David,

Thanks for your reply. We wanted to avoid using TLS due the overhead and thus wanted to go the ECIES way.

Would it be feasible to do authentication via ecc signing the public exchanged keys on both sides? This seems still be be way cheaper than TLS right?

We'd, however, want to send a certificate at the end from the client to the server to verify that the client is allowed to execute certain actions on our server, does this make sense? I understand via wolfSSL we could manually verify the complete chain of certificates to understand whether the incoming certificate is valid or not.

We wanted to make sure to exchange the certificate from client -> server via an already encrypted channel as we don't use it for authentication but for understanding if the user is allowed to do certain actions means we must prevent anyone catching the certificate from the client via a MITM.

hope this all makes sense,
thanks
Alex

David,

Yes we use different keys, unique per server / client each. We have the public key of the server installed at the client to avoid rundtroup and the client generates its key at connection for each session and lets the server know including the signature to verify authencity.

For certificates -- yes the overhead is quite big. What would be the alternative actually to have something the user could send that we could verify for authencity (without the server knowing about it) and ensuring ie the user can not change things like the expiration and such?

thanks
Alex

David,

Thank you so much. Last question on this topic promised so I really get this right please forgive me ;-)

We want to authenticate the client on the server. The server holds the public key of the client.

The client generates a new session key via wc_ecc_make_key()
Then it creates a sha256 hash out of this session key and signs it with its client key via wc_ecc_sign_hash()

The server receives both the session key plain text and the signature. It hashes the session key with sha256 and verifies the signature via wc_ecc_verify_hash() and the known client's public key the server has.

Is this a correct approach or does it have any flaws because its not the server sending random which the client signs and returns back but the client signs its own generated session key and sends it?

Thanks so much
Alex

Thank you very much.

Btw we're also currently in inquiry to buy commercial licenses so this is very helpful here to solve our issue to implement it properly.

My approach was actually just following the sample code in here:

https://github.com/wolfSSL/wolfssl-exam … ver.c#L113

Where it says one should implement signing (hashing + sign) the generated public key on server side and verify that signature on client side. This is actually what I am doing just vice versa (generating the public key on client side, signing it there with my private key and the server verifying it).

Can you tell me where this is wrong or did I missunderstand the sample?

Furthermore my approach is to have one side using a static key while the other side generates a dynamic key for the session. In the example given both sides generate a dynamic/temporary key for each session. The only difference I understood from reading some documentation is that your approach provides forward secrecy and mine doesn't correct? (Reading about the ECIES they also seem to use one static key?)

However because a secret and a salt is generated for each session even with one side being a static key we still would have  forward secrecy or not?

Or should we simply go the exact route of the sample (both sides generate a temporary key) but why would the signing be required then as the code states?

And then do the authentication later over secure connection ie via a certificate sent by the client?

Sorry for those dumb questions I am trying to wrap my head around this since days and everytime I think I got it I understand I didn't ;-)

Alex

Hi Alex,

David asked me if I had any thoughts on this.

ECIES is about securely sending a message from the client to the server.
The client uses a server's public, along with an ephemeral key, to create a secret that becomes the encryption key for an algorithm like AES.
Only the owner of the private key corresponding to the public key used can decrypt the message.
The client does not know who the public key is for unless PKI is used.
The server does not know who the client is.

PKI is used to authenticate the owner of the public key.
A certificate wraps the public key with information that identifies the server and the a chain of certificate is used to authenticate the certificate up to a root of trust. The root of trust is a known trusted certificate.

From your postings, you want to authenticate the client.
Creating an ephemeral key and signing is not going to allow the server to authenticate the client.
Any client can send a message with any ephemeral key.
PKI, using certificates, should be used again to authenticate the client's public key.

Does any of this help?

Sean Parkinson, wolfSSL