6

I have a symmetric key that I would like to encrypt with an ECC public key using OpenSSL. In its high-level portion, EVP, OpenSSL offers a solution to encrypt "an envelope", which is exactly what I need.

However, I would like to have these in separate steps, not all in one, as OpenSSL offers in EVP. I would like to have control where I encrypt the symmetric key myself with OpenSSL, and encrypt the message using my own C++ wrappers, and put them both in my selected format.

How can I encrypt just the symmetric key with a public key using OpenSSL without having it encrypt the message as well? Is this doable?

I've tried to have zero-length plaintext in the example provided, but it crashes. Is this possible?

If not, how can I encrypt with a public key without EVP with an EC_KEY?

The Quantum Physicist
  • Not entirely sure why you would go this route, but [`RSA_public_encrypt`](https://www.openssl.org/docs/manmaster/man3/RSA_public_encrypt.html) should do what you want, assuming you're using RSA keys. It's a straight up API. Though it shouldn't matter to you, as you're just encrypting a simple session key, but always worth mentioning to make sure the data size is at least 11-bytes under the modulus size of the key. – WhozCraig Nov 19 '19 at 18:55
  • @WhozCraig Sorry, I should've made it clear. I'll update the question. I'm looking to encrypt with ECC (the type of my key is `EC_KEY`). Is there an equivalent function for ECC? – The Quantum Physicist Nov 19 '19 at 19:04
  • If there is, I haven't seen it. I don't use ECC because frankly to this day I still can't wrap my head around the ephemeral key generation, hmacs, etc. As soon as I started looking into them years ago and one of the first things I read was "ECC isn't really for encryption/decryption; but there are algorithms to use ECC that do" my head started to swell. Wish I could help you. Sry. – WhozCraig Nov 19 '19 at 19:17
  • @WhozCraig Unfortunately, it's not my choice. The keys already exist and I have to use them for encryption. Thanks anyway :-) – The Quantum Physicist Nov 19 '19 at 19:21
  • Are you actually trying to encrypt with ECC or are you trying to use ECC to generate a shared secret, i.e. ECDH (Elliptic-Curve Diffie-Hellman)? – dbush Nov 19 '19 at 19:52
  • @dbush No, I'm trying to encrypt with ECC. There's no second party (I, the encrypter, don't have a public key). I want to generate a random symmetric key, encrypt a message with it, then encrypt the symmetric key with the ECC public key, then store all that somewhere where the receiver can reach it. ECDH implies there's a "second party", whose public key (ephemeral or not) can be used to calculate a shared key. Please tell me if I'm wrong. – The Quantum Physicist Nov 19 '19 at 20:03
  • As far as I'm aware, you can't really use ECC to directly encrypt - you're talking about an ECIES scheme. It's really just a drawn-out ECDH interaction. But this does require an existing, long-lived public key from the recipient. – Luke Joshua Park Nov 19 '19 at 20:05
  • @LukeJoshuaPark Wait a minute. You're telling me it's impossible to encrypt with an ECC key on its own, just like we encrypt with an RSA public key? – The Quantum Physicist Nov 19 '19 at 20:06
  • Well - I'm fairly sure, yes. Remember that RSA is an algorithm, whereas ECC is a set of related cryptographic primitives that are based on elliptic curves. I'm not claiming it is impossible, but there definitely isn't a "mainstream" way of doing it other than ECIES. – Luke Joshua Park Nov 19 '19 at 20:08
  • Relevant: https://crypto.stackexchange.com/questions/31602/how-does-encryption-work-in-elliptic-curve-cryptography - the interactions between the parties are similar to PGP - one generates a public key, gives it to the sender and the sender uses it to produce a ciphertext. But the key isn't used directly to encrypt, it's used to generate a shared secret that **is** the symmetric key. – Luke Joshua Park Nov 19 '19 at 20:09
  • @LukeJoshuaPark What about this function that I just found: `EVP_PKEY_encrypt()`. It seems to take an `EVP_PKEY` as parameter. I learned this by digging into OpenSSL source code, which is in the function `EVP_SealInit`, where I don't see any comments there in the [wiki page](https://wiki.openssl.org/index.php/EVP_Asymmetric_Encryption_and_Decryption_of_an_Envelope) that ECC encryption is not possible. That's why I'm confused. What am I missing here? – The Quantum Physicist Nov 19 '19 at 20:19
  • @TheQuantumPhysicist It doesn't say explicitly, but that interface only supports public key algorithms that support encryption and decryption directly, which ECC doesn't. You'll need to create an ephemeral ECC key pair and use your private key and the receiver's public key to create a shared secret to encrypt the message with. Then you send the encrypted message along with the ECC public key you created. – dbush Nov 19 '19 at 20:27
  • @dbush That's not such a bad plan to be honest. You're right. I can create a public/private key pair for my end, then throw the private key away. It'll have the same effect. I'll see if I can do ECIES with OpenSSL. Thanks for the idea! – The Quantum Physicist Nov 19 '19 at 20:31

1 Answer

7

Unlike RSA, encryption and decryption can't be performed directly with ECC.

The preferred way to do this is to create an ephemeral ECC key pair and use your private key and the receiver's public key to create a shared secret to encrypt the message with. Then you send the encrypted message along with the ECC public key you created. This scheme is called ECIES (Elliptic Curve Integrated Encryption Scheme).

You would need to call `ECDH_compute_key` to create the shared secret and pass it your ephemeral private key and the receiver's public key along with a pointer to a key derivation function (KDF) that you define. The simplest KDF would be a hash of the x-coordinate of the output of the ECDH calculation. Whatever scheme you use, the other side would need to agree on the KDF that is being used.

Maarten Bodewes
dbush