Hi Paul, I think NSS has all you need here. Including TLS 1.3 should you prefer that. Unfortunately, we can't say that we have a PAKE, so I appreciate that you aren't able to just drop that in. In the meantime,

On Fri, Dec 7, 2018 at 9:18 AM Paul Smith <p...@mad-scientist.net> wrote:

> I have a session key from SRP. I need the following:
> * SHA256 (?) to convert the session key into a 256bit key for AES

For key derivation, you probably want HKDF with SHA-256 rather than a straight hash function. I have an example of this that you can look at: https://searchfox.org/nss/source/lib/ssl/tls13hkdf.c - that's ALL the code for TLS 1.3, but a good basis for a design.

> * AES256, preferably in CTR mode but I can handle that myself easily
> if I have access to the block cipher.

I think that what you want is AES-GCM rather than one of the modes closer to the block function. Do you have a constraint that prevents records from being expanded? There are examples of how to use that in the TLS 1.3 code: https://searchfox.org/nss/rev/3b6a2dd92c56b13f15ad3d0bf2a0e451b898612f/lib/ssl/tls13con.c#3571

> * Strong RNG for generating a CTR nonce. I can use my own RNG if it's
> easier.

Random nonces are probably not as good as a deterministic nonce (like a counter). But if you need one, then PK11_GenerateRandom() works very well. Use the above site to look for examples.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
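The two recommendations in the reply above (HKDF-SHA256 instead of a bare hash for turning the SRP session key into AEAD keys, and a deterministic counter nonce instead of a random one) as an added, stand-alone illustration; this is not NSS code and not from the thread. It uses only the Python standard library, implements RFC 5869 HKDF directly, and the label strings, the salt argument and the TLS-1.3-style IV-XOR-counter nonce layout are assumptions chosen for the example.

```python
import hmac
import hashlib

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-SHA256(salt, IKM); empty salt -> zero block."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated and truncated."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand output length exceeds 255 * HashLen")
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), HASH).digest()
        okm += t
        i += 1
    return okm[:length]


def derive_aead_material(srp_session_key: bytes, salt: bytes):
    """Derive a 256-bit AES-GCM key and a 96-bit static IV from the SRP session key.
    Distinct 'info' labels (assumed names) keep key and IV cryptographically separate."""
    prk = hkdf_extract(salt, srp_session_key)
    key = hkdf_expand(prk, b"example-app aes256gcm key", 32)
    iv = hkdf_expand(prk, b"example-app aes256gcm iv", 12)
    return key, iv


class RecordNonce:
    """Deterministic per-record GCM nonce: static IV XOR 64-bit record counter
    (the construction TLS 1.3 uses). Refuses to wrap, so a nonce never repeats under one key."""

    def __init__(self, iv: bytes):
        if len(iv) != 12:
            raise ValueError("GCM nonce must be 96 bits")
        self.iv, self.seq = iv, 0

    def next_nonce(self) -> bytes:
        if self.seq >= 2**64 - 1:
            raise RuntimeError("record counter exhausted; rekey before continuing")
        padded = self.seq.to_bytes(12, "big")  # counter right-aligned, zero-padded
        self.seq += 1
        return bytes(a ^ b for a, b in zip(self.iv, padded))
```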