I am moving from RSA to ECC for my application.
Looking at these posts 1 2 3, they all suggest that Alice generates a temporary (ephemeral) ECC keypair eKP to send a message to Bob. The session key sK is then generated at Alice's side as (privateKey eKP * publicKeyBob). The publicKey of eKP is transmitted along with the sK-encrypted message. At Bob's side, he can calculate the same session key sK as (publicKey eKP * privateKeyBob) and decrypt the message.
What I do not understand is why using a temporary (ephemeral) keypair eKP is better than just generating a session key sK directly from (privateKeyAlice*publicKeyBob).
Is it because we would re-use the same session key every time? Is it because we would have to pre-agree on seeds or initialization vectors for directly generated session keys, adding more interactions? Any other reasons?
Any insights greatly appreciated.
What I do not understand is why using a temporary (ephemeral) keypair eKP is better than just generating a session key sK directly from (publicKeyBob + privateKeyAlice).
The trouble with the above, known as the Integrated Encryption Scheme (IES), is that an attacker may be able to replace the message with one of their choosing, and the recipient would be unaware.
You typically want to authenticate the sender. Therefore, I would recommend a stronger version of the authenticated key exchange you describe so you can still authenticate the sender whilst getting benefits 1 and 2. It goes like this:
Make sure you include the sender's and recipient's public key in the key derivation. Otherwise, with some algorithms, the same shared secret may be derived for multiple public keys, which affects sender authentication and can lead to vulnerabilities.
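To make the three options in this thread concrete, here is an added example that is not part of the question, the answer, or the linked posts. It implements X25519 scalar multiplication from RFC 7748 so the file has no dependencies, and runs the question's static-static proposal, the ephemeral-static (IES-style) scheme from the linked posts, and one way of reading the answer's "stronger version": an ephemeral-static secret concatenated with a static-static secret, with the ephemeral, sender and recipient public keys all fed into the KDF (the same idea as the one-way patterns in the Noise framework). The function names (`static_key`, `ies_encrypt`, `auth_encrypt`, ...), the HMAC-SHA256 keystream-plus-tag symmetric layer (a stand-in for a real AEAD such as AES-GCM), the KDF labels and the constructed messages are all my own choices, not anything the answer specifies.

```python
"""Toy one-pass ECDH encryption over X25519 (RFC 7748), standard library only.
Compares static-static, ephemeral-static (IES-style) and ephemeral+static with
all public keys bound into the KDF. Constructed for illustration: the scalar
multiplication is not constant time and the symmetric layer is an AEAD stand-in."""
import hashlib, hmac, os
P = 2**255 - 19

def x25519(k: bytes, u: bytes) -> bytes:
    """k * u on Curve25519 via the Montgomery ladder of RFC 7748 section 5."""
    kb = bytearray(k); kb[0] &= 248; kb[31] &= 127; kb[31] |= 64   # clamp the scalar
    n = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u[:31] + bytes([u[31] & 127]), "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (n >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def public_key(priv: bytes) -> bytes: return x25519(priv, (9).to_bytes(32, "little"))

def hkdf(ikm: bytes, info: bytes, length: int = 64) -> bytes:
    """HKDF-SHA256 (RFC 5869), empty salt. 64 bytes = 32 enc key || 32 mac key."""
    prk = hmac.new(b"\0" * 32, ikm, hashlib.sha256).digest()
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + block, i + 1
    return out[:length]

def _xor_stream(key: bytes, data: bytes) -> bytes:
    ks = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key64: bytes, ad: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC. There is no nonce, so key64 must never be used twice."""
    ct = _xor_stream(key64[:32], msg)
    return ct + hmac.new(key64[32:], ad + ct, hashlib.sha256).digest()

def open_(key64: bytes, ad: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key64[32:], ad + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return _xor_stream(key64[:32], ct)

def static_key(my_priv: bytes, their_pub: bytes) -> bytes:
    """Scheme 1 (the question's proposal): deterministic, identical for every message."""
    return hkdf(x25519(my_priv, their_pub), b"static-static")

def ies_encrypt(bob_pub: bytes, msg: bytes) -> bytes:
    """Scheme 2 (IES-style): fresh key per message, but anyone holding bob_pub can send."""
    eph_priv = os.urandom(32); eph_pub = public_key(eph_priv)
    key = hkdf(x25519(eph_priv, bob_pub), b"ies" + eph_pub + bob_pub)
    return eph_pub + seal(key, eph_pub, msg)

def ies_decrypt(bob_priv: bytes, blob: bytes) -> bytes:
    eph_pub = blob[:32]          # no sender identity enters the computation anywhere
    return open_(hkdf(x25519(bob_priv, eph_pub), b"ies" + eph_pub + public_key(bob_priv)), eph_pub, blob[32:])

def auth_encrypt(alice_priv: bytes, bob_pub: bytes, msg: bytes) -> bytes:
    """Scheme 3: ephemeral-static || static-static, all three public keys bound in the KDF."""
    alice_pub = public_key(alice_priv)
    eph_priv = os.urandom(32); eph_pub = public_key(eph_priv)
    ikm = x25519(eph_priv, bob_pub) + x25519(alice_priv, bob_pub)
    key = hkdf(ikm, b"auth" + eph_pub + alice_pub + bob_pub)
    return eph_pub + seal(key, eph_pub + alice_pub, msg)

def auth_decrypt(bob_priv: bytes, alice_pub: bytes, blob: bytes) -> bytes:
    eph_pub, body = blob[:32], blob[32:]
    ikm = x25519(bob_priv, eph_pub) + x25519(bob_priv, alice_pub)
    key = hkdf(ikm, b"auth" + eph_pub + alice_pub + public_key(bob_priv))
    return open_(key, eph_pub + alice_pub, body)

def demo() -> dict:
    """Runs the three schemes plus an impersonation attempt by Mallory (constructed data)."""
    alice_priv, bob_priv, mallory_priv = (os.urandom(32) for _ in range(3))
    alice_pub, bob_pub = public_key(alice_priv), public_key(bob_priv)
    r = {}
    # 1. Same key every message, so two ciphertexts XOR to the XOR of the plaintexts.
    k = static_key(alice_priv, bob_pub)
    r["static_keys_equal"] = k == static_key(bob_priv, alice_pub)
    c1, c2 = seal(k, b"", b"attack at dawn!!"), seal(k, b"", b"retreat at noon!")
    r["static_ct_xor"] = bytes(a ^ b for a, b in zip(c1[:16], c2[:16]))
    # 2. Bob accepts an IES message from Mallory exactly as he would one from Alice.
    r["ies_forgery_accepted"] = ies_decrypt(bob_priv, ies_encrypt(bob_pub, b"pay Mallory")) == b"pay Mallory"
    # 3. Mallory cannot compute Alice_priv * Bob_pub, so her message fails Bob's tag check.
    r["auth_ok"] = auth_decrypt(bob_priv, alice_pub, auth_encrypt(alice_priv, bob_pub, b"hi Bob")) == b"hi Bob"
    try:
        auth_decrypt(bob_priv, alice_pub, auth_encrypt(mallory_priv, bob_pub, b"pay Mallory"))
        r["auth_forgery_accepted"] = True
    except ValueError:
        r["auth_forgery_accepted"] = False
    return r
```

Call `demo()` to see the three outcomes side by side. The static-static result answers the question's first guess directly: the derived key is the same for every message, so the symmetric layer needs a nonce or counter that both sides track, and reusing a keystream leaks plaintext XORs. The IES result illustrates the answer's point: Bob's decryption never touches any sender key, so a forged message decrypts cleanly. Only the third scheme, where Bob's computation includes `x25519(bob_priv, alice_pub)` and the KDF input includes both parties' public keys as the answer recommends, rejects Mallory's message.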