13
$\begingroup$

Alice, Bob, and Carol each generate ECDH keypairs. Alice and Bob establish a communication channel and negotiate an AliceBob secret.

The question is: Is it safe for Alice and/or Bob to reuse their keypairs to negotiate a new AliceCarol and/or BobCarol secret?

The intended use is authentication. Each party can persistently store the others' public keys, and persistently store or deterministically recreate their own private keypair. Each party could establish a new communication channel with another party at a later time, verify that the other party's current public key matches their previous public key, generate a random message M and send it to the other party. The other party can then use the negotiated secret to HMAC sign M to generate M' and send M' back. At this point, M' can be verified by the originating party re-calculating M' using the negotiated secret, thus validating the other party's identity.

Improve this question
$\endgroup$

2 Answers 2

Reset to default
8
$\begingroup$

Such keys are called static keys. Keys that are newly generated each time are called ephemeral keys. Note that you need to trust the public keys of the static key pairs to use them for authentication. This trust can be established by embedding the DH public keys in leaf certificates within an PKI.

Please note that there is an issue when static keys are used on both sides during common Diffie-Hellman key agreement: the generated secret will be static as well, as the whole scheme has now become deterministic. The solution for this is to send a nonce as well as a public key by one of the parties; this nonce can then be used during key establishment to create a unique secret key.

More information in chapter 6 of NIST SP 800-56A, specifically 6.3 Scheme Using No Ephemeral Key Pairs, C(0, 2) scheme.

Improve this answer
$\endgroup$
7
$\begingroup$

Yes, the same keypairs can be used to derive shared secrets between multiple pairs of parties.

If knowing the shared secret between Alice and Bob would help Eve find out the shared secret between Alice and Carol, Eve could just create her own random private key and calculate a "shared" secret between that key and Alice's public key to get the same advantage.

Improve this answer
$\endgroup$

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.