Re: Help me for ECDHE algorithm

2014-04-16 Thread chetan
If this is only ECDH, then how do I perform ECDHE?
What changes do I have to make in this code?



--
View this message in context: 
http://openssl.6102.n7.nabble.com/Help-me-for-ECDHE-algorithm-tp49168p49499.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project                         http://www.openssl.org
User Support Mailing List               openssl-users@openssl.org
Automated List Manager                  majord...@openssl.org


Re: Help me for ECDHE algorithm

2014-04-16 Thread Matt Caswell
On 16 April 2014 05:48, chetan chet...@neominds.in wrote:
> If this is only ECDH, then how do I perform ECDHE?
> What changes do I have to make in this code?

Well the final E in ECDHE stands for ephemeral. It is not really a
difference in the way the algorithm itself works, but more about how
it is used. With ECDH both parties will reuse the same keys between
different invocations, and therefore end up with the same shared
secret each time. In ECDHE, one or both parties will create a new key
each time that a shared secret is required. In order for that to work
they will have to exchange public keys. How that happens is protocol
specific (and you haven't said what protocol you are going to be
using). The public keys can be exchanged in-the-clear - but they
*must* be authenticated in some way (e.g. by use of a MAC or digital
signature). Typically you might use RSA or ECDSA to do this. Failure
to authenticate the key exchange will leave you open to a
man-in-the-middle attack.

The actual key generation is quite straight forward and is done in the
code sample on the wiki page link I originally sent you.
http://wiki.openssl.org/index.php/Elliptic_Curve_Diffie_Hellman

The important bit is this bit:

/* Create the context for the key generation (params holds the EC
 * parameters, i.e. the agreed curve; pkey is an EVP_PKEY * that starts
 * out NULL and receives the freshly generated key pair) */
if(NULL == (kctx = EVP_PKEY_CTX_new(params, NULL))) handleErrors();

/* Generate the key - note EVP_PKEY_keygen takes the address of pkey */
if(1 != EVP_PKEY_keygen_init(kctx)) handleErrors();
if(1 != EVP_PKEY_keygen(kctx, &pkey)) handleErrors();

/* Get the peer's public key, and provide the peer with our public key -
 * how this is done will be specific to your circumstances */
peerkey = get_peerkey(pkey);


I would also remind you about this important comment at the end of the
code sample:

/* Never use a derived secret directly. Typically it is passed
* through some hash function to produce a key */



Matt


Re: Help me for ECDHE algorithm

2014-04-15 Thread chetan
Thanks to you... it's working.
Now I have one last query for you.
I'm generating public and private key files using the command line openssl. I
generated 2 .PEM files, one each for the public and private key.
Now I want to generate the shared secret from those files using APIs like
EVP_PKEY_derive and others. So, can I do it like this or not?
If yes, then how?
Thanks once again for the help.



--
View this message in context: 
http://openssl.6102.n7.nabble.com/Help-me-for-ECDHE-algorithm-tp49168p49452.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.


Re: Help me for ECDHE algorithm

2014-04-15 Thread Matt Caswell
On 15 April 2014 05:40, chetan chet...@neominds.in wrote:
> Thanks to you... it's working.
> Now I have one last query for you.
> I'm generating public and private key files using the command line openssl. I
> generated 2 .PEM files, one each for the public and private key.
> Now I want to generate the shared secret from those files using APIs like
> EVP_PKEY_derive and others. So, can I do it like this or not?
> If yes, then how?
> Thanks once again for the help.


There are functions to read and write PEM files. See:
https://www.openssl.org/docs/crypto/pem.html

In particular see the functions:
PEM_read_PUBKEY
and
PEM_read_PrivateKey

There is a discussion on EC Key files on the wiki here:
http://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations

However, note that if both sides of your communication are reading
from key files (and reusing those key files), then you are not doing
ECDHE (as in the subject of this thread) - you're just doing ECDH.

Matt


RE: Help me for ECDHE algorithm

2014-04-15 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of chetan
> Sent: Monday, April 14, 2014 00:42
>
> xxx.c is my program file.
> So, I'm compiling simply like cc xxx.c .
> I am getting [undefined reference]

This is basic C programming. Whenever you link (not just compile) a C
program that uses a library (or several) other than the standard C lib(s)
you must specify it (them) to the linker, or to the compiler when it runs
the linker, as here.

The exact syntax depends on what compiler and/or linker you are using,
which you don't say, but AFAIK the component 'collect2' indicates
GCC/binutils. The syntax for that (and some others) is -lxxx where l is
lowercase ell and xxx is the 'short' name of the library; the actual
filename is usually libxxx.so or libxxx.a .
For OpenSSL EVP* routines (and more generally everything but actual SSL/TLS)
the library you need is -lcrypto .

If the library(s) you want aren't placed in the compiler's (or platform's)
default location for libs, you also need to specify -L (uppercase ell) with
the directory. If you are using an OS-vendor-provided or packaged version,
as on Linux, it will almost certainly be in the default location, whatever
that is for a given distro.





Re: Help me for ECDHE algorithm

2014-04-14 Thread chetan
xxx.c is my program file.
So, I'm compiling simply like cc xxx.c .
I am getting errors as below:
xxx.c:(.text+0x19): undefined reference to `EVP_PKEY_CTX_new'
xxx.c:(.text+0x30): undefined reference to `EVP_PKEY_derive_init'
xxx.c:(.text+0x48): undefined reference to `EVP_PKEY_derive_set_peer'
xxx.c:(.text+0x68): undefined reference to `EVP_PKEY_derive'
xxx.c:(.text+0x88): undefined reference to `EVP_PKEY_derive'
collect2: ld returned 1 exit status




--
View this message in context: 
http://openssl.6102.n7.nabble.com/Help-me-for-ECDHE-algorithm-tp49168p49377.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.


Re: Help me for ECDHE algorithm

2014-04-14 Thread Matt Caswell
On 14 April 2014 05:42, chetan chet...@neominds.in wrote:
> xxx.c is my program file.
> So, I'm compiling simply like cc xxx.c .
> I am getting errors as below:
> xxx.c:(.text+0x19): undefined reference to `EVP_PKEY_CTX_new'
> xxx.c:(.text+0x30): undefined reference to `EVP_PKEY_derive_init'
> xxx.c:(.text+0x48): undefined reference to `EVP_PKEY_derive_set_peer'
> xxx.c:(.text+0x68): undefined reference to `EVP_PKEY_derive'
> xxx.c:(.text+0x88): undefined reference to `EVP_PKEY_derive'
> collect2: ld returned 1 exit status

You are not linking to libcrypto. I don't know anything about the
platform you are compiling for, but typically in gcc you would use
something like:

gcc -o xxx xxx.c -lcrypto


Matt


Re: Help me for ECDHE algorithm

2014-04-11 Thread chetan
I tried your sample code but the compiler is showing an error like "undefined reference
to EVP_PKEY_CTX_new" although I included the header file openssl/evp.h.
Do you have any idea why this error is occurring???
And by the way, thanks for the help, friend.



--
View this message in context: 
http://openssl.6102.n7.nabble.com/Help-me-for-ECDHE-algorithm-tp49168p49279.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.


Re: Help me for ECDHE algorithm

2014-04-11 Thread Matt Caswell
On 11 April 2014 06:25, chetan chet...@neominds.in wrote:
> I tried your sample code but the compiler is showing an error like "undefined reference
> to EVP_PKEY_CTX_new" although I included the header file openssl/evp.h.
> Do you have any idea why this error is occurring???
> And by the way, thanks for the help, friend.

Please
1) Post the steps you are using to compile and link your application,
along with the exact errors and output
2) Confirm the version of openssl and platform that you are using

Matt


Re: Help me for ECDHE algorithm

2014-04-10 Thread chetan
Thanks for giving your time to me. I was given a task that I have to implement
the ECDHE algorithm, which means I can use openssl.
So, can you please tell me what I have to do after generating the public and
private key files? How do I generate the shared secret, and what comes next after that?
Thanks again



--
View this message in context: 
http://openssl.6102.n7.nabble.com/Help-me-for-ECDHE-algorithm-tp49168p49213.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.


Re: Help me for ECDHE algorithm

2014-04-10 Thread Matt Caswell
On 10 April 2014 07:29, chetan chet...@neominds.in wrote:
> Thanks for giving your time to me. I was given a task that I have to implement
> the ECDHE algorithm, which means I can use openssl.
> So, can you please tell me what I have to do after generating the public and
> private key files? How do I generate the shared secret, and what comes next after that?
> Thanks again


Well the E on the end of ECDHE stands for Ephemeral which means
that the public/private key pairs for one or both parties are
generated on the fly each time rather than being persisted (and hence
you would not normally need to use key files).

So broadly speaking the steps are:
1) The parties agree on their parameters (for ECDHE this means agreeing
on a curve to use)
2) The parties create their private/public key pairs and exchange their
public keys
3) Each party derives the shared secret from a combination of their own
private key, and the peer public key
4) Although not strictly part of ECDHE itself, you would then normally
pass the shared secret through some subsequent hash algorithm (e.g.
SHA256) to create the shared key

HOW communication between the parties works is protocol specific
(ECDHE is just the algorithm and says nothing about the protocol). An
important point though is that ECDHE is vulnerable to
man-in-the-middle attacks if the exchange of parameters/keys is not
authenticated (typically you might use RSA to authenticate this)

See the code sample on the link I gave you for an outline of how to
put all this together. The actual key derivation bit is here (pkey
holds the private/public key, peerkey holds the peer's public key,
and secret_len is a size_t * that receives the secret length):

/* Create the context for the shared secret derivation */
if(NULL == (ctx = EVP_PKEY_CTX_new(pkey, NULL))) handleErrors();

/* Initialise */
if(1 != EVP_PKEY_derive_init(ctx)) handleErrors();

/* Provide the peer public key */
if(1 != EVP_PKEY_derive_set_peer(ctx, peerkey)) handleErrors();

/* Determine buffer length for shared secret */
if(1 != EVP_PKEY_derive(ctx, NULL, secret_len)) handleErrors();

/* Create the buffer */
if(NULL == (secret = OPENSSL_malloc(*secret_len))) handleErrors();

/* Derive the shared secret */
if(1 != (EVP_PKEY_derive(ctx, secret, secret_len))) handleErrors();


Hope that helps,

Matt


Re: Help me for ECDHE algorithm

2014-04-09 Thread Matt Caswell
On 9 April 2014 08:39, chetan chet...@neominds.in wrote:
> I am new to this and I want to make the ECDHE algorithm for client-server.
> Can anyone tell me the basic steps and functions to do this? All responses are
> acceptable.
> Thanks in advance


It's unclear from your question whether you are looking to
programmatically use openssl's ECDHE capabilities directly, or whether
you are looking to set up an SSL/TLS communication using ECDHE based
ciphersuites. Assuming the former, then this page is a good start:

http://wiki.openssl.org/index.php/Elliptic_Curve_Diffie_Hellman


Matt