Next: Authentication and credentials, Previous: Authentication using SRP, Up: Authentication methods
Authentication using Pre-shared keys is a method to authenticate using usernames and binary keys. This protocol avoids making use of public key infrastructure and expensive calculations, thus it is suitable for constraint clients.
The implementation in GnuTLS is based on paper [TLSPSK] (see Bibliography). The supported PSK key exchange methods are:
PSK:DHE-PSK:Clients supporting PSK should supply the username and key before the connection to the client credentials by calling the function gnutls_psk_set_client_credentials. Alternatively they could specify a callback function by using the function gnutls_psk_set_client_credentials_function. This has the advantage that the callback will be called only if PSK has been negotiated.
In server side the default behaviour of GnuTLS is to read the usernames and PSK keys from a password file. The password file should contain usernames and keys in hexadecimal format. The name of the password file can be stored to the credentials structure by calling gnutls_psk_set_server_credentials_file. If a different password file format is to be used, then the function gnutls_psk_set_server_credentials_function, should be used instead.
The server can help the client chose a suitable username and password, by sending a hint. In the server, specify the hint by calling gnutls_psk_set_server_credentials_hint. The client can retrieve the hint, for example in the callback function, using gnutls_psk_client_get_hint.
There is no standard mechanism to derive a PSK key from a password specified by the TLS PSK document. However, GnuTLS provides gnutls_psk_netconf_derive_key which follows the algorithm specified in draft-ietf-netconf-tls-02.txt.
Some helper functions such as:
are included in GnuTLS, and may be used to generate and maintain PSK keys.