Module sas

SPAKE2 PAKE + Short Authentication String (SAS).

Pairing flow (the magic-wormhole pattern, applied to agent identity):

  1. Operator A runs wire init paul. We generate a low-entropy code phrase like 73-2QXC4P (~36 bits) and print it.
  2. Operator A says the code aloud to Operator B.
  3. Operator B runs wire join 73-2QXC4P.
  4. Both sides run SPAKE2 with the code phrase as the shared password. SPAKE2 elevates the low-entropy code into a high-entropy shared key without leaking anything brute-force-able to a passive eavesdropper OR to the relay we route messages through.
  5. Both sides derive a 6-digit SAS from the SPAKE2 transcript. Each operator’s terminal shows the same digits (“384-217”) iff they truly negotiated with each other. They read the digits aloud and both type y to confirm.
  6. After confirm: bootstrap payload (signed agent-card + relay slot coords) is exchanged authenticated-encrypted via ChaCha20-Poly1305 under a key HKDF-derived from the SPAKE2 secret.

SAS confirmation is the trust-establishment moment. An MITM that sat between A and B during SPAKE2 would derive a different shared key from each side, so the SAS digits would not match. That’s why this is safe even though the code phrase has only ~36 bits — brute-forcing requires interactive presence in the handshake, which the SAS catches.
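Why the digits diverge under a man-in-the-middle, as an added Python sketch that is not this crate's code. Assumptions: the hash layout, the `example-sas-v1` label, the HKDF info string and the function names are illustrative, and the keys are constructed stand-ins for SPAKE2 outputs.

```python
import hashlib
import hmac

def hkdf_sha256(secret: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand to `length` bytes."""
    prk = hmac.new(salt or b"\x00" * 32, secret, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def compute_sas(shared_key: bytes, pub_a: bytes, pub_b: bytes) -> str:
    """6-digit SAS over the shared key and the sorted pair of public keys."""
    first, second = sorted((pub_a, pub_b))  # canonical order makes it symmetric
    h = hashlib.sha256(b"example-sas-v1")   # assumed domain-separation label
    for part in (shared_key, first, second):
        h.update(len(part).to_bytes(2, "big") + part)  # length-prefix each field
    n = int.from_bytes(h.digest()[:8], "big") % 1_000_000
    return f"{n // 1000:03d}-{n % 1000:03d}"

def simulate(mitm: bool):
    """Return the SAS strings that operator A and operator B would each see."""
    # Constructed stand-ins for SPAKE2 outputs; no real handshake is run here.
    pub_a, pub_b, pub_m = b"\xa1" * 32, b"\xb2" * 32, b"\xc3" * 32
    if not mitm:
        key = hashlib.sha256(b"constructed key A<->B").digest()
        return compute_sas(key, pub_a, pub_b), compute_sas(key, pub_b, pub_a)
    # With a party in the middle, each operator ends up keyed with that party instead.
    key_a = hashlib.sha256(b"constructed key A<->M").digest()
    key_b = hashlib.sha256(b"constructed key M<->B").digest()
    return compute_sas(key_a, pub_a, pub_m), compute_sas(key_b, pub_m, pub_b)

if __name__ == "__main__":
    print("direct :", simulate(mitm=False))  # both operators see the same digits
    print("relayed:", simulate(mitm=True))   # digits differ, so the operators abort
    aead_key = hkdf_sha256(b"constructed SPAKE2 secret", b"example bootstrap aead")
    print("AEAD key length:", len(aead_key))
```

Length-prefixing each field keeps the hash input unambiguous, so two different (key, public key) splits can never serialize to the same bytes.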

v0.1 ships the offline crypto in this module + a self-test suite. Wiring it through the relay (wire init opens a pair-slot, wire join talks SPAKE2 across it) lands in iter 9.

Structs

PakeSide
One side of a SPAKE2 handshake. Created with the shared code phrase + a pairing identity (e.g. relay pair-slot id) so distinct pairings can’t be confused.

Functions

compute_sas_pake
6-digit SAS over the SPAKE2 shared key + the canonical (sorted) pair of public keys. Symmetric: either side computes the same digits.
derive_aead_key
HKDF-SHA256 derive a 32-byte ChaCha20-Poly1305 key from the SPAKE2 secret.
generate_code_phrase
Generate a fresh code phrase like 73-2QXC4P (~36 bits entropy).
open_bootstrap
Decrypt a bootstrap payload produced by seal_bootstrap.
parse_code_phrase
Validate a code phrase has the expected shape.
seal_bootstrap
Encrypt the bootstrap payload (signed agent-card + slot coords) under the AEAD key. Returns nonce || ciphertext — caller transmits the whole blob and recipient splits at byte 12.