Re: Encrypting to a public key?

[Schanzenbach, Martin]

> On 7. Jul 2020, at 21:58, Cy <fromgnunet@cy1.allowed.org> wrote:
> 
> On Tue, 7 Jul 2020 09:16:00 +0200
> "Schanzenbach, Martin" <mschanzenbach@posteo.de> wrote:
> 
>> P_bob does not have to be ephemeral.
> 
> My understanding was that P_bob had to be ephemeral. So, that makes ECDH a 
> lot more
> appealing. If P_bob is static, Bob can publish it, perhaps as a CHK. Then 
> many people can
> get it, and immediately start a conversation, without having to wait for him 
> to publish
> anything else.
> 
>>> 2. Wait for Bob to send it to you and do nothing.
>> 
>> This transfer of public key of the destination identity will always have to 
>> happen.
> 
> The time it takes to get Bob's key is definitely not a concern. I was 
> concerned with the
> time it takes to wait for Bob to generate his (ephemeral) key. If that isn't
> necessary, then that's great! So to use Alice instead of me, after Alice has 
> Bob's key,
> she has to send Bob something once, and she does not have to wait for a 
> reply. Bob might
> still have to wait, if he doesn't yet have Alice's key, but he won't have to 
> wait for
> Alice to generate it either. Is that right?
> 
> d_N = private ECDSA key
> P_N = public ECDSA key
> 
> Alice:
>  1. ECDH(d_alice, P_bob) => shared secret
>  2. HKDF(shared secret) => ???
>  3. Send P_alice to Bob or maybe its CHK, as a request to talk
>  4. Send ENC(shared secret, message) to Bob
>  5. Go to step 4.

Yes, except that you can just send the (ephemeral) P_alice along with 
ENC(shared secret, message).
ECDHE keys in GNUnet are just 256 bit (I think).
That would allow you to change P_alice periodically (or even every time you 
send a message).
Note that this eventually leads to a axolotl-style ratchet: 
https://en.wikipedia.org/wiki/Double_Ratchet_Algorithm
We use that for CADET.

> 
> And Bob:
>  1. Receive request to talk and get P_alice's key, or its CHK then download 
> P_alice
>  2. ECDH(d_bob, P_alice) => same shared secret as Alice
>  3. HKDF(shared secret) => ???
>  4. Send ENC(shared secret, message) to Alice
>  5. go to step 4
> 
> I'm not entirely sure the purpose of HKDF here.

The result of the ECDH is already a shared secret. In GNUnet, it is a 512-bit 
hash.
This could be used as an 512-bit AES key.
But, usually you use that to derive a key by adding a salt, like 
"my-application-salt".

> Some sort of anti-flooding measure? Also
> didn't you say ECDSA keys were only to be used for signing? Because I don't 
> see this as
> having much to do with signing.

Ok, signing and ECDH ;)

> 
>> But they do not have to be. In TLS this is true because ephemeral keys
>> for both parties are a better idea.
> 
> A better idea for certificate authorities at least. -_-
>

signature.asc
Description: Message signed with OpenPGP