Ben Laurie blathering


Just for fun, I wrote a demo implementation of J-PAKE in C, using OpenSSL for the crypto, of course. I’ve pushed it into the OpenSSL CVS tree; you can find it in demos/jpake. For your convenience, there’s also a copy here.

I’ve tried to write the code so the data structures reflect the way a real implementation would work, so there’s a structure representing what each end of the connection knows (JPakeUser), one for the zero-knowledge proofs (JPakeZKP) and one for each step of the protocol (JPakeStep1 and JPakeStep2). Normally there should be a third step, where each end proves knowledge of the shared key (for example, by Alice sending Bob H(H(K)) and Bob sending Alice H(K)), since differing secrets do not break any of the earlier steps, but because both ends are in the same code I just compare the resulting keys.

The code also implements the protocol steps in a modular way, except that communications happen by magic. This will get cleaned up when I implement J-PAKE as a proper OpenSSL library component.

The cryptographic implementation differs from the Java demo (which I used for inspiration) in a few ways. I think only one of them really matters: the calculation of the hash for the Schnorr signature used in the zero-knowledge proofs – the Java implementation simply concatenates a byte representation of the various parameters. This is a security flaw, as it can be subjected to a “moving goalposts” attack. That is, the attacker could use parameters that gave the same byte representation, but with different boundaries between the parameters. I avoid this attack by including a length before each parameter. Note that I do not claim this attack is feasible, but why gamble? It worked on PGP, after all.

The code and data structures are completely different, though. Also, because of the cryptographic difference, the two implementations would not interoperate.
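The boundary ambiguity described above, and the length-prefix fix, as an added example that is not code from demos/jpake or from the Java demo. The 2-byte big-endian prefix width, the sample bytes and all function names are assumptions made for illustration; the hash itself is omitted, since identical hash input means an identical hash.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One hash-input parameter as a byte string. */
typedef struct { const uint8_t *data; size_t len; } Param;
typedef size_t (*Encoder)(const Param *, size_t, uint8_t *, size_t);

/* Plain concatenation: parameter boundaries are not part of the output. */
static size_t encode_concat(const Param *p, size_t n, uint8_t *out, size_t cap) {
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        if (p[i].len > cap - off) return 0;          /* buffer too small */
        memcpy(out + off, p[i].data, p[i].len);
        off += p[i].len;
    }
    return off;
}

/* Length-prefixed: a 2-byte big-endian length (assumed width) precedes each parameter. */
static size_t encode_prefixed(const Param *p, size_t n, uint8_t *out, size_t cap) {
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        if (p[i].len > 0xFFFF || cap - off < 2 || p[i].len > cap - off - 2) return 0;
        out[off++] = (uint8_t)(p[i].len >> 8);
        out[off++] = (uint8_t)(p[i].len & 0xFF);
        memcpy(out + off, p[i].data, p[i].len);
        off += p[i].len;
    }
    return off;
}

/* Returns 1 if both parameter lists yield byte-identical hash input under enc. */
static int same_hash_input(Encoder enc, const Param *a, size_t na, const Param *b, size_t nb) {
    uint8_t ba[256], bb[256];
    size_t la = enc(a, na, ba, sizeof ba), lb = enc(b, nb, bb, sizeof bb);
    return la != 0 && la == lb && memcmp(ba, bb, la) == 0;
}

/* Constructed sample: the same six bytes split at different parameter boundaries. */
static const uint8_t bytes[] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06};
static const Param split_a[] = {{bytes, 2}, {bytes + 2, 4}};
static const Param split_b[] = {{bytes, 4}, {bytes + 4, 2}};

int main(void) {
    printf("concat collides:   %d\n", same_hash_input(encode_concat, split_a, 2, split_b, 2));
    printf("prefixed collides: %d\n", same_hash_input(encode_prefixed, split_a, 2, split_b, 2));
    return 0;
}
```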


  1. This, of course, is more than I have done, but still, not a demo till it runs on two machines, with a toy browser and toy server. Not a demo till it can be seen.

    Comment by James A. Donald — 20 Oct 2008 @ 0:36

  2. […] I wrote last week that I had implemented a J-PAKE demo someone rather churlishly commented, “not a demo till it runs on two machines, with a toy […]

    Pingback by Links » J-PAKE Again — 27 Oct 2008 @ 15:15

  3. […] (2008-06-28): a crude J-PAKE demo source code (.java). Update (2008-11-04): a more refined J-PAKE in C and OpenSSL module by Ben […]

    Pingback by Light Blue Touchpaper » Blog Archive » J-PAKE: From Dining Cryptographers to Jugglers — 4 Nov 2008 @ 14:47
