ECDH和ECDSA密钥之间有区别吗?
[英]Is there a difference between ECDH and ECDSA keys?
问题描述
I'm building a network application that uses BouncyCastle as a cryptography provider. 
我正在构建一个使用BouncyCastle作为加密提供程序的网络应用程序。 Let's say you have this to generate a keypair: 假设你有这个生成密钥对:
ECParameterSpec ecSpec = ECNamedCurveTable.getParameterSpec("prime192v1");
KeyPairGenerator g = KeyPairGenerator.getInstance("ECDSA", "BC");
g.initialize(ecSpec, new SecureRandom());
KeyPair pair = g.generateKeyPair();
I'm confused as to why you're getting an instance of an ECDSA KeyPairGenerator. 我很困惑为什么你得到一个ECDSA KeyPairGenerator的实例。 Why doesn't it just say EC ? 为什么不说EC呢? I know that there's an ECDH Key type that is shipped with BouncyCastle, but I thought that the two represented the same stuff about the points on the curve -- or am I completely wrong with the theory behind it? 我知道BouncyCastle附带了一个ECDH Key类型,但我认为这两个代表关于曲线上的点的相同内容 - 或者我对其背后的理论完全错误?
The reason that I ask is that right now my application uses ECDH fine to establish an AES secret key, but now I want to use the same EC key to sign each message using ECDSA. 我问的原因是,我现在的应用程序使用ECDH罚款来建立AES密钥,但现在我想使用相同的EC密钥使用ECDSA对每条消息进行签名。
1 个解决方案
解决方案1
25 已采纳 2011-02-11 15:13:00
ECDSA and ECDH are from distinct standards (ANSI X9.62 and X9.63, respectively), and used in distinct contexts. ECDSA和ECDH来自不同的标准(分别为ANSI X9.62和X9.63),并用于不同的上下文中。 X9.63 explicitly reuses elements from X9.62, including the standard representation of public keys (eg in X.509 certificates). X9.63显式地重用了X9.62中的元素,包括公钥的标准表示(例如在X.509证书中)。 Hence, ECDSA and ECDH key pairs are largely interchangeable. 因此,ECDSA和ECDH密钥对在很大程度上是可互换的。 Whether a given implementation will permit such exchange, however, is an open question. 然而,给定的实施是否允许这种交换是一个悬而未决的问题。 Historically, (EC)DSA and (EC)DH come from distinct worlds. 从历史上看,(EC)DSA和(EC)DH来自不同的世界。
Note, though, that usage contexts are quite distinct. 但请注意,使用上下文非常明显。 There is a bit more to cryptography than computations on elliptic curves; 密码学比椭圆曲线上的计算要多一些; the "key lifecycle" must be taken into account. 必须考虑“关键生命周期”。 In plain words, you do not want to manage key agreement keys and signature keys with the same procedures. 简单来说,您不希望使用相同的过程管理密钥协商密钥和签名密钥。 For instance, if you lose your key agreement key (your dog eats your smartcard -- do not laugh, it really happens), then you can no longer decrypt data which was encrypted relatively to that key (eg encrypted emails sent to you, and stored in encrypted format). 例如,如果您丢失了密钥协议密钥(您的狗吃掉了智能卡 - 不要笑,它确实发生了),那么您就不能再解密相对于该密钥加密的数据(例如发送给您的加密电子邮件,以及以加密格式存储)。 From a business point of view, the loss of a key can also be the loss of an employee (the employee was fired, and was struck by a bus, or retired, or whatever). 从商业角度来看,丢失钥匙也可能是员工的损失(员工被解雇,被公共汽车撞击,或退休,或其他任何事情)。 Hence, encryption keys (including key agreement keys) must often be escrowed (for instance, a copy of the private key is printed and stored in a safe). 因此,加密密钥(包括密钥协商密钥)必须经常被托管(例如,私钥的副本被打印并存储在保险箱中)。 On the other hand, loss of a signature key implies no data loss; 另一方面,丢失签名密钥意味着没有数据丢失; previously issued signatures can still be verified; 以前签发的签名仍可以验证; recovering from such a loss is as simple as creating a new key pair. 从这种损失中恢复就像创建新密钥对一样简单。 However, the existence of an escrow system tends to automatically strip signatures of any legal value that could be attached to them. 但是,托管系统的存在往往会自动剥离可能附加在其上的任何法律价值的签名。
Also, on a more general basis, I would strongly advise against using the same private key in two distinct algorithms: interactions between algorithms have not been fully explored (simply studying one algorithm is already hard work). 此外,在更一般的基础上,我强烈建议不要在两种不同的算法中使用相同的私钥:算法之间的交互尚未完全探索(简单地研究一种算法已经很难)。 For instance, what happens if someone begins to feed your ECDH-based protocol with curve points extracted from ECDSA signatures which you computed with the same private key ? 例如,如果某人开始使用从您使用相同私钥计算的ECDSA签名中提取的曲线点开始提供基于ECDH的协议,会发生什么?
So you really should not reuse the same key for ECDH and ECDSA. 所以你真的不应该为ECDH和ECDSA重复使用相同的密钥。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.