jiep/spake2plus

GitHub: jiep/spake2plus

A Python 3 library that strictly follows RFC 9383, implementing the SPAKE2+ augmented password-authenticated key exchange protocol with asymmetric password storage.

Stars: 3 | Forks: 0

# SPAKE2+ [![Python Tests](https://static.pigsec.cn/wp-content/uploads/repos/2026/03/faad901e9d235408.svg)](https://github.com/jiep/spake2plus/actions/workflows/test.yml) [![Lint](https://static.pigsec.cn/wp-content/uploads/repos/2026/03/65d1fcf139235410.svg)](https://github.com/jiep/spake2plus/actions/workflows/lint.yml) [![Build Wheel](https://static.pigsec.cn/wp-content/uploads/repos/2026/03/c2e84c7bae235416.svg)](https://github.com/jiep/spake2plus/actions/workflows/wheel.yml) [![Dependabot Updates](https://static.pigsec.cn/wp-content/uploads/repos/2026/03/6adf5ddf4d235418.svg)](https://github.com/jiep/spake2plus/actions/workflows/dependabot/dependabot-updates)

**SPAKE2+** is a Python 3 implementation of the SPAKE2+ protocol as specified in [RFC 9383 SPAKE2+, an Augmented Password-Authenticated Key Exchange (PAKE) Protocol](https://www.rfc-editor.org/rfc/rfc9383.html).

## What is SPAKE2+?

SPAKE2+ is a cryptographic protocol designed to establish a shared key between two parties (a Prover and a Verifier) over an insecure channel. It is an augmented version of the SPAKE2 protocol that adds explicit identities to prevent key-compromise impersonation (KCI) attacks.

The protocol is efficient and secure, and is suited to password-authenticated key exchange (PAKE). Unlike traditional approaches that transmit hashed passwords or rely on challenge-response, SPAKE2+ ensures that a shared key can be derived without exposing the password, even in the presence of eavesdroppers or active attackers.

### Key features

1. **Password-based authentication**: both parties authenticate using a shared password, preventing unauthorized access.
2. **Implicit mutual authentication**: if the protocol succeeds, both parties have confirmed that they hold the same password.
3. **Resistance to KCI attacks**: explicit identities (`idProver` and `idVerifier`) are bound into the protocol to prevent impersonation by a compromised party.
4. **Elliptic-curve cryptography (ECC)**: uses ECC for computational efficiency and security.
5. **No password exposure**: the password itself is never transmitted or directly derivable during the protocol.

### How it works

1. **Registration phase**: both parties exchange public parameters to securely initialize the protocol.
2. **Password derivation**: the shared password is processed with Argon2id, together with the explicit identities (`idProver` and `idVerifier`) and the ciphersuite's hash function, to derive key material.
3. **Key exchange**: the Prover and Verifier compute and exchange values (`X`, `Y`) to establish the shared key.
4. **Verification**: both parties derive cryptographic secrets (`confirmP`, `confirmV`) to verify the integrity of the exchange and complete authentication.

SPAKE2+ is commonly used in applications that need secure password-based authentication without relying on a trusted third party. It is particularly suited to environments where both parties already share a secret (such as a password) and need to establish a secure communication channel.

### Protocol overview

```mermaid
sequenceDiagram
    participant Prover
    participant Verifier
    Note left of Prover: password
    Note left of Prover: w0, w1 <- Argon2id(password)<br/>L = w1*P
    Prover->>Verifier: Offline Registration<br/>w0, L
    Note left of Prover: x <- [0, p-1]<br/>X = x*P + w0*M
    Prover->>Verifier: X
    Note right of Verifier: y <- [0, p-1]<br/>Y = y*P + w0*N
    Verifier->>Prover: Y
    Note left of Prover: Z = h*x*(Y - w0*N)<br/>V = h*w1*(Y - w0*N)
    Note right of Verifier: Z = h*y*(X - w0*M)<br/>V = h*y*L
    Note over Prover,Verifier: Compute transcript TT<br/>K_main = Hash(TT)<br/>K_confirmP || K_confirmV = KDF(K_main, "ConfirmationKeys")<br/>K_shared = KDF(K_main, "SharedKey")
    Note right of Verifier: confirmV = MAC(K_confirmV, X)
    Verifier->>Prover: confirmV
    Note left of Prover: confirmP = MAC(K_confirmP, Y)<br/>expected_confirmV = MAC(K_confirmV, X)<br/>equal_constant_time(expected_confirmV, confirmV)
    Prover->>Verifier: confirmP
    Note right of Verifier: expected_confirmP = MAC(K_confirmP, Y)<br/>equal_constant_time(expected_confirmP, confirmP)
```

## Requirements

This package requires the following dependencies:

* [`cryptography`](https://pypi.org/project/cryptography/)
* [`ecpy`](https://pypi.org/project/ecpy/)

All dependencies are installed automatically when the package is installed with `pip`.

## Installation

Download the latest release from [Releases](https://github.com/jiep/spake2plus/releases) and install it with:

```
pip install spake2plus--py3-none-any.whl
```

## Building from source

After cloning this repository, you can install the package locally with `pip`:

```
pip install -e .
```

## Usage

```
usage: spake2plus [-h] [-v] [--host HOST] [--port PORT]
                  {verifier,prover,registration} ...

SPAKE2+ Protocol

positional arguments:
  {verifier,prover,registration}
    verifier            Run the verifier role in the SPAKE2+ protocol
    prover              Run the prover role in the SPAKE2+ protocol
    registration        Perform registration for the Prover

options:
  -h, --help            show this help message and exit
  -v, --verbose         Increase output verbosity (e.g., -v, -vv, -vvv)
  --host HOST           Host to connect to (default: localhost)
  --port PORT           Port to connect to (default: 12345)
```

### Offline registration

The `Prover` computes the values `w0` and `w1` and the registration record `L`. `w0` and `w1` are derived by hashing the password together with the identities of both participants. `w0` and the record `L` are then shared with the `Verifier`.

```
usage: spake2plus registration [-h] --password PASSWORD --idProver IDPROVER
                               --idVerifier IDVERIFIER
                               [--ciphersuite {P256-SHA256,P256-SHA512,P384-SHA256,P384-SHA512,P521-SHA512,Edwards25519-SHA256,Edwards448-SHA512}]

options:
  -h, --help            show this help message and exit
  --password PASSWORD   Password for key generation
  --idProver IDPROVER   Prover's identity
  --idVerifier IDVERIFIER
                        Verifier's identity
  --ciphersuite {P256-SHA256,P256-SHA512,P384-SHA256,P384-SHA512,P521-SHA512,Edwards25519-SHA256,Edwards448-SHA512}
                        Ciphersuite to use (default: P256-SHA256)
```

### Verifier

```
usage: spake2plus verifier [-h] --idProver IDPROVER --idVerifier IDVERIFIER
                           --context CONTEXT --w0 W0 --L L
                           [--ciphersuite {P256-SHA256,P256-SHA512,P384-SHA256,P384-SHA512,P521-SHA512,Edwards25519-SHA256,Edwards448-SHA512}]

options:
  -h, --help            show this help message and exit
  --idProver IDPROVER   Prover's identity
  --idVerifier IDVERIFIER
                        Verifier's identity
  --context CONTEXT     Protocol context
  --w0 W0               Value for w0 as hexadecimal string
  --L L                 Value for L as hexadecimal string
  --ciphersuite {P256-SHA256,P256-SHA512,P384-SHA256,P384-SHA512,P521-SHA512,Edwards25519-SHA256,Edwards448-SHA512}
                        Ciphersuite to use (default: P256-SHA256)
```

### Prover

```
usage: spake2plus prover [-h] --idProver IDPROVER --idVerifier IDVERIFIER
                         --context CONTEXT --w0 W0 --w1 W1
                         [--ciphersuite {P256-SHA256,P256-SHA512,P384-SHA256,P384-SHA512,P521-SHA512,Edwards25519-SHA256,Edwards448-SHA512}]

options:
  -h, --help            show this help message and exit
  --idProver IDPROVER   Prover's identity
  --idVerifier IDVERIFIER
                        Verifier's identity
  --context CONTEXT     Protocol context
  --w0 W0               Value for w0 as hexadecimal string
  --w1 W1               Value for w1 as hexadecimal string
  --ciphersuite {P256-SHA256,P256-SHA512,P384-SHA256,P384-SHA512,P521-SHA512,Edwards25519-SHA256,Edwards448-SHA512}
                        Ciphersuite to use (default: P256-SHA256)
```

## Examples

### Registration

```
spake2plus registration --password superImporT4antPassWord! --idProver alice --idVerifier bob --ciphersuite P256-SHA256
```
Output:

```
2024-12-01 14:06:51.789 [INFO] Ciphersuite: P256-SHA256
2024-12-01 14:06:52.048 [INFO] w0 = 3bccdf7f0940907dac69758d327eb9c40c5a7f95ee63a80e042e5473ce789e76
2024-12-01 14:06:52.048 [INFO] w1 = 59f7bce5c93c087e114d95b542f100124e1814be7f383c376a9a441045092a0b
2024-12-01 14:06:52.048 [INFO] L = 04c9b019fbe6d4e727dfd9cd831f3c36a6fec8b05972bed62d3b0493c8cfc2163dc739cda27dcb7aa6726008f7312281d9ffe61edc178af1f26a96a1a6dc6cfbc4
```
### Verifier

The `Verifier` acts as the server in the protocol. Run it as follows:

```
spake2plus verifier --idProver alice --idVerifier bob --context KeyExchange --w0 3bccdf7f0940907dac69758d327eb9c40c5a7f95ee63a80e042e5473ce789e76 --L 04c9b019fbe6d4e727dfd9cd831f3c36a6fec8b05972bed62d3b0493c8cfc2163dc739cda27dcb7aa6726008f7312281d9ffe61edc178af1f26a96a1a6dc6cfbc4 --ciphersuite P256-SHA256
```
Output:

```
2024-12-01 14:11:45.727 [INFO] Ciphersuite: P256-SHA256
2024-12-01 14:11:45.728 [INFO] Verifier is listening on localhost:12345...
2024-12-01 14:13:04.771 [INFO] P -> V [65]: X = 04dfc96734066fd75a4093d402f33945312f71637c8515524cd44736d0d762cd8a162a72d868fb5e155908f01af1319f69739f6591451ca9978b6bb64a4c4383a8
2024-12-01 14:13:04.886 [INFO] P <- V [65]: Y = 04835bd8437b2dd3bd920dcbb3aa81c72874e8bdb81aa76c3c2b99a7e9ca22ad397dd844c701eb77264d61f13926a5fc3730d100bb08e4935d770885392d29e1dd
2024-12-01 14:13:04.887 [INFO] V: Computing key schedule...
2024-12-01 14:13:04.888 [INFO] P <- V [32]: confirmV = ab44635917470ac4cf52130c881749151e544b8f4fcc987aad2e64afc5201665
2024-12-01 14:13:04.979 [INFO] P -> V [[32]]: confirmP = d97eba35ac718b69bc8549bb5d73646d42d68739cf392f4d346eab88a6e556a3
2024-12-01 14:13:04.979 [INFO] V: Protocol completed successfully.
```
### Prover

The `Prover` acts as the client in the protocol. Run it as follows:

```
spake2plus prover --idProver alice --idVerifier bob --context KeyExchange --w0 3bccdf7f0940907dac69758d327eb9c40c5a7f95ee63a80e042e5473ce789e76 --w1 59f7bce5c93c087e114d95b542f100124e1814be7f383c376a9a441045092a0b --ciphersuite P256-SHA256
```
Output:

```
2024-12-01 14:13:04.724 [INFO] Ciphersuite: P256-SHA256
2024-12-01 14:13:04.725 [INFO] Connected to Verifier at localhost:12345
2024-12-01 14:13:04.771 [INFO] P -> V [65]: X = 04dfc96734066fd75a4093d402f33945312f71637c8515524cd44736d0d762cd8a162a72d868fb5e155908f01af1319f69739f6591451ca9978b6bb64a4c4383a8]
2024-12-01 14:13:04.886 [INFO] P <- V [65]: Y = 04835bd8437b2dd3bd920dcbb3aa81c72874e8bdb81aa76c3c2b99a7e9ca22ad397dd844c701eb77264d61f13926a5fc3730d100bb08e4935d770885392d29e1dd
2024-12-01 14:13:04.977 [INFO] P: Computing key schedule...
2024-12-01 14:13:04.979 [INFO] P <- V [32]: confirmV = ab44635917470ac4cf52130c881749151e544b8f4fcc987aad2e64afc5201665
2024-12-01 14:13:04.979 [INFO] P -> V [32]: confirmP = d97eba35ac718b69bc8549bb5d73646d42d68739cf392f4d346eab88a6e556a3
2024-12-01 14:13:04.979 [INFO] P: Protocol completed successfully.
```
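The three CLI steps above (registration, then the Verifier and Prover exchanging `X`, `Y`, `confirmV` and `confirmP`) can be followed end to end in a single process. The block below is an added example written for this page, not the spake2plus project's code, and it makes several assumptions: pure-Python affine P-256 arithmetic stands in for `ecpy`; PBKDF2-HMAC-SHA256 from `hashlib` stands in for Argon2id, so the `w0`, `w1` and `L` it produces will not match the library's output above; transcript length prefixes are 8-byte little-endian; and `K_confirmP`, `K_confirmV` and `K_shared` are each one SHA-256 output long. The `M` and `N` points are the P-256 values listed under "Values of M and N" below. The `run` function registers a password, runs one exchange, and reports whether the two sides agree on `K_shared` and whether each side's constant-time confirmation check passes; giving the Prover a different password than the one registered shows every check failing without either side learning anything about the other's password.

```python
"""Added example (not spake2plus project code): one in-process SPAKE2+ run over
P-256 / SHA-256 following the protocol overview.  Assumptions: pure-Python P-256
arithmetic instead of ecpy; PBKDF2-HMAC-SHA256 instead of Argon2id; 8-byte
little-endian length prefixes; K_confirmP, K_confirmV, K_shared each 32 bytes."""
import hashlib, hmac, secrets

# P-256 domain parameters (cofactor h = 1)
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A, B = P - 3, 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
ORDER = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else: lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time: demo only)."""
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def neg(pt): return None if pt is None else (pt[0], -pt[1] % P)

def decompress(hexstr):
    """SEC1 compressed point 02/03 || x -> affine point (P-256 has p = 3 mod 4)."""
    raw = bytes.fromhex(hexstr)
    x = int.from_bytes(raw[1:], "big")
    y = pow((x * x * x + A * x + B) % P, (P + 1) // 4, P)
    if (y & 1) != (raw[0] & 1): y = P - y
    assert on_curve((x, y)), "not a point on P-256"
    return (x, y)

def encode(pt):  # uncompressed SEC1 encoding 04 || x || y (65 bytes)
    return b"\x04" + pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

# RFC 9383 M and N for P-256, as listed on this page
M = decompress("02886e2f97ace46e55ba9dd7242579f2993b64e16ef3dcab95afd497333d8fa12f")
N = decompress("03d8bbd6c639c62937b04d997f38c3770719c629d7014d49a24b4f98baa1292b49")

def lv(b):  # len(b) as 8-byte little-endian, then b (assumed transcript encoding)
    return len(b).to_bytes(8, "little") + b

def hkdf_sha256(ikm, info, length):
    """HKDF-SHA256 (RFC 5869) with an all-zero salt, i.e. KDF(nil, ikm, info)."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + t, i + 1
    return out[:length]

def register(password, id_prover, id_verifier):
    """Offline registration: w0, w1 and the record L = w1*P.  The Verifier only
    ever stores (w0, L).  PBKDF2 is a stand-in for Argon2id (assumption)."""
    ws = hashlib.pbkdf2_hmac("sha256", lv(password) + lv(id_prover) + lv(id_verifier),
                             b"", 10_000, dklen=80)  # 40 bytes per scalar before mod
    w0, w1 = int.from_bytes(ws[:40], "big") % ORDER, int.from_bytes(ws[40:], "big") % ORDER
    return w0, w1, mul(w1, G)

def key_schedule(context, id_prover, id_verifier, X, Y, Z, V, w0):
    """Transcript TT -> K_main -> (K_shared, MAC(K_confirmP, Y), MAC(K_confirmV, X))."""
    tt = (lv(context) + lv(id_prover) + lv(id_verifier) + lv(encode(M)) + lv(encode(N))
          + lv(encode(X)) + lv(encode(Y)) + lv(encode(Z)) + lv(encode(V))
          + lv(w0.to_bytes(32, "big")))
    k_main = hashlib.sha256(tt).digest()
    conf = hkdf_sha256(k_main, b"ConfirmationKeys", 64)
    k_confirm_p, k_confirm_v = conf[:32], conf[32:]
    mac = lambda key, pt: hmac.new(key, encode(pt), hashlib.sha256).digest()
    return hkdf_sha256(k_main, b"SharedKey", 32), mac(k_confirm_p, Y), mac(k_confirm_v, X)

def run(password, prover_password=None, context=b"KeyExchange",
        id_prover=b"alice", id_verifier=b"bob"):
    """Register `password`, then run one exchange with the Prover holding
    `prover_password` (default: the registered password).  Returns
    (keys_match, prover_accepts_verifier, verifier_accepts_prover)."""
    w0, _, L = register(password, id_prover, id_verifier)              # Verifier's record
    pw0, pw1, _ = register(password if prover_password is None else prover_password,
                           id_prover, id_verifier)                     # Prover's own w0, w1
    x, y = secrets.randbelow(ORDER), secrets.randbelow(ORDER)
    X = add(mul(x, G), mul(pw0, M))                                    # Prover -> Verifier
    Y = add(mul(y, G), mul(w0, N))                                     # Verifier -> Prover
    yp = add(Y, neg(mul(pw0, N)))                                      # Prover unmasks Y
    k_p, confirm_p, expect_confirm_v = key_schedule(
        context, id_prover, id_verifier, X, Y, mul(x, yp), mul(pw1, yp), pw0)
    k_v, expect_confirm_p, confirm_v = key_schedule(
        context, id_prover, id_verifier, X, Y, mul(y, add(X, neg(mul(w0, M)))), mul(y, L), w0)
    return (k_p == k_v, hmac.compare_digest(expect_confirm_v, confirm_v),
            hmac.compare_digest(expect_confirm_p, confirm_p))
```

Note the asymmetry the "asymmetric password storage" wording refers to: the Verifier side of `run` only ever touches `w0` and `L`, never `w1`, so a stolen Verifier record does not let an attacker play the Prover, while the Prover needs both `w0` and `w1`. The scalar multiplication here is a plain double-and-add loop and leaks timing; a real deployment relies on a constant-time curve implementation such as the one the library uses.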
## Ciphersuites

| Ciphersuite | G | Hash | KDF | MAC | PBKDF |
|-----------------------|--------------|-------------------|-----------------------|-----------------------|--------------------|
| `P256-SHA256` | P-256 | SHA256 [RFC6234] | HKDF-SHA256 [RFC5869] | HMAC-SHA256 [RFC2104] | Argon2id [RFC9106] |
| `P256-SHA512` | P-256 | SHA512 [RFC6234] | HKDF-SHA512 [RFC5869] | HMAC-SHA512 [RFC2104] | Argon2id [RFC9106] |
| `P384-SHA256` | P-384 | SHA256 [RFC6234] | HKDF-SHA256 [RFC5869] | HMAC-SHA256 [RFC2104] | Argon2id [RFC9106] |
| `P384-SHA512` | P-384 | SHA512 [RFC6234] | HKDF-SHA512 [RFC5869] | HMAC-SHA512 [RFC2104] | Argon2id [RFC9106] |
| `P521-SHA512` | P-521 | SHA512 [RFC6234] | HKDF-SHA512 [RFC5869] | HMAC-SHA512 [RFC2104] | Argon2id [RFC9106] |
| `Edwards25519-SHA256` | Edwards25519 | SHA256 [RFC6234] | HKDF-SHA256 [RFC5869] | HMAC-SHA256 [RFC2104] | Argon2id [RFC9106] |
| `Edwards448-SHA512` | Edwards448 | SHA512 [RFC6234] | HKDF-SHA512 [RFC5869] | HMAC-SHA512 [RFC2104] | Argon2id [RFC9106] |
References:

- [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)", RFC 6234, DOI 10.17487/RFC6234, May 2011, https://www.rfc-editor.org/info/rfc6234
- [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)", RFC 5869, DOI 10.17487/RFC5869, May 2010, https://www.rfc-editor.org/info/rfc5869
- [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, DOI 10.17487/RFC2104, February 1997, https://www.rfc-editor.org/info/rfc2104
- [RFC9106] Biryukov, A., Dinu, D., Khovratovich, D., and S. Josefsson, "Argon2 Memory-Hard Function for Password Hashing and Proof-of-Work Applications", RFC 9106, DOI 10.17487/RFC9106, September 2021, https://www.rfc-editor.org/info/rfc9106
Values of M and N:

- `P-256`
  - M = 02886e2f97ace46e55ba9dd7242579f2993b64e16ef3dcab95afd497333d8fa12f (seed: 1.2.840.10045.3.1.7 point generation seed (M))
  - N = 03d8bbd6c639c62937b04d997f38c3770719c629d7014d49a24b4f98baa1292b49 (seed: 1.2.840.10045.3.1.7 point generation seed (N))
- `P-384`
  - M = 030ff0895ae5ebf6187080a82d82b42e2765e3b2f8749c7e05eba366434b363d3dc36f15314739074d2eb8613fceec2853 (seed: 1.3.132.0.34 point generation seed (M))
  - N = 02c72cf2e390853a1c1c4ad816a62fd15824f56078918f43f922ca21518f9c543bb252c5490214cf9aa3f0baab4b665c10 (seed: 1.3.132.0.34 point generation seed (N))
- `P-521`
  - M = 02003f06f38131b2ba2600791e82488e8d20ab889af753a41806c5db18d37d85608cfae06b82e4a72cd744c719193562a653ea1f119eef9356907edc9b56979962d7aa (seed: 1.3.132.0.35 point generation seed (M))
  - N = 0200c7924b9ec017f3094562894336a53c50167ba8c5963876880542bc669e494b2532d76c5b53dfb349fdf69154b9e0048c58a42e8ed04cef052a3bc349d95575cd25 (seed: 1.3.132.0.35 point generation seed (N))
- `Edwards25519`
  - M = d048032c6ea0b6d697ddc2e86bda85a33adac920f1bf18e1b0c6d166a5cecdaf (seed: edwards25519 point generation seed (M))
  - N = d3bfb518f44f3430f29d0c92af503865a1ed3281dc69b35dd868ba85f886c4ab (seed: edwards25519 point generation seed (N))
- `Edwards448`
  - M = b6221038a775ecd007a4e4dde39fd76ae91d3cf0cc92be8f0c2fa6d6b66f9a12942f5a92646109152292464f3e63d354701c7848d9fc3b8880 (seed: edwards448 point generation seed (M))
  - N = 6034c65b66e4cd7a49b0edec3e3c9ccc4588afd8cf324e29f0a84a072531c4dbf97ff9af195ed714a689251f08f8e06e2d1f24a0ffc0146600 (seed: edwards448 point generation seed (N))
## License

This project is licensed under the MIT License. See the [LICENSE](LICENSE) file for details.

## Logo

The logo used by this project was generated automatically with **ChatGPT**. The process combined AI-assisted creative design to produce a visual representation of the project.