3

I configured a Windows CA and created a certificate template to issue certificates with ECDH_P384 keys:

1

Then I noticed that it's not possible to set the "Key Encipherment" key usage in the "Extensions" tab:

2]

What is the reason behind this limitation?
Is it correct to say that the "Key Encipherment" key usage makes no sense when using ECDH since it's already a key agreement protocol?

Chris
  • 81
  • 1
  • 7

2 Answers2

5

The relevant spec is section 3 of RFC 5480 ("Elliptic Curve Cryptography Subject Public Key Information") which extends RFC 5280 ("Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile").

A key used for ECDSA is used for digitalSignature.

If the key is used for signing things other than certificates and CRLs (and TLS handshakes) then use nonRepudiation, if the key is controlled by hardware device and certificate was issued in a way you can't later claim "it wasn't me". It can have specific legal meaning in some jurisdictions.

A key can be used for keyAgreement (ECDH), but modern TLS uses ephemeral DH to provide forward secrecy, so the key for the certificate is not itself used for ECDH.

It is generally not used for ECIES (encryption), though technically you can do that. It is a best practice to not use the same key for both signatures and encryption, though I am not aware of any vulnerabilities if you do. But generally, if you encrypt backups using a public key, use another key.

Look at the google.com and cloudflare.com ECC certs. They use bare digitalSignature bit in keyUsage. A CA ECC cert uses Digital Signature, Certificate Sign, CRL Sign.

Z.T.
  • 7,768
  • 1
  • 20
  • 35
2

Exactly. ECDH/ECDSA keys do not use symmetric key encryption like RSA does. Instead, they use key agreement to secure symmetric keys.

Crypt32
  • 5,750
  • 12
  • 24