- From: Jim Schaad <ietf@augustcellars.com>
- Date: Thu, 28 Jan 2016 14:16:53 -0800
- To: "'Mitar'" <mmitar@gmail.com>, <public-webcrypto@w3.org>
> -----Original Message-----
> From: Mitar [mailto:mmitar@gmail.com]
> Sent: Thursday, January 28, 2016 11:36 AM
> To: public-webcrypto@w3.org
> Subject: ECDH and deriveKey
>
> Hi!
>
> From my reading of the spec, deriveKey uses directly output of the deriveBits.
>
> > Let secret be the result of executing the derive bits operation specified by
> > normalizedAlgorithm using key, algorithm and length.
> > Let result be the result of executing the import key operation specified by
> > normalizedDerivedKeyAlgorithm using "raw" as format, secret as keyData,
> > derivedKeyType as algorithm and using extractable and usages.
>
> And deriveBits for ECDH seems to directly return the computed secret:
>
> > Perform the ECDH primitive specified in X9.63 Section 5.4.1 with key as the EC
> > private key d and the EC public key represented by the [[handle]] internal slot of
> > publicKey as the EC public key Q.
> > Let secret be the result of applying the field element to octet string conversion
> > defined in Section ? of X9.63 to the output of the ECDH primitive.
>
> This is bad. This means that computed secret is used directly. This is not advised.
> There should be at least some hashing function on the computed secret to
> remove weak bits.

Derive bits needs to be able to return the secret directly, otherwise one could not implement a KDF function which is not supported by the base spec - for example using the AES-CMAC that you seem to be supporting. If memory serves, there was discussion at one point of allowing a KDF function to be passed in. But it was never specified.

Derive key has a KDF algorithm that is applied to the raw shared secret in order to produce a better secret to be used, and to import that secret and return a key object. If you use derive bits you are expected to know to apply a KDF function to the returned values to get the type and count of bits that you are after.

As Ryan would say -- hence the word subtle in the interface name

Jim

>
> Mitar
>
> --
> http://mitar.tnode.com/
> https://twitter.com/mitar_m
Received on Thursday, 28 January 2016 22:19:54 UTC