Re: Using CONCAT and ECDH

On Wed, Oct 8, 2014 at 9:01 AM, Anders Rundgren <
anders.rundgren.net@gmail.com> wrote:

> On 2014-10-08 17:13, Mark Watson wrote:
>
>> Surely you should change this:
>>
>> crypto.subtle.deriveKey(__derive_alg, key_pair.privateKey, {name:
>> 'AES-CBC', length: 256}, false, ['encrypt']).then (function(aes_key)
>>
>> to this:
>>
>> crypto.subtle.deriveKey(__derive_alg, key_pair.privateKey, {name:
>> 'CONCAT'}, false, ['deriveKey']).then (function(concat_key)
>>
>> var concat_params = { name: 'CONCAT', hash: 'SHA-1', algorithmId: ...,
>> partyUInfo: ..., partyVInfo: ... };
>> crypto.subtle.deriveKey(concat_params, concat_key, {name: 'AES-CBC',
>> length: 256}, false, ['encrypt']).then (function(aes_key)
>>
>> ?
>>
>
> Whow!  This looks great albeit a bit puzzling for a java-guy :-)
>
> The first deriveKey only runs the ECDH primitive (generating Z) but marks
> the result as a CONCAT key?
>

Yes. deriveKey is equal to ( deriveBits + import ), so the ECDH deriveKey
above derives some bits using ECDH and imports those as a CONCAT key.

This is equivalent to doing the deriveBits and import separately yourself,
except that the key material is not exposed to JavaScript.

...Mark



>
> Future users of WebCrypto will surely look for answers at stacktrace.com
> because the specification is not very easy to interpret for programmers.
> A user's guide would be an excellent addition to this work.  There is one
> for XML Schema and it was my life-saver!
>
> thanx,
> Anders
>
>
>
>> ...Mark
>>
>> On Wed, Oct 8, 2014 at 7:45 AM, Richard Barnes <rlb@ipv.sx> wrote:
>>
>>     On Wed, Oct 8, 2014 at 10:36 AM, Ryan Sleevi <sleevi@google.com> wrote:
>>
>>
>>         On Oct 8, 2014 10:22 AM, "Anders Rundgren" <anders.rundgren.net@gmail.com> wrote:
>>          >
>>          > Dear List;
>>          > I'm not particularly up-to-speed on the WebCrypto API but I at
>> least got this working fairly quickly:
>>          >
>>          > // Generate ephemeral ECDH key-pair
>>          > var gen_alg = {name: 'ECDH', namedCurve:
>> selected_card.bank_encryption_key.crv};
>>          > crypto.subtle.generateKey(gen_alg, false, ['deriveKey']).then
>> (function(key_pair) {
>>          >
>>          > // Import static ECDH key
>>          > crypto.subtle.importKey('jwk', selected_card.bank_encryption_key,
>> {name: 'ECDH'}, false, ['deriveKey']).then (function(public_key) {
>>          >
>>          > // Derive key using ECDH
>>          > var derive_alg = {name: 'ECDH', public: public_key};
>>          > crypto.subtle.deriveKey(derive_alg, key_pair.privateKey,
>> {name: 'AES-CBC', length: 256}, false, ['encrypt']).then (function(aes_key)
>> {
>>          >
>>          > // Encrypt using derived key
>>          > var encryption_algorithm = { name: 'AES-CBC',  iv:
>> window.crypto.getRandomValues(new Uint8Array(16))};
>>          > crypto.subtle.encrypt(encryption_algorithm, aes_key,
>> signed_auth_data).then (function(encrypted_auth_data) {
>>          >
>>          > Naturally I wanted to use a KDF as well but then it got a bit
>> less obvious how to do.
>>          > There is no support for deriveKey and CONCAT?
>>          >
>>          > So the proper solution is to deriveBits() and then import()
>> the raw secret for usage with symmetric encryption algorithms?
>>          >
>>          > Pardon me if I'm totally off, WebCrypto is quite different to
>> JCA/JCE which is my primary tool...
>>          >
>>          > Cheers
>>          > Anders
>>          >
>>          >
>>
>>         "Derive bits" is the description of the internal algorithm used
>> to support both the deriveKey and deriveBits API surface.
>>
>>         So you can use deriveKey
>>
>>     However, Anders is correct that there's no support for Concat right
>> now (AFAIK).  You should be able to polyfill with digest, though, if you
>> really need it.  You'll just have to export the secret from ECDH (or just
>> use deriveBits).
>>
>>     --Richard
>>
>>
>>
>

Received on Wednesday, 8 October 2014 16:51:51 UTC