Documentation
Overview
Package cpace implements the CPace password authenticated key exchange (PAKE) instantiated with the ristretto255 group.
PAKEs allow two peers to establish a shared secret key if they agree on a password or similar low-entropy value, without letting eavesdropping or machine-in-the-middle attackers make multiple attempts at guessing the password value. CPace is a balanced PAKE, meaning that both peers need to know the password plaintext.
This implementation is loosely based on draft-haase-cpace-01.
Example
package main

import (
	"bytes"
	"fmt"

	"filippo.io/cpace"
)

func main() {
	password := "password"
	// Both peers must build the same ContextInfo.
	c := cpace.NewContextInfo("192.0.2.1:12345", "192.0.2.2:42", nil)

	// Initiator: produce msgA and keep the session state.
	msgA, s, err := cpace.Start(password, c)
	if err != nil {
		panic(err)
	}

	// Responder: process msgA, produce msgB and the shared key.
	msgB, keyB, err := cpace.Exchange(password, c, msgA)
	if err != nil {
		panic(err)
	}

	// Initiator: process msgB and derive the shared key.
	keyA, err := s.Finish(msgB)
	if err != nil {
		panic(err)
	}

	fmt.Println("keyA == keyB:", bytes.Equal(keyA, keyB))
}
Output:
keyA == keyB: true
Functions
func Exchange
func Exchange(password string, c *ContextInfo, msgA []byte) (msgB, key []byte, err error)
Exchange executes a PAKE exchange authenticated by password, processing msgA generated by a peer with Start, and returns the shared secret key and msgB. msgB should be sent to the peer, to be processed by (*State).Finish.
If the two peers agree on the password and ContextInfo, they will derive the same key. Note that an error is NOT returned otherwise: the two peers will simply derive different keys.
The returned key is suitable to be passed to hkdf.Expand.
Types
type ContextInfo
type ContextInfo struct {
// contains filtered or unexported fields
}
ContextInfo captures the additional connection information that the two peers need to agree on for the key to be the same.
func NewContextInfo
func NewContextInfo(idA, idB string, ad []byte) *ContextInfo
NewContextInfo returns a ContextInfo for use with Start or Exchange.
idA represents the identity of the party that uses Start, idB of the party that uses Exchange. Identities could be MAC addresses, or IPs and ports.
ad is any additional context the two parties share, and can be nil. Examples of values that could be included in ad to protect against protocol downgrade and mismatch attacks are the name and transcript of the higher level protocol, including any negotiation inputs that led to the use of this PAKE.
type State
type State struct {
// contains filtered or unexported fields
}
State is a PAKE session in progress, where the initiating party is waiting for the peer response.
func Start
func Start(password string, c *ContextInfo) (msgA []byte, s *State, err error)
Start initiates a new PAKE exchange authenticated by password. msgA should be sent to the peer, to be processed by Exchange, and s used to process the peer's response.
func (*State) Finish
Finish processes the peer's response, generated by Exchange, and returns the shared secret key.
If the two peers agree on the password and ContextInfo, they will derive the same key. Note that an error is NOT returned otherwise: the two peers will simply derive different keys.
The returned key is suitable to be passed to hkdf.Expand.
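Because Exchange and Finish return no error when the passwords differ, a caller has to detect the mismatch itself before trusting the key. The following is an added example, not part of the cpace package or its documentation: one common key-confirmation pattern that expands the returned key into per-role MAC keys and a session key. The role names "A" and "B", the "example ..." labels, and the functions expand, confirmTag and confirmPeer are assumptions made for illustration; HKDF-Expand is written out with the standard library so the block runs without external modules.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// expand is HKDF-Expand (RFC 5869) with SHA-256, standard library only.
func expand(prk []byte, info string, n int) []byte {
	var out, t []byte
	for i := byte(1); len(out) < n; i++ {
		h := hmac.New(sha256.New, prk)
		h.Write(t)
		h.Write([]byte(info))
		h.Write([]byte{i})
		t = h.Sum(nil)
		out = append(out, t...)
	}
	return out[:n]
}

// confirmTag MACs the transcript under a key derived for one role.
// The "example ..." labels are hypothetical; use your protocol's own.
func confirmTag(key []byte, role string, msgA, msgB []byte) []byte {
	h := hmac.New(sha256.New, expand(key, "example confirm "+role, 32))
	for _, m := range [][]byte{msgA, msgB} {
		var l [8]byte
		binary.BigEndian.PutUint64(l[:], uint64(len(m)))
		h.Write(l[:]) // length prefix keeps the encoding unambiguous
		h.Write(m)
	}
	return h.Sum(nil)
}

// confirmPeer verifies the peer's tag in constant time and releases the session key only on a match.
func confirmPeer(key []byte, peerRole string, msgA, msgB, peerTag []byte) ([]byte, bool) {
	if !hmac.Equal(confirmTag(key, peerRole, msgA, msgB), peerTag) {
		return nil, false
	}
	return expand(key, "example session key", 32), true
}

func main() { // constructed stand-ins for the CPace keys and messages
	kA, kB, mA, mB := []byte("key from Finish"), []byte("key from Exchange, wrong password"), []byte("msgA"), []byte("msgB")
	_, ok := confirmPeer(kA, "B", mA, mB, confirmTag(kB, "B", mA, mB))
	fmt.Println("confirmed:", ok)
}
```

Each side sends confirmTag for its own role and calls confirmPeer with the other role, so a tag reflected back to its sender does not verify.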