Robert Relyea wrote:
>  So the end result : I see that J-PAKE code got included inside NSS
>  https://bugzilla.mozilla.org/show_bug.cgi?id=609076  with a layer to
>  access it from js (bug 601645). This was not announced here, and even
>  if it looked like Sync would keep J-PAKE, I did not imagine it would
>  be included as a new mechanism in NSS, I thought it would stay inside
>  an external layer.
It's a crypto authentication mechanism. It involves keys. It needs to be
in NSS if we are to support it at all. (which is why it's there;).

It involves no key, in the usual meaning of a secret permanent key, which makes it *possible* to implement it externally. I notice the committed code extracts the generated shared symmetric key up to the JavaScript level, so it takes no real advantage from having generated it inside NSS (I'd expect it instead to leave the AES256 key inside NSS and just get back the handle to it to encrypt what it needs later. It seems they believe they *must* be able to extract the key, but I don't really understand why).

Now it's certainly the most sensible thing to do to have all crypto be handled by NSS.

But I thought J-PAKE was intended as an as quick as possible hack, which is why the Sync team was so reluctant to switch to using SRP (unless it was proven J-PAKE was cryptographically weak), despite SRP being much more widely used (and having already several open bugs, with patch even, requesting its inclusion in NSS/Firefox).

Seeing the J-PAKE patch, it would be quite fast to rewrite it using SRP instead of J-PAKE using the existing SRP patch (CKM_NSS_JPAKE_ROUND1-ROUND2_SHAxxx/CKM_NSS_JPAKE_FINAL_SHAxxx would change to CKM_NSS_SRP_SERVER_KEY_PAIR_GEN/CKM_NSS_SRP_DERIVE, etc.), it's totally equivalent functionally, we'd just add a small step where the server, before deriving the shared key, makes a call to generate the password verifier from the password.

BTW, it's a bit disappointing to see the JavaScript so entangled with the specificities of J-PAKE, when the P11 layer below maps it to generic PK11_KeyGenWithTemplate / PK11_DeriveWithTemplate / PK11_Derive operations.