cost.
- You can provide any curve that implements Add, ScalarBaseMult, ScalarMult, IsOnCurve methods.
- You can provide any
func() hash.Hashthat will be used to validate the remote's input.
Defaults: SHA3_512 & CurveP512
This protocol is derived from Dan Boneh and Victor Shoup's cryptography book (pg 789, "PAKE2 protocol). The H(k) is a bcrypt hashed session key, which only the keeper of a real session key can verify. Passing this between P and Q allows them to understand that the other party does indeed have the session key derived correctly through the PAKE protocol. The session key can then be used to encrypt a message because it has never passed between parties.
Anytime some part of the algorithm fails verification: i.e. the points are not along the elliptic curve, or if a hash from either party is not identified, a non-nil error is returned. When this happens, you should abort and start a PAKE session as it could have been compromised.
Known working ECs:
- elliptic.P256(),
- elliptic.P384(),
- elliptic.P521(),
- secp256k1.S256(),
- siec.SIEC255(),
go get -u github.com/nexus166/pakepackage main
import (
"crypto/elliptic"
"crypto/sha512"
"fmt"
"os"
"github.com/nexus166/pake"
)
func main() {
// both parties should have a weak key
pw := []byte{1, 2, 3}
// initialize sender P ("0" indicates sender)
P, err := pake.New(pw, 0, elliptic.P521(), sha512.New)
check(err)
// initialize recipient Q ("1" indicates recipient)
Q, err := pake.New(pw, 1, elliptic.P521(), sha512.New)
check(err)
// first, P sends u to Q
Pe := P.Export()
fmt.Printf("P public: %x\n", Pe)
// Q computes k, sends H(k), v back to P
err = Q.Import(Pe)
check(err) // errors will occur when any part of the process fails
Qe := Q.Export()
fmt.Printf("Q public: %x\n", Qe)
err = P.Import(Qe)
check(err)
// P computes k, H(k), sends H(k) to Q
err = Q.Import(P.Export())
check(err)
// both P and Q now have session key
Pk, err := P.Key()
check(err)
fmt.Printf("key P: %x\n", Pk)
Qk, err := Q.Key()
check(err)
fmt.Printf("key Q: %x\n", Qk)
}
func check(err error) {
if err != nil {
fmt.Println(err.Error())
os.Exit(2)
}
}Thanks @tscholl2 for implementing the first version, and @schollz for implementing the second version.
MIT.