u/N_T_F_D

Elliptic-curve based encryption question

Hi,

I am building a key import mechanism for a hardware token (smartcard).

The tokens each hold exactly one P-256 key pair and can either import a new key pair replacing the old one, or sign a SHA-256 digest.

Instead of generating additional RSA keys in order to allow importing using a standard RSAES_OAEP_SHA_1 algorithm I am trying to use the existing key pair as the wrapping key for importing a new key pair, as using RSA would make it more complex and bug-prone (if the commands sent to the token are larger than 255 bytes you need to implement mechanisms such as chaining or extended length).

What I'm doing currently is:

  1. Collect the current public key of the token that will import a new key pair

  2. Generate an ephemeral key pair

  3. Perform ECDH with the ephemeral private key and the token's public key

  4. Hash the result with SHA-512 to get enough common secret data. Use the NIST SP800-108 KDF on the common secret to derive the key and the nonce

  5. Encrypt the new key pair with AES-CCM, outputting a 16 byte tag

  6. Concatenate the ephemeral public key, the tag and the ciphertext

  7. Send this to the token that will import it all

And then something similar happens on the token: get the common secret with ECDH, decrypt the data, verify the tag

Now my main question is, should the ephemeral public key be part of the authenticated data protected by the AES-CCM tag? And in general, is the design sound?

And is it enough to compute a SHA-512 digest to get enough key material instead of a proper KDF?

As indeed a KDF is not used because it's potentially not available as the new key generation and wrapping is also happening on a different smartcard where resources are limited, and it's the same reason why it's AES-CCM and not AES-GCM, and why the whole key pair is transmitted encrypted and not just the private key (as again point multiplication is potentially not available).

I say potentially because with enough money and connections I could get access to some private APIs for extra crypto algorithms including KDFs and ECC point multiplication.
