doc/crypto/api/ops/pake.rst
16 additions & 2 deletions
@@ -1208,6 +1208,8 @@ The same key value must be provided to the PAKE operation in both participants.
1208
1208
The key can be the password text itself, in an agreed character encoding, or some value derived from the password, as required by a higher level protocol.
1209
1209
For low-entropy passwords, it is recommended that a key-stretching derivation algorithm, such as PBKDF2, is used, and the resulting password hash is used as the key input to the PAKE operation.
1210
1210
1211
+
.. _jpake-operation:
1212
+
1211
1213
J-PAKE operation
1212
1214
~~~~~~~~~~~~~~~~
1213
1215
@@ -1230,6 +1232,9 @@ J-PAKE does not assign roles to the participants, so it is not necessary to call
1230
1232
J-PAKE requires both an application and a peer identity.
1231
1233
If the peer identity provided to `psa_pake_set_peer()` does not match the data received from the peer, then the call to `psa_pake_input()` for the `PSA_PAKE_STEP_ZK_PROOF` step will fail with :code:`PSA_ERROR_INVALID_SIGNATURE`.
1232
1234
1235
+
J-PAKE does not use a context.
1236
+
A call to `psa_pake_set_context()` for a J-PAKE operation will fail with :code:`PSA_ERROR_BAD_STATE`.
1237
+
1233
1238
The following steps demonstrate the application code for 'User' in :numref:`fig-jpake`. The code flow for the 'Peer' is the same as for 'User', as J-PAKE is a balanced PAKE.
1234
1239
1235
1240
1. To prepare a J-PAKE operation, initialize and set up a :code:`psa_pake_operation_t` object by calling the following functions:
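Review bot: The added sentence on `psa_pake_set_context()` for J-PAKE gives the error code but not the state of the operation afterwards. Say whether the operation remains usable or has to be aborted after the PSA_ERROR_BAD_STATE failure, and check that the function reference for `psa_pake_set_context()` lists this case under the same error code, so a reader does not take BAD_STATE here to mean a call-ordering mistake rather than an algorithm that takes no context.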
@@ -1575,6 +1580,15 @@ Both participants in SPAKE2+ have an optional identity.
1575
1580
If no identity value is provided, then a zero-length string is used for that identity in the protocol.
1576
1581
If the participants do not supply the same identity values to the protocol, the computed secrets will be different, and key confirmation will fail.
1577
1582
1583
+
Participants in SPAKE2+ can optionally provide a context:
1584
+
1585
+
* If `psa_pake_set_context()` is called, then the context and its encoded length are included in the SPAKE2+ transcript computation.
1586
+
This includes the case of a zero-length context.
1587
+
* If `psa_pake_set_context()` is not called, then the context and its encoded length are omitted entirely from the SPAKE2+ transcript computation.
1588
+
See :RFC:`9383#3.3`.
1589
+
1590
+
If the participants do not supply the same context value to the protocol, the computed secrets will be different, and key confirmation will fail.
1591
+
1578
1592
The following steps demonstrate the application code for both Prover and Verifier in :numref:`fig-spake2p`.
1579
1593
1580
1594
**Prover**
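Review bot: The closing sentence about mismatched context values does not explicitly cover the case the two bullets set up, where one participant calls `psa_pake_set_context()` with a zero-length context and the other does not call it at all. The bullets imply that these give different transcripts, so state that this combination also causes key confirmation to fail. Also check that "See :RFC:`9383#3.3`." is indented so that it renders where intended, either as a continuation of the second bullet or as its own paragraph after the list.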
@@ -1597,7 +1611,7 @@ The following steps demonstrate the application code for both Prover and Verifie
doc/crypto/appendix/history.rst
3 additions & 0 deletions
@@ -41,6 +41,9 @@ Clarifications and fixes
41
41
* Clarified the constraint on `psa_key_derivation_output_key()` for algorithms that have a `PSA_KEY_DERIVATION_INPUT_PASSWORD` input step.
42
42
* Removed the redundant key input constraints on `psa_key_derivation_verify_bytes()` and `psa_key_derivation_verify_key()`. These match the policy already checked in `psa_key_derivation_input_key()`.
43
43
44
+
* Documented the use of context parameters in J-PAKE and SPAKE2+ PAKE operations.
45
+
See :secref:`jpake-operation` and :secref:`spake2p-operation`.
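Review bot: The new history entry references :secref:`spake2p-operation`, but the pake.rst hunks shown here add only the `jpake-operation` label. Confirm that a `spake2p-operation` label already exists ahead of the SPAKE2+ section heading, or add it in this change, otherwise the cross-reference will not resolve.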