decentralized-identity / did-jwt

Create and verify DID verifiable JWTs in JavaScript

[BUG] unable to decrypt own message in ecdh

sirpy opened this issue · comments

Prerequisites

Please answer the following questions for yourself before submitting an issue.

  • I am running the latest version
  • I checked the documentation and found no answer
  • I checked to make sure that this issue has not already been filed

Current Behavior

The decrypter fails when trying to decode the sender's message with the sender's secret key

Expected Behavior

The sender should be able to decrypt his own message since the shared secret should be the same in ECDH

Please provide detailed steps for reproducing the issue.

    const userKeyPair = genX25519EphemeralKeyPair()
    const senderKeyPair = genX25519EphemeralKeyPair()
    const clearText = await prepareCleartext({ x: "record" })
    const encrypter = xc20pAuthEncrypterEcdh1PuV3x25519WithXc20PkwV2(
      Buffer.from(userKeyPair.publicKeyJWK.x || "", "base64url"),
      senderKeyPair.secretKey
    )
    const result = await createJWE(clearText, [encrypter])
    // doesn't fail if switching between senderKeyPair and userKeyPair, i.e. the standard flow
    const decrypter = xc20pAuthDecrypterEcdh1PuV3x25519WithXc20PkwV2(
      senderKeyPair.secretKey,
      Buffer.from(userKeyPair.publicKeyJWK.x || "", "base64url")
    )
    const decrypted = await decryptJWE(result, decrypter) // fails

This is normal and expected.
ECDH-1PU is not bidirectional.
The shared secret is computed as a concatenation between 2 ECDH operations:

  • on the sender side: ephemeralSecret * recipientPublicKey || senderSecret * recipientPublicKey
  • on the recipient side: recipientSecret * ephemeralPublicKey || recipientSecret * senderPublicKey

If you try to replace the recipient with the sender you would compute:
senderSecret * ephemeralPublicKey || senderSecret * recipientPublicKey as the shared secret, but the first half would not match and therefore result in a different shared secret.

A similar situation happens with ECDH-ES, where the shared secret is computed between the recipient key pair and an ephemeral key pair (whose secret part is discarded by the sender).

Please close this issue if this information is sufficient.
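
The asymmetry described in the reply above can be reproduced with Node's built-in X25519 support. This is an added example, not part of the original thread and not did-jwt code; the function names are made up for the illustration, and the KDF and key-wrap steps that follow the concatenation in ECDH-1PU are left out.

```javascript
// Added illustration (not did-jwt code): the ECDH-1PU secret Z = Ze || Zs,
// computed with Node's built-in X25519. All key pairs are generated on the fly.
const crypto = require('node:crypto')

const dh = (privateKey, publicKey) => crypto.diffieHellman({ privateKey, publicKey })

// Sender side: ephemeralSecret * recipientPublicKey || senderSecret * recipientPublicKey
function senderZ(ephemeral, sender, recipientPublic) {
  return Buffer.concat([
    dh(ephemeral.privateKey, recipientPublic),
    dh(sender.privateKey, recipientPublic),
  ])
}

// Recipient side: recipientSecret * ephemeralPublicKey || recipientSecret * senderPublicKey
function recipientZ(recipient, ephemeralPublic, senderPublic) {
  return Buffer.concat([
    dh(recipient.privateKey, ephemeralPublic),
    dh(recipient.privateKey, senderPublic),
  ])
}

// What the decrypter in the issue computes: the sender's secret used in the
// recipient's role, with the recipient's public key in the sender's slot.
function senderAsRecipientZ(sender, ephemeralPublic, recipientPublic) {
  return Buffer.concat([
    dh(sender.privateKey, ephemeralPublic),
    dh(sender.privateKey, recipientPublic),
  ])
}

function demo() {
  const gen = () => crypto.generateKeyPairSync('x25519')
  const sender = gen(), recipient = gen(), ephemeral = gen()
  const zSender = senderZ(ephemeral, sender, recipient.publicKey)
  const zRecipient = recipientZ(recipient, ephemeral.publicKey, sender.publicKey)
  const zWrong = senderAsRecipientZ(sender, ephemeral.publicKey, recipient.publicKey)
  return {
    recipientMatches: zSender.equals(zRecipient),                         // standard flow
    senderMatches: zSender.equals(zWrong),                                // flow from the issue
    zeHalfMatches: zSender.subarray(0, 32).equals(zWrong.subarray(0, 32)), // first half (Ze)
    zsHalfMatches: zSender.subarray(32).equals(zWrong.subarray(32)),       // second half (Zs)
  }
}

console.log(demo())
```

Only the static half (Zs) agrees when the sender stands in for the recipient; reproducing the ephemeral half (Ze) on the sender side would require the ephemeral secret.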

OK, thanks.
Is there an option to use regular ECDH?

For the moment, no. But you're free to try to create your own.