I need to find out where you went wrong, but that is not the intent. Note that there is both an ECDH-ES and an ECDH-SS version in the table. One uses the ephemeral key and one uses the static key for doing the key agreement. The paragraph that discusses these options is the "Ephemeral-static or static-static" bullet above the table.
There is a small number of common ECDH routines because, modulo how to find the second key, the processing is the same. If you can identify where you got confused, please let me know so I can look at doing clarifications. Jim > -----Original Message----- > From: COSE [mailto:[email protected]] On Behalf Of Adam Langley > Sent: Saturday, July 09, 2016 2:49 PM > To: [email protected] > Subject: [COSE] Binding of sender's key in ECDH-ES. > > I think from reading > https://tools.ietf.org/html/draft-ietf-cose-msg-14#section-12.4.1 that ECDH-ES > is supposed to authenticate the sender, i.e. that successfully decrypting an > ECDH-ES message also authenticates it. For example, Table 19 lists a label for a > sender's static key for use with ECDH-ES, which would be meaningless if ECDH- > ES was supposed to be anonymous. > > Given that, I don't see how the sender's static key is included in the key > derivation. I would have expected something like the input keying material to > HKDF to be ECDH(sender-static, receiver-static) ++ ECDH(sender-ephemeral, > receiver-static). That would give one-way forward secrecy and would > authenticate the message w.r.t the sender's static key (*) > > There are many words, so it's very possible that I missed something, so I also > looked at > https://github.com/cose-wg/cose- > implementations/blob/master/csharp/COSE/EncryptMessage.cs#L1529 > and I only see a single ECDH operation in there. > > Is it that I misunderstood the aim and that ECDH-ES is sender-anonymous? If > not, how does the sender show possession of their static key? > > (* Modulo key-compromise impersonation.) > > > Cheers > > AGL > > -- > Adam Langley [email protected] https://www.imperialviolet.org > > _______________________________________________ > COSE mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/cose _______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
