Conscrypt KeyStore and ECDH


lolivier...@gmail.com

Aug 21, 2018, 9:25:17 AM8/21/18
to conscrypt
Is there a Conscrypt KeyStore where I could store some EC keys and perform an ECDH operation to compute a shared secret?

I'm developing on Android and I have specified Conscrypt as the security provider.
If I use the Android Keystore, it is not clear to me how it is interacting with Conscrypt. I know that my application can generate some asymmetric keys in the Android KeyStore. The application can then sign, encrypt or decrypt with those keys without knowing them (the private key is only known by the keystore). I'm wondering if it is possible to generate a shared secret with ECDH if the keys (a key pair + a public key) are in the Android KeyStore.

Thanks for your help

Kenny Root

Aug 21, 2018, 10:44:37 AM8/21/18
to lolivier...@gmail.com, cons...@googlegroups.com
As of today Android Keystore doesn't support KeyAgreement and, as you mentioned, the private part of the key is not exposed, so you can't use a key from Android Keystore to do KeyAgreement. You can see where the key type constraints are set in Conscrypt's provider. You could use key-wrapping to import the keys.

--
You received this message because you are subscribed to the Google Groups "conscrypt" group.
To unsubscribe from this group and stop receiving emails from it, send an email to conscrypt+...@googlegroups.com.
To post to this group, send email to cons...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/conscrypt/58004049-a8b9-4c5c-b921-5db8aeb4dd48%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


--

Kenny Root
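For readers who want to see what the ECDH path looks like when the private key *is* available to Conscrypt (a software key rather than an Android Keystore handle), here is an added example; it is editor-supplied code, not part of the thread and not Conscrypt's own test code. It assumes the `org.conscrypt:conscrypt-openjdk-uber` artifact is on the classpath, registers Conscrypt as the preferred provider, generates two P-256 key pairs, and checks that both sides derive the same secret. With a key obtained from `AndroidKeyStore`, the `KeyAgreement.init()` call is exactly the step that fails on the Android versions discussed in this thread, because the provider has no private scalar to work with.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;
import javax.crypto.KeyAgreement;
import org.conscrypt.Conscrypt;

public class ConscryptEcdhExample {

    // Raw ECDH output as computed by Conscrypt's KeyAgreement. "Conscrypt" is
    // the provider name returned by Conscrypt.newProvider().
    static byte[] sharedSecret(PrivateKey ours, PublicKey theirs)
            throws GeneralSecurityException {
        KeyAgreement ka = KeyAgreement.getInstance("ECDH", "Conscrypt");
        ka.init(ours);            // fails for a keystore-backed key that exposes no private scalar
        ka.doPhase(theirs, true); // single-phase ECDH: the peer's public point is the only input
        return ka.generateSecret();
    }

    // The raw x-coordinate is not uniformly random; always run it through a KDF
    // before using it as a symmetric key. A hash with a context label is the
    // simplest such step; HKDF would be the usual production choice.
    static byte[] deriveKey(byte[] secret, String context) throws GeneralSecurityException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(secret);
        md.update(context.getBytes(java.nio.charset.StandardCharsets.UTF_8));
        byte[] key = md.digest();
        Arrays.fill(secret, (byte) 0); // scrub the raw secret once it has been consumed
        return key;
    }

    public static void main(String[] args) throws Exception {
        Security.insertProviderAt(Conscrypt.newProvider(), 1);

        // Both key pairs are generated in software here; that is what makes the
        // private half usable by KeyAgreement.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", "Conscrypt");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair alice = kpg.generateKeyPair();
        KeyPair bob = kpg.generateKeyPair();

        byte[] aliceKey = deriveKey(sharedSecret(alice.getPrivate(), bob.getPublic()), "demo-v1");
        byte[] bobKey = deriveKey(sharedSecret(bob.getPrivate(), alice.getPublic()), "demo-v1");

        // Both sides must end up with the same derived key.
        System.out.println("Keys match: " + MessageDigest.isEqual(aliceKey, bobKey));
    }
}
```

Run it with the Conscrypt jar on the classpath; it prints `Keys match: true`. The important structural point for the thread's question is that `KeyAgreement.init()` needs a private key whose scalar the provider can read, which a hardware-backed keystore handle by design does not give up.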

lolivier...@gmail.com

Aug 22, 2018, 3:01:56 AM8/22/18
to conscrypt
Thanks Kenny.

There is something not clear to me about the "key wrapping". This "key wrapping" looks like an encryption of a key (encryption done with another key which is stored in the keystore). I can see that the Cipher Class (https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html#wrap(java.security.Key)) has some wrap() and unwrap() functions. Why don't we simply use the usual methods to encrypt and decrypt? Is it to make the wrapping more straightforward?

Thanks
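The thread does not answer the wrap-versus-encrypt question, so here is an added example (editor-supplied, not from the thread or from Conscrypt) that puts the two side by side with the standard JCE provider. It wraps an EC private key with an AES-GCM key-encryption key once via `Cipher.wrap()`/`Cipher.unwrap()` and once via `encrypt`/`decrypt` of `getEncoded()` plus `KeyFactory`, and shows that the ciphertext path is the same operation over the same bytes. The difference is the type the API hands back: `unwrap()` returns a `Key` object, which lets a provider (a hardware keystore, for instance) unwrap into an opaque key handle without ever exposing the plaintext key bytes to the application; `decrypt` can only ever return a byte array. The KEK and IV handling here are constructed for the demo.

```java
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class WrapVersusEncryptExample {

    static final int GCM_TAG_BITS = 128;
    static final int IV_BYTES = 12;
    static final SecureRandom RNG = new SecureRandom();

    // Path 1: Cipher.wrap() takes a Key, returns bytes. Output layout: iv || ciphertext.
    static byte[] wrapKey(SecretKey kek, Key toWrap) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv); // a fresh IV per wrap; GCM is broken by IV reuse under one KEK
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.WRAP_MODE, kek, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.wrap(toWrap);
        byte[] out = new byte[IV_BYTES + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_BYTES);
        System.arraycopy(ct, 0, out, IV_BYTES, ct.length);
        return out;
    }

    // Cipher.unwrap() returns a Key object of the requested algorithm and type,
    // so the caller never touches the raw PKCS#8 bytes.
    static PrivateKey unwrapPrivateKey(SecretKey kek, byte[] blob) throws GeneralSecurityException {
        byte[] iv = Arrays.copyOfRange(blob, 0, IV_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, IV_BYTES, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.UNWRAP_MODE, kek, new GCMParameterSpec(GCM_TAG_BITS, iv));
        return (PrivateKey) c.unwrap(ct, "EC", Cipher.PRIVATE_KEY);
    }

    // Path 2: the "usual" encrypt/decrypt. The application must serialise the key
    // itself, and after decryption it holds the plaintext key material.
    static byte[] encryptKeyBytes(SecretKey kek, Key toEncrypt) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, kek, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(toEncrypt.getEncoded()); // same bytes wrap() encrypts internally
        byte[] out = new byte[IV_BYTES + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_BYTES);
        System.arraycopy(ct, 0, out, IV_BYTES, ct.length);
        return out;
    }

    static PrivateKey decryptPrivateKey(SecretKey kek, byte[] blob) throws GeneralSecurityException {
        byte[] iv = Arrays.copyOfRange(blob, 0, IV_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, IV_BYTES, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, kek, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] pkcs8 = c.doFinal(ct); // plaintext private key now lives in application memory
        try {
            return KeyFactory.getInstance("EC").generatePrivate(new PKCS8EncodedKeySpec(pkcs8));
        } finally {
            Arrays.fill(pkcs8, (byte) 0);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo material: a software EC key to protect and a 256-bit AES KEK.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = kpg.generateKeyPair();
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey kek = kg.generateKey();

        PrivateKey viaWrap = unwrapPrivateKey(kek, wrapKey(kek, kp.getPrivate()));
        PrivateKey viaEncrypt = decryptPrivateKey(kek, encryptKeyBytes(kek, kp.getPrivate()));

        System.out.println("wrap/unwrap round-trip ok:   "
                + Arrays.equals(viaWrap.getEncoded(), kp.getPrivate().getEncoded()));
        System.out.println("encrypt/decrypt round-trip ok: "
                + Arrays.equals(viaEncrypt.getEncoded(), kp.getPrivate().getEncoded()));
    }
}
```

Both lines print `true`, which is the point: the cryptography is identical. What `wrap`/`unwrap` buys is an interface contract in which the key's plaintext encoding is an implementation detail of the provider rather than something the calling code has to produce and handle, and that contract is what a keystore that never releases private key bytes can honour.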

ro...@aspirevc.com

Apr 26, 2019, 9:53:59 AM4/26/19
to conscrypt
Is there a reason that Android doesn't support KeyAgreement in the KeyStore?
Do you think it will ever be added?

Thanks,
-Rosco


On Tuesday, August 21, 2018 at 10:44:37 AM UTC-4, Kenny Root wrote:
As of today Android Keystore doesn't support KeyAgreement and, as you mentioned, the private part of the key is not exposed, so you can't use a key from Android Keystore to do KeyAgreement. You can see where the key type constraints are set in Conscrypt's provider. You could use key-wrapping to import the keys.