Score:0

ECDHE without initial handshake

tz flag

Is it possible to do a key agreement with ECDH ephemeral-ephemeral without requiring an initial handshake first?

Is it possible to have the key agreement in the same message as the encrypted data with ECDHE?

I know this is possible with ECDH ephemeral-static but that does not have perfect forward secrecy. And with ephemeral-static you need to have a secure way to store the static private key.

kelalaka
in flag
[Diffie-Hellman algorithm and MITM attack](https://crypto.stackexchange.com/q/72370/18298) and [See how it is performed](https://crypto.stackexchange.com/q/87532/18298). See [secretbox of the libsodium](https://doc.libsodium.org/secret-key_cryptography/secretbox) for the second part.
Score:1
gb flag

Is it possible to do a key agreement with ECDH ephemeral-ephemeral without requiring an initial handshake first?

Yes, however this is vulnerable to man-in-the-middle (MITM) attacks.

Is it possible to have the key agreement in the same message as the encrypted data with ECDHE?

For the receiver to use an ephemeral key, they would have to send it before you can use it for the exchange. Alternatively they could load a number of ephemeral keys onto a trusted third-party server to be retrieved by senders later (this is kind of what is done by Signal). But usually you'd assume the sender just uses the recipient's static key so they know it is going to the right person. In this case, all the ephemeral randomness is provided by the sender, so you really have a KEM (key encapsulation mechanism) rather than a key exchange.

So essentially, if you're willing to forgo authentication and risk impersonation / man in the middle attacks, you can achieve perfect forward secrecy with a KEM, and you can have the receiver regularly rotate the receiving key so they don't have to worry about secure long-term storage (a semi-static key).

tz flag
Thanks. We are going to add ECDSA static-static to prevent MITM attacks and provide authentication. Our issue right now is on Android we don't have a secure way of securing ECDH private keys (if we go ephemeral-static).
tz flag
Could you elaborate on storing ephemeral keys on a server? You mean storing the receiver's ephemeral ECDH public keys on the server, right?
meshcollider
gb flag
Correct, then obviously the receiver would have to store the corresponding private keys themselves securely. How will you manage the static keys for the authentication part on android then?
tz flag
This will actually work really well for us then. Thank you. Android KeyMaster and KeyStore both support securely storing ECDSA keys but not ECDH. iOS Secure Enclave has supported ECDH for years so Android is really behind on this.
tz flag
I suppose on Android we will have to keep the ECDH private key in memory. Which is a big question mark on security.
meshcollider
gb flag
Interesting, I wasn't aware that Android KeyStore didn't support ECDH. Would this work? https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec#example:ecdh
tz flag
That looks like it's using an EC keypair stored in KeyStore for ECDH. Perfect thanks!