Wednesday, January 30, 2008

Elliptic Curve Cryptography is not your usual encrypt-decrypt

When I began work on my security project for securing m-commerce transactions, I made all the design around the single concept (used in SSL, etc), of encrypting a secret/symmetric key with a public key of party X and sending it to the party X who will decrypt it with its private key. Subsequent communication will occur using the symmetric key. This encrypt-decrypt can happen using RSA.

However, after coming across many online documents and posts on the Bouncy Castle forums, I realized that ECC is not designed this way, at least in Bouncy Castle. You need to use something called as ECIES or Elliptic Curve Integrated Encryption Scheme. (See Wikipedia). ECIES takes care of key exchange (Diffie-Hellman) to establish a symmetric key (Confidentiality) and Message Authentication for Integrity.

However, encrypt-decrypt in ECC can be done using El Gamal Encryption over an Elliptic Curve. An open source Java library has been developed in this direction at the National University of Ireland Maynooth. Check out the publication and software section here

I learnt my lessons the hard way and need to stick to Bouncy Castle due to several reasons and had to change my design extensively. However, the library provided by the Irish University seems promising.

14 comments:

yunpu zhu said...

Hi there,

Long time no see.

In your article, I conclude that ECDSA is a Digital Signature Algorithm which can not do encryption/decryption functions. So you choose ECISE. My question is if you employed both ECDSA and ECISE in your project, do they use the same key pair or not?

Thanks

Himanshu said...

Hi, hows it goin. Yes, you can use the same public private key pair. Is that a problem? Having each party maintain two sets of key pairs seems unnecessary to me though I think some algorithms do it this way. I guess it would depend on the application.

However, I noticed with ECIES in Bouncy Castle, using the same key pairs A and B, the encrypted contents of a message X look the same each time. I think this is not safe. I am sure there is a better way to use ECIES and you may have to see some standard documents (I forget which one there is something like CMS..) . Anyway, the way I added an additional step to ECIES that involves exchanging random values before ECIES begins. This random value is then used to generate the secret key for ECIES. The secret key is difficult to break since one would need the private key of one of the parties.

yunpu zhu said...

Thank you very much for your answer.

That's correct. Another question is:

Did you use BC to implement ECIES? I noticed that BC does not advice to use ECIES? Did you make the evaluation for your ECIES? How about the speed? Also the speed with implementation of ECDSA?

Himanshu said...

hmm...I did not come across such information. EC Key Generation is faster than RSA Key generation. The encryption/decryption times are more or less similar to RSA (I did these tests on a mobile emulator, I did not have access to a mobile phone for testing). To encrypt a 128 bit AES symmetric key, a 256 bit EC Key pair is considered as strong as a 2048 bit RSA Key. Other than the mathematical operations in ECC are generous with regards to battery power (see www.certicom.com for more info on this) compared to RSA.

However, read this post from one of the bouncy castle developers: http://www.eaves.org/blog-archive/000066.html It claims that ECC is not as good. But on a mobile platform, key size and battery power become very important. Why we chose ECDSA was mainly because that was the only available digital signature algorithm with BC for J2ME that used an EC key pair.

Himanshu said...

Aha....another important information for you. found it from my old project docs:

• RSA encryption duration is extremely short compared to ECIES. However, ECIES makes of a symmetric key to provide message authentication and integrity. RSA provides only data confidentiality (by encryption). ECIES is a one-all approach.

yunpu zhu said...

Hi Bro,

Thanks for your information. It is very useful for me. At this moment, I should do some research on ECIES. Currently I employ ECDSA in my application, but I have to get Encrypt/Decrypt Algorithm to protect confidentiality. Maybe I can choose Symmetric Key cryptography + ECDSA to realize it.

Himanshu said...

As far as I can remember you are working on mobile environment. If not then you have the option of using EC based El Gamal Encryption. (Dont ask me what it is....I know too many naimplementmes :) ). However, there is no implementation of the same in Bouncy Castle for J2ME. ECIES is always there for encryption otherwise but yes the way you should use it is very important and you may have to study some complicated RFC.

Harkeerat said...

Hi Himanshu,
I am trying to use ECIES (from bouncycastle) to encrypt an AES symmetric key. However my code gives the following error:
java.security.InvalidKeyException: must be passed IE key
at org.bouncycastle.jce.provider.JCEIESCipher.engineInit(Unknown Source)
Do you have any idea what it might be?
Can you help me with some basic code (or links) that addresses this requirement?

Himanshu said...

Hi Harkeerat,

I am afraid I have never seen this exception. I can suggest few things:
1. If you get your hands on source for BC, there is a test package which may contain a file called ECIESTest.java which is the simplest example available on how to use ECIES

2. Similarly, you can check the source of JCEIESCipher. If you are using some IDE, you can attach the source to your run configuration and debug the code.

3. Shoot your questions on the BC mailing list :). Usually some one will reply within a day or two.

4. Show me the complete exception trace and maybe I can get a better idea.

Harkeerat said...

Hi Himanshu,
Thank you so much for your pointers. I was able to find the file ECIESTest.java and am going through it now.
I will email you again if I run into something.
Thanks again man and have a nice day!
Regards,
Harkeerat

kongja27 said...

hii himanshu ..
i have a question about EC key pair generation, it is possible using EC key pair for securing my secret key ?
if it's possible what i must to do? for information i'm using BC provider

Anonymous said...

Hi,

Im testing ECIES for symmetric key exchange and compare it with RSA for the same purpose. I encrypted AES using ECIES and RSA(1024). I can't believe the result. RSA is extremely faster than ECIES.I don't know if there is something wrong or not but the only thing I couldn't releaze is how to know the key strength of ECIES in the example provide by Bouncycastle under test. Also I don't know how to modify it for larger or smaller size.

Amri Shodiq said...

Kongja, you could simply use Elliptic Curve Diffie Hellman to transfer your secret key. I found an example of how to use it as a part of Beginning Cryptography with Java.

You can download just the examples here: http://as.wiley.com/WileyCDA/WileyTitle/productCd-0764596330,descCd-DOWNLOAD.html

srni said...

hi

i have doubt whether ECC encryption/ decryption is easy to implement or ECIES is easy?