On Thu, Nov 23, 2017 at 06:19:31PM +0000, Laurence Lundblade wrote:
> I'm looking for a scheme that uses elliptic curves where the sender encrypts 
> and the receiver decrypts. The receiver has given the sender some key 
> material out of band in a one-time exchange that is secured by some other 
> means.  The sender can't decrypt with the key material given by the receiver.
> 
> I understand how to do this with RSA and CMS  -- RSA OAEP to wrap an AES CEK, 
> but not yet how to do it with EC and COSE.
>
> The integration of both integrity protection and data enveloping is nice, but 
> it's mostly the data protection I'm after.
>
> I did look at 12.4, but neither ephemeral-static nor static-static seems right. 12.5 
> seems closer.

Something like this might do (enveloped structure, as simple encrypted
does not seem to suffice):

84                                       -- Top level array
    51                                   -- Wrapping bstr, 17 bytes.
        A2                               -- Two headers
            01 03                        -- AES-256-GCM
            05 4C                        -- IV, 12 bytes
                <12 bytes of random IV>
    A0                                   -- Empty unprotected
    <ciphertext, including bstr header>
    A3                                   -- Recipients
        40                               -- Empty protected
        A3                               -- Unprotected
            01 38 18                     -- ECDH-ES+HKDF-256
            20 A3                        -- Ephemeral key, 3 fields.
                01 01                    -- OKP
                20 04                    -- X25519
                21 58 20                 -- X25519 public key.
                    <32 bytes pubkey>
        F6                               -- NULL

That seems to be 85-93 bytes of overhead (60 of those are crypto)
depending on the message size.



-Ilari
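
The layout sketched in the message above, as an added example (not part of the original e-mail and not Ilari's code): a minimal CBOR encoder in Python that serializes a COSE_Encrypt with one ECDH-ES+HKDF-256 recipient and measures the envelope overhead. Assumptions: the function names are hypothetical, the IV, ciphertext and key bytes are constructed placeholders (no encryption is performed), and the recipients field is encoded as RFC 8152 defines it, an array holding one three-element recipient.

```python
import os

def head(major, n):
    """CBOR initial byte(s): 3-bit major type plus shortest-form argument."""
    if n < 24:
        return bytes([major << 5 | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([major << 5 | ai]) + n.to_bytes(size, "big")
    raise ValueError("argument too large for CBOR")

def enc(x):
    """Encode the subset of CBOR that COSE_Encrypt needs."""
    if x is None:
        return b"\xf6"
    if isinstance(x, int):
        return head(0, x) if x >= 0 else head(1, -1 - x)
    if isinstance(x, bytes):
        return head(2, len(x)) + x
    if isinstance(x, list):
        return head(4, len(x)) + b"".join(enc(i) for i in x)
    if isinstance(x, dict):  # insertion order is kept, as in the dump
        return head(5, len(x)) + b"".join(enc(k) + enc(v) for k, v in x.items())
    raise TypeError(type(x))

def cose_encrypt(iv, ciphertext, eph_pub):
    """COSE_Encrypt with a single ECDH-ES+HKDF-256 recipient (direct key)."""
    if len(iv) != 12 or len(eph_pub) != 32:
        raise ValueError("need a 12-byte IV and a 32-byte X25519 public key")
    protected = enc({1: 3, 5: iv})             # alg A256GCM, IV
    eph_key = {1: 1, -1: 4, -2: eph_pub}       # kty OKP, crv X25519, x
    recipient = [b"", {1: -25, -1: eph_key}, None]  # NULL ciphertext as sketched
    return enc([protected, {}, ciphertext, [recipient]])

def overhead(plaintext_len):
    """Bytes the envelope adds, with AES-GCM's 16-byte tag in the ciphertext."""
    ct = bytes(plaintext_len + 16)             # constructed stand-in ciphertext
    return len(cose_encrypt(os.urandom(12), ct, bytes(32))) - plaintext_len

if __name__ == "__main__":
    msg = cose_encrypt(bytes(12), bytes(4 + 16), bytes(32))  # constructed input
    print(msg.hex())
    print([overhead(n) for n in (4, 100, 70000)])
```

The overhead grows only with the length of the ciphertext's bstr header; everything else in the envelope is fixed-size.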
