RSA equivalent of DH key agreement


George K

Jul 19, 2019, 8:13:56 AM
to Crypto++ Users
Hi,

Is there a way to produce a shared secret key to be used for symmetric encryption (e.g. AES) by using RSA key pairs? I know that the standard way of doing something like that is to use the recipient's RSA public key to encrypt the randomly generated symmetric key and then send it to the other side alongside the symmetrically encrypted message.
I wonder if it is possible to skip the first message and compute a shared secret by using each other's public keys, similar to how DH works.

Thanks,
George

Uri Blumenthal

Jul 19, 2019, 8:44:33 AM
to George K, Crypto++ Users
Yes. What RSA provides is KEM - Key Encapsulation Mechanism. You would run *two* of them - one in each direction - and then run a KDF over the concatenation of these two encapsulated symmetric keys.

AFAIK, it's the only way. And that's what NIST is doing with their Post-Quantum competition: they requested only KEMs, but no Key Agreement.

Sent from my test iPhone
--
You received this message because you are subscribed to "Crypto++ Users". More information about Crypto++ and this group is available at http://www.cryptopp.com and http://groups.google.com/forum/#!forum/cryptopp-users.
---
You received this message because you are subscribed to the Google Groups "Crypto++ Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cryptopp-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cryptopp-users/0cc9242e-06f5-4ded-8924-4a1aaac05075%40googlegroups.com.

γιωργος γιωργος

Jul 19, 2019, 10:44:08 AM
to Uri Blumenthal, Crypto++ Users
Hi, thanks for the answer,

So, if I understand correctly, in KEM the following steps are performed by each party:
  1. Generate RSA key pair
  2. Pick a random symmetric key that will be used in creating the final key
  3. Encrypt key with each other's RSA public key
  4. Send the encrypted key to the other side
  5. Decrypt with private key
  6. Concatenate the 2 parts together and run the KDF
  7. Use the result in a symmetric algorithm
I was thinking of producing the shared secret the way DH does, where the key generation based on a common base allows for that. I guess this can't be done with RSA keys.

Thanks,
George
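
The two-way exchange discussed in the messages above, as an added example that is not part of the thread and is not Crypto++ code. It assumes the RSA-KEM style of encapsulation (raw RSA applied to a random r < n, with r fed to the KDF) in place of padded encryption of a symmetric key, HKDF-SHA256 as the KDF, and constructed demo keys built from Mersenne primes that are trivially factorable; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

E = 65537  # public exponent

def keygen(p, q):
    """Build (public, private) from two primes. Demo only: no prime generation."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def to_bytes(x, n):
    return x.to_bytes((n.bit_length() + 7) // 8, "big")

def encapsulate(pub):
    """Pick random r < n and send r^e mod n; r is the encapsulated secret."""
    n, e = pub
    r = secrets.randbelow(n - 2) + 2
    return to_bytes(pow(r, e, n), n), to_bytes(r, n)

def decapsulate(priv, ct):
    n, d = priv
    return to_bytes(pow(int.from_bytes(ct, "big"), d, n), n)

def derive_key(secret_a, secret_b, ct_to_b, ct_to_a):
    """HKDF-SHA256, one output block: secrets concatenated in a fixed order,
    both ciphertexts bound in as context so each side keys what it saw."""
    prk = hmac.new(b"two-kem-demo", secret_a + secret_b, hashlib.sha256).digest()
    return hmac.new(prk, ct_to_b + ct_to_a + b"\x01", hashlib.sha256).digest()

# Constructed demo keys from Mersenne primes: trivially factorable, NOT secure.
ALICE_PUB, ALICE_PRIV = keygen(2**521 - 1, 2**607 - 1)
BOB_PUB, BOB_PRIV = keygen(2**1279 - 1, 2**2203 - 1)

def run_exchange(tamper=False):
    """Return (key_alice, key_bob); tamper flips one bit of Bob's message in transit."""
    ct_to_b, secret_a = encapsulate(BOB_PUB)    # Alice's contribution
    ct_to_a, secret_b = encapsulate(ALICE_PUB)  # Bob's contribution
    rx_a = ct_to_a[:-1] + bytes([ct_to_a[-1] ^ 1]) if tamper else ct_to_a
    key_alice = derive_key(secret_a, decapsulate(ALICE_PRIV, rx_a), ct_to_b, rx_a)
    key_bob = derive_key(decapsulate(BOB_PRIV, ct_to_b), secret_b, ct_to_b, ct_to_a)
    return key_alice, key_bob

def confirm_tag(key, role):
    """Key confirmation: each side sends a MAC computed under the derived key."""
    return hmac.new(key, b"confirm:" + role, hashlib.sha256).digest()

if __name__ == "__main__":
    ka, kb = run_exchange()
    print("keys match:", hmac.compare_digest(ka, kb))
```

Unlike DH, both ciphertexts must cross the wire before either side can derive the key, and the public keys still have to be authenticated by some other means.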

Jeffrey Walton

Jul 22, 2019, 12:37:53 PM
to Crypto++ Users


On Friday, July 19, 2019 at 8:13:56 AM UTC-4, George K wrote:

Is there a way to produce a shared secret key to be used for symmetric encryption (e.g. AES) by using RSA key pairs? I know that the standard way of doing something like that is to use the recipient's RSA public key to encrypt the randomly generated symmetric key and then send it to the other side alongside the symmetrically encrypted message.
I wonder if it is possible to skip the first message and compute a shared secret by using each other's public keys, similar to how DH works.

As far as I know there is no standard way to use RSA to produce a shared secret like DH.

To give you an idea of how TLS does it... in TLS, RSA is Key Transport (versus Key Agreement). In TLS, I believe the key transported by RSA is the premaster secret. In TLS, when using RSA Key Transport, each party contributes to the shared secret through client.random and server.random.

So, in TLS, the master key = premaster secret + client.random + server.random. Then, the four or six encryption and authentication keys are derived from the master secret.

In TLS when using DH, master key = premaster secret + client.random + server.random still holds. However, the premaster secret is derived from the DH Key Agreement rather than the RSA Key Transport.

TLS lacks Key Confirmation in the protocol. I understand it complicates the proofs. If you are building a scheme you should include Key Confirmation.

After the four or six keys are derived then the messages flow. Messages do not begin until the derived keys are created.

Jeff

γιωργος γιωργος

Jul 22, 2019, 3:52:00 PM
to Jeffrey Walton, Crypto++ Users
Hi Jeff,

Thanks for your answer, it was very informative.

Best regards,
George
