Modify the ECDH exchange program to derive six pieces of information: a write encryption key, a write IV, a write MAC key, a read decryption key, a read IV, and a read MAC key. The hard part will be getting both sides to derive the same keys. Remember, the keys will be derived in the same order. So how does Alice determine that the first key derived is her write key and not Bob’s write key? One way to do this is to take the first \(n\) bytes of each side’s public key bytes as an integer and whoever has the lowest number goes “first.”
Start from the code given in Exercise 6.9. Then instead of generating a key of length \(64\) inside of the HKDF, you generate \(2 * (32 + 16 + 32) = 160\) bytes, and then slice to get the 6 keys.
The tip given in the question answers which half of the \(160\) bytes belongs to whom. But how about if the first \(n\) bytes of each side’s ephemeral public key, is the same (it is possible). Then a natural thing to do would be to compare the first \(n + 1\) bytes and so on, until they differ. You can start by setting \(n = 1\).
I will leave you with another question. Are the six pieces of information that you generate independent of each other? Recall that,
shared secret: 2a d7 cb 89 67 9f 6f bc c4 06 7e 4e 6b 9b 38 3e 68 2a 96 d0 a3 c2 72 f3 6e 00 d4 e3 97 ab 93 4a 17 d5 c3 35 bc eb e3 39 69 96 7f 5f 96 d3 a8 f4
length: 48
Thus we are using \(48\) bytes of shared secret to generate \(160\) bytes of keys, which is not good security wise. So what should we do????? May be, 🧂🧂 the HKDF??