agens-no / EllipticCurveKeyPair

Sign, verify, encrypt and decrypt using the Secure Enclave

Possible bug in encryptionEciesEdh: SecKeyAlgorithm? #28

Closed dschuetz-expel closed 6 years ago

dschuetz-expel commented 6 years ago

I'm trying to figure out how to generate a message from another tool (right now, I'm working in python) and then decrypt it inside the demo app. In the process of working all this out (which is far more complicated and poorly-documented than I'd expected :( ), I may have found a pair of typos.

In the encryptionEciesEcdh: SecKeyAlgorithm switch statement, the algorithms returned for .sha256 and .sha384 seem to have been swapped. That is, case .sha256 returns SecKeyAlgorithm....SHA384AESGCM, while .sha384 returns ....SHA256AESGCM.

hfossli commented 6 years ago

Hey, thanks for taking the time to report your findings. Much appreciated. Good catch on the switch case typo. If you would like to submit a PR I’ll be happy to merge it er... swiftly...

Okay, so if I get you right you are basically trying to

  1. Create a keypair on device
  2. Share the public key to some python code
  3. Encrypt some message in python using the public key
  4. Decrypt the message on device using the private key

I don’t know much about 3rd here, but let me know if I can assist with the others.
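The four steps above, and the swapped `.sha256`/`.sha384` switch cases from the opening report, both come down to the same thing: the sender has to reproduce exactly the ECIES envelope that the `SecKeyAlgorithm` constant the app passes to `SecKeyCreateDecryptedData` expects, or decryption fails with an opaque error. The Python below is an added example, not code from this thread, from dschuetz, or from the EllipticCurveKeyPair project. It implements steps 2 and 3 (take the device's raw X9.63 public key, encrypt with an ephemeral P-256 key) plus a local decrypt so the round trip can be checked offline. The envelope layout (ephemeral uncompressed point, then AES-GCM ciphertext, then a 16-byte tag; X9.63 KDF with the ephemeral point as SharedInfo; AES-128 for P-256; all-zero 16-byte IV for the "Standard" variants and a KDF-derived IV for the "VariableIV" variants) is my reading of Apple's SecKey header comments and is an assumption: confirm it against a real Secure Enclave round trip before relying on it. The `cryptography` package is required.

```python
"""Added example (not from the EllipticCurveKeyPair project or this thread):
ECIES-style encryption in Python for a P-256 public key exported from the
Secure Enclave. The envelope layout below is an ASSUMPTION based on Apple's
SecKey header comments for the ...ECIESEncryption{Standard,VariableIV}X963SHA256AESGCM
algorithms; verify against an on-device decrypt before relying on it."""
import hashlib
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

CURVE = ec.SECP256R1()
POINT_LEN = 65          # uncompressed X9.63 point: 0x04 || X || Y
AES_KEY_LEN = 16        # assumption: AES-128 for EC keys of 256 bits or less
GCM_IV_LEN = 16         # assumption: 16-byte IV (zero, or KDF-derived for VariableIV)


def x963_kdf(shared_secret: bytes, shared_info: bytes, length: int,
             hash_name: str = "sha256") -> bytes:
    """ANSI X9.63 KDF: concatenate Hash(Z || counter || SharedInfo) for a
    4-byte big-endian counter starting at 1, then truncate to `length`.
    The hash must match the SHA variant named in the SecKeyAlgorithm constant,
    which is exactly what the swapped switch cases in the report got wrong."""
    out = b""
    counter = 1
    while len(out) < length:
        block = shared_secret + counter.to_bytes(4, "big") + shared_info
        out += hashlib.new(hash_name, block).digest()
        counter += 1
    return out[:length]


def load_device_public_key(raw_point: bytes) -> ec.EllipticCurvePublicKey:
    """Step 2: the app ships the raw 65-byte X9.63 point; parse it."""
    if len(raw_point) != POINT_LEN or raw_point[0] != 0x04:
        raise ValueError("expected a 65-byte uncompressed P-256 point")
    return ec.EllipticCurvePublicKey.from_encoded_point(CURVE, raw_point)


def _derive_key_iv(shared_secret: bytes, eph_point: bytes, variable_iv: bool):
    # SharedInfo is the ephemeral public point, so the key is bound to it.
    if variable_iv:
        km = x963_kdf(shared_secret, eph_point, AES_KEY_LEN + GCM_IV_LEN)
        return km[:AES_KEY_LEN], km[AES_KEY_LEN:]
    return x963_kdf(shared_secret, eph_point, AES_KEY_LEN), bytes(GCM_IV_LEN)


def ecies_encrypt(recipient_pub: ec.EllipticCurvePublicKey, plaintext: bytes,
                  variable_iv: bool = False) -> bytes:
    """Step 3: fresh ephemeral key, cofactor ECDH, X9.63 KDF, AES-GCM.
    Returns eph_point || ciphertext || 16-byte tag."""
    eph_priv = ec.generate_private_key(CURVE)
    eph_point = eph_priv.public_key().public_bytes(
        serialization.Encoding.X962, serialization.PublicFormat.UncompressedPoint)
    shared_secret = eph_priv.exchange(ec.ECDH(), recipient_pub)  # x-coordinate, 32 bytes
    key, iv = _derive_key_iv(shared_secret, eph_point, variable_iv)
    # AESGCM.encrypt appends the 16-byte tag to the ciphertext.
    return eph_point + AESGCM(key).encrypt(iv, plaintext, None)


def ecies_decrypt(recipient_priv: ec.EllipticCurvePrivateKey, blob: bytes,
                  variable_iv: bool = False) -> bytes:
    """Step 4 equivalent, run locally so the envelope can be checked offline.
    On the device this is what SecKeyCreateDecryptedData does with the SE key."""
    if len(blob) < POINT_LEN + 16:
        raise ValueError("blob too short to hold a point and a GCM tag")
    eph_point, ct_and_tag = blob[:POINT_LEN], blob[POINT_LEN:]
    eph_pub = ec.EllipticCurvePublicKey.from_encoded_point(CURVE, eph_point)
    shared_secret = recipient_priv.exchange(ec.ECDH(), eph_pub)
    key, iv = _derive_key_iv(shared_secret, eph_point, variable_iv)
    return AESGCM(key).decrypt(iv, ct_and_tag, None)  # raises InvalidTag on tamper


def roundtrip(message: bytes, variable_iv: bool = False) -> bytes:
    """Constructed stand-in for the device keypair (a software P-256 key, not
    a Secure Enclave key): export its raw point the way the app would, encrypt
    against that, decrypt with the private half, return the recovered bytes."""
    device_priv = ec.generate_private_key(CURVE)
    raw_point = device_priv.public_key().public_bytes(
        serialization.Encoding.X962, serialization.PublicFormat.UncompressedPoint)
    blob = ecies_encrypt(load_device_public_key(raw_point), message, variable_iv)
    return ecies_decrypt(device_priv, blob, variable_iv)


if __name__ == "__main__":
    print(roundtrip(b"hello from python", variable_iv=False))
    print(roundtrip(b"hello from python", variable_iv=True))
```

Two things to keep straight when using this against a real device: the hash in the KDF and the `variable_iv` flag must match the `SecKeyAlgorithm` constant the app actually passes (a mismatch does not produce a readable error, just a GCM tag failure), and the tag check in `ecies_decrypt` is the only integrity protection the envelope has, so a blob that fails to decrypt should be treated as corrupted or tampered rather than retried with other parameters.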

dschuetz commented 6 years ago

My first pull request. :) Hopefully I didn't screw it up too badly.

Re: "the others" -- it's #3 that I'm stuck on. Obviously this is off-topic for this thread, but I'm still futzing around. At this point I'm digging into public code from Apple to try and drop some strategic prints into the key generation and encryption routines...but it's slow going. At some point I may come back with further requests, or (ideally) with a demo of how to actually make it work. But that's a discussion for a different time.

Thanks!

hfossli commented 6 years ago

🎉 Congratulations! And thanks for contributing! 🎉 Awesome!

hfossli commented 6 years ago

If you would like to elaborate I would be happy to discuss these things. What are you trying to accomplish?

hfossli commented 6 years ago

This is btw very useful for verifying signatures https://github.com/agens-no/EllipticCurveKeyPair/blob/master/Utils.swift#L30-L42

https://github.com/agens-no/EllipticCurveKeyPair#verifying-a-signature

dschuetz commented 6 years ago

I've been trying to verify that something else (say, a server) could encrypt a message using the Public key the app derives, so that it can be sent to the user and decrypted using the private key in the SE, enabled by the TouchID sensor.

It took a lot of digging, guessing, and experimentation, not to mention selecting the exact right combination of all the variables I've been messing with, but I eventually got it to work. Hopefully I'll publish a gist soonish. TL;DR:

Anyway, I'm writing it all up and will drop you a note when I'm able to get it published somewhere.

hfossli commented 6 years ago

I don’t understand any of it - I’m no crypto expert, I just love making nice libraries. Thanks for sharing. The use case is very powerful.

hfossli commented 6 years ago

How was your journey? I would love to hear about it and what you found :)

dschuetz commented 6 years ago

I had written up a post a while back but wanted to see if we would publish it on the company site. Didn't happen. So I cleaned it up over the last couple of days, and just posted it on my own blog.

https://darthnull.org/security/2018/05/31/secure-enclave-ecies/

I've got to keep playing with this...have a couple demo apps of my own in mind...if I ever find any free time. :)

hfossli commented 6 years ago

Wow! This is just truly amazing. Thank you for sharing. This has certainly been a missing piece of documentation!

hfossli commented 6 years ago

I am linking to your article in the readme! Thanks a lot!

https://github.com/agens-no/EllipticCurveKeyPair/blob/master/README.md#encrypting-on-a-different-deviceosplatform

hfossli commented 5 years ago

I have tried to port your script line by line to open ssl commands. Not quite there yet... :( https://gist.github.com/hfossli/6763c2ceeba0f03ce45cc630bbbec7b0