[BUG] unable to decrypt own message in ecdh
sirpy opened this issue · comments
Prerequisites
Please answer the following questions for yourself before submitting an issue.
- I am running the latest version
- I checked the documentation and found no answer
- I checked to make sure that this issue has not already been filed
Current Behavior
The decrypter fails when trying to decode the sender's message with the sender's secret key.
Expected Behavior
The sender should be able to decrypt his own message, since the shared secret should be the same in ECDH.
Please provide detailed steps for reproducing the issue.
```js
const userKeyPair = genX25519EphemeralKeyPair()
const senderKeyPair = genX25519EphemeralKeyPair()
const clearText = await prepareCleartext({ x: "record" })
const encrypter = xc20pAuthEncrypterEcdh1PuV3x25519WithXc20PkwV2(
  Buffer.from(userKeyPair.publicKeyJWK.x || "", "base64url"),
  senderKeyPair.secretKey
)
const result = await createJWE(clearText, [encrypter])
// doesn't fail if switching between senderKeyPair and userKeyPair, i.e. the standard flow
const decrypter = xc20pAuthDecrypterEcdh1PuV3x25519WithXc20PkwV2(
  senderKeyPair.secretKey,
  Buffer.from(userKeyPair.publicKeyJWK.x || "", "base64url")
)
const decrypted = await decryptJWE(result, decrypter) // fails
```
This is normal and expected.
ECDH-1PU is not bidirectional.
The shared secret is computed as a concatenation between 2 ECDH operations:
- on the sender side:
  `ephemeralSecret * recipientPublicKey || senderSecret * recipientPublicKey`
- on the recipient side:
  `recipientSecret * ephemeralPublicKey || recipientSecret * senderPublicKey`

If you try to replace the recipient with the sender you would compute:
`senderSecret * ephemeralPublicKey || senderSecret * recipientPublicKey`
as the shared secret, but the first half would not match and therefore result in a different shared secret.
A similar situation happens with ECDH-ES, where the shared secret is computed between the recipient key pair and an ephemeral key pair (whose secret part is discarded by the sender).
Please close this issue if this information is sufficient.
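The three computations described in the comment above, as an added example that is not part of the original thread or the library's own code. It uses Node's built-in `crypto` X25519 with freshly generated keys, the helper names (`dh`, `newKeyPair`, `demo`) are hypothetical, and it stops at the raw shared secret, leaving out the key-derivation and key-wrapping steps.

```javascript
// Added illustration: ECDH-1PU shared secret Z = Ze || Zs over X25519.
// Uses only Node's built-in crypto; this is not the library's code.
const crypto = require('node:crypto');

// Raw X25519 operation: secret * public (returns 32 bytes).
const dh = (secret, pub) =>
  crypto.diffieHellman({ privateKey: secret, publicKey: pub });

// Constructed sample keys, generated fresh on every run.
const newKeyPair = () => crypto.generateKeyPairSync('x25519');

function demo() {
  const sender = newKeyPair();
  const recipient = newKeyPair();
  // Created by the sender per message; only its public half travels in the JWE.
  const ephemeral = newKeyPair();

  // Sender: ephemeralSecret * recipientPublicKey || senderSecret * recipientPublicKey
  const zSender = Buffer.concat([
    dh(ephemeral.privateKey, recipient.publicKey),
    dh(sender.privateKey, recipient.publicKey),
  ]);

  // Recipient: recipientSecret * ephemeralPublicKey || recipientSecret * senderPublicKey
  const zRecipient = Buffer.concat([
    dh(recipient.privateKey, ephemeral.publicKey),
    dh(recipient.privateKey, sender.publicKey),
  ]);

  // Sender put in the recipient role, as in the issue:
  // senderSecret * ephemeralPublicKey || senderSecret * recipientPublicKey
  const zSenderAsRecipient = Buffer.concat([
    dh(sender.privateKey, ephemeral.publicKey),
    dh(sender.privateKey, recipient.publicKey),
  ]);

  return {
    recipientMatches: zSender.equals(zRecipient),
    senderAsRecipientMatches: zSender.equals(zSenderAsRecipient),
    firstHalfMatches: zSender.subarray(0, 32).equals(zSenderAsRecipient.subarray(0, 32)),
    secondHalfMatches: zSender.subarray(32).equals(zSenderAsRecipient.subarray(32)),
  };
}

console.log(demo());
```

Only the second (static-static) half agrees when the sender takes the recipient role, so the concatenated secret differs and decryption fails.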
OK, thanks.
Is there an option to use regular ECDH?
For the moment, no. But you're free to try to create your own.