On Mon, Mar 26, 2018 at 6:58 AM, Миша Винник <m.vinni...@gmail.com> wrote:
> Hello, Jeff.
>
> Still have questions:/ Google manual says to do so:
>
> Using your private key and the given ephemeralPublicKey, derive a 256 bit
> long shared key using ECIES-KEM. Use the following parameters as defined in
> ISO 18033-2:
>
> Elliptic curve: NIST P-256 (also known in OpenSSL as prime256v1)
> CheckMode, OldCofactorMode, SingleHashMode and CofactorMode are 0
> Encoding function: Uncompressed Point format
> Key derivation function: HKDFwithSHA256, as described in RFC 5869, using the
> following parameters:
>
> Salt should not be provided (per the RFC, this should be equivalent to a
> salt of 32 zeroed bytes)
> Info should be Android or Google encoded in ASCII for protocol versions ECv0
> and ECv1 respectively
>
> Split the generated key into two 128-bit-long keys: symmetricEncryptionKey
> and macKey.
> Verify that the tag field is a valid MAC for encryptedMessage:
>
> For generating the expected MAC, use HMAC (RFC 5869) with hash function
> SHA256 and the macKey obtained above
> Use a constant time array comparison to avoid timing attacks
>
> Decrypt encryptedMessage using AES128 CTR mode with a zero IV, no padding,
> and the symmetricEncryptionKey derived above.
>
>
> The question is: is it equal to do it like this:
>
> DH2 deriving shared secret using Agree method (own ephemeral private
> obtained by generating from GenerateEphemeralPrivateKey  )
> using CryptoPP::HKDF<CryptoPP::SHA256> to derive key
> splitting key
> using CryptoPP::CTR_Mode<CryptoPP::AES> for final decryption
>
> OR: should I use
> CryptoPP::DL_ES<
> CryptoPP::DL_Keys_EC<CryptoPP::ECP>,
> CryptoPP::KeyAgreementAlgorithm_DH<CryptoPP::ECP,CryptoPP::NO_COFACTOR_MULTIPLICTION>,
> CryptoPP::DL_KeyDerivationAlgorithm
>
> somehow? With overriding DL_KeyDerivationAlgorithm_P1363 with implementation
> of "HKDFwithSHA256" and so on?
>
> Or are these equal approaches?
>
> Still have questions, because on Friday, I recovered shared_key, but
> still cannot decrypt the message for now.

They should be equal approaches but I suspect they are not at the moment.

You will probably have to do the former - do things in discrete
pieces. I think you are most of the way there.

Eventually I plan on dropping patches for the latter - add an AndroidPay
IES. I'm waiting for enough details and documentation to emerge for
the cut-in.

Jeff
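
The "discrete pieces" route for the key-derivation, key-split and tag-check steps quoted above, as an added example using only Python's standard library (not code from this thread, Crypto++ or Google), so its intermediate values can be compared against a Crypto++ port. It assumes the HKDF input is the uncompressed ephemeral public key followed by the ECDH x-coordinate, as ISO 18033-2 ECIES-KEM defines for SingleHashMode = 0; the function names and sample bytes are constructed, and the AES-128-CTR step is left out because the standard library has no AES.

```python
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 output size in bytes


def hkdf_sha256(ikm: bytes, info: bytes, length: int, salt: bytes = b"") -> bytes:
    """HKDF from RFC 5869 with SHA-256; an absent salt becomes 32 zero bytes."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output too long")
    prk = hmac.new(salt or bytes(HASH_LEN), ikm, hashlib.sha256).digest()  # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:  # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(ephemeral_public_key: bytes, shared_secret: bytes, info: bytes):
    """Return (symmetricEncryptionKey, macKey), 128 bits each.

    Assumption: the KDF input is the uncompressed ephemeral point followed by
    the ECDH x-coordinate (ISO 18033-2 ECIES-KEM with SingleHashMode = 0).
    """
    if len(ephemeral_public_key) != 65 or ephemeral_public_key[0] != 0x04:
        raise ValueError("expected a 65-byte uncompressed P-256 point")
    if len(shared_secret) != 32:
        raise ValueError("expected the 32-byte x-coordinate from ECDH")
    okm = hkdf_sha256(ephemeral_public_key + shared_secret, info, 32)
    return okm[:16], okm[16:]


def tag_is_valid(mac_key: bytes, encrypted_message: bytes, tag: bytes) -> bool:
    """Recompute HMAC-SHA256 over encryptedMessage and compare in constant time."""
    expected = hmac.new(mac_key, encrypted_message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


# Constructed sample values, not a real payload or key.
SAMPLE_POINT = b"\x04" + bytes(range(64))
SAMPLE_SECRET = bytes(range(100, 132))
SAMPLE_CIPHERTEXT = b"constructed ciphertext bytes"

if __name__ == "__main__":
    enc_key, mac_key = derive_keys(SAMPLE_POINT, SAMPLE_SECRET, b"Google")  # ECv1
    tag = hmac.new(mac_key, SAMPLE_CIPHERTEXT, hashlib.sha256).digest()
    print("symmetricEncryptionKey:", enc_key.hex(), "macKey:", mac_key.hex())
    print("tag valid:", tag_is_valid(mac_key, SAMPLE_CIPHERTEXT, tag))
```

If the tag check fails on a real payload, compare the 32 bytes returned by `hkdf_sha256` with the HKDF output of the Crypto++ code before looking at the AES step.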
