
Ephemeral ECDH (ECDHE) using OpenSSL EVP

So, I'm trying to perform a key exchange using the OpenSSL EVP methods for elliptic curve DH to derive a shared secret. This is necessary to provide strong security using AES in GCM mode for a custom protocol.

Problem is, I can only seem to find information and examples about exchange of static keys (ECDH) (see here).

To make my key exchange "ephemeral", do I do the following?

  1. Generate a new "ephemeral" public and private key on the server (pub_s_e, priv_s_e) and on the client (pub_c_e, priv_c_e) using EVP_PKEY_keygen
  2. Sign the new ephemeral public keys with the master private key on both the client and server (sign pub_s_e with priv_s on the server, pub_c_e with priv_c on the client) using EVP_DigestSign functions.
  3. Exchange the signed ephemeral public keys between client and server (can be in cleartext).
  4. Authenticate the server's ephemeral public key against the known master public key for the server, authenticate the client's ephemeral public key against the known master public key for the client using EVP_DigestVerify functions.
  5. Perform ECDH to derive a shared secret, hash it (to remove the weak bits) and use a key derivation function like EVP_BytesToKey to get an encryption key and initialization vector (IV) for AES.
  6. Encrypt as usual using the derived key and IV.

This would seem to provide perfect forward secrecy since a compromise of the master keys would allow signing of future keys but not allow retrieval of past ephemeral keys.

Am I missing anything?

Alright, I ended up solving this. Ephemeral ECDH simply requires the generation of ephemeral keypairs on both the server and client (using EVP_PKEY_keygen). Authenticating them is optional for ECDHE but the "signing" approach using the static key I suggested above is valid.

Sending the static public keys via cleartext should pose no problems so all the client needs to do is authenticate the server's certificate and verify the signature on the server's ephemeral public key.

I did some experiments with the OpenSSL EVP library for performing a simple ECDH key agreement in C. The readme has some info on how to compile. I added a few comments for myself to understand what was going on. Hope it helps. https://github.com/prithuadhikary/OPENSSL_EVP_ECDH_EXAMPLE
