RE: Separate method for key agreement? from Vijay Bharadwaj on 2013-04-02 (public-webcrypto@w3.org from April 2013)

From: Vijay Bharadwaj <Vijay.Bharadwaj@microsoft.com>
Date: Tue, 2 Apr 2013 19:11:48 +0000
To: Ryan Sleevi <sleevi@google.com>
CC: Wan-Teh Chang <wtc@google.com>, Richard Barnes <rbarnes@bbn.com>, "public-webcrypto@w3.org Group" <public-webcrypto@w3.org>
Message-ID: <e4ca39bbdb8842b39bcd1cff48eab3b2@DFM-DB3MBX15-07.exchange.corp.microsoft.com>

Poorly phrased - late night.

It's not intrinsically harder to do in the JS language. It involves a bit more complicated usage in browser JS written to our API. That said, it's not a bad idea - as others have noted, many protocols use a single Z to derive multiple keys. So while it's nice to experiment with collapsing the two steps down to one, it does seem like we need the two (or more, as you note) to be separate at least in the low-level API.

From: Ryan Sleevi [mailto:sleevi@google.com]
Sent: Tuesday, April 2, 2013 11:07 AM
To: Vijay Bharadwaj
Cc: Wan-Teh Chang; Richard Barnes; public-webcrypto@w3.org Group
Subject: Re: Separate method for key agreement?

On Tue, Apr 2, 2013 at 1:57 AM, Vijay Bharadwaj <Vijay.Bharadwaj@microsoft.com<mailto:Vijay.Bharadwaj@microsoft.com>> wrote:
Windows CAPI is unique in its handling of DH. It is not a great example to emulate.

CNG is a better example. As I understand it, the proposal below combines the secret agreement and key derivation steps (which are distinct in CNG) into a single step. This seems like a good idea - CNG has to use a secret handle to allow the caller to link these two steps without exposing the raw secret, but this would be harder to do neatly in JS. Am I understanding the proposal correctly?

Vijay,

I'm not sure why you say this would be harder to do neatly in JS? The current proposal uses a secret handle to link the two steps as well.

However, it also extends to agreement schemes that support > 2 steps.

-----Original Message-----
From: Wan-Teh Chang [mailto:wtc@google.com<mailto:wtc@google.com>]
Sent: Monday, April 1, 2013 5:45 PM
To: Ryan Sleevi
Cc: Richard Barnes; public-webcrypto@w3.org<mailto:public-webcrypto@w3.org> Group
Subject: Re: Separate method for key agreement?

On Mon, Apr 1, 2013 at 12:25 PM, Ryan Sleevi <sleevi@google.com<mailto:sleevi@google.com>> wrote:
>
> I'm not sure I'd agree here. Do you also see separate functions for
> ECDH agreement?

No.  The function that Richard proposed can handle both DH and ECDH:

"""
KeyOperation agreeKey(Key privateKey,
                      Key publicKey,
                      AlgorithmIdentifier? derivedKeyType,
                      bool extractable = false,
                      KeyUsage[] keyUsages = []); """

Richard's proposal is consistent with Windows CNG:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa833130(v=vs.85).aspx

Note: Windows CAPI does Diffie-Hellman in a non-obvious manner (using CryptImportKey), so Widows CAPI is not worth being consistent with:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa381969(v=vs.85).aspx

Wan-Teh

Received on Tuesday, 2 April 2013 19:12:47 UTC