Need help in loading private key for ECDSA

jeetendra gangele

Dec 13, 2012, 12:34:40 AM
Hi, I tried to load a private key into the 224 curve for ECDSA and I am
getting the error below.

EC_KEY_check_key failed:
error:100B1043:lib(16):func(177):reason(67).



Below is my function to load the key.

Can anybody guide me?

    #include <stdio.h>
    #include <openssl/bn.h>
    #include <openssl/ec.h>
    #include <openssl/err.h>
    #include <openssl/obj_mac.h>

    static int loadkey_ecdsa(EC_KEY *pkey)
    {
        EC_POINT *pub_key = NULL;
        const EC_GROUP *group = NULL;
        BIGNUM start;
        BIGNUM *res;
        BN_CTX *ctx;
        int ret = 0;

        BN_init(&start);
        ctx = BN_CTX_new();

        res = &start;
        char b1[] =
            "18679335321211177614181391980475641049275229937844945546185683145837";
        BN_dec2bn(&res, b1);
        // BN_dec2bn(&x,b1);
        // BN_dec2bn(&y,b1);

        // BN_dec2bn(&(pub_key->X), "1234567890123456789012345678");
        // BN_dec2bn(pub_key->Y, "1234567890123456789012345678");

        pkey = EC_KEY_new_by_curve_name(NID_secp224r1);
        group = EC_KEY_get0_group(pkey);
        pub_key = EC_POINT_new(group);

        /* Only the private key is set; no public key is loaded into pkey. */
        ret = EC_KEY_set_private_key(pkey, res);
        //EC_KEY_set_public_key_affine_coordinates(pkey,x,y);

        if (!EC_KEY_check_key(pkey)) {
            printf("EC_KEY_check_key failed:\n");
            printf("%s\n", ERR_error_string(ERR_get_error(), NULL));
        } else {
            printf("Public key verified OK\n");
        }

        BN_free(res);
        BN_CTX_free(ctx);

        return ret;
    }
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Jeffrey Walton

Dec 13, 2012, 4:31:10 PM
On Thu, Dec 13, 2012 at 12:34 AM, jeetendra gangele
<gange...@gmail.com> wrote:
> Hi, I tried to load a private key into the 224 curve for ECDSA and I am
> getting the error below.
>
> EC_KEY_check_key failed:
> error:100B1043:lib(16):func(177):reason(67).
>
> Below is my function to load the key.
>
> Can anybody guide me?

$ openssl errstr 100B1043
error:100B1043:elliptic curve routines:EC_KEY_check_key:passed a null parameter

I have not really been following this thread, so please forgive my
dumb questions.

Are you using a NIST curve? If I recall correctly, OpenSSL only
supports some (all?) NIST curves. If you are trying to use Bernstein's
Curve-25519 (or an arbitrary curve), I don't believe it will work.

How did you generate the private key (the exponent) and public key
(point on the curve)?

Jeff

Dave Thompson

Dec 13, 2012, 7:21:44 PM
> From: owner-ope...@openssl.org On Behalf Of Jeffrey Walton
> Sent: Thursday, 13 December, 2012 16:31

> On Thu, Dec 13, 2012 at 12:34 AM, jeetendra gangele
> <gange...@gmail.com> wrote:
<snip>

> I have not really been following this thread, so please forgive my
> dumb questions.
>
> Are you using a NIST curve? If I recall correctly, OpenSSL only
> supports some (all?) NIST curves. If you are trying to use Bernstein's
> Curve-25519 (or an arbitrary curve), I don't believe it will work.
>
OP's code in some places uses secp224r1 and in some places sect163k1.
It's not clear which (if either?) is correct. IIRC both of these are
in the NIST subset, but just SECG is enough to be standard.

libcrypto EC_*, and thus EVP_*, supports both named/standard curves
and "explicit" ones. I believe that includes cert verification
as relevant to SSL/TLS, but haven't tested.

libssl *for key exchange* only supports named curves.

> How did you generate the private key (the exponent) and public key
> (point on the curve)?
>
OP apparently didn't generate any key, he's trying to use
key values he got from someplace that appear bogus.

Nit: the primitive operation in ECC is called addition and
the iterated form multiplication, so the privatekey value is
called a multiplicand. Unlike RSA and DH, where multiplication
in Z_n is iterated to give exponentiation.

Matt Caswell (frodo@baggins.org)

Dec 14, 2012, 5:02:46 AM

    char b1[] =
"18679335321211177614181391980475641049275229937844945546185683145837";

Where did you get this value from? Is this a private key you have been provided with that you *must* use?

Unless you particularly need to use a specific private key it is better to use

EC_KEY_generate_key

This will create a private key for you as well as calculating the associated public key.
 
    BN_dec2bn(&res,b1);
    // BN_dec2bn(&x,b1);
    // BN_dec2bn(&y,b1);

    // BN_dec2bn(&(pub_key->X), "1234567890123456789012345678");
    // BN_dec2bn(pub_key->Y, "1234567890123456789012345678");


    pkey = EC_KEY_new_by_curve_name(NID_secp224r1);
    group = EC_KEY_get0_group(pkey);
    pub_key = EC_POINT_new(group);

    ret = EC_KEY_set_private_key(pkey, res);
    //EC_KEY_set_public_key_affine_coordinates(pkey,x,y);

It appears you have commented out all of the code above to insert the public key. This is probably why the EC_KEY_check_key call is failing. One of the things this function checks is that the public key is sane.

In addition the code you have that is commented out above for the public key looks very odd. The public key is not just any (x, y) co-ordinate - it must be a point which is on the curve! Further it must be equal to the curve generator multiplied by the private key. If you use the EC_KEY_generate_key function referred to above then this will all be dealt with for you. If however you need to calculate the public key itself from an existing private key then use something like this to create it:

    if (!EC_POINT_mul(group, pub_key, pkey, NULL, NULL, ctx))
        goto err;


Matt

jeetendra gangele

Dec 14, 2012, 5:32:50 AM
But why do we need to load the public key for signing the data?
For signing I need only the private key.
When I load both the public and private key I could sign the data,
but when I load only the private key and call the Key_check function it's failing.



Thanks
Jeetendra


Matt Caswell (frodo@baggins.org)

Dec 14, 2012, 5:42:48 AM
On 14 December 2012 10:32, jeetendra gangele <gange...@gmail.com> wrote:
> But why do we need to load the public key for signing the data?
> For signing I need only the private key.
> When I load both the public and private key I could sign the data,
> but when I load only the private key and call the Key_check function it's failing.

Well technically of course you never need to explicitly have the public key if you have the private key - it can always be generated if needed. However that's not the way the library works. According to the way the library has been written an EC_KEY object is only valid if it contains either a public key, or a private/public key pair. If you are going to call EC_KEY_check_key then you must have a public key present (even if it is never used for your scenario). The presence of a public key is one of the first things that EC_KEY_check_key looks for.

Matt

jeetendra gangele

Dec 14, 2012, 6:14:48 AM
Okay,
Thanks for your reply.

If I have only the private key in my ECC_key object, will I be able to sign the data?
I mean I will load only the private key and use the curve. Will I be able
to sign the data?
And how can I load other parameters like a,b,g,n into the object?



Matt Caswell (frodo@baggins.org)

Dec 14, 2012, 6:40:51 AM
On 14 December 2012 11:14, jeetendra gangele <gange...@gmail.com> wrote:
> Okay,
> Thanks for your reply.
>
> If I have only the private key in my ECC_key object, will I be able to sign the data?

I've not tried it, so I'm not sure. I've had a quick review of the code and I can't see any reason why not, but I wouldn't recommend it. I would not consider an EC_KEY object that failed an EC_KEY_check_key call to be valid, and I would expect the library to make the same assumption. It is safer to have the public key present, and it is not difficult to do so.
 
> I mean I will load only the private key and use the curve. Will I be able
> to sign the data?
> And how can I load other parameters like a,b,g,n into the object?

If you are using a named curve (as you are in the code example you posted), you do not need to worry about the other parameters. These are incorporated into the definition of the named curve.

Matt

jeetendra gangele

Dec 14, 2012, 6:47:37 AM
Thanks
But I have these parameters and I wanted to load them: p,a,b,q
Do you know how I can load them?


Thanks
jeetendra




jeetendra gangele

Dec 14, 2012, 6:48:03 AM
Sorry, it's p,a,b,x,y

Matt Caswell (frodo@baggins.org)

Dec 14, 2012, 7:07:01 AM
On 14 December 2012 11:47, jeetendra gangele <gange...@gmail.com> wrote:
> Thanks
> But I have these parameters and I wanted to load them: p,a,b,q
> Do you know how I can load them?


The parameters are related to the definition of the curve. Where did you get the parameters from? Are you sure they are not just the parameters from a standard curve? It is much better to use the standard built in curves than attempting to create your own. Can you ask the person that supplied you with these parameters to tell you which standard curve they are using?

If you really *have* to use the parameters directly, and they are not from a standard curve then you will need to create the curve yourself. You can use EC_GROUP_new_curve_GFp for an Fp (NID_X9_62_prime_field) curve or EC_GROUP_new_curve_GF2m for an F2m (NID_X9_62_characteristic_two_field) curve. You will also need to call EC_GROUP_set_generator to set the generator point for the curve.

Matt

jeetendra gangele

Dec 14, 2012, 7:37:23 AM
I got these parameters from marlin and I wanted to load these parameters.
It's a must for me to load these parameters.



jeetendra gangele

Dec 14, 2012, 7:42:06 AM
OK, do you know if there is any dependency between these curve parameters
and the private and public key?

I mean I am loading these parameters and generating private and public
keys from the OpenSSL command line tools.
It did not work for me,
but when I use a standard curve and load public and private keys it worked for me.
So is there any relation between curve parameters and public and private keys?


thanks

Matt Caswell (frodo@baggins.org)

Dec 14, 2012, 8:07:30 AM
On 14 December 2012 12:37, jeetendra gangele <gange...@gmail.com> wrote:
> I got these parameters from marlin and I wanted to load these parameters.
> It's a must for me to load these parameters.

I am not familiar with what marlin is, so I cannot advise on that. I would double check that the parameters do not correspond to a standard curve. Have a look in src/crypto/ec/ec_curve.c in the openssl source code. Check to see if your "p" value is present in the built in data structures somewhere.

If not you will have to do it by creating the curve yourself as per my previous post. Assuming you have a Fp curve, then you will need to know p, a, b, generator (x and y co-ords), order and co-factor. You can then do something like:

        if ((group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) == NULL) goto err;
        if ((gen = EC_POINT_new(group)) == NULL) goto err;
        if (!EC_POINT_set_affine_coordinates_GFp(group, gen, x, y, ctx)) goto err;
        if (!EC_GROUP_set_generator(group, gen, order, cofactor)) goto err;

If you have an F2m curve then the parameters are the same except you need to know m instead of p (the code is similar but replace GFp with GF2m). Confusingly though the OpenSSL codebase refers to p for F2m curves to mean p = 2^m. If you're not sure which one you've got, then if p is odd then it's probably an Fp curve, whilst if it's even it's probably F2m.

Matt

Matt Caswell (frodo@baggins.org)

Dec 14, 2012, 8:10:46 AM
Yes there is a dependency. The curve parameters define what the curve is, whilst the public key is a point on the curve. The public key is inherently linked to the curve parameters. If you change the parameters then the public key will no longer be valid.

Matt

On 14 December 2012 12:42, jeetendra gangele <gange...@gmail.com> wrote:
> OK, do you know if there is any dependency between these curve parameters
> and the private and public key?
>
> I mean I am loading these parameters and generating private and public
> keys from the OpenSSL command line tools.
> It did not work for me,
> but when I use a standard curve and load public and private keys it worked for me.
> So is there any relation between curve parameters and public and private keys?
>
> thanks
>
> On 14 December 2012 18:07, jeetendra gangele <gange...@gmail.com> wrote:
> > I got these parameters from marlin and I wanted to load these parameters.
> > It's a must for me to load these parameters.

jeetendra gangele

Dec 14, 2012, 8:36:08 AM
OK,
So is there any way, after setting these parameters, I can get the
public key (point) on the curve?
After setting the curve parameters I can ask for a point on the curve;
there is one API I have seen, right?
GetPublicKey.
Can you do that from the command line?

thanks
jeetendra


Matt Caswell (frodo@baggins.org)

Dec 14, 2012, 8:41:35 AM
On 14 December 2012 13:36, jeetendra gangele <gange...@gmail.com> wrote:
> OK,
> So is there any way, after setting these parameters, I can get the
> public key (point) on the curve?

Setting the parameters just gets you a curve, not a private/public key pair. To create a private/public key pair create an EC_KEY object (passing in the curve as a parameter), and then call EC_KEY_generate_key. Then you can get the public key from the EC_KEY object.

> After setting the curve parameters I can ask for a point on the curve;
> there is one API I have seen, right?
> GetPublicKey.
> Can you do that from the command line?

As far as I know you can't use custom curves from the command line - but I am not an expert on the command line tool so others on this list may be able to answer that.

Matt

jeetendra gangele

Dec 14, 2012, 9:20:09 AM
It looks very odd loading of public key during sign operation.
OK, tell me one thing: I can load any valid point on the curve during sign.
And when I verify the signed message I should be able to verify with
the other valid public key?


Thanks
jeet



Matt Caswell (frodo@baggins.org)

Dec 14, 2012, 9:48:12 AM
On 14 December 2012 14:20, jeetendra gangele <gange...@gmail.com> wrote:
> It looks very odd loading of public key during sign operation.
> OK, tell me one thing: I can load any valid point on the curve during sign.

An ECDSA sign operates on the curve and associated parameters, the private key, and the message, and outputs two values (which are just numbers) r and s. No points on the curve are provided as input or received as output (although they are used internally).

What I have recommended to you is that you fill in both the private and public key in the EC_KEY object so that an EC_KEY_check_key call passes. This is not loading "any valid point on the curve"...it must be the public key for the associated private key, or EC_KEY_check_key will not pass. As I said in one of my first emails, it is straightforward to find the public key given the private key.

 
> And when I verify the signed message I should be able to verify with
> the other valid public key?

When verifying you will be able to verify with the public key that corresponds to the private key used originally to sign the message.

Matt
 

jeetendra gangele

Dec 14, 2012, 10:02:56 AM
On 14 December 2012 20:18, Matt Caswell (fr...@baggins.org)
<fr...@baggins.org> wrote:
>
>
> On 14 December 2012 14:20, jeetendra gangele <gange...@gmail.com> wrote:
>>
>> it looks very odd loading of public key during sign operation.
>> Ok tell me one thing I can load any valid point on the curve during sign.
>
>
> An ECDSA sign operates on the curve and associated parameters, the private
> key, and the message, and outputs two values (which are just numbers) r and
> s. No points on the curve are provided as input or received as output
> (although they are used internally).
>
> What I have recommended to you is that you fill in both the private and
> public key in the EC_KEY object so that an EC_KEY_check_key call passes.
> This is not loading "any valid point on the curve"...it must be the public
> key for the associated private key, or EC_KEY_check_key will not pass. As I
> said in one of my first emails, it is straight forward to find the public
> key given the private key.
>
Here I won't agree, because suppose I loaded all the curve parameters
and try to load a public key which won't lie on the curve, it's failing.
>
>>
>> and when I verify the signed message i should be able to verify with
>> the other valid public key?
>
>
> When verifying you will be able to verify with the public key that
> corresponds to the private key used originally to sign the message.
This I understand....

>
> Matt
>




Matt Caswell (frodo@baggins.org)

Dec 14, 2012, 10:09:08 AM
On 14 December 2012 15:02, jeetendra gangele <gange...@gmail.com> wrote:
> On 14 December 2012 20:18, Matt Caswell (fr...@baggins.org)
> <fr...@baggins.org> wrote:
> >
> >
> > On 14 December 2012 14:20, jeetendra gangele <gange...@gmail.com> wrote:
> >>
> >> it looks very odd loading of public key during sign operation.
> >> Ok tell me one thing I can load any valid point on the curve during sign.
> >
> >
> > An ECDSA sign operates on the curve and associated parameters, the private
> > key, and the message, and outputs two values (which are just numbers) r and
> > s. No points on the curve are provided as input or received as output
> > (although they are used internally).
> >
> > What I have recommended to you is that you fill in both the private and
> > public key in the EC_KEY object so that an EC_KEY_check_key call passes.
> > This is not loading "any valid point on the curve"...it must be the public
> > key for the associated private key, or EC_KEY_check_key will not pass. As I
> > said in one of my first emails, it is straight forward to find the public
> > key given the private key.
> >
> Here I won't agree, because suppose I loaded all the curve parameters
> and try to load a public key which won't lie on the curve, it's failing.

As previously mentioned the code to find a public key given a private key looks like this:


    if (!EC_POINT_mul(group, pub_key, pkey, NULL, NULL, ctx))
        goto err;

All you need is the curve and the private key and in one line you can get the public key.

Matt
 

jeetendra gangele

Dec 14, 2012, 10:16:05 AM
Yes, I did the same; thanks for all your support.
Is there any relation between the curve parameters and the private key, or
can the private key be any random number?
As far as I remember there is a relation and it depends upon a discrete math
problem that is unsolved as of now,
so once that problem is solved the private key can be broken.
Am I correct?

Matt Caswell (frodo@baggins.org)

Dec 14, 2012, 10:28:43 AM
> Yes, I did the same; thanks for all your support.
> Is there any relation between the curve parameters and the private key, or
> can the private key be any random number?

Yes there is a relationship. The private key must be a random number between 0 and the order of the curve.
 
> As far as I remember there is a relation and it depends upon a discrete math
> problem that is unsolved as of now,
> so once that problem is solved the private key can be broken.
> Am I correct?

You are talking about the relationship between the private key and the public key. The security is based on the difficulty of solving the discrete logarithm problem. Basically if g^x = h, where g and h are elements of a finite cyclic group (in other words points on our curve in this case), it is hard to find x given g and h. In this case g is the generator point (one of the curve parameters), x is the private key and h is the public key. If someone finds a short cut for solving this problem then the security is broken.

Matt

Jeffrey Walton

Dec 14, 2012, 4:21:07 PM
On Thu, Dec 13, 2012 at 7:21 PM, Dave Thompson <dtho...@prinpay.com> wrote:
>> From: owner-ope...@openssl.org On Behalf Of Jeffrey Walton
>> Sent: Thursday, 13 December, 2012 16:31
>
>> On Thu, Dec 13, 2012 at 12:34 AM, jeetendra gangele
>> <gange...@gmail.com> wrote:
> <snip>
>>...
>>
> Nit: the primitive operation in ECC is called addition and
> the iterated form multiplication, so the privatekey value is
> called a multiplicand. Unlike RSA and DH, where multiplication
> in Z_n is iterated to give exponentiation.
Yes, being lazy. Thanks.

Dave Thompson

Dec 14, 2012, 5:09:45 PM
>From: owner-ope...@openssl.org On Behalf Of Matt Caswell
(fr...@baggins.org)
>Sent: Friday, 14 December, 2012 08:42

>On 14 December 2012 13:36, jeetendra gangele <gange...@gmail.com> wrote:
<snip>
>> Can u do that from command line?
>As far as I know you can't use custom curves from the command line -
>but I am not an expert on the command line tool so others on this list
>may be able to answer that.

commandline ecparam can read any curve definition, but has builtin
only named ones. I haven't tested, but if you build a custom EC_GROUP
and write it out in "explicit" form, -genkey should work.

Of course then all it's really doing is calling EC_generate_key and
PEM_write_ or i2d_ to a file, which you can easily do yourself.

jeetendra gangele

Dec 16, 2012, 10:56:51 PM
Actually I was trying to generate a signature of length 56 bytes but
it's failing.
When I checked the code it said the length of the sig should not be less than 56.
Can anybody help me with how I can generate a signature of length 56 bytes?



jeetendra gangele

Dec 17, 2012, 1:56:10 AM
Can anybody guide me on how I can generate a digital signature of 56
bytes for ECDSA?
I am using the curve NID_secp224r1.
Thanks
jeetendra

jeetendra gangele

Dec 17, 2012, 1:57:37 AM
It's generating 64 bytes when I print with ECDSA_size(eckey),
but I need a 56-byte signature.

Dave Thompson

Dec 17, 2012, 2:34:37 AM
> From: owner-ope...@openssl.org On Behalf Of jeetendra gangele
> Sent: Sunday, 16 December, 2012 22:57

> Actually I was trying to generate a signature of length 56 bytes but
> it's failing.
> When I checked the code it said the length of the sig should not
> be less than 56.
> Can anybody help me with how I can generate a signature of
> length 56 bytes?
>
To be clear: you are talking about the length of the *signature*,
not of the data that was signed?

If you are using a 224-bit ECDSA keypair, as your previous posts
suggest, the signature semantically consists of two numbers
each 224 bits or 28 bytes; however, openssl (at least) encodes
these numbers in an ASN.1 SEQUENCE with total length 62-64 bytes.

If you want to generate such a signature, either use the EVP_Sign*
functions to do the usual process for you (hash the bulk data,
using a hash you specify whose output size should not be larger
than your keysize, then ECDSA-sign the hash) or do the hash yourself
and then call ECDSA_sign or one of its variants yourself.

jeetendra gangele

Dec 17, 2012, 2:48:08 AM
Yes, I am talking about the signature.
The ECDSA_SIG output structure will have r and s components of 28 bytes each.
So if I merge both r and s I will get 56 bytes, right?
These will not have any padding information?


Thanks
jeet

Dave Thompson

Dec 17, 2012, 3:04:44 AM
> From: owner-ope...@openssl.org On Behalf Of jeetendra gangele
> Sent: Monday, 17 December, 2012 01:58

> It's generating 64 bytes when I print with ECDSA_size(eckey),
> but I need a 56-byte signature. [for secp224r1]
>
ECDSA_size is the *maximum* length of the encoded signature,
see the man page. An actual encoded signature may be less,
see my earlier reply; you are supposed to use ECDSA_size
to allocate the buffer, but the length stored by ECDSA_sign
or similar for actual length.

But the ASN.1 encoding from ECDSA_sign, or i2d_ECDSA_SIG, is
(a little) more than just the two numbers r and s. If you want
an encoding that only has the two numbers either:
1. get the ASN.1 encoding, pick out the numbers (in ASN.1 signed
but positive bigendian form), and do your other encoding
2. use ECDSA_do_sign or similar to get the ECDSA_SIG structure, and
do your own encoding from that (by encoding the two bignums)

Referring to my previous reply, if you use the more convenient
high-level EVP_ interface you may need approach 1; I don't see
option to change the encoding used there (but I may have missed).

Dave Thompson

Dec 17, 2012, 3:25:11 AM
> From: owner-ope...@openssl.org On Behalf Of jeetendra gangele
> Sent: Monday, 17 December, 2012 02:48

> Yes, I am talking about the signature.
> The ECDSA_SIG output structure will have r and s components
> of 28 bytes each. [for 224-bit curve]
> So if I merge both r and s I will get 56 bytes, right?
> These will not have any padding information?
>
The struct points to two bignums, which use an internal
format; openssl can put what it likes in there.
If you get the (near-trivial) encoding as big-endian bytes
using BN_bn2bin, *that* does not have padding or overhead.

Note that the numbers in an ECDSA signature are effectively
uniform random up to the field order, so they will *rarely*
be *smaller* than the keysize (here, less than 28 bytes).
If you want *fixed* 28 bytes each, *you* will need to pad.

(I forgot to allow for this in my earlier reply. The ASN.1
encoding can be less than 62 bytes in these cases.)
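
Approach 1 from the replies above (take the ASN.1 encoding, pick out r and s, then left-pad each to the 28 bytes of a 224-bit curve), written out as an added example that is not code from the thread or from OpenSSL. The function names and the sample bytes are constructed for illustration, and the parser assumes short-form DER lengths, which covers any signature under 128 bytes.

```c
#include <stdio.h>
#include <string.h>

/* Read one DER INTEGER at *pp (short-form length only) and write it
 * right-aligned into out[width], zero-padded on the left.
 * Returns 0 on success, -1 on malformed or oversized input. */
static int der_int_to_fixed(const unsigned char **pp, const unsigned char *end,
                            unsigned char *out, size_t width)
{
    const unsigned char *p = *pp;
    size_t len;

    if (end - p < 2 || p[0] != 0x02)          /* tag must be INTEGER */
        return -1;
    len = p[1];
    if (len == 0 || len > 0x7f || (size_t)(end - p - 2) < len)
        return -1;
    p += 2;
    if (p[0] & 0x80)                          /* negative: never valid for r or s */
        return -1;
    if (p[0] == 0x00 && len > 1) {            /* sign byte added when the MSB is set */
        if (!(p[1] & 0x80))
            return -1;                        /* non-minimal encoding */
        p++;
        len--;
    }
    if (len > width)                          /* does not fit this curve size */
        return -1;
    memset(out, 0, width - len);              /* the padding the caller must add */
    memcpy(out + (width - len), p, len);
    *pp = p + len;
    return 0;
}

/* Convert SEQUENCE { INTEGER r, INTEGER s } into r || s, `width` bytes each. */
int ecdsa_der_to_raw(const unsigned char *der, size_t der_len,
                     unsigned char *raw, size_t width)
{
    const unsigned char *p, *end;

    if (der_len < 2 || der[0] != 0x30 || der[1] > 0x7f)
        return -1;
    if ((size_t)der[1] != der_len - 2)        /* reject truncated or trailing data */
        return -1;
    p = der + 2;
    end = der + der_len;
    if (der_int_to_fixed(&p, end, raw, width) != 0)
        return -1;
    if (der_int_to_fixed(&p, end, raw + width, width) != 0)
        return -1;
    return p == end ? 0 : -1;
}

/* Constructed sample, not a real signature: r is 28 bytes with the top bit
 * set (DER adds a 0x00 sign byte), s is only 27 bytes long.
 * Writes the DER bytes into der (at least 62 bytes) and returns the length. */
size_t build_sample_der(unsigned char *der)
{
    size_t n = 0;

    der[n++] = 0x30; der[n++] = 60;           /* SEQUENCE, 60 content bytes */
    der[n++] = 0x02; der[n++] = 29; der[n++] = 0x00;
    memset(der + n, 0xA5, 28); n += 28;       /* r */
    der[n++] = 0x02; der[n++] = 27;
    memset(der + n, 0x11, 27); n += 27;       /* s */
    return n;
}

int main(void)
{
    unsigned char der[64], raw[56];
    size_t i, n = build_sample_der(der);

    if (ecdsa_der_to_raw(der, n, raw, 28) != 0) {
        fprintf(stderr, "malformed signature\n");
        return 1;
    }
    printf("DER length %lu -> raw length %lu\n",
           (unsigned long)n, (unsigned long)sizeof raw);
    for (i = 0; i < sizeof raw; i++)
        printf("%02x", raw[i]);
    printf("\n");
    return 0;
}
```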

jeetendra gangele

Dec 17, 2012, 8:26:17 AM
Thanks for your help.


Can you guide me on how I can use ECDH for exchanging the secret key?
I have to implement it in two phases.
1. I have a private key of 256-bit length and need to get the phase 1 value wx,wy
2. In the second I have the phase 1 value and private key and need to get the secret
key or public key.



Thanks

jeetendra gangele

Dec 17, 2012, 9:45:52 AM
I need to use ECDH to derive the shared key using public and private key given.

jeetendra gangele

Dec 17, 2012, 1:16:55 PM
Hi, for ECDH can I use the SHA256 algorithm?

I have gone through the inside DS and written this piece of code and
it worked also.
But here how can I use sha256? When I used it I am getting the error.
How can I use sha256 here?



    int alen = 0;
    int blen = 0;
    int aout = 0;
    int bout = 0;
    static const int KDF1_SHA1_len = 20;
    unsigned char *abuf = NULL;
    unsigned char *bbuf = NULL;

    EC_KEY *ecdh = NULL;
    EC_KEY *ecdh2 = NULL;

    // Generate public keys
    // ecdh = EC_KEY_new_by_curve_name(NID_secp521r1);
    // ecdh2 = EC_KEY_new_by_curve_name(NID_secp521r1);
    ecdh = EC_KEY_new_by_curve_name(NID_sect163k1);
    ecdh2 = EC_KEY_new_by_curve_name(NID_sect163k1);

    EC_KEY_generate_key(ecdh);
    EC_KEY_generate_key(ecdh2);

    alen = KDF1_SHA1_len;
    abuf = (unsigned char *)OPENSSL_malloc(alen);
    aout = ECDH_compute_key(abuf, alen, EC_KEY_get0_public_key(ecdh2),
                            ecdh, KDF1_SHA1);
    printf("aout is %d\n", aout);
    blen = KDF1_SHA1_len;
    bbuf = (unsigned char *)OPENSSL_malloc(blen);
    bout = ECDH_compute_key(bbuf, blen, EC_KEY_get0_public_key(ecdh),
                            ecdh2, KDF1_SHA1);

Dave Thompson

Dec 17, 2012, 6:06:46 PM
> From: owner-ope...@openssl.org On Behalf Of jeetendra gangele
> Sent: Monday, 17 December, 2012 13:17

> Hi, for ECDH can I use the SHA256 algorithm?
>
> I have gone through the inside DS and written this piece of code and
> it worked also.
> But here how can I use sha256? When I used it I am getting the error.
> How can I use sha256 here?
>
<snip>
> aout = ECDH_compute_key(abuf, alen, EC_KEY_get0_public_key(ecdh2),
> ecdh, KDF1_SHA1);

What is KDF1_SHA1? If it's copied from ec/ecdhtest.c or apps/speed.c,
that's designed to use SHA1; if you want something else, change it.
I'm not sure why it's even there; the comment in speed.c says it was
in a tls-ecc draft, but it is NOT in 4492. I don't know of any other
ECDH (or DH) applications that apply a nontrivial KDF directly to
the agreement; if they do key derivation, it's somewhere else.

Note that if you use a 163-bit curve as you coded, you won't get more
than about 80 bits of security strength out of it no matter how you
hash it, and that is now considered inadequate by most authorities.
If you use your commented version with p521, and sha256 or maybe 384,
you can get 256-bit strength, IF your keys actually have at least 256
bits of entropy going in. But no one actually needs 256-bit strength,
and it's often a distraction from much more serious flaws elsewhere.

Dave Thompson

Dec 17, 2012, 6:06:46 PM
> From: owner-ope...@openssl.org On Behalf Of jeetendra gangele
> Sent: Monday, 17 December, 2012 08:26
> To: openss...@openssl.org
> Subject: Re: Need help in loading private key for ECDSA
>
> Thanks for your help.
>
>
> Can you guide me on how I can use ECDH for exchanging the
> secret key?
> I have to implement it in two phases.
> 1. I have a private key of 256-bit length and need to get the phase 1
> value wx,wy
> 2. In the second I have the phase 1 value and private key and need to get the secret
> key or public key.
>
If you are using a 224-bit curve, as in your previous posts,
a privatekey larger than 224-bits (really, larger than the field
order, which is fractionally less) is at best a waste of time.
The point_mul probably does work -- I haven't tested -- but if so
it wraps around and gives no more security than a 224-bit value.

For ECDH agreement, like DH, you need to do two phases at both parties.
A has or chooses A-privatekey which determines A-publickey and sends
A-pub to B; B similarly has or chooses B-priv and sends B-pub to A.
A uses B-pub with A-priv to compute a resulting secret and B uses
A-pub with B-priv to compute the same (shared) secret. The only real
difference is that DH pubkey is one number in Z_p while ECDH
pubkey is a nominally 2-dimensional point in the EC group.

If you somehow have a secure privkey but not the corresponding pubkey,
do what the last lines of EC_generate_key do: multiply (in the group)
the base point by your privkey to get your pubkey. To do "phase 2",
use EC_compute_key which multiplies the *peer* pubkey (point) by
your privkey and takes the x coordinate as the agreed value.

Note if both parties have fixed keys -- called static [EC]DH or more
specifically both-static or static-static -- the resulting agreed value
is always the same. If you allow this, you must ensure the agreed value
is used in a way that does not reduce security or allow attacks. Often
this means not using it directly as a key. (TLS always mixes per-connection
client and server nonces into its key derivation, for all key-exchange
methods including both static and ephemeral/anonymous *DH.) If you force
at least one party to use dynamic/nonce/transient/ephemeral key, with
sufficient randomness/entropy in its key, that avoids this issue.
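
The relationship between private key, public key and curve that Matt Caswell's replies describe (the public key must be the generator multiplied by the private key, not just any point), together with the two ECDH phases from the reply above, carried through on a toy curve. This is an added example, not code from the thread or from OpenSSL: the curve y^2 = x^3 + 2x + 2 over F_17, the names check_key and ecdh_x, and the reason codes are assumptions made for illustration, and check_key models the kind of consistency checks discussed in the thread rather than reproducing EC_KEY_check_key.

```c
#include <stdio.h>

/* Toy curve y^2 = x^3 + 2x + 2 over F_17 with generator G = (5,1) of prime
 * order 19. Constructed teaching parameters, far too small for real use. */
enum { P = 17, A = 2, B = 2, N = 19 };
typedef struct { int x, y, inf; } point;
static const point G = { 5, 1, 0 };

enum { KEY_OK, NO_PUBLIC, NOT_ON_CURVE, WRONG_ORDER, BAD_PRIVATE, MISMATCH };

static int mod(int v) { v %= P; return v < 0 ? v + P : v; }

/* Modular inverse via Fermat's little theorem: v^(P-2) mod P. */
static int inv(int v)
{
    int r = 1, e = P - 2;
    for (v = mod(v); e; e >>= 1, v = mod(v * v))
        if (e & 1) r = mod(r * v);
    return r;
}

int on_curve(point q)
{
    return q.inf || mod(q.y * q.y) == mod(q.x * q.x * q.x + A * q.x + B);
}

/* Group law: the "addition" primitive. */
point add(point p, point q)
{
    point r = { 0, 0, 0 };
    int l;
    if (p.inf) return q;
    if (q.inf) return p;
    if (p.x == q.x && mod(p.y + q.y) == 0) { r.inf = 1; return r; }
    if (p.x == q.x)
        l = mod((3 * p.x * p.x + A) * inv(2 * p.y));   /* tangent (doubling) */
    else
        l = mod((q.y - p.y) * inv(q.x - p.x));         /* chord */
    r.x = mod(l * l - p.x - q.x);
    r.y = mod(l * (p.x - r.x) - p.y);
    return r;
}

/* Iterated addition: k*p by double-and-add. */
point mul(unsigned k, point p)
{
    point r = { 0, 0, 1 };
    for (; k; k >>= 1, p = add(p, p))
        if (k & 1) r = add(r, p);
    return r;
}

/* Consistency checks on a key pair (d, q); q == NULL models "no public key". */
int check_key(unsigned d, const point *q)
{
    point t;
    if (q == NULL || q->inf) return NO_PUBLIC;
    if (!on_curve(*q)) return NOT_ON_CURVE;
    if (!mul(N, *q).inf) return WRONG_ORDER;
    if (d == 0 || d >= N) return BAD_PRIVATE;
    t = mul(d, G);                       /* the public key implied by d */
    return (t.x == q->x && t.y == q->y) ? KEY_OK : MISMATCH;
}

/* One side of ECDH: validate the peer's point, multiply it by our private
 * key, return the x coordinate (or -1 if the peer's point is rejected). */
int ecdh_x(unsigned d, point peer)
{
    point s;
    if (peer.inf || !on_curve(peer)) return -1;
    s = mul(d, peer);
    return s.inf ? -1 : s.x;
}

int main(void)
{
    point pub_a = mul(3, G), pub_b = mul(7, G);   /* private keys 3 and 7 */
    point other = mul(2, G), off = { 1, 1, 0 };

    printf("no public key:      %d\n", check_key(3, NULL));
    printf("derived public key: %d\n", check_key(3, &pub_a));
    printf("other curve point:  %d\n", check_key(3, &other));
    printf("point off curve:    %d\n", check_key(3, &off));
    printf("ECDH x at A and B:  %d %d\n", ecdh_x(3, pub_b), ecdh_x(7, pub_a));
    return 0;
}
```

A private key of 22 yields the same public point as 3 on this curve because the scalar wraps around the group order of 19, which is why check_key rejects scalars outside 1..N-1.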