On Fri, Nov 27, 2015 at 09:36:41AM +0000, Matt Caswell wrote:

> >> OpenSSL only supports ECDH and ECDSA, neither of which can be used to
> >> perform encryption.
> >
> > This is not entirely true, in sufficiently recent versions of
> > OpenSSL, ECDSA keys can be used with CMS to encrypt keys.
>
> Well, perhaps I should modify the statement to say
> "OpenSSL only supports ECDH and ECDSA, neither of which can be used *by
> themselves* to perform encryption."

Of course, but I generally interpret requests for "encryption" with EC to mean the ability to exchange encrypted messages with the holder of an EC public key. In which case, CMS provides a broadly interoperable mechanism to do so.

> I'm not particularly familiar with CMS but from my very quick reading of
> what is going on in your example is that the EC key is being used by
> ECDH to agree a shared secret (in combination with a KDF).

Correct.

> Then AES128
> key wrapping is used to encrypt the CEK, followed by AES to actually
> encrypt the data. So ECDH is not encrypting anything directly (it can't
> - it's not an encryption algorithm - it's a key agreement algorithm).

Correct, as described in RFC 3278 the KEK from the key agreement encrypts the CEK. This supports multi-recipient messages with a single CEK and (unavoidably) a separate KEK for each recipient derived from the ephemeral-fixed key agreement.

The CMS API takes care of the internal details, but can be difficult to learn because of its flexibility (signed or unsigned, encrypted or unencrypted, detached signatures, ...).

-- 
Viktor.
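
The flow discussed in this thread, as an added example that is not part of the original message: a round trip with the `openssl cms` command to an EC recipient certificate, followed by a listing of the algorithm identifiers in the resulting message. It assumes an `openssl` binary with EC support in CMS on the PATH; the curve, file names and subject name are constructed for the sketch.

```shell
#!/bin/sh
# Added example: CMS encryption to the holder of an EC public key.
# File names, curve and subject name are constructed for this sketch.

# Create the recipient's fixed EC key pair and a self-signed certificate.
make_recipient() {      # $1 = working directory
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/key.pem" &&
    openssl req -new -x509 -key "$1/key.pem" -days 1 \
        -subj "/CN=constructed-recipient" -out "$1/cert.pem"
}

# Encrypt stdin to the certificate. AES-128 encrypts the content under a
# random CEK; the CEK is wrapped under a KEK derived from ECDH between a
# fresh ephemeral key and the recipient's fixed key, plus a KDF.
encrypt_to() {          # $1 = working directory
    openssl cms -encrypt -binary -aes128 -outform PEM \
        -out "$1/msg.pem" "$1/cert.pem"
}

# Decrypt with the recipient's private key; plaintext goes to stdout.
decrypt_with() {        # $1 = working directory
    openssl cms -decrypt -binary -inform PEM -in "$1/msg.pem" \
        -recip "$1/cert.pem" -inkey "$1/key.pem"
}

# List the algorithm identifiers carried in the message: the key agreement
# scheme, the key wrap used for the CEK, and the content cipher.
show_algorithms() {     # $1 = working directory
    openssl asn1parse -inform PEM -in "$1/msg.pem" | grep OBJECT
}

dir=$(mktemp -d)
make_recipient "$dir"
printf 'constructed sample message\n' | encrypt_to "$dir"
decrypt_with "$dir"
show_algorithms "$dir"
rm -rf "$dir"
```

Passing several certificates to `openssl cms -encrypt` produces one message with a single CEK and one wrapped copy of it per recipient.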