yanesca
commented
3 years ago The design document mentions two other kind of key outputs from PAKEs:
- Key extraction for TLS-SRP
- Potential other outputs in OPAQUE (the so called "export key" in particular)
Both of these are out of scope for this task because:
- Key extraction is not a feature that we should encourage or support in any way. If a scheme requires key extraction, then it should be handled as a different variant of the scheme, requiring a different algorithm ID and proper documentation about the caveats (if any). For example in the above case there would be two different algorithm IDs for SRP: one for SRP and another for TLS-SRP.
- The other outputs in OPAQUE are specific to OPAQUE and it should be feasible to add support for them incrementally if and when it is needed.
Enhancement / Feature Request
Suggested enhancement
Add the ability to output the missing types of keys from PAKEs.
Justification - why does the library need this feature?
Some schemes specify key confirmation as part of the algorithm (see #4519). Before the key confirmation completes the schemes provide only implicit key confirmation for the key.
Some schemes output raw keying material that must not be used as keys directly, some others session keys that in theory could be used directly (but in practice they still should be used in key derivation as a typical session needs at least two symmetric keys).
In summary, in the output we need to differentiate between the following:
4000 only specifies parts of the PAKE interface that are needed for J-PAKE. J-PAKE doesn't mandate or specify key confirmation and results in key material.
Background
See the "Key confirmation" section of the design document for more information.
Prerequisites: #4000, #4519