Score:2

What benefit is gained when combining AES GCM/GMAC with ECDSA?

This is a real-world question (and as I'm not an expert in cryptography, I have only some basic knowledge in terms of just using it, not a deep understanding of how it works under the hood): A system for data collection from many embedded end-devices employs AES128 GCM/GMAC to protect messages in terms of confidentiality and authenticity: each message $M$ is encrypted $C = E(K, M)$ and protected with a tag $T=T(K, M)$ using symmetric keys: $(C, T)$ is sent over to the receiver.

In an advanced version of the system, in addition to this protection, a digital signature $S=S(M)$ based on ECDSA (using ECC NIST key material) is employed: first sign $M$, then encrypt:

The result of signing is the tuple $(S, M)$

Then $\{E(K,(S,M)), T(K,(S,M))\}$ is sent to the receiver, which has the public ECC key.

Q1: What is the additional benefit we gain from using this additional signing?

If GCM/GMAC is used in the right way (e.g. using initialization vectors only once) and the symmetric key is not compromised, then GCM/GMAC is a good protection. What are the scenarios where the additional use of the signature helps to make an improvement in terms of security?

Q2: In addition to signing messages, ECDH is used to agree on new symmetric keys from time to time. In the "old" version this was done via a (standardized) key wrap algorithm, which depends on a symmetric KEK. Again I ask: What is the real benefit of using ECDH instead of Key Wrap?

I know of course the principles of public key cryptography but cannot really estimate the additional value we gain as compared to using just the symmetric variant which justifies the effort to implement the advanced version.

Score:3

Q1: What is the additional benefit we gain from using this additional signing?

There are a few benefits that I could see, although in the end it is the use case which should indicate the possible benefits.

  1. only the party with the private key could have signed the document. With a MAC, both parties are able to sign using the shared secret key;
  2. the verification option may not be available anymore after tag verification and decryption (the symmetric encryption is only used to provide transport security, in other words);
  3. signature verification on the plaintext message might be performed by another party that obtains the (trusted) public key.

Q2: In addition to signing messages, ECDH is used to agree on new symmetric keys from time to time. In the "old" version this was done via a (standardized) key wrap algorithm, which depends on a symmetric KEK. Again I ask: What is the real benefit of using ECDH instead of Key Wrap?

My guess is that this is simply because Elliptic Curve crypto doesn't offer a direct method to encapsulate keys, while it may offer benefits over other primitives that do offer encapsulation (efficiency at high security).

MichaelW
1) would be what is called "non-repudiation". Right? But what do you mean in 2)? Since each device has an individual symmetric key, a positively verified tag would guarantee that a message really comes from this device.
Maarten Bodewes
1. Yes, that's (tied to) non-rep. 2. E.g. session keys are often destroyed after verification & decryption of the message. Keys used to create signatures are generally persistent (and the public key needs to be trusted).
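
Points 1 and 3 of the answer, as an added Go sketch that is not code from the question or the answer: a receiver that holds K can produce a valid GCM tag for any text, but a verifier holding only the device's public key rejects its signature. The key K, the names `Send`, `Open`, `Verify`, `dev` and `rcv`, the 1-byte length framing of $(S, M)$ and the sample reading are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed demo material. Errors are ignored because the inputs are fixed and valid.
var (
	blk, _ = aes.NewCipher([]byte("0123456789abcdef"))       // K, shared by device and receiver
	gcm, _ = cipher.NewGCM(blk)                               // AES-128-GCM under K
	dev, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // device signing key
	rcv, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key the receiver generated itself
)
// Send signs M with ECDSA, then seals (S, M): the result is nonce || C || T.
func Send(priv *ecdsa.PrivateKey, m []byte) []byte {
	h := sha256.Sum256(m)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, h[:])
	nonce := make([]byte, 12)
	rand.Read(nonce) // fresh random 12-byte nonce for every message
	pt := append(append([]byte{byte(len(sig))}, sig...), m...) // 1-byte length, S, M
	return gcm.Seal(nonce, nonce, pt, nil)
}
// Open checks the tag under K, decrypts, and splits the plaintext into (S, M).
func Open(wire []byte) (sig, m []byte, err error) {
	if len(wire) < 12 {
		return nil, nil, fmt.Errorf("short message")
	}
	pt, err := gcm.Open(nil, wire[:12], wire[12:], nil)
	if err != nil || len(pt) == 0 || len(pt) < 1+int(pt[0]) {
		return nil, nil, fmt.Errorf("tag check or framing failed")
	}
	return pt[1 : 1+int(pt[0])], pt[1+int(pt[0]):], nil
}
// Verify needs only the device's public key, so a party without K can run it.
func Verify(pub *ecdsa.PublicKey, m, sig []byte) bool {
	h := sha256.Sum256(m)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
func main() {
	for _, signer := range []*ecdsa.PrivateKey{dev, rcv} { // genuine device, then receiver
		sig, m, err := Open(Send(signer, []byte("meter=42")))
		fmt.Println("tag ok:", err == nil, "signature ok:", Verify(&dev.PublicKey, m, sig))
	}
}
```

Both messages pass the tag check because both were sealed under K; only the one signed with the device's private key passes `Verify`.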