Score:0

RSA Encryption and ECDH in OpenPGP


According to the RFC4880 standard:

1. Refer to section 2.1, Confidentiality via Encryption --> OpenPGP combines symmetric-key encryption and public-key encryption to provide confidentiality

  + To protect the session key --> encrypted with the receiver's public key

  + To decrypt the session key --> use the receiver's private key

2. Refer to section 5.1, Public-Key Encrypted Session Key Packets

  + RSA encryption

  + Elgamal encryption (Diffie-Hellman)

  1. ECDH
  • sender: calculate shared secret --> KDF --> derived key --> AES-CFB
  • receiver: calculate shared secret --> KDF --> derived key --> AES-CFB

So, my questions are:

  1. In which case is RSA used to comply with the OpenPGP standard?
  2. In which case is ECDH used to comply with the OpenPGP standard?
  3. Is my understanding of the ECDH model as mentioned above correct? (Does the sender encrypt the message only, and not encrypt the session key as in RSA encryption?) And is it possible to use PBKDF2 instead of the KDF in the standard?
Score:2

ECDH encryption for OpenPGP is defined in RFC6637, not RFC4880, and for compatibility with the existing message format(s), as well as to allow multiple recipients, it does not use the ECDH result directly, but rather uses it to wrap the 'session' key using AES-KW (RFC3394).

The KDF used in the ECDH agreement is not PBKDF2, and shouldn't be; there is no point in using a KDF intended to provide stretching for passwords on data that is not a password and doesn't need stretching. It is in fact one of the KBKDFs from SP800-56A, and is fairly trivial (although it is still important to specify, as it is vital all participants implement exactly the same thing).

Finally, a nit: the message or 'bulk' encryption in OpenPGP is (tweaked) CFB, but not necessarily AES; several symmetric block ciphers are supported, although AES is popular, and for good reasons.

I'm not sure I understand your first 2 questions. Both encryption using RSA wrapping, and encryption using ECDH+wrapping, are standard. You can use RSA encryption when sending to a recipient that has an RSA key (whose usage allows encryption), and ECDH encryption when sending to a recipient that has an ECDH key; you could use both when sending to recipients some of whom have one kind of key and some the other. You could use neither when sending to someone with an ElGamal (FFC/modp) key, if you can find anybody still doing that.

To be clear, OpenPGP also supports RSA for signature/authentication, but that is completely different from its use for encryption. You could sign with RSA (using your own key) and encrypt with ECDH (using the recipient's key) both in a single message if that combination is applicable.
