[openssl-users] Better understanding of EC encryption API

Viktor Dukhovni openssl-users at dukhovni.org
Fri Nov 27 16:59:59 UTC 2015

On Fri, Nov 27, 2015 at 09:36:41AM +0000, Matt Caswell wrote:

> >> OpenSSL only supports ECDH and ECDSA, neither of which can be used to
> >> perform encryption.
> > 
> > This is not entirely true, in sufficiently recent versions of
> > OpenSSL, ECDSA keys can be used with CMS to encrypt keys.
>
> Well, perhaps I should modify the statement to say
> "OpenSSL only supports ECDH and ECDSA, neither of which can be used *by
> themselves* to perform encryption."

Of course, but I generally interpret requests for "encryption" with
EC to mean the ability to exchange encrypted messages with the
holder of an EC public key.  In which case, CMS provides a broadly
interoperable mechanism to do so.

> I'm not particularly familiar with CMS but from my very quick reading of
> what is going on in your example is that the EC key is being used by
> ECDH to agree a shared secret (in combination with a KDF). Then AES128
> key wrapping is used to encrypt the CEK, followed by AES to actually
> encrypt the data. So ECDH is not encrypting anything directly (it can't
> - it's not an encryption algorithm - it's a key agreement algorithm).

Correct, as described in RFC 3278 the KEK from the key agreement
encrypts the CEK.  This supports multi-recipient messages with a
single CEK and (unavoidably) a separate KEK for each recipient
derived from the ephemeral-fixed key agreement.

The CMS API takes care of the internal details, but can be difficult
to learn because of its flexibility (signed or unsigned, encrypted
or unencrypted, detached signatures, ...).
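
The flow discussed in this thread (ephemeral-static ECDH plus a KDF gives a per-recipient KEK, the KEK wraps a single CEK, the CEK encrypts the data) can be exercised with the `openssl cms` command. This is an added example, not part of the original messages; the identity names, the prime256v1 curve, the AES-128-CBC content cipher and the file names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Identity names, curve, cipher and
# file names are assumptions made for this demo.

new_ec_identity() {    # $1 = name; writes $1.key and a self-signed $1.crt
    openssl ecparam -name prime256v1 -genkey -noout -out "$1.key" 2>/dev/null &&
    openssl req -x509 -new -key "$1.key" -subj "/CN=$1" -days 1 \
        -out "$1.crt" 2>/dev/null
}

cms_encrypt() {        # $1 = plaintext, $2 = output, rest = recipient certs
    src=$1; dst=$2; shift 2
    # One CEK encrypts the content; each certificate adds one recipient entry
    # whose KEK comes from ephemeral-static ECDH plus a KDF.
    openssl cms -encrypt -binary -aes-128-cbc -in "$src" \
        -outform PEM -out "$dst" "$@"
}

cms_decrypt() {        # $1 = message, $2 = identity name, $3 = output
    openssl cms -decrypt -inform PEM -in "$1" \
        -recip "$2.crt" -inkey "$2.key" -out "$3" 2>/dev/null
}

key_wrap_oids() {      # show the key-wrap algorithm named in each recipient entry
    openssl asn1parse -in "$1" | grep -i wrap
}

demo() (               # subshell body: cd and the trap stay local
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT
    cd "$dir" || exit 1
    for n in alice bob mallory; do new_ec_identity "$n" || exit 1; done
    printf 'constructed sample message\n' > msg.txt
    cms_encrypt msg.txt msg.pem alice.crt bob.crt || exit 1
    for n in alice bob; do
        cms_decrypt msg.pem "$n" "$n.out" && cmp -s msg.txt "$n.out" || exit 1
    done
    # mallory holds an EC key but is not a recipient, so decryption must fail
    if cms_decrypt msg.pem mallory mallory.out; then exit 1; fi
    key_wrap_oids msg.pem || echo "no key-wrap OID found"
    echo "round trip OK for alice and bob; mallory rejected"
)

demo
```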
