1

我正在寻找一种没有大型图书馆重量的 ECDH 方法。经过一番搜索/头痛后,我找到了几乎执行它的 libECC。

在库中,您可以找到一个 ECDH“example_ECDH.c”,但使用它我在导入 PEM 证书并对其进行处理时遇到了很多麻烦。所以在这里我发布我的例子,希望它能帮助其他人赢得时间。

祝你今天过得愉快。

/**
  Perform ECDH with libECC!
  This src code is given as is without ANY WARANTY.
  use at your own risk, but do wathever you want with.

  I had big headeach trying to make it work, so I thougth it may
  worth it to give if to the internet.


  ECDH : Elliptic-curve Diffie–Hellman
  ------------------------------------
  let's say Alice and Bob (ho surprise) want to talk 
  on a public channel.

  pB: private key of bob (a 'random' big number )
  pA: private key of Alice (a 'random' big number )

  pubB: public key  of BOB   (the resulting )
  pubA: public key  of ALice (the resulting )

  G: the generator point specified by the parametre of the chossen curve

  Bob compute his public key by doing  pubB=pB*G  
  Alice compute his public key by doing pubA=pA*G

  Bob and Alice echange their public key. and multiply by theit private key:
  we have thus : 

  finalPointBob = pB*pubA = pB*pA*G
  finalPointAlice = pA*pubB = pA*pB*G=pB*pA*G

  In general, we only use the X coordinate of the resulting point :)

  !!!IMPORTANT!!!
  ---------------
  never use the result of ECDH exchange directly!  use HKDF after 
  to generate the final key.  First this allow you to generate
  bigger key, second, this prevent some attacks.


  M.G.
**/
#include <stdio.h>
#include "libec.h"
#define MAX_BUFFER_SIZE 256
#define SIZE_ONE_PTS BYTECEIL(curve_params.ec_fp.p_bitlen)

/**
  Transform an affine coordinate in projection one.
  Let me explain a little : 
  to optimise calculus by preventing division, mathematiciens
  has found that passing in a 3D domain will help a lot.

  we call coordinate in this domain projected coordinate. 
  how to project ?
  {x,y}->{X,Y,Z}    simply by selecting a z != 0 and then doing
  {x,y}->{xz,yz,z}  since it work with any z!=0, I'll use z =1

  btw maybe libECC can perform this operation but didn't see where :(

  return -1 if point not on curve
  return 0 else
**/
int public_key_to_prj_pt( prj_pt_t out, fp_src_t x,
                                        fp_src_t y,
                            ec_params  *curve_params)
{
  uint8_t one[1]={1};
  fp z;
  fp_init_from_buf(&z, &(curve_params->ec_fp), one,1);

  if(is_on_curve(x, y, &(curve_params->ec_curve)))
  {
    prj_pt_init_from_coords(out, &(curve_params->ec_curve), x, y, &z);
    return 0;
  }
  return -1;
}

/**
  given a public key X,Y buffer, we will return a point (projected)
  on the curve

  return -1 if point not on curve
  return 0 else
**/
int prj_pt_from_buffer(prj_pt_t out, 
              const uint8_t * x_bfr, 
              const uint8_t * y_bfr,
           ec_params  *curve_params)
{
  fp x,y;
  fp_init_from_buf(&x,&(curve_params->ec_fp),
        x_bfr,BYTECEIL(curve_params->ec_fp.p_bitlen));
  fp_init_from_buf(&y,&(curve_params->ec_fp),
        y_bfr,BYTECEIL(curve_params->ec_fp.p_bitlen));
  return public_key_to_prj_pt(out, &x,&y,curve_params);
}


/**
  actually perform the ECDH given the public projected point 
  and the privateKey

  !!!IMPORTANT!!!
  never use the result of this exchange directly!  use HKDF after 
  to generate the final key.  First this allow you to generate
  bigger key, second, this prevent some attacks.

**/
void performECDH(fp_t sharedSecret, nn_t privKey, prj_pt_t pubKey)
{

  //3) multiply the public key by our private number ...
  prj_pt Q;
  aff_pt Q_aff;
  prj_pt_mul_monty(&Q, privKey, pubKey);
  //4) exctract the X coordinate
  prj_pt_to_aff(&Q_aff, &Q);
  fp_copy(sharedSecret, &(Q_aff.x));
}



/**
  used only for this example, 
  thoses buffer should be filled with certificate/pre established value.

  will generate a private key , fill buffer with 
  then generate the public key and fill buffer too
**/
void generate_key(uint8_t* priv_bfr, uint8_t * x_bfr, uint8_t * y_bfr,ec_params  *curve_params)
{
  nn priv;
  prj_pt pub; // public point inside the 3D plans
  aff_pt pub_aff; // remember we want point in 2D plans not 3D one
  // private 
  nn_init(&priv, 0);
  nn_get_random_mod(&priv, &(curve_params->ec_gen_order));
  // public 
  prj_pt_mul_monty(&pub, &priv, &(curve_params->ec_gen));
  prj_pt_to_aff(&pub_aff, &pub);
  // fill buffers 
  nn_export_to_buf(priv_bfr, BYTECEIL(curve_params->ec_fp.p_bitlen), &priv);
  fp_export_to_buf(x_bfr, BYTECEIL(curve_params->ec_fp.p_bitlen), &(pub_aff.x));
  fp_export_to_buf(y_bfr, BYTECEIL(curve_params->ec_fp.p_bitlen), &(pub_aff.y));

}




int main()
{
  printf("---------- start the test ------------ \n");

  /**
    Generally key are exchanged in a standard way,
    But for the example, we will regenerate wath we get if we use
    for example PEM format to key exchange. this specify :
    - the curve we use 
    - one public/private key 
    here we will simulate this, since libECC have no PEM parser ;)

  -------------------------------------------------------------------------
                        GENERATING "CERTIFICATS"
  -------------------------------------------------------------------------
  **/
  // all these info should be extracted from a standard way to
  // exchange key (ie: PEM X509, DEM, ..) since we don't have parser,...
  // we generate them ..
  const char * curve_name =  "SECP384R1" ;  // the curve we will use 
  const ec_str_params *the_curve_const_parameters; //stock const info about the curve
  ec_params  curve_params;// stock info about the curve in structured way.

  uint8_t pB[MAX_BUFFER_SIZE]={0}; //buffer bigger thant wath we need ... prevent a malloc
  uint8_t pA[MAX_BUFFER_SIZE]={0}; 

  // one should ratther use only one buffer for X,Y since we know the size 
  // for this example, we will split all 
  uint8_t pubB_x[MAX_BUFFER_SIZE]={0};
  uint8_t pubB_y[MAX_BUFFER_SIZE]={0};
  uint8_t pubA_x[MAX_BUFFER_SIZE]={0};
  uint8_t pubA_y[MAX_BUFFER_SIZE]={0};

  // fetch information pedetermined by the library. for the selected curve
  the_curve_const_parameters = ec_get_curve_params_by_name(curve_name,
                          (u8)local_strnlen((const char *) curve_name, 
                                               MAX_CURVE_NAME_LEN)+ 1);
  import_params(&curve_params, the_curve_const_parameters);
  if(MAX_BUFFER_SIZE < SIZE_ONE_PTS) // SIZE_ONE_PTS depend on the curve you have selected via const char * curve_name
  {
    printf("ERROR: select an other curve or increase MAX_BUFFER_SIZE define\n");
    return -1;
  }

/**
  generate pB, pA, pubB and pubA
**/
  generate_key(pA, pubA_x, pubA_y, &curve_params); // generate ALice priv/pub key
  generate_key(pB, pubB_x, pubB_y, &curve_params); // generate Bob priv/pub key
// ok we have all what we need to perform:



/**
  from here we return in a more "standard" way ;) 
  we had certificate that were stocked into uint8_t buffer after parsing
  we have one selected curve defined by 'curve_params'
  we can perform the ECDH


  -------------------------------------------------------------------------
                       PERFORMING ECDH Bob -> Alice
  -------------------------------------------------------------------------
**/
// all this actions are performed on the Alice's side only
nn privA;
prj_pt pubB;
fp shared_AliceSide; // the shared secret seen by alice
// loading private key from "certificatee"
nn_init_from_buf(&privA, pA, SIZE_ONE_PTS);


if(prj_pt_from_buffer(&pubB, pubB_x, pubB_y, &curve_params ))
{
    printf("ERROR: public Key is not on the curve %s",curve_name); 
    return -2;
}

performECDH(&shared_AliceSide, &privA, &pubB);


/**
  -------------------------------------------------------------------------
                       PERFORMING ECDH Alice -> Bob
  -------------------------------------------------------------------------
**/
// all this actions are performed on the Alice's side only
nn privB;
prj_pt pubA;
fp shared_BobSide; // the shared secret seen by alice
// loading private key from "certificatee"
nn_init_from_buf(&privB, pB, SIZE_ONE_PTS);
if(prj_pt_from_buffer(&pubA, pubA_x, pubA_y, &curve_params ))
{
    printf("ERROR: public Key is not on the curve %s",curve_name); 
    return -2;
}

performECDH(&shared_BobSide, &privB, &pubA);

/**
  -------------------------------------------------------------------------
                   ENDING 
  -------------------------------------------------------------------------
in practive, this section don't exist,  we perform a HKDF to 
increase the security and the size of the shared secret.
but since here we have bob's and alice's side.
we can check that they both have the same secret.
**/


fp_print("Alice secret: ",&shared_AliceSide);
fp_print("  Bob secret: ",&shared_BobSide);

return fp_eq_or_opp(&shared_AliceSide,&shared_BobSide)? 0:-3;
}

4

1 回答 1

1

正如 Chris A. 所建议的,回答我的问题的答案。祝你今天过得愉快。(直到明天才能接受我的回答)

/**
  Perform ECDH with libECC!
  This src code is given as is without ANY WARANTY.
  use at your own risk, but do wathever you want with.

  I had big headeach trying to make it work, so I thougth it may
  worth it to give if to the internet.


  ECDH : Elliptic-curve Diffie–Hellman
  ------------------------------------
  let's say Alice and Bob (ho surprise) want to talk 
  on a public channel.

  pB: private key of bob (a 'random' big number )
  pA: private key of Alice (a 'random' big number )

  pubB: public key  of BOB   (the resulting )
  pubA: public key  of ALice (the resulting )

  G: the generator point specified by the parametre of the chossen curve

  Bob compute his public key by doing  pubB=pB*G  
  Alice compute his public key by doing pubA=pA*G

  Bob and Alice echange their public key. and multiply by theit private key:
  we have thus : 

  finalPointBob = pB*pubA = pB*pA*G
  finalPointAlice = pA*pubB = pA*pB*G=pB*pA*G

  In general, we only use the X coordinate of the resulting point :)

  !!!IMPORTANT!!!
  ---------------
  never use the result of ECDH exchange directly!  use HKDF after 
  to generate the final key.  First this allow you to generate
  bigger key, second, this prevent some attacks.


  M.G.
**/
#include <stdio.h>
#include "libec.h"
#define MAX_BUFFER_SIZE 256
#define SIZE_ONE_PTS BYTECEIL(curve_params.ec_fp.p_bitlen)

/**
  Transform an affine coordinate in projection one.
  Let me explain a little : 
  to optimise calculus by preventing division, mathematiciens
  has found that passing in a 3D domain will help a lot.

  we call coordinate in this domain projected coordinate. 
  how to project ?
  {x,y}->{X,Y,Z}    simply by selecting a z != 0 and then doing
  {x,y}->{xz,yz,z}  since it work with any z!=0, I'll use z =1

  btw maybe libECC can perform this operation but didn't see where :(

  return -1 if point not on curve
  return 0 else
**/
int public_key_to_prj_pt( prj_pt_t out, fp_src_t x,
                                        fp_src_t y,
                            ec_params  *curve_params)
{
  uint8_t one[1]={1};
  fp z;
  fp_init_from_buf(&z, &(curve_params->ec_fp), one,1);

  if(is_on_curve(x, y, &(curve_params->ec_curve)))
  {
    prj_pt_init_from_coords(out, &(curve_params->ec_curve), x, y, &z);
    return 0;
  }
  return -1;
}

/**
  given a public key X,Y buffer, we will return a point (projected)
  on the curve

  return -1 if point not on curve
  return 0 else
**/
int prj_pt_from_buffer(prj_pt_t out, 
              const uint8_t * x_bfr, 
              const uint8_t * y_bfr,
           ec_params  *curve_params)
{
  fp x,y;
  fp_init_from_buf(&x,&(curve_params->ec_fp),
        x_bfr,BYTECEIL(curve_params->ec_fp.p_bitlen));
  fp_init_from_buf(&y,&(curve_params->ec_fp),
        y_bfr,BYTECEIL(curve_params->ec_fp.p_bitlen));
  return public_key_to_prj_pt(out, &x,&y,curve_params);
}


/**
  actually perform the ECDH given the public projected point 
  and the privateKey

  !!!IMPORTANT!!!
  never use the result of this exchange directly!  use HKDF after 
  to generate the final key.  First this allow you to generate
  bigger key, second, this prevent some attacks.

**/
void performECDH(fp_t sharedSecret, nn_t privKey, prj_pt_t pubKey)
{

  //3) multiply the public key by our private number ...
  prj_pt Q;
  aff_pt Q_aff;
  prj_pt_mul_monty(&Q, privKey, pubKey);
  //4) exctract the X coordinate
  prj_pt_to_aff(&Q_aff, &Q);
  fp_copy(sharedSecret, &(Q_aff.x));
}



/**
  used only for this example, 
  thoses buffer should be filled with certificate/pre established value.

  will generate a private key , fill buffer with 
  then generate the public key and fill buffer too
**/
void generate_key(uint8_t* priv_bfr, uint8_t * x_bfr, uint8_t * y_bfr,ec_params  *curve_params)
{
  nn priv;
  prj_pt pub; // public point inside the 3D plans
  aff_pt pub_aff; // remember we want point in 2D plans not 3D one
  // private 
  nn_init(&priv, 0);
  nn_get_random_mod(&priv, &(curve_params->ec_gen_order));
  // public 
  prj_pt_mul_monty(&pub, &priv, &(curve_params->ec_gen));
  prj_pt_to_aff(&pub_aff, &pub);
  // fill buffers 
  nn_export_to_buf(priv_bfr, BYTECEIL(curve_params->ec_fp.p_bitlen), &priv);
  fp_export_to_buf(x_bfr, BYTECEIL(curve_params->ec_fp.p_bitlen), &(pub_aff.x));
  fp_export_to_buf(y_bfr, BYTECEIL(curve_params->ec_fp.p_bitlen), &(pub_aff.y));

}




int main()
{
  printf("---------- start the test ------------ \n");

  /**
    Generally key are exchanged in a standard way,
    But for the example, we will regenerate wath we get if we use
    for example PEM format to key exchange. this specify :
    - the curve we use 
    - one public/private key 
    here we will simulate this, since libECC have no PEM parser ;)

  -------------------------------------------------------------------------
                        GENERATING "CERTIFICATS"
  -------------------------------------------------------------------------
  **/
  // all these info should be extracted from a standard way to
  // exchange key (ie: PEM X509, DEM, ..) since we don't have parser,...
  // we generate them ..
  const char * curve_name =  "SECP384R1" ;  // the curve we will use 
  const ec_str_params *the_curve_const_parameters; //stock const info about the curve
  ec_params  curve_params;// stock info about the curve in structured way.

  uint8_t pB[MAX_BUFFER_SIZE]={0}; //buffer bigger thant wath we need ... prevent a malloc
  uint8_t pA[MAX_BUFFER_SIZE]={0}; 

  // one should ratther use only one buffer for X,Y since we know the size 
  // for this example, we will split all 
  uint8_t pubB_x[MAX_BUFFER_SIZE]={0};
  uint8_t pubB_y[MAX_BUFFER_SIZE]={0};
  uint8_t pubA_x[MAX_BUFFER_SIZE]={0};
  uint8_t pubA_y[MAX_BUFFER_SIZE]={0};

  // fetch information pedetermined by the library. for the selected curve
  the_curve_const_parameters = ec_get_curve_params_by_name(curve_name,
                          (u8)local_strnlen((const char *) curve_name, 
                                               MAX_CURVE_NAME_LEN)+ 1);
  import_params(&curve_params, the_curve_const_parameters);
  if(MAX_BUFFER_SIZE < SIZE_ONE_PTS) // SIZE_ONE_PTS depend on the curve you have selected via const char * curve_name
  {
    printf("ERROR: select an other curve or increase MAX_BUFFER_SIZE define\n");
    return -1;
  }

/**
  generate pB, pA, pubB and pubA
**/
  generate_key(pA, pubA_x, pubA_y, &curve_params); // generate ALice priv/pub key
  generate_key(pB, pubB_x, pubB_y, &curve_params); // generate Bob priv/pub key
// ok we have all what we need to perform:



/**
  from here we return in a more "standard" way ;) 
  we had certificate that were stocked into uint8_t buffer after parsing
  we have one selected curve defined by 'curve_params'
  we can perform the ECDH


  -------------------------------------------------------------------------
                       PERFORMING ECDH Bob -> Alice
  -------------------------------------------------------------------------
**/
// all this actions are performed on the Alice's side only
nn privA;
prj_pt pubB;
fp shared_AliceSide; // the shared secret seen by alice
// loading private key from "certificatee"
nn_init_from_buf(&privA, pA, SIZE_ONE_PTS);


if(prj_pt_from_buffer(&pubB, pubB_x, pubB_y, &curve_params ))
{
    printf("ERROR: public Key is not on the curve %s",curve_name); 
    return -2;
}

performECDH(&shared_AliceSide, &privA, &pubB);


/**
  -------------------------------------------------------------------------
                       PERFORMING ECDH Alice -> Bob
  -------------------------------------------------------------------------
**/
// all this actions are performed on the Alice's side only
nn privB;
prj_pt pubA;
fp shared_BobSide; // the shared secret seen by alice
// loading private key from "certificatee"
nn_init_from_buf(&privB, pB, SIZE_ONE_PTS);
if(prj_pt_from_buffer(&pubA, pubA_x, pubA_y, &curve_params ))
{
    printf("ERROR: public Key is not on the curve %s",curve_name); 
    return -2;
}

performECDH(&shared_BobSide, &privB, &pubA);

/**
  -------------------------------------------------------------------------
                   ENDING 
  -------------------------------------------------------------------------
in practive, this section don't exist,  we perform a HKDF to 
increase the security and the size of the shared secret.
but since here we have bob's and alice's side.
we can check that they both have the same secret.
**/


fp_print("Alice secret: ",&shared_AliceSide);
fp_print("  Bob secret: ",&shared_BobSide);

return fp_eq_or_opp(&shared_AliceSide,&shared_BobSide)? 0:-3;
}
于 2020-04-11T08:14:56.810 回答