https://devzone.nordicsemi.com/f/nordic-q-a/118938/spake2-example-psa-libraryHello everyone, I was looking at SPAKE2+ example (NCS v2.6.99) and trying to understand where the password used to derived the shared secret is set or used. Can anyone help me? BR.en-USTelligent Community 13Mon, 24 Feb 2025 09:29:09 GMThttps://devzone.nordicsemi.com/thread/524276?ContentTypeID=1Mon, 24 Feb 2025 09:29:09 GMT137ad170-7792-4731-bb38-c0d22fbe4515:7d349e7d-35f1-423a-a503-a5df64f05d04dejans<p>Hi,<br /><br />We mainly support Matter version of SPAKE2+ which is HMAC based. You could try to follow the logic in sdk-oberon-psa-crypto to change to <a href="https://github.com/nrfconnect/sdk-oberon-psa-crypto/blob/d66c20787f82b9469439fb7c1436463c02ca3b10/oberon/drivers/oberon_spake2p.c#L173">CMAC-AES-128</a>. For intermediate values, please note that PAKE is basically implementing APIs from PSA. You can look at this&nbsp;<a href="https://arm-software.github.io/psa-api/crypto/1.2/ext-pake/about.html">PSA API</a>&nbsp;document.<br /><br />Best regards,<br />Dejan</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/523655?ContentTypeID=1Wed, 19 Feb 2025 09:44:13 GMT137ad170-7792-4731-bb38-c0d22fbe4515:cdf34519-c7de-48fa-840e-49efde3fbd13dejans<p>Hi,<br /><br />I will discuss your questions with our developers. I expect to get back to you by the end of the next week.<br /><br />Best regards,<br />Dejan</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/523453?ContentTypeID=1Tue, 18 Feb 2025 10:17:07 GMT137ad170-7792-4731-bb38-c0d22fbe4515:3b7c5eb0-0e48-4358-aa7a-7c3619c108d4Portilha<p>I want to have something like this example:<br /><img style="max-height:240px;max-width:320px;" src="https://devzone.nordicsemi.com/resized-image/__size/640x480/__key/communityserver-discussions-components-files/4/pastedimage1739873791493v1.png" alt=" " /></p> <p>Where the CMAC output (confirmP and confirmV) are both 16 bytes.</p> <p>BR.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/523298?ContentTypeID=1Mon, 17 Feb 2025 14:06:58 GMT137ad170-7792-4731-bb38-c0d22fbe4515:bd40f27c-32ec-4fda-99c8-6a2dbfc94151Portilha<p>The second message exchange (different values for verifier and prover), before the final message that has the same K_shared. Also, I want to know if there is any way to adjust the example to use CMAC-AES-128.</p> <p>BR.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/523261?ContentTypeID=1Mon, 17 Feb 2025 12:58:58 GMT137ad170-7792-4731-bb38-c0d22fbe4515:378e3b72-ab44-4854-87bf-d1d0daefa4a8dejans<p>Hi,</p> [quote user="Portilha"]Next, I see that the following pair of messages consists of 32-byte messages. Could you clarify what exactly these intermediate messages represent?[/quote] <p>Which intermediate messages and 32-byte messages do you refer to?<br /><br />Best regards,<br />Dejan</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/523215?ContentTypeID=1Mon, 17 Feb 2025 09:57:41 GMT137ad170-7792-4731-bb38-c0d22fbe4515:e04c920c-efdb-46bc-a2ce-10b9b191f956Portilha<p data-start="137" data-end="145">Hello,</p> <p data-start="147" data-end="177">Thank you for your response.</p> <p data-start="179" data-end="449">Does your example follow the&nbsp;<a href="https://datatracker.ietf.org/doc/rfc9383/">RFC 9383</a> specification? In your example, the first two exchanged messages are both 65-byte messages (0x04 followed by 64 bytes), which I assume represent the X and Y coordinates - each 32 bytes. These first two messages should correspond to:</p> <ul data-start="450" data-end="503"> <li data-start="450" data-end="476"><strong data-start="452" data-end="457">X</strong> = x * P + w₀ * M</li> <li data-start="477" data-end="503"><strong data-start="479" data-end="484">Y</strong> = y * P + w₀ * N</li> </ul> <p data-start="505" data-end="852">Next, I see that the following pair of messages consists of 32-byte messages. Could you clarify what exactly these intermediate messages represent? I understand that both parties need to compute the shared secret curve points (Z and V) and then derive a shared secret from these points, but I&rsquo;m unsure of the role of these intermediate messages.</p> <p data-start="854" data-end="1362">Finally, the last set of messages should serve as confirmation or &quot;evidence&quot; that both parties possess the password and that the process was successful. In your example, this confirmation message is also 32 bytes long, but I was expecting (and require) a 16-byte message instead. Would it be possible to adjust this? Specifically, I need to use the last configuration from the table in the provided link:<br data-start="1258" data-end="1261" /><strong data-start="1261" data-end="1290">G: P-256 and CMAC-AES-128</strong> (I need CMAC instead of HMAC) to obtain a 16-byte confirmation value.</p> <p data-start="1364" data-end="1401">I appreciate your guidance on this.</p> <p data-start="1403" data-end="1432">Best regards.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/523187?ContentTypeID=1Mon, 17 Feb 2025 08:46:46 GMT137ad170-7792-4731-bb38-c0d22fbe4515:030d5c40-90b6-434a-9443-b9146b30b139dejans<p>Hi,<br /><br />Our PSA Crypto API Implementation implements the&nbsp;<a href="https://arm-software.github.io/psa-api/crypto/">PSA Crypto API specification</a>. You could consider opening discussion on specification there.<br /><br />Here is relevant&nbsp;<a href="https://github.com/athoelke/psa-api/blob/999f3b2afcdc97ac9da3ae7cdebcaad72fc2ae6b/doc/ext-pake/api/pake.rst#key-formats">discussion</a>&nbsp;on the use of public key.<br /><br />Best regards,<br />Dejan</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/523112?ContentTypeID=1Fri, 14 Feb 2025 23:32:41 GMT137ad170-7792-4731-bb38-c0d22fbe4515:ecf3a257-ea7d-4822-9c56-d994ee91e4dfEmil Lenngren<p>The SPAKE2+ algorithm itself does not operate on a password, but rather an already hashed password; where the first half of the hash is denoted w0 and the second half w1.</p> <p>Typically, a nordic chip acts as the verifier and a smartphone/tablet/computer acts as the prover (typically with a user interface with a password field or qr code camera). The cpu at the prover is powerful enough to perform a slow hash operation such as scrypt or Argon2. The verifier only stores a pre-hashed verifier entry and thus does not perform any hashing. Therefore, you will not see any API function taking a password.</p> <p>The API takes w0 concatenated by w1*P for the verifier instead of a password. The idea is to pre-hash this value on a different device and then transfer this data over to the verifier device and store it on flash. I suggest that you read RFC9383 to get familiar how the mechanism works.</p> <p>The example code as well as the PSA API unfortunately calls the verifier &quot;public_key&quot;. This is certainly not a public key but the password hash and should hence not be leaked, since an attacker in the possession of this can perform a brute force attack to recover the password. Remember that SPAKE2+ is designed to operate on passwords with low entropy.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/523106?ContentTypeID=1Fri, 14 Feb 2025 19:25:31 GMT137ad170-7792-4731-bb38-c0d22fbe4515:a36a52eb-3e80-4d99-b58e-d8c0c3e1b958dejans<p>Hi,<br /><br /><a href="https://datatracker.ietf.org/doc/rfc9383/">RFC9383</a>, mentions that w0 and w1 are obtained by hashing the password with identities of the participants. In the crypto spake2+ sample, you can see that w0||w1 is given in the key_pair[]. Some additional information about PAKE can be found in&nbsp;v2.7.0\modules\crypto\oberon-psa-crypto\include\psa\crypto_types.h and in v2.7.0\modules\crypto\oberon-psa-crypto\include\psa\crypto_extra.h. You can also look at&nbsp;<a href="https://github.com/nrfconnect/sdk-nrfxlib/blob/main/crypto/nrf_oberon/include/ocrypto_spake2p_p256.h">ocrypto_spake2p_p256.h</a>.<br /><br />Best regards,<br />Dejan</p><div style="clear:both;"></div>