Update asymmetric-ciphering.md

Adding examples for ECDH key derivation.
2026-01-17 01:18:06 +00:00 · 2022-03-17 00:43:44 +01:00 · 2022-03-17 00:43:44 +01:00 · daf0f98660
commit daf0f98660
parent 1f06c44a89
1 changed files with 34 additions and 0 deletions
--- a/doc/asymmetric-ciphering.md
+++ b/doc/asymmetric-ciphering.md
@ -4,6 +4,7 @@ Pico HSM supports in place decryption with the following algorithms:
 * RSA-PKCS
 * RSA-X-509
 * RSA-PKCS-OAEP
+* ECDH-DERIVE

 First, we generate the data:
 ```
@ -76,3 +77,36 @@ OAEP parameters: hashAlg=SHA256, mgf=MGF1-SHA256, source_type=0, source_ptr=0x0,
 This is a test string. Be safe, be secure.
 ```

+## ECDH-DERIVE
+ECC keys do not allow ciphering operations. Instead, the ECDH scheme provides a mechanism to exchange a shared symmetric key without transmitting it to the remote part. The shared key is composed by multiplying the local private key and the remote public key. 
+
+First, we create the remote part, Bob, by generating an ECC keypair and getting the public key:
+```
+$ openssl ecparam -genkey -name prime192v1 > bob.pem
+$ openssl ec -in bob.pem -pubout -outform DER > bob.der
+```
+
+We derive the shared key by giving the Bob's public key to the Pico HSM:
+```
+$ pkcs11-tool --pin 648219 --id 11 --derive -i bob.der -o mine-bob.der
+```
+
+We compute the other shared key, with Bob's private key and our public key:
+```
+$ openssl pkeyutl -derive -out bob-mine.der -inkey bob.pem -peerkey 11.pub
+```
+
+Finally, we compare both shared keys:
+```
+$ cmp bob-mine.der mine-bob.der
+```
+
+If both are equal, no output is displayed.
+
+or displayed:
+```
+$ xxd -p bob-mine.der             
+9874558aefa9d92cc051e5da6d1753987e5314925d6d78bf
+$ xxd -p mine-bob.der             
+9874558aefa9d92cc051e5da6d1753987e5314925d6d78bf
+```