Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature] Extract the Spake2p module to separate header and allow to switch backend between raw keys and PSA keys. #32985

Open
ArekBalysNordic opened this issue Apr 15, 2024 · 0 comments
Open

[Feature] Extract the Spake2p module to separate header and allow to switch backend between raw keys and PSA keys. #32985

ArekBalysNordic opened this issue Apr 15, 2024 · 0 comments
Labels
darwin feature request feature work needs triage

Comments

@ArekBalysNordic
Copy link
Contributor

Feature description

The Spake2p cryptographic class is currently part of the Crypto PAL within the CHIPCryptoPAL.h file. It uses raw keys and has many methods that are not needed for the PSA (Platform Security Architecture) version.

To improve organization and flexibility, we can restructure the Spake2p code as follows:

1. Create a base interface class for Spake2p with these virtual methods:

  • Init()
  • Clear()
  • BeginVerifier()
  • BeginProver()
  • ComputeRoundOne()
  • ComputeRoundTwo()
  • KeyConfirm()
  • GetKeys()

2. Develop a RawKey Spake2p class that extends the base interface. This class will implement methods related to finite element and point operations, such as:

  • FELoad()
  • FEWrite()
  • FEGenerate()
  • FEMul()
  • PointLoad()
  • PointWrite()
  • PointMul()
  • PointAddMul()
  • PointInvert()
  • PointCofactorMul()
  • PointIsValid()
  • ComputeW0()
  • ComputeL()

3. The RawKey Spake2p class should also define an interface for cryptographic methods that will be provided by MbedTLS or OpenSSL:

  • InitImpl()
  • Hash()
  • HashFinalize()
  • Mac()
  • MacVerify()
  • KDF()

By doing this, we will have a clear Spake2p base interface that can be used for different implementations, leading to better-organized code. The new structure will result in the following implementations:

  1. PSA_Spake2p_P256_SHA256_HKDF_HMAC derived from the Spake2p base interface.
  2. RawKey_Spake2p_P256_SHA256_HKDF_HMAC also derived from the Spake2p base interface.
  3. An MbedTLS version of the RawKey_Spake2p_P256_SHA256_HKDF_HMAC interface to handle specific cryptographic operations.
  4. An OpenSSL version of the RawKey_Spake2p_P256_SHA256_HKDF_HMAC interface to handle specific cryptographic operations.

In the CHIPCryptoPAL.h file or the GN configuration, we should select the appropriate Spake2p version based on the cryptographic backend in use. This chosen version will then be utilized in the PASESession.

This extracting will help use the Spake2p implementation proposed in this PR: #32924 and remove choosing between RawKey spake2+ and PSA spake2+ from the PASESession.h file.

Platform

all

Platform Version(s)

No response

Anything else?

No response
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
darwin feature request feature work needs triage
Projects
[Platform] Darwin
Status: Todo
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ArekBalysNordic