javascript - 如何使用椭圆曲线 Diffie-Hellman 与 JS 中的 SJCL 和 Ruby 中的 OpenSSL

Question

使用 Elliptic-Curves Diffie-Hellman，我想连接客户端上的 SLCL - JS （文档）和服务器上的 OpenSSL - Ruby （文档）。

我在这里找到了一个类似的问题，但它并没有真正得到正确的回答，而且它也不是我真正想要的，因为它使用了sjcl.ecc.elGamal.generateKeys(384, 10)，而我希望使用sjcl.ecc.curves['c384']<- NIST

尽管如此，我仍然使用并修改了他的代码来测试，因为我在使用sjcl.ecc.curves['c384']生成单个公共点密钥时遇到了问题，这就是我想出的。

//Javascript
keypair = sjcl.ecc.elGamal.generateKeys(384, 10);
console.log(keypair.pub._point.toBits()); //Changed from his serialize()

这输出到

[-1992414123, 638637875, 1917312913, 73389700, -425224557, 743777818, 970253455, 723842951, -1751664279, 982132367, -1949786746, 1067402923, -869929568, 157928816, 1651634060, 1968161300, -216192372, -1858642177, -1345910998, -2128793177, -1325754797, 143080818, 1868787479, -484135391]

使用 ruby 的输出：

#Ruby
pointArr = [-1992414123, 638637875, 1917312913, 73389700, -425224557, 743777818, 970253455, 723842951, -1751664279, 982132367, -1949786746, 1067402923, -869929568, 157928816, 1651634060, 1968161300, -216192372, -1858642177, -1345910998, -2128793177, -1325754797, 143080818, 1868787479, -484135391]

# ugly bit magic to somehow convert the above array into a proper byte array (in form of a string)
pointStr = [(pointArr.map { |i| (i>=0)?('0'*(8-i.to_s(16).length)+i.to_s(16)):("%08X" % (2**32-1+i+1)) }*'').upcase].pack("H*")

#My modified code
pointInt = pointStr.unpack('B*').first.to_i(2) #Convert BitStr to integer
pointBN = OpenSSL::BN.new(pointInt.to_s, 10) #Int to BigNumber (to be used as param below)

group = OpenSSL::PKey::EC::Group.new('secp384r1') #EC Group to be used

client_pub_point = OpenSSL::PKey::EC::Point.new(group, pointBN)
# ^
# ^ ABOVE'S MY PROBLEM -> OpenSSL::PKey::EC::Point::Error: invalid encoding
# ^

#Server EC: code taken and modified from https://www.ruby-forum.com/topic/3966195 
ec = OpenSSL::PKey::EC.new(group)
ec.generate_key

pub = OpenSSL::PKey::EC.new(group)
pub.public_key = client_pub_point

#Compute Shared Key
shared_key = ec.dh_compute_key(pub.public_key)

puts shared_key.unpack('I>*')

当使用上面 [(link)] ( https://www.ruby-forum.com/topic/3966195 )中的原始代码时，此“放置”如下所示

应该是这样，但以防万一这是我的测试

irb(main):113:0> ec = OpenSSL::PKey::EC.new(group)
=> #<OpenSSL::PKey::EC:0x37f4250>
irb(main):114:0> ec.generate_key
=> #<OpenSSL::PKey::EC:0x37f4250>

irb(main):115:0> pub = OpenSSL::PKey::EC.new(group)
=> #<OpenSSL::PKey::EC:0x374f070>
irb(main):116:0> pub.public_key = ec.public_key
=> #<OpenSSL::PKey::EC::Point:0x37f8090>

irb(main):117:0> pub.public_key.to_bn
=> 7699789176960498967958014210931326569901199635665512831714857096185925821659134057981449113945854620725216613989823482205311316333140754760317456176281271361802541262755346331375041208726203461213190230560617504850860621520632944763
irb(main):119:0> OpenSSL::PKey::EC::Point.new(group, pub.public_key.to_bn)
=> #<OpenSSL::PKey::EC:0x4029f48>

#The ABOVE FORMAT works, unlike the error I got like the following

irb(main):122:0> pointBN
=> 832312614609895991150696681555479456971598284480953722479085426901428295415600048953528780331647571635767075686130334170313461289491500162782258792834115040597490936949579748064005380309022482780162833924377801386781542770068991521
irb(main):123:0> OpenSSL::PKey::EC::Point.new(group, pointBN)
OpenSSL::PKey::EC::Point::Error: invalid encoding

但是比较上面的工作和不工作，似乎小数位数的总数是相同的，所以我认为我有点走上正轨，但我真的无法解决。

对于那些可能遇到此类问题的人，这些是我的参考代码(1) (2) (3) (4) (5)

我被困在这两天了，网上似乎没有太多关于这方面的文章，而且我找不到任何其他支持椭圆曲线的 JS 库。任何帮助将非常感激。

score 0 · Accepted Answer

#Server EC：从https://www.ruby-forum.com/topic/3966195获取和修改的代码 ec = OpenSSL::PKey::EC.new(group) ec.generate_key ...

通常，我们只是EC_KEY_new_by_curve_name用已知曲线的 NID 调用。NID 将包括：

NID_secp160k1
NID_secp192k1
NID_secp224k1
NID_secp256k1
NID_secp384r1
NID_secp521r1
其他初级场曲线
其他二元场曲线

我认为它们的完整列表可在 OpenSSL 来源中找到obj_mac.h：

#define SN_secp112r1        "secp112r1"
#define NID_secp112r1       704
#define OBJ_secp112r1       OBJ_secg_ellipticCurve,6L

#define SN_secp112r2        "secp112r2"
#define NID_secp112r2       705
#define OBJ_secp112r2       OBJ_secg_ellipticCurve,7L

#define SN_secp128r1        "secp128r1"
#define NID_secp128r1       706
#define OBJ_secp128r1       OBJ_secg_ellipticCurve,28L

#define SN_secp128r2        "secp128r2"
#define NID_secp128r2       707
#define OBJ_secp128r2       OBJ_secg_ellipticCurve,29L

#define SN_secp160k1        "secp160k1"
#define NID_secp160k1       708
#define OBJ_secp160k1       OBJ_secg_ellipticCurve,9L

#define SN_secp160r1        "secp160r1"
#define NID_secp160r1       709
#define OBJ_secp160r1       OBJ_secg_ellipticCurve,8L

#define SN_secp160r2        "secp160r2"
#define NID_secp160r2       710
#define OBJ_secp160r2       OBJ_secg_ellipticCurve,30L

#define SN_secp192k1        "secp192k1"
#define NID_secp192k1       711
#define OBJ_secp192k1       OBJ_secg_ellipticCurve,31L

#define SN_secp224k1        "secp224k1"
#define NID_secp224k1       712
#define OBJ_secp224k1       OBJ_secg_ellipticCurve,32L

#define SN_secp224r1        "secp224r1"
#define NID_secp224r1       713
#define OBJ_secp224r1       OBJ_secg_ellipticCurve,33L

#define SN_secp256k1        "secp256k1"
#define NID_secp256k1       714
#define OBJ_secp256k1       OBJ_secg_ellipticCurve,10L

#define SN_secp384r1        "secp384r1"
#define NID_secp384r1       715
#define OBJ_secp384r1       OBJ_secg_ellipticCurve,34L

#define SN_secp521r1        "secp521r1"
#define NID_secp521r1       716
#define OBJ_secp521r1       OBJ_secg_ellipticCurve,35L

#define SN_sect113r1        "sect113r1"
#define NID_sect113r1       717
#define OBJ_sect113r1       OBJ_secg_ellipticCurve,4L

#define SN_sect113r2        "sect113r2"
#define NID_sect113r2       718
#define OBJ_sect113r2       OBJ_secg_ellipticCurve,5L

#define SN_sect131r1        "sect131r1"
#define NID_sect131r1       719
#define OBJ_sect131r1       OBJ_secg_ellipticCurve,22L

#define SN_sect131r2        "sect131r2"
#define NID_sect131r2       720
#define OBJ_sect131r2       OBJ_secg_ellipticCurve,23L

#define SN_sect163k1        "sect163k1"
#define NID_sect163k1       721
#define OBJ_sect163k1       OBJ_secg_ellipticCurve,1L

#define SN_sect163r1        "sect163r1"
#define NID_sect163r1       722
#define OBJ_sect163r1       OBJ_secg_ellipticCurve,2L

#define SN_sect163r2        "sect163r2"
#define NID_sect163r2       723
#define OBJ_sect163r2       OBJ_secg_ellipticCurve,15L

#define SN_sect193r1        "sect193r1"
#define NID_sect193r1       724
#define OBJ_sect193r1       OBJ_secg_ellipticCurve,24L

#define SN_sect193r2        "sect193r2"
#define NID_sect193r2       725
#define OBJ_sect193r2       OBJ_secg_ellipticCurve,25L

#define SN_sect233k1        "sect233k1"
#define NID_sect233k1       726
#define OBJ_sect233k1       OBJ_secg_ellipticCurve,26L

#define SN_sect233r1        "sect233r1"
#define NID_sect233r1       727
#define OBJ_sect233r1       OBJ_secg_ellipticCurve,27L

#define SN_sect239k1        "sect239k1"
#define NID_sect239k1       728
#define OBJ_sect239k1       OBJ_secg_ellipticCurve,3L

#define SN_sect283k1        "sect283k1"
#define NID_sect283k1       729
#define OBJ_sect283k1       OBJ_secg_ellipticCurve,16L

#define SN_sect283r1        "sect283r1"
#define NID_sect283r1       730
#define OBJ_sect283r1       OBJ_secg_ellipticCurve,17L

#define SN_sect409k1        "sect409k1"
#define NID_sect409k1       731
#define OBJ_sect409k1       OBJ_secg_ellipticCurve,36L

#define SN_sect409r1        "sect409r1"
#define NID_sect409r1       732
#define OBJ_sect409r1       OBJ_secg_ellipticCurve,37L

#define SN_sect571k1        "sect571k1"
#define NID_sect571k1       733
#define OBJ_sect571k1       OBJ_secg_ellipticCurve,38L

#define SN_sect571r1        "sect571r1"
#define NID_sect571r1       734
#define OBJ_sect571r1       OBJ_secg_ellipticCurve,39L
...

#计算共享密钥 shared_key = ec.dh_compute_key(pub.public_key)

OpenSSL wiki 上有一个 ECDH 示例。我相信马特·卡斯威尔提供了它。您可以在Elliptic Curve Diffie Hellman找到它。

我认为 OpenSSL wiki 示例也在这里复制/粘贴过一次：由 BouncyCastle Java API 和 OpenSSL 生成的 ECDH 机密是不同的。

我不知道 SJCL 或 Ruby，所以我帮不了你。

sjcl.ecc.curves['c384'] <- NIST

我相信你会想要NID_secp384r1这个，但我不了解 Ruby，所以从表面上看。有关 NID 的命名曲线列表，请参阅OpenSSL：openssl/CHANGES openssl/apps/ecparam.c openssl/crypto ...。

如果您要将密钥保存到磁盘并可能稍后在证书中使用它（例如，ECDSA 签名），那么您将需要设置OPENSSL_EC_NAMED_CURVE标志。该标志只是按名称（例如，ASN1 OID: prime256v1）保存组参数，而不是列出 ASN1 对象中的所有域参数（字段类型、主要或二进制字段、基点等）。

你这样做：

EC_KEY_set_asn1_flag(key, OPENSSL_EC_NAMED_CURVE);

如果不设置该标志，那么在协商套件时会遇到“无共享密码”错误。以下是客户端和服务器上的症状：

客户端（s_client）：
- 139925962778272:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
- 139925962778272:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
服务器（s_server）：
- 140339533272744:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1353:

score 0 · Accepted Answer

我终于解决了这个问题！:)

我使用了不同的 Javascript 库。如果您正在寻求解决类似的问题，请参考我的另一个问题（链接）

javascript - 如何使用椭圆曲线 Diffie-Hellman 与 JS 中的 SJCL 和 Ruby 中的 OpenSSL

2 回答 2

Related

Reference