{"library":"spake2","title":"SPAKE2 Password-Authenticated Key Exchange","type":"library","description":"The `spake2` library is a pure-Python implementation of the SPAKE2 password-authenticated key exchange (PAKE) algorithm. It enables two parties sharing a weak password to securely derive a strong shared secret over an insecure channel, preventing passive eavesdropping and limiting active attackers to a single password guess per protocol execution. The current stable version is 0.9, released in September 2024, with an infrequent release cadence.","language":"python","status":"active","last_verified":"Thu Apr 16","install":{"commands":["pip install spake2"],"cli":null},"imports":["from spake2 import SPAKE2_A","from spake2 import SPAKE2_B","from spake2 import SPAKE2_Symmetric","from spake2.parameters.all import ParamsEd25519"],"auth":{"required":false,"env_vars":[]},"links":{"homepage":null,"github":"https://github.com/warner/python-spake2","docs":null,"changelog":null,"pypi":"https://pypi.org/project/spake2/","npm":null,"openapi_spec":null,"status_page":null,"smithery":null},"quickstart":{"code":"import os\nfrom spake2 import SPAKE2_A, SPAKE2_B\nfrom spake2.parameters.all import ParamsEd25519 # Or other parameter sets like Params3072\n\ndef run_spake2_exchange(password: bytes, idA: bytes, idB: bytes):\n    # Alice (Side A)\n    alice = SPAKE2_A(password, idA=idA, idB=idB, params=ParamsEd25519)\n    alice_msg = alice.start()\n\n    # Bob (Side B)\n    bob = SPAKE2_B(password, idA=idA, idB=idB, params=ParamsEd25519)\n    bob_msg = bob.start()\n\n    # Exchange messages\n    # In a real application, alice_msg would be sent to Bob, and bob_msg to Alice.\n    # For this example, we directly pass them.\n\n    # Alice processes Bob's message\n    alice_key = alice.finish(bob_msg)\n\n    # Bob processes Alice's message\n    bob_key = bob.finish(alice_msg)\n\n    print(f\"Alice's derived key: {alice_key.hex()}\")\n    print(f\"Bob's derived key:   {bob_key.hex()}\")\n\n    if alice_key == bob_key:\n        print(\"\\nShared secret derived successfully!\")\n        return alice_key\n    else:\n        print(\"\\nFailed to derive shared secret. Keys do not match.\")\n        return None\n\nif __name__ == \"__main__\":\n    # Example usage\n    shared_password = os.environ.get('SPAKE2_PASSWORD', 'test-password').encode('utf-8')\n    alice_id = b\"Alice\"\n    bob_id = b\"BobServer\"\n\n    print(f\"Using password: {shared_password.decode('utf-8')}\")\n    print(f\"Alice ID: {alice_id.decode('utf-8')}, Bob ID: {bob_id.decode('utf-8')}\")\n\n    derived_key = run_spake2_exchange(shared_password, alice_id, bob_id)\n    if derived_key:\n        # The derived key can then be used for symmetric encryption, HMAC, or fed into HKDF.\n        print(f\"Using derived key for subsequent secure communication.\")\n","lang":"python","description":"This quickstart demonstrates a basic SPAKE2 key exchange between two parties, Alice (role A) and Bob (role B), who share a weak password. Both parties initialize their respective SPAKE2 instances with the shared password and unique identity strings. They then exchange initial messages, process the received message, and derive a strong, shared secret key. The `idA` and `idB` strings are crucial for binding the key to specific parties and preventing replay/substitution attacks. The example uses `ParamsEd25519` for elliptic curve security.","tag":null,"tag_description":null,"last_tested":null,"results":[]},"compatibility":null}