Re: BER decode error on loading EC private key.

[Jeffrey Walton]

> 2. One more thing that I'm missing right now - which params should I store 
> in NameValuePairs?
>
> I guess for:
>  - deriviation they should be at least: null sault, info string Android 
> encoded in Ascii.
>

This looks like what you need for the KDF:

template <class H>
class AndroidPay_KDF
{
public:
    static void CRYPTOPP_API DeriveKey(byte *output, size_t outputLength, 
const byte *input, size_t inputLength,
            const byte *derivationParams, size_t derivationParamsLength)
    {
        CRYPTOPP_UNUSED(derivationParams), 
CRYPTOPP_UNUSED(derivationParamsLength);

        static const byte INFO[] = "Android";
        static const size_t INFO_SIZE = 7;
        
        HKDF<H> hkdf;
        hkdf.DeriveKey(output, outputLength, input, inputLength, NULL, 0, 
INFO, INFO_SIZE);
    }
};
 

>  - encryption algo: zero IV and no padding
>
>
This will probably be specified in the Encryption Algorithm (EA) to the 
Discrete Log Encryption Scheme (DL_ES). For ECIES 
(https://www.cryptopp.com/docs/ref/struct_e_c_i_e_s.html), that is:

    DL_EncryptionAlgorithm_Xor

Here's the full view of ECIES 
(http://www.cryptopp.com/docs/ref/eccrypto_8h_source.html#l00284):

289 template <class EC, class COFACTOR_OPTION = NoCofactorMultiplication, 
bool DHAES_MODE = false>
290 struct ECIES
291  : public DL_ES<
292  DL_Keys_EC<EC>,
293  DL_KeyAgreementAlgorithm_DH<typename EC::Point, COFACTOR_OPTION>,
294  DL_KeyDerivationAlgorithm_P1363<typename EC::Point, DHAES_MODE, 
P1363_KDF2<SHA1> >,
295  DL_EncryptionAlgorithm_Xor<HMAC<SHA1>, DHAES_MODE>,
296  ECIES<EC> >
297 {
298  static std::string CRYPTOPP_API StaticAlgorithmName() {return "ECIES";}
        ...
305 };

We'll still need to map Android Pay specs to ECIES terminology, like 
Cofactor Options and DHAES_MODE. Some of this has been documented in 
Crypto++, like COFACTOR_OPTIONS 
(http://www.cryptopp.com/docs/ref/pubkey_8h.html#ae4b59f7b9d3c7e03bb739f0584905ff1).
 
See, for example, "Methods for Avoiding the "Small-Subgroup" Attacks on the 
Diffie-Hellman Key Agreement Method", http://tools.ietf.org/html/rfc2785.

I'm not familiar with other terminology like CheckMode and SingleHashMode, 
but I believe the answer lies in the implementation of the algorithm. Once 
you get there, it will be obvious what they meant.

Jeff

-- 
-- 
You received this message because you are subscribed to the "Crypto++ Users" 
Google Group.
To unsubscribe, send an email to cryptopp-users-unsubscr...@googlegroups.com.
More information about Crypto++ and this group is available at 
http://www.cryptopp.com.
--- 
You received this message because you are subscribed to the Google Groups 
"Crypto++ Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cryptopp-users+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.