Is it possible to do a key agreement with ECDH ephemeral-ephemeral without requiring an initial handshake first?

Is it possible to have the key agreement in the same message as the encrypted data with ECDHE?

I know this is possible with ECDH ephemeral-static but that does not have perfect forward secrecy. And with ephemeral-static you need to have a secure way to store the static private key.

1 Answer

> Is it possible to do a key agreement with ECDH ephemeral-ephemeral without requiring an initial handshake first?

Yes, however this is vulnerable to man-in-the-middle (MITM) attacks.

> Is it possible to have the key agreement in the same message as the encrypted data with ECDHE?

For the receiver to use an ephemeral key, they would have to send it before you can use it for the exchange. Alternatively they could load a number of ephemeral keys onto a trusted third party server to be retrieved by senders later (this is kind of what is done by Signal). But usually you'd assume the sender just uses the recipient's static key so they know it is going to the right person. In this case, all the ephemeral randomness is provided by the sender, so you really have a KEM (key encapsulation mechanism) rather than a key exchange.

So essentially, if you're willing to forgo authentication and risk impersonation / man-in-the-middle attacks, you can achieve perfect forward secrecy with a KEM, and you can have the receiver regularly rotate the receiving key so they don't have to worry about secure long-term storage (a semi-static key).

meshcollider
  • Thanks. We are going to add ECDSA static-static to prevent MITM attacks and provide authentication. Our issue right now is on Android we don't have a secure way of securing ECDH private keys (if we go ephemeral-static). – ArcadeRenegade Jan 31 '22 at 05:19
  • Could you elaborate on storing ephemeral keys on a server? You mean storing the receiver's ephemeral ECDH public keys on the server, right? – ArcadeRenegade Jan 31 '22 at 05:21
  • Correct, then obviously the receiver would have to store the corresponding private keys themselves securely. How will you manage the static keys for the authentication part on Android then? – meshcollider Jan 31 '22 at 05:37
  • This will actually work really well for us then. Thank you. Android KeyMaster and KeyStore both support securely storing ECDSA keys but not ECDH. iOS Secure Enclave has supported ECDH for years so Android is really behind on this. – ArcadeRenegade Jan 31 '22 at 05:48
  • I suppose on Android we will have to keep the ECDH private key in memory, which is a big question mark on security. – ArcadeRenegade Jan 31 '22 at 05:50
  • Interesting, I wasn't aware that Android Keystore didn't support ECDH. Would this work? https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec#example:ecdh – meshcollider Jan 31 '22 at 07:01
  • That looks like it's using an EC keypair stored in KeyStore for ECDH. Perfect thanks! – ArcadeRenegade Jan 31 '22 at 07:50
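
The single-message scheme the answer describes, as an added example that is not part of the original thread: the receiver publishes a (rotating) prekey, and the sender's fresh ephemeral public key travels in the same message as the ciphertext. The curve (X25519), the SHA-256 key derivation, AES-256-GCM with a fixed nonce under a single-use key, and the names `Seal`, `Open` and `aeadFor` are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func aeadFor(secret, ephPub, rcptPub []byte) cipher.AEAD {
	// Assumption of this example: SHA-256 over secret || ephPub || rcptPub stands in for HKDF.
	key := sha256.Sum256(append(append(secret, ephPub...), rcptPub...))
	block, _ := aes.NewCipher(key[:]) // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block)   // key is single-use, so callers pass a fixed zero nonce
	return aead
}

// Seal is the sender: a fresh ephemeral key per message, sent as the prefix of that same message.
func Seal(rcptPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	secret, err := eph.ECDH(rcptPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes() // result: ephPub || ciphertext || tag
	return aeadFor(secret, ephPub, rcptPub.Bytes()).Seal(ephPub, make([]byte, 12), plaintext, nil), nil
}

// Open is the receiver: the message and the private half of the published prekey are all it needs.
func Open(rcptPriv *ecdh.PrivateKey, msg []byte) ([]byte, error) {
	if len(msg) < 32 {
		return nil, fmt.Errorf("message too short: %d bytes", len(msg))
	}
	ephPub, _ := ecdh.X25519().NewPublicKey(msg[:32]) // X25519 only checks the length here
	secret, err := rcptPriv.ECDH(ephPub)              // errors on low-order points
	if err != nil {
		return nil, err
	}
	return aeadFor(secret, msg[:32], rcptPriv.PublicKey().Bytes()).Open(nil, make([]byte, 12), msg[32:], nil)
}

func main() {
	prekey, _ := ecdh.X25519().GenerateKey(rand.Reader) // receiver publishes prekey.PublicKey()
	msg, _ := Seal(prekey.PublicKey(), []byte("hello"))
	fmt.Println(Open(prekey, msg))
}
```

The message is unauthenticated, which is the man-in-the-middle exposure the answer points out; a signature with the sender's static ECDSA key, as planned in the comments, would cover it. Once the receiver deletes a rotated prekey's private half, messages sealed to it can no longer be opened.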