> -----Original Message-----
> From: COSE [mailto:[email protected]] On Behalf Of Adam Langley
> Sent: Saturday, July 09, 2016 4:38 PM
> To: Jim Schaad <[email protected]>
> Cc: [email protected]
> Subject: Re: [COSE] Binding of sender's key in ECDH-ES.
>
> On Sat, Jul 9, 2016 at 3:40 PM, Jim Schaad <[email protected]> wrote:
> > I need to find out where you went wrong, but that is not the intent.
> >
> > Note that there is both an ECDH-ES and an ECDH-SS version in the
> > table. One uses the ephemeral key and one uses the static key for doing the
> > key agreement. The paragraph that discusses these options is the
> > "Ephemeral-static or static-static" bullet above the table.
> >
> > There is a small number of common ECDH routines because, modulo how to
> > find the second key, the processing is the same.
> >
> > If you can identify where you got confused, please let me know so I
> > can look at doing clarifications.
>
> Thank you for the clarification.
>
> I came into the document expecting ECDH-ES to bind a sender's static key (i.e. in
> the style of 6.2.1 of NIST SP 800-56A:
> http://csrc.nist.gov/groups/ST/toolkit/documents/SP800-56Arev1_3-8-07.pdf),
> so the fault might well be entirely my own. There's much discussion of a sender
> static key in that area of the document, which fed my incorrect assumption, and
> there's the label -2 in table 19, which is defined as the sender's static key for
> ECDH-ES. Should that be for ECDH-SS, or is it a "return address" for the recipient
> in the case of ECDH-ES?
Now I understand exactly where you got confused. Using the NIST terminology:

ECDH-ES --> C(1, 1)
ECDH-SS --> C(0, 2)

Thus ECDH-ES should NEVER have any of the sender static fields and only have the ephemeral key field. Likewise, ECDH-SS should ONLY have one of the sender static fields and never have the ephemeral key field.

> I'm not sure that anything needs to change in the document, but would the
> expected structure for a sender-authenticated, one-way forward-secure
> message be an ECDH-ES message encrypted in an ECDH-SS message?

It would be an ECDH-SS message.

I will cogitate and see if I can come up with some clarifications.

Jim

>
> Cheers
>
> AGL
>
> _______________________________________________
> COSE mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/cose
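The rule Jim states above, as an added example that is not part of the thread or of any COSE implementation: a Python check that a recipient's header parameters match the ECDH variant its algorithm selects (ephemeral key only for ECDH-ES, one sender static field only for ECDH-SS). The algorithm identifiers and the -1/-2/-3 header labels are those later published in RFC 8152 (Tables 18 and 19); the key values in the sample headers are constructed placeholders.

```python
# Added example: validate ECDH-ES / ECDH-SS recipient headers against the
# C(1, 1) / C(0, 2) split described in the thread. Not from the COSE spec's
# own code; label and algorithm values are those of RFC 8152.

ALG = 1  # common header parameter label for "alg"

# ECDH key-agreement header parameters (RFC 8152, Table 19)
EPHEMERAL_KEY = -1   # sender's ephemeral public key (ECDH-ES only)
STATIC_KEY = -2      # sender's static public key (ECDH-SS only)
STATIC_KEY_ID = -3   # identifier of the sender's static key (ECDH-SS only)

# ECDH algorithm identifiers (RFC 8152, Table 18), grouped by variant
ECDH_ES_ALGS = {-25, -26, -29, -30, -31}   # ECDH-ES + HKDF / AES key wrap
ECDH_SS_ALGS = {-27, -28, -32, -33, -34}   # ECDH-SS + HKDF / AES key wrap


def nist_scheme(alg: int) -> str:
    """Map a COSE ECDH algorithm to the NIST SP 800-56A scheme family."""
    if alg in ECDH_ES_ALGS:
        return "C(1, 1)"   # one ephemeral key, one static (recipient) key
    if alg in ECDH_SS_ALGS:
        return "C(0, 2)"   # no ephemeral key, two static keys
    raise ValueError(f"alg {alg} is not an ECDH key-agreement algorithm")


def check_ecdh_headers(protected: dict, unprotected: dict) -> list:
    """Return the list of inconsistencies; an empty list means the headers
    carry exactly the key fields the algorithm's variant calls for."""
    hdr = {**unprotected, **protected}   # protected wins on a duplicate label
    alg = hdr.get(ALG)
    has_eph = EPHEMERAL_KEY in hdr
    has_static = STATIC_KEY in hdr or STATIC_KEY_ID in hdr
    problems = []
    if alg in ECDH_ES_ALGS:
        if not has_eph:
            problems.append("ECDH-ES: ephemeral key (-1) missing")
        if has_static:
            problems.append("ECDH-ES: sender static fields (-2/-3) not allowed")
    elif alg in ECDH_SS_ALGS:
        if not has_static:
            problems.append("ECDH-SS: need one of static key (-2) or key id (-3)")
        if STATIC_KEY in hdr and STATIC_KEY_ID in hdr:
            problems.append("ECDH-SS: only one of -2 and -3 may be present")
        if has_eph:
            problems.append("ECDH-SS: ephemeral key (-1) not allowed")
    else:
        problems.append(f"alg {alg!r} is not an ECDH key-agreement algorithm")
    return problems
```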
