What is the KDF for ECIES?

I am trying to use ECIES to encrypt some data on MacOS using SecKeyCreateEncryptedData() and then Decrypt the data on Linux using OpenSSL.

I can currently encrypt and decrypt mac to mac or linux to linux but not cross platform.
I am trying to match the behaviour of "eciesEncryptionStandardVariableIVX963SHA256AESGCM" on MacOS.
I am at the point where i have generated the 32 byte symmetric key from the curve using the Ephemeral private key and peer public key.
According to this:
https://github.com/practicalswift/osx/blob/master/src/security/keychain/SecKey.h#L1153
"Ephemeral public key data is used as sharedInfo for KDF"
I'm stuck at knowing which KDF is used, and how can i recreate that function using openSSL.
I assume it will make a 32 Byte key since the first 16 bytes are the AES key and last 16 are the IV.
I also assume it will use SHA256.
From there I should be ok to use the peer public key as AAD and follow AES-GCM using the generated key.
Any help would be greatly appreciated.

Up vote post of ServerSideSwiftDeveloper Down vote post of ServerSideSwiftDeveloper
2.3k views
Posted by
ServerSideSwiftDeveloper
Reply
Add a Comment

Accepted Reply 

kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA256AESGCM
uses the ANSI X9.63 key derivation function with SHA-256 as the hash function. As far as I can tell the spec for that is not available publicly, but if you search the ’net for “ANSI X9.63 KDF” that will turn up a bunch of references and various implementations [1].

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"

[1] Indeed the Apple implementation (

ccansikdf_x963
) is included in the corecrypto library, downloadable from the main Security page.
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment

Replies

kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA256AESGCM
uses the ANSI X9.63 key derivation function with SHA-256 as the hash function. As far as I can tell the spec for that is not available publicly, but if you search the ’net for “ANSI X9.63 KDF” that will turn up a bunch of references and various implementations [1].

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"

[1] Indeed the Apple implementation (

ccansikdf_x963
) is included in the corecrypto library, downloadable from the main Security page.
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment

Thanks you eskimo. I have now got it working.
Here is the Sudo code for my KDF. Since the key length is equal to the Hash length we only hash once.
symKey is the symmetricKey calculated by ECDH, ephPubkey is the ephemeral public key:
```
let symmetricKeyData = Data(bytes: symKey, count: 32)
let counterData = Data(bytes: [0x00, 0x00, 0x00, 0x01])
let sharedInfo = Data(bytes: ephPubkey, count: 65)
let preHashKey = symKeyData + counterData + sharedInfo
let hashedKey = SHA256.digest(data: preHashKey) // 32 Bytes long
let aesKey = [UInt8](hashedKey.subdata(in: 0 ..< 16))
let iv = [UInt8](hashedKey.subdata(in: 16 ..< 32))
```


The aesKey and iv are then used for AES-GCM.
One important thing i noticed was that in the docs it claims:
"static public key data is used as authenticationData for AES-GCM processing"
However this doesn't appear to be the case. You have to provide no authenticationData for the encryption/decryption to work.

Posted by
ServerSideSwiftDeveloper
Up vote reply of ServerSideSwiftDeveloper Down vote reply of ServerSideSwiftDeveloper
Add a Comment