[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Encrypting to a public key?
From: |
Schanzenbach, Martin |
Subject: |
Re: Encrypting to a public key? |
Date: |
Tue, 7 Jul 2020 22:07:38 +0200 |
> On 7. Jul 2020, at 21:58, Cy <fromgnunet@cy1.allowed.org> wrote:
>
> On Tue, 7 Jul 2020 09:16:00 +0200
> "Schanzenbach, Martin" <mschanzenbach@posteo.de> wrote:
>
>> P_bob does not have to be ephemeral.
>
> My understanding was that P_bob had to be ephemeral. So, that makes ECDH a
> lot more
> appealing. If P_bob is static, Bob can publish it, perhaps as a CHK. Then
> many people can
> get it, and immediately start a conversation, without having to wait for him
> to publish
> anything else.
>
>>> 2. Wait for Bob to send it to you and do nothing.
>>
>> This transfer of public key of the destination identity will always have to
>> happen.
>
> The time it takes to get Bob's key is definitely not a concern. I was
> concerned with the
> time it takes to wait for Bob to generate his (ephemeral) key. If that isn't
> necessary, then that's great! So to use Alice instead of me, after Alice has
> Bob's key,
> she has to send Bob something once, and she does not have to wait for a
> reply. Bob might
> still have to wait, if he doesn't yet have Alice's key, but he won't have to
> wait for
> Alice to generate it either. Is that right?
>
> d_N = private ECDSA key
> P_N = public ECDSA key
>
> Alice:
> 1. ECDH(d_alice, P_bob) => shared secret
> 2. HKDF(shared secret) => ???
> 3. Send P_alice to Bob or maybe its CHK, as a request to talk
> 4. Send ENC(shared secret, message) to Bob
> 5. Go to step 4.
Yes, except that you can just send the (ephemeral) P_alice along with
ENC(shared secret, message).
ECDHE keys in GNUnet are just 256 bit (I think).
That would allow you to change P_alice periodically (or even every time you
send a message).
Note that this eventually leads to a axolotl-style ratchet:
https://en.wikipedia.org/wiki/Double_Ratchet_Algorithm
We use that for CADET.
>
> And Bob:
> 1. Receive request to talk and get P_alice's key, or its CHK then download
> P_alice
> 2. ECDH(d_bob, P_alice) => same shared secret as Alice
> 3. HKDF(shared secret) => ???
> 4. Send ENC(shared secret, message) to Alice
> 5. go to step 4
>
> I'm not entirely sure the purpose of HKDF here.
The result of the ECDH is already a shared secret. In GNUnet, it is a 512-bit
hash.
This could be used as an 512-bit AES key.
But, usually you use that to derive a key by adding a salt, like
"my-application-salt".
> Some sort of anti-flooding measure? Also
> didn't you say ECDSA keys were only to be used for signing? Because I don't
> see this as
> having much to do with signing.
Ok, signing and ECDH ;)
>
>> But they do not have to be. In TLS this is true because ephemeral keys
>> for both parties are a better idea.
>
> A better idea for certificate authorities at least. -_-
>
signature.asc
Description: Message signed with OpenPGP