(Tcl) How to Generate an Elliptic Curve Shared Secret

Demonstrates how to generate an ECC (Elliptic Curve Cryptography) shared secret. Imagine a cilent has one ECC private key, the server has another. A shared secret is computed by each side providing it's public key to the other. The private keys are kept private.

Chilkat Tcl Extension Downloads Chilkat Tcl Extension Downloads

load ./chilkat.dll

# This example requires the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.

# This example includes both client-side and server-side code.
# Each code segment is marked as client-side or server-side.
# Imagine these segments are running on separate computers...

# -----------------------------------------------------------------
# (Client-Side) Generate an ECC key, save the public part to a file.
# -----------------------------------------------------------------
set prngClient [new_CkPrng]

set eccClient [new_CkEcc]

# privKeyClient is a CkPrivateKey
set privKeyClient [CkEcc_GenEccKey $eccClient "secp256r1" $prngClient]
if {[CkEcc_get_LastMethodSuccess $eccClient] != 1} then {
    puts [CkEcc_lastErrorText $eccClient]
    delete_CkPrng $prngClient
    delete_CkEcc $eccClient
    exit
}

# pubKeyClient is a CkPublicKey
set pubKeyClient [CkPrivateKey_GetPublicKey $privKeyClient]
CkPublicKey_SavePemFile $pubKeyClient 0 "qa_output/eccClientPub.pem"
delete_CkPublicKey $pubKeyClient

# -----------------------------------------------------------------
# (Server-Side) Generate an ECC key, save the public part to a file.
# -----------------------------------------------------------------
set prngServer [new_CkPrng]

set eccServer [new_CkEcc]

# privKeyServer is a CkPrivateKey
set privKeyServer [CkEcc_GenEccKey $eccServer "secp256r1" $prngServer]
if {[CkEcc_get_LastMethodSuccess $eccServer] != 1} then {
    puts [CkEcc_lastErrorText $eccServer]
    delete_CkPrng $prngClient
    delete_CkEcc $eccClient
    delete_CkPrng $prngServer
    delete_CkEcc $eccServer
    exit
}

# pubKeyServer is a CkPublicKey
set pubKeyServer [CkPrivateKey_GetPublicKey $privKeyServer]
CkPublicKey_SavePemFile $pubKeyServer 0 "qa_output/eccServerPub.pem"
delete_CkPublicKey $pubKeyServer

# -----------------------------------------------------------------
# (Client-Side) Generate the shared secret using our private key, and the other's public key.
# -----------------------------------------------------------------

# Imagine that the server sent the public key PEM to the client.
# (This is simulated by loading the server's public key from the file.
set pubKeyFromServer [new_CkPublicKey]

CkPublicKey_LoadFromFile $pubKeyFromServer "qa_output/eccServerPub.pem"
set sharedSecret1 [CkEcc_sharedSecretENC $eccClient $privKeyClient $pubKeyFromServer "base64"]
delete_CkPrivateKey $privKeyClient

# -----------------------------------------------------------------
# (Server-Side) Generate the shared secret using our private key, and the other's public key.
# -----------------------------------------------------------------

# Imagine that the client sent the public key PEM to the server.
# (This is simulated by loading the client's public key from the file.
set pubKeyFromClient [new_CkPublicKey]

CkPublicKey_LoadFromFile $pubKeyFromClient "qa_output/eccClientPub.pem"
set sharedSecret2 [CkEcc_sharedSecretENC $eccServer $privKeyServer $pubKeyFromClient "base64"]
delete_CkPrivateKey $privKeyServer

# ---------------------------------------------------------
# Examine the shared secrets.  They should be the same.
# Both sides now have a secret that only they know.
# ---------------------------------------------------------
puts "$sharedSecret1"
puts "$sharedSecret2"

delete_CkPrng $prngClient
delete_CkEcc $eccClient
delete_CkPrng $prngServer
delete_CkEcc $eccServer
delete_CkPublicKey $pubKeyFromServer
delete_CkPublicKey $pubKeyFromClient