W3C home > Mailing lists > Public > public-webcrypto@w3.org > January 2016

RE: ECDH and deriveKey

From: Jim Schaad <ietf@augustcellars.com>
Date: Thu, 28 Jan 2016 14:16:53 -0800
To: "'Mitar'" <mmitar@gmail.com>, <public-webcrypto@w3.org>
Message-ID: <062c01d15a19$97efea60$c7cfbf20$@augustcellars.com>


> -----Original Message-----
> From: Mitar [mailto:mmitar@gmail.com]
> Sent: Thursday, January 28, 2016 11:36 AM
> To: public-webcrypto@w3.org
> Subject: ECDH and deriveKey
> 
> Hi!
> 
> >From my reading of the spec, deriveKey uses directly output of the deriveBits.
> 
> > Let secret be the result of executing the derive bits operation specified by
> normalizedAlgorithm using key, algorithm and length.
> > Let result be the result of executing the import key operation specified by
> normalizedDerivedKeyAlgorithm using "raw" as format, secret as keyData,
> derivedKeyType as algorithm and using extractable and usages.
> 
> And deriveBits for ECDH seems to directly return the computed secret:
> 
> > Perform the ECDH primitive specified in X9.63 Section 5.4.1 with key as the EC
> private key d and the EC public key represented by the [[handle]] internal slot of
> publicKey as the EC public key Q.
> > Let secret be the result of applying the field element to octet string conversion
> defined in Section ? of X9.63 to the output of the ECDH primitive.
> 
> This is bad. This means that computed secret is used directly. This is not advised.
> There should be at least some hashing function on the computed secret to
> remove weak bits.

Derive bits needs to be able to return the secret directly, otherwise one could not implement a KDF function which is not supported by the base spec - for example using the AES-CMAC that you seem to be supporting.  If memory serves, there was discussion at one point of allowing a KDF function to be passed in.  But it was never specified.

Derive key has a KDF algorithm that is applied to the raw shared secret in order to a better secret to be use, and to import that secret and return a key object.

If you use derive bits you are expected to know to apply a KDF function to the returned values to get the type and count of bits that you are after.

As Ryan would say -- hence the word subtle in the interface name

Jim


> 
> 
> Mitar
> 
> --
> http://mitar.tnode.com/
> https://twitter.com/mitar_m
Received on Thursday, 28 January 2016 22:19:54 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:03:03 UTC