https://docs.yubico.com/yesdk/users-manual/application-piv/key-agreement.html
Elliptic Curve Diffie-Hellman key agreement
If a slot contains an ECC key (
An ECDH operation does not encrypt data. Rather, it generates a shared secret.
Here is a description of "classical" ECDH.
- Two correspondents agree to an EC parameter set.
- Phase 1: Each correspondent generates a private and public value.
- The correspondents send each other the public values.
- Phase 2: Each correspondent uses their own private value with the other correspondent's public value to generate a secret.
- If the two use the same parameters, they will generate the same secret.
The value each correspondent generates is a point on the curve. The ECDH algorithm is defined as using the x-coordinate of that resulting point.
The correspondents can now use this "shared secret" as a key, or as the foundation of a key derivation operation. They share a key. Or we can say they agree on a key, hence the term "Key Agree". Generally they will use the key to encrypt bulk data in a message or conversation.
An eavesdropper can see the parameters and public values, but without at least one of the private values, cannot compute the shared secret.
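The exchange described above, as an added example that is not from the original page or the SDK: both correspondents hold software keys created with the .NET BCL rather than keys in a YubiKey slot. It assumes .NET 8 or later (needed for `DeriveRawSecretAgreement`) and NIST P-256 as the agreed curve; `alice`, `bob` and `eve` are illustrative names.

```csharp
using System;
using System.Security.Cryptography;

// Added example: classical ECDH between two software keys using only the .NET BCL.
public static class EcdhDemo
{
    public static void Main()
    {
        // The agreed EC parameter set (P-256 is an assumption for this example).
        ECCurve curve = ECCurve.NamedCurves.nistP256;

        // Phase 1: each correspondent generates a private and public value.
        using ECDiffieHellman alice = ECDiffieHellman.Create(curve);
        using ECDiffieHellman bob = ECDiffieHellman.Create(curve);

        // Only the public values (curve plus public point) are sent to the peer.
        ECParameters alicePublic = alice.ExportParameters(false);
        ECParameters bobPublic = bob.ExportParameters(false);
        using ECDiffieHellman bobSeenByAlice = ECDiffieHellman.Create(bobPublic);
        using ECDiffieHellman aliceSeenByBob = ECDiffieHellman.Create(alicePublic);
        using ECDiffieHellmanPublicKey bobPub = bobSeenByAlice.PublicKey;
        using ECDiffieHellmanPublicKey alicePub = aliceSeenByBob.PublicKey;

        // Phase 2: own private value + peer's public value -> x-coordinate of the shared point.
        byte[] aliceSecret = alice.DeriveRawSecretAgreement(bobPub);
        byte[] bobSecret = bob.DeriveRawSecretAgreement(alicePub);
        Console.WriteLine($"Raw secret length: {aliceSecret.Length} bytes");
        Console.WriteLine($"Raw secrets match: {CryptographicOperations.FixedTimeEquals(aliceSecret, bobSecret)}");

        // Using the shared secret as the foundation of a key derivation (SHA-256 here).
        byte[] aliceKey = alice.DeriveKeyFromHash(bobPub, HashAlgorithmName.SHA256);
        byte[] bobKey = bob.DeriveKeyFromHash(alicePub, HashAlgorithmName.SHA256);
        Console.WriteLine($"Derived keys match: {CryptographicOperations.FixedTimeEquals(aliceKey, bobKey)}");

        // An eavesdropper sees both public values but holds neither private value;
        // substituting her own private value does not reproduce the shared secret.
        using ECDiffieHellman eve = ECDiffieHellman.Create(curve);
        byte[] eveSecret = eve.DeriveRawSecretAgreement(bobPub);
        Console.WriteLine($"Eavesdropper matches: {CryptographicOperations.FixedTimeEquals(eveSecret, aliceSecret)}");

        // Clear secret material once it is no longer needed.
        foreach (byte[] s in new[] { aliceSecret, bobSecret, eveSecret, aliceKey, bobKey })
            CryptographicOperations.ZeroMemory(s);
    }
}
```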
This is similar to the RSA digital envelope. In that system, a sender generates a session key, encrypts it using the recipient's public key, and encrypts the bulk data with the session key. The recipient uses their private key to decrypt the session key, then uses the session key to decrypt the bulk data.
Note that the RSA algorithm can be used for encryption and signing, but cannot be used for key agreement. ECC can be used for signing and key agreement.
It is possible to use ECC for encryption as well. It is generally called ECES (Elliptic Curve Encryption Scheme) or EC ElGamal. However, the .NET Base Class Libraries (BCL) and the YubiKey do not support EC encryption.
"Perfect Forward Secrecy"
One of the strengths of Diffie-Hellman in general (EC and the original formulation based on large prime numbers) is that it is possible to use different public…