[Help-gnutls] Dynamically building the PSK keys

David Marín Carreño davefx at gmail.com
Wed Jul 15 09:24:32 CEST 2009


I think you are keeping the same confusion in data formats.
A string with characters "ABCD" is saved in memory as characters 'A' (ascii
0x41), 'B' (ascii 0x42), 'C' (ascii 0x43) and 'D' (ascii 0x44) in 4 bytes,
not as 2 bytes 0xAB and 0xCD.

Greetings
--
David Marín Carreño

2009/7/14 Ram G <mydevforums at gmail.com>

>
> I tried out a couple of more ideas but no luck.
>
> Setting the key on the server side as follows works:
>
> key->data = gnutls_malloc (4);
> key->data = "\xDE\xAD\xBE\xEF";
> key->size = 4;
>
> I also tried as follows:
>
> char * somekey = "DEADBEEF"; // DEADBEEF is hardcoded for test but will be dynamically generated
> int i,temp;
>
> for (i = 0; somekey[i]; i += 2) {
>  sscanf(&somekey[i], "%02x", &temp);
>  key->data[i / 2] = temp;
> }
> This does not work either. I'm scratching my head how to take a string like
> "DEADBEEF" and convert it to "\xDE\xAD\xBE\xEF" and assign it to key->data.
>
> If PSK key value on the client side is given as
> const gnutls_datum_t key = { (char*) "DEADBEEF", 8 };
> why doesn't it work if I assign it the same way on the server side? Why
> does it expect it as hexadecimal values ?
>
> Any ideas highly appreciated.
>
> -Ramg
>
>
> On Mon, Jul 13, 2009 at 4:36 PM, Ram G <mydevforums at gmail.com> wrote:
>
>> Hi Nikos,
>>
>> Thanks for your response.
>>
>> I tried your suggestion and that does not work either. However the sample
>> program works fine when assigning two hexadecimal characters each to the 4
>> bytes.
>>
>> It is a weird requirement but we cannot use certificates or previously
>> known keys for the PSK authentication. Instead what I'm doing is establish
>> an anonymous DH handshake between the client and the server. Now both the
>> client and the server know the master secret. I would like to use this
>> master secret as pre-shared keys between the client and the server.
>>
>> Can you please let me know if this can weaken the cryptosystem ? I'll try
>> out any alternate suggestion you might have.
>>
>> Thanks and Regards
>>
>> Ramg
>>
>>   On Mon, Jul 13, 2009 at 4:10 PM, Nikos Mavrogiannopoulos <
>> nmav at gnutls.org> wrote:
>>
>>> Ram G wrote:
>>> > Hi,
>>> >
>>> > I'm working on the sample programs provided in the source examples folder
>>> > and I would like some help from you. I'm trying to do a DH key exchange with
>>> > PSK authentication.
>>> >
>>> > The client sample (ex-client-psk.c) assigns the pre shared key as follows:
>>> >
>>> > const gnutls_datum_t key = { (char*) "DEADBEEF", 8 };
>>> >
>>> > The server sample (ex-serv-psk.c) does the key assignment in the callback
>>> > function pskfunc as follows:
>>> >
>>> >   key->data = gnutls_malloc (4);
>>> >   key->data[0] = 0xDE;
>>> >   key->data[1] = 0xAD;
>>> >   key->data[2] = 0xBE;
>>> >   key->data[3] = 0xEF;
>>> >   key->size = 4;
>>>
>>> It is not the same as above. Above you use 8 bytes and here 4. Use
>>> instead:
>>>   key->data[0] = 'D';
>>>   key->data[1] = 'E';
>>>   key->data[2] = 'A';
>>>   key->data[3] = 'D';
>>>   key->data[4] = 'B';
>>>   key->data[5] = 'E';
>>>   key->data[6] = 'E';
>>>   key->data[7] = 'F';
>>>   key->size = 8;
>>>
>>> > I would like to assign the pre-shared key dynamically. If I assign the PSK
>>> > in the server as follows, it does not work. I get the error "Decryption has
>>> > failed".
>>>
>>> Actually how the keys are going to be generated? You have to think about
>>> that seriously and make sure that the key generation is not weakening
>>> the cryptosystem. To be on the safe side, and especially if you are not
>>> experienced in the field use the tools provided by gnutls for the key
>>> generation.
>>>
>>>
>>> regards,
>>> Nikos
>>>
>>>
>>
>
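The distinction described in the reply at the top of this message (the 8 ASCII characters of "DEADBEEF" versus the 4 bytes 0xDE 0xAD 0xBE 0xEF), as an added example that is not part of the original thread. `psk_datum`, `hex_to_bytes` and `same_key` are hypothetical names; `psk_datum` is a stand-in for `gnutls_datum_t` so the code builds without GnuTLS.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for gnutls_datum_t (data pointer plus size). */
typedef struct { unsigned char *data; unsigned int size; } psk_datum;

static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1; /* not a hex digit */
}

/* Decode a hex string ("DEADBEEF") into raw bytes (0xDE 0xAD 0xBE 0xEF).
 * Returns 0 on success, -1 on bad input; the caller frees out->data. */
int hex_to_bytes(const char *hex, psk_datum *out)
{
    size_t len = strlen(hex);
    if (len == 0 || len % 2 != 0) return -1;   /* need whole bytes */
    unsigned char *buf = malloc(len / 2);
    if (buf == NULL) return -1;
    for (size_t i = 0; i < len; i += 2) {
        int hi = hex_val(hex[i]), lo = hex_val(hex[i + 1]);
        if (hi < 0 || lo < 0) { free(buf); return -1; }
        buf[i / 2] = (unsigned char)((hi << 4) | lo);
    }
    out->data = buf;
    out->size = (unsigned int)(len / 2);
    return 0;
}

/* 1 when both sides hold byte-identical key material, else 0 (demo check). */
int same_key(const psk_datum *a, const psk_datum *b)
{
    return a->size == b->size && memcmp(a->data, b->data, a->size) == 0;
}

int main(void)
{
    psk_datum ascii = { (unsigned char *)"DEADBEEF", 8 }; /* 0x44 0x45 0x41 ... */
    psk_datum raw;
    if (hex_to_bytes("DEADBEEF", &raw) != 0) return 1;
    printf("ascii=%u bytes, raw=%u bytes, same=%d\n", ascii.size, raw.size, same_key(&ascii, &raw));
    free(raw.data);
    return 0;
}
```

Both peers have to end up with the same bytes and the same size, whichever of the two representations is chosen.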