Hi all.  Hopefully this is the right place.

I have a system (first created ~8 years ago) based on SRP and RC4 (I
know).  This system creates TCP connections rarely and uses them for a
very long time, and they cannot be dropped/reconnected without user-
visible disruption, so it's very different from a browser/web server
setup.

In the fullness of time I'd like to update the system to use full TLS
1.3 but what I need to do in the very immediate future (like, the next
month or so) is replace RC4 with something secure while keeping my
existing SRP key exchange.  I'm looking at AES256-CTR.

I have a session key from SRP.  I need the following:
 * SHA256 (?) to convert the session key into a 256-bit key for AES
 * AES256, preferably in CTR mode but I can handle that myself easily
   if I have access to the block cipher.
 * Strong RNG for generating a CTR nonce.  I can use my own RNG if it's
   easier.

I hoped to use NSS for this, especially because I'd like to be able to
use the same library to get TLS 1.3 in the future, but I must confess
to being utterly stymied by the lack of API descriptions.

Is there anywhere I can look to find documentation for, or examples of,
accessing the various ciphers and hash functions through the NSS API? 
Or, can someone jot down some quick pseudo-code to get me going in the
right direction?

Or, is NSS just not an appropriate solution for my situation?

Thanks!

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
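The three pieces the post lists (key derivation from the SRP session key, AES-256 in CTR mode with a random nonce, a strong RNG), put together as an added example that is not part of the original message and is not NSS code. It is plain Python using only the standard library, with a compact AES-256 block function, so that it runs without NSS installed and can be checked against the FIPS-197, SP 800-38A and RFC 5869 test vectors; in NSS the same steps map onto the PK11 layer (PK11_GenerateRandom for the nonce, PK11_ImportSymKey and PK11_CreateContextBySymKey/PK11_CipherOp with the CKM_AES_CTR mechanism for the cipher, PK11_HashBuf for SHA-256). The record layout, the HKDF labels, the 8-byte nonce with a 64-bit block counter and the CtrHmacChannel name are all assumptions made here, not anything the post or NSS defines. Two points worth adding for a long-lived connection: CTR on its own provides no integrity, so each record is authenticated with HMAC-SHA256 and the tag is checked before any decryption, and the keystream position has to be carried across records and the key rotated before the counter wraps.

```python
import hashlib, hmac, secrets

# --- AES-256 block encryption (FIPS-197). CTR mode only ever encrypts, so no inverse cipher is needed. ---
def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _build_sbox():
    # Walk the nonzero field elements as powers of 3 (p) alongside their inverses (q), then apply the affine map.
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF                 # p *= 3 in GF(2^8)
        q ^= (q << 1) & 0xFF; q ^= (q << 2) & 0xFF; q ^= (q << 4) & 0xFF       # q /= 3
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _build_sbox()

def _xtime(a):                                   # multiply by x in GF(2^8)
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def _expand_key(key):                            # Nk = 8 words, Nr = 14 rounds -> 15 round keys
    w = [list(key[i:i + 4]) for i in range(0, 32, 4)]
    rcon = 1
    for i in range(8, 60):
        t = list(w[i - 1])
        if i % 8 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord + SubWord
            t[0] ^= rcon
            rcon = (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)
        elif i % 8 == 4:
            t = [SBOX[b] for b in t]              # SubWord only (AES-256 specific)
        w.append([a ^ b for a, b in zip(w[i - 8], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(15)]

def aes256_encrypt_block(key, block):
    if len(key) != 32 or len(block) != 16:
        raise ValueError("AES-256 needs a 32-byte key and a 16-byte block")
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]                # state is column-major: index = 4*col + row
    for rnd in range(1, 15):
        s = [SBOX[b] for b in s]                                                 # SubBytes
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]       # ShiftRows
        if rnd != 14:                                                            # MixColumns
            out = []
            for c in range(4):
                a = s[4 * c:4 * c + 4]
                t = a[0] ^ a[1] ^ a[2] ^ a[3]
                out += [a[i] ^ t ^ _xtime(a[i] ^ a[(i + 1) % 4]) for i in range(4)]
            s = out
        s = [b ^ k for b, k in zip(s, rk[rnd])]                                  # AddRoundKey
    return bytes(s)

def aes256_ctr(key, counter_block, data):
    # NIST SP 800-38A CTR: the full 16-byte counter block is incremented mod 2^128 per keystream block.
    ctr, out = int.from_bytes(counter_block, "big"), bytearray()
    for i in range(0, len(data), 16):
        ks = aes256_encrypt_block(key, (ctr & ((1 << 128) - 1)).to_bytes(16, "big"))
        out += bytes(d ^ k for d, k in zip(data[i:i + 16], ks))
        ctr += 1
    return bytes(out)

def hkdf_sha256(ikm, salt, info, length):
    # RFC 5869: a proper KDF for the SRP session key, rather than a bare SHA-256 of it.
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        okm, i = okm + t, i + 1
    return okm[:length]

def new_nonce():
    return secrets.token_bytes(8)                # OS CSPRNG; 8-byte nonce || 64-bit block counter = 128-bit counter block

class CtrHmacChannel:
    """One direction of a long-lived link. Constructed record format (an assumption, not a standard):
    record = 8-byte starting block counter || AES-256-CTR ciphertext || HMAC-SHA256 tag.
    Keys per direction and purpose come from HKDF; the keystream position carries across records."""
    def __init__(self, srp_session_key, nonce, direction):
        km = hkdf_sha256(srp_session_key, nonce, b"aes256-ctr-hmac:" + direction, 64)
        self.enc_key, self.mac_key, self.nonce, self.block = km[:32], km[32:], nonce, 0

    def seal(self, plaintext):
        nblocks = (len(plaintext) + 15) // 16
        if self.block + nblocks >= 1 << 64:
            raise OverflowError("keystream exhausted: rekey before the counter wraps into the nonce")
        hdr = self.block.to_bytes(8, "big")
        ct = aes256_ctr(self.enc_key, self.nonce + hdr, plaintext)
        tag = hmac.new(self.mac_key, hdr + ct, hashlib.sha256).digest()     # encrypt-then-MAC
        self.block += nblocks
        return hdr + ct + tag

    def open(self, record):
        hdr, ct, tag = record[:8], record[8:-32], record[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.mac_key, hdr + ct, hashlib.sha256).digest()):
            raise ValueError("bad MAC: record rejected before any decryption")
        if int.from_bytes(hdr, "big") != self.block:
            raise ValueError("replayed, dropped or reordered record")
        self.block += (len(ct) + 15) // 16
        return aes256_ctr(self.enc_key, self.nonce + hdr, ct)
```

Usage: each side builds one CtrHmacChannel per direction from the shared SRP session key and the 8-byte nonce the sender generated with new_nonce() and sent in the clear at setup; the sender calls seal() and the receiver open(). Because the two directions get different HKDF labels they never share keystream, and because open() compares the record's counter with the expected position, a replayed or dropped record is rejected rather than silently decrypted with the wrong keystream.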
