I heard about the problem of choosing between ECDH and RSA. But as far as I know, RSA can encrypt the key and sign it. So for ECDH to replace it, it has to do both. But which elliptic curve is used for that?
1 Answer
ECDH isn't directly used for signing and it's not needed either. You can use static ECDH key pairs to agree on a secret key on both sides and then use a symmetric algorithm such as HMAC to verify the resulting secret - or a derived key from that secret.
It is of course possible to sign using elliptic curves. For that ECDSA is commonly used. ECDSA can be used to sign the key material used in ephemeral-ephemeral ECDH where each key pair is regenerated for each key agreement.
As for the Elliptic Curves: there are many curves capable of performing ECDH or ECDSA. There isn't any specific curve that needs to be used. Choice of the curve is performed before the ECDH keys are used. In general the HMAC or other authentication code will also use the chosen domain parameters as input to the calculation of the HMAC authentication tag.
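The answer above describes two pieces that together replace what RSA does in one primitive: ephemeral-ephemeral ECDH for key agreement, an ECDSA signature over each side's ephemeral key for authentication, and an HMAC over the derived key (with the chosen domain parameters mixed in) as key confirmation. The following Go program is an added example written for this page; it is not code from the answerer or from any of the protocols mentioned in the comments. It assumes P-256 for both ECDSA and ECDH, assumes that each party already knows the other's long-term identity public key, uses a single SHA-256 step as a simplified stand-in for a real KDF such as HKDF, and uses the party names "alice" and "bob" purely as labels.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// The chosen domain parameters are bound into the signature, the key
// derivation and the confirmation tag, so both sides must agree on the curve.
const curveName = "P-256"

// Party holds a long-term ECDSA identity key used only for signing;
// ECDH keys are ephemeral and generated fresh for every handshake.
type Party struct {
	name     string
	identity *ecdsa.PrivateKey
}

// Offer is the handshake message: an ephemeral ECDH public key plus an
// ECDSA signature over (curve name, sender name, ephemeral key).
type Offer struct {
	Ephemeral []byte
	Sig       []byte
}

func NewParty(name string) *Party {
	id, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // rand.Reader failing is not recoverable here
	}
	return &Party{name: name, identity: id}
}

// signedData is the hash covered by the sender's ECDSA signature.
func signedData(sender string, eph []byte) []byte {
	sum := sha256.Sum256(append([]byte(curveName+"|"+sender+"|"), eph...))
	return sum[:]
}

// MakeOffer generates a fresh ECDH key pair and signs its public half.
func (p *Party) MakeOffer() (*ecdh.PrivateKey, *Offer) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pub := eph.PublicKey().Bytes()
	sig, err := ecdsa.SignASN1(rand.Reader, p.identity, signedData(p.name, pub))
	if err != nil {
		panic(err)
	}
	return eph, &Offer{Ephemeral: pub, Sig: sig}
}

// Agree verifies the peer's signed offer with the peer's known identity key
// and only then runs ECDH; a bad signature never reaches the curve arithmetic.
func Agree(myEph *ecdh.PrivateKey, peer string, peerID *ecdsa.PublicKey, o *Offer) ([]byte, error) {
	if !ecdsa.VerifyASN1(peerID, signedData(peer, o.Ephemeral), o.Sig) {
		return nil, errors.New("invalid signature on ephemeral ECDH key")
	}
	peerEph, err := ecdh.P256().NewPublicKey(o.Ephemeral)
	if err != nil {
		return nil, err
	}
	return myEph.ECDH(peerEph)
}

// ConfirmTag derives a MAC key from the raw ECDH secret (one SHA-256 step as a
// simplified stand-in for HKDF, an assumption of this example) and returns the
// HMAC key-confirmation tag; curve name and both ephemeral keys are context.
func ConfirmTag(secret, ephInit, ephResp []byte) []byte {
	kdf := sha256.New()
	for _, part := range [][]byte{[]byte(curveName), ephInit, ephResp, secret} {
		kdf.Write(part)
	}
	mac := hmac.New(sha256.New, kdf.Sum(nil))
	mac.Write([]byte(curveName))
	mac.Write(ephInit)
	mac.Write(ephResp)
	return mac.Sum(nil)
}

// RunHandshake runs one signed ephemeral-ephemeral ECDH between Alice (the
// initiator) and Bob. With tamper set, Bob's ephemeral key is altered in
// transit, so Alice must reject it. Returns true only when both sides
// compute the same confirmation tag.
func RunHandshake(tamper bool) (bool, error) {
	alice, bob := NewParty("alice"), NewParty("bob")
	aEph, aOffer := alice.MakeOffer()
	bEph, bOffer := bob.MakeOffer()
	if tamper {
		bOffer.Ephemeral[len(bOffer.Ephemeral)-1] ^= 0x01
	}
	// Each side knows the other's identity public key out of band.
	aSecret, err := Agree(aEph, "bob", &bob.identity.PublicKey, bOffer)
	if err != nil {
		return false, fmt.Errorf("alice rejects bob's offer: %w", err)
	}
	bSecret, err := Agree(bEph, "alice", &alice.identity.PublicKey, aOffer)
	if err != nil {
		return false, fmt.Errorf("bob rejects alice's offer: %w", err)
	}
	aTag := ConfirmTag(aSecret, aOffer.Ephemeral, bOffer.Ephemeral)
	bTag := ConfirmTag(bSecret, aOffer.Ephemeral, bOffer.Ephemeral)
	return hmac.Equal(aTag, bTag), nil // constant-time comparison
}
```

`RunHandshake(false)` returns `true` because both sides derive the same secret and therefore the same HMAC tag; `RunHandshake(true)` returns an error from Alice's side, since the ECDSA check on the modified ephemeral key fails before any ECDH is attempted. The signature is what makes the ephemeral keys trustworthy, and the HMAC is what lets each side confirm the peer actually holds the agreed key, which is the split of roles the answer describes.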
As example protocols for static DH for authentication plus ephemeral DH for encryption, you could look at the CurveCP and Noise protocols. – CodesInChaos Jul 05 '17 at 07:42